Issue in network routing when load balancing a network system

Trying to Bypass a load Balancer



Our system directs network traffic across a three-way load balancer serving three cellular modems in normal operation. We use a program called speedtest_cli that measures the traffic. The idea is that the test packets will all use the same modem we specify, but it appears this is not so, as I can see traffic on all modems during the test on a more or less idle system. So with the balancing measurements off, our traffic balancing is subpar.



The speed test program allows you to specify an address to generate packets from, but this does not avoid the balancing of its packets, which is done by marking network traffic using packet marking according to the load we want, then directing each bundle of marked packets to a particular modem.



To bypass this marking, I wanted to make a fourth style of marking and then direct the speedtest_cli to source its packets from a particular IP address that would be marked differently from the others. Then presumably this bundle could be directed to the modem I want depending on which modem I want to speed test.



SETMARK4 is the fourth marking group, which I intend to route to a particular modem during the test, but when I added this marking I got errors starting the test.



Chain PREROUTING (policy ACCEPT)
target prot opt source destination
CONNMARK all -- anywhere anywhere ctstate RELATED,ESTABLISHED CONNMARK restore
SETMARK4 all -- anywhere 10.7.1.0 ctstate NEW
SETMARK1 all -- anywhere anywhere ctstate NEW
SETMARK2 all -- anywhere anywhere ctstate NEW
SETMARK3 all -- anywhere anywhere ctstate NEW
PREBALANCE all -- 10.0.0.0/16 anywhere ctstate NEW

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CONNMARK all -- anywhere anywhere ctstate RELATED,ESTABLISHED CONNMARK restore
SETMARK4 all -- 10.7.1.0 anywhere ctstate NEW
SETMARK1 all -- anywhere anywhere ctstate NEW
SETMARK2 all -- anywhere anywhere ctstate NEW
SETMARK3 all -- anywhere anywhere ctstate NEW
PREBALANCE all -- anywhere anywhere ctstate NEW

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1300
CONNMARK all -- anywhere anywhere CONNMARK save

Chain BALANCE (1 references)
target prot opt source destination
SETMARK4 all -- 10.7.1.0 anywhere
SETMARK1 all -- anywhere anywhere statistic mode random probability 0.31999999983 connmark match 0x0
SETMARK2 all -- anywhere anywhere statistic mode random probability 0.45999999996 connmark match 0x0
SETMARK3 all -- anywhere anywhere statistic mode random probability 1.00000000000 connmark match 0x0

Chain PREBALANCE (2 references)
target prot opt source destination
RETURN all -- anywhere 10.0.0.0/16
RETURN all -- anywhere anywhere connmark match ! 0x0
RETURN all -- anywhere anywhere ctstate RELATED,ESTABLISHED
BALANCE all -- anywhere anywhere

Chain SETMARK1 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x1
MARK all -- anywhere anywhere MARK set 0x1

Chain SETMARK2 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x2
MARK all -- anywhere anywhere MARK set 0x2

Chain SETMARK3 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x3
MARK all -- anywhere anywhere MARK set 0x3

Chain SETMARK4 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x4
MARK all -- anywhere anywhere MARK set 0x4
[root@localhost ~]#


I had been creating the address to source from by hooking it to a dummy interface using ip addr add. This worked before I added the fourth packet marking group, but afterward I get an error saying that the IP cannot access the outside world. Pinging the new IP address also does not work.



Is there something off with the marking table change that causes this? Or is there a better way to allow a particular set up source address to bypass the BALANCE and be directed to a particular outgoing interface?










linux networking iptables






asked 6 hours ago
Chris Smith
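
The marking scheme described in the question, read literally from the `iptables -L` listing, as an added example that is not part of the original post: a small Python walk of a NEW connection through the OUTPUT, PREBALANCE and BALANCE chains. `iptables -L` without `-v` does not print interface matches, so the live rules may be narrower than this literal reading; the destination 203.0.113.10 and all function names are constructed for the example.

```python
import ipaddress
import random

EST = ("RELATED", "ESTABLISHED")
# Constructed from the listing above: only the matches that `iptables -L` prints.
CHAINS = {
    "OUTPUT": [
        ({"ctstate": EST}, "RESTORE"),
        ({"ctstate": ("NEW",), "src": "10.7.1.0/32"}, "SETMARK4"),
        ({"ctstate": ("NEW",)}, "SETMARK1"),
        ({"ctstate": ("NEW",)}, "SETMARK2"),
        ({"ctstate": ("NEW",)}, "SETMARK3"),
        ({"ctstate": ("NEW",)}, "PREBALANCE"),
    ],
    "PREBALANCE": [
        ({"dst": "10.0.0.0/16"}, "RETURN"),
        ({"connmark_not": 0}, "RETURN"),
        ({"ctstate": EST}, "RETURN"),
        ({}, "BALANCE"),
    ],
    "BALANCE": [
        ({"src": "10.7.1.0/32"}, "SETMARK4"),
        ({"prob": 0.31999999983, "connmark": 0}, "SETMARK1"),
        ({"prob": 0.45999999996, "connmark": 0}, "SETMARK2"),
        ({"prob": 1.0, "connmark": 0}, "SETMARK3"),
    ],
}

def matches(m, pkt, rng):
    """True when every match the listing shows for this rule holds."""
    if "ctstate" in m and pkt["ctstate"] not in m["ctstate"]:
        return False
    for field in ("src", "dst"):
        if field in m and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(m[field]):
            return False
    if "connmark" in m and pkt["connmark"] != m["connmark"]:
        return False
    if "connmark_not" in m and pkt["connmark"] == m["connmark_not"]:
        return False
    return "prob" not in m or rng.random() < m["prob"]

def walk(chain, pkt, rng, trace):
    """MARK/CONNMARK do not end traversal: after a SETMARKn chain, the next rule still runs."""
    for m, target in CHAINS[chain]:
        if not matches(m, pkt, rng):
            continue
        if target == "RETURN":
            return
        if target == "RESTORE":
            pkt["mark"] = pkt["connmark"]
        elif target.startswith("SETMARK"):
            pkt["mark"] = pkt["connmark"] = int(target[-1])
            trace.append(target)
        else:
            walk(target, pkt, rng, trace)

def new_connection(src, dst, chain="OUTPUT", seed=0):
    """Return (final mark, SETMARK chains hit) for the first packet of a connection."""
    pkt = {"src": src, "dst": dst, "ctstate": "NEW", "mark": 0, "connmark": 0}
    trace = []
    walk(chain, pkt, random.Random(seed), trace)
    return pkt["mark"], trace

def balance_shares():
    """Effective split produced by the cascaded `statistic` rules in BALANCE."""
    shares, remaining = {}, 1.0
    for m, target in CHAINS["BALANCE"]:
        if "prob" in m:
            shares[target] = remaining * m["prob"]
            remaining -= shares[target]
    return shares

if __name__ == "__main__":
    print(new_connection("10.7.1.0", "203.0.113.10"))             # literal OUTPUT walk
    print(new_connection("10.7.1.0", "203.0.113.10", "BALANCE"))  # BALANCE chain alone
    print(balance_shares())
```

Read this way, the 0x4 mark set for 10.7.1.0 is overwritten to 0x3 by the later SETMARK rules in OUTPUT, while the `connmark match 0x0` guards in BALANCE preserve it. `iptables -L -v -n` or `iptables -S` on the same table shows whether interface matches hidden from the listing change that result.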
