Issue in network routing when load balancing a network system
Trying to Bypass a load Balancer
Our system directs network traffic across a three-way load balancer serving three cellular modems in normal operation. We use a program called speedtest_cli that measures the traffic. The idea is that the test packets will all use the same modem we specify, but it appears this is not so, as I can see traffic on all modems during the test on a more or less idle system. So with the balancing measurements off, our traffic balancing is subpar.
The speed test program allows you to specify an address to generate packets from, but this does not avoid the balancing of its packets which is done by marking network traffic using packet marking according to the load we want, then directing each bundle of marked packets to a particular modem.
To bypass this marking, I wanted to make a fourth style of marking and then direct the speedtest_cli to source its packet from a particular IP address that would be marked differently from the others. Then presumably this bundle could be directed to the modem I want depending on which modem I want to speed test.
Setmark4 is the fourth marking group, which I intend to route to a particular modem during the test, but when I added this marking I got errors starting the test.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
CONNMARK all -- anywhere anywhere ctstate RELATED,ESTABLISHED CONNMARK restore
SETMARK4 all -- anywhere 10.7.1.0 ctstate NEW
SETMARK1 all -- anywhere anywhere ctstate NEW
SETMARK2 all -- anywhere anywhere ctstate NEW
SETMARK3 all -- anywhere anywhere ctstate NEW
PREBALANCE all -- 10.0.0.0/16 anywhere ctstate NEW
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CONNMARK all -- anywhere anywhere ctstate RELATED,ESTABLISHED CONNMARK restore
SETMARK4 all -- 10.7.1.0 anywhere ctstate NEW
SETMARK1 all -- anywhere anywhere ctstate NEW
SETMARK2 all -- anywhere anywhere ctstate NEW
SETMARK3 all -- anywhere anywhere ctstate NEW
PREBALANCE all -- anywhere anywhere ctstate NEW
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1300
CONNMARK all -- anywhere anywhere CONNMARK save
Chain BALANCE (1 references)
target prot opt source destination
SETMARK4 all -- 10.7.1.0 anywhere
SETMARK1 all -- anywhere anywhere statistic mode random probability 0.31999999983 connmark match 0x0
SETMARK2 all -- anywhere anywhere statistic mode random probability 0.45999999996 connmark match 0x0
SETMARK3 all -- anywhere anywhere statistic mode random probability 1.00000000000 connmark match 0x0
Chain PREBALANCE (2 references)
target prot opt source destination
RETURN all -- anywhere 10.0.0.0/16
RETURN all -- anywhere anywhere connmark match ! 0x0
RETURN all -- anywhere anywhere ctstate RELATED,ESTABLISHED
BALANCE all -- anywhere anywhere
Chain SETMARK1 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x1
MARK all -- anywhere anywhere MARK set 0x1
Chain SETMARK2 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x2
MARK all -- anywhere anywhere MARK set 0x2
Chain SETMARK3 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x3
MARK all -- anywhere anywhere MARK set 0x3
Chain SETMARK4 (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK set 0x4
MARK all -- anywhere anywhere MARK set 0x4
[root@localhost ~]#
I had been creating the address to source from by hooking it to a dummy interface using ip addr add. This worked before I added the fourth packet marking group, but afterward I get an error saying that the IP cannot access the outside world. Pinging the new IP address also does not work.
Is there something off with the marking table change that causes this? Or is there a better way to allow a particular set up source address to bypass the BALANCE and be directed to a particular outgoing interface?
linux networking iptables
asked 6 hours ago
Chris Smith
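An added example, not part of the original post: a Python model of the BALANCE chain exactly as printed in the question, computing the share of new connections each mark receives. It assumes every rule matches only on the fields visible in the listing (`iptables -L` without `-v` hides interface matches), and the source addresses other than 10.7.1.0 are constructed.

```python
from fractions import Fraction
from ipaddress import ip_address, ip_network

# BALANCE chain as printed in the question:
# (mark set by SETMARKn, source match, statistic probability, requires connmark 0x0)
# Assumption: rules match only on the fields shown in the listing.
BALANCE = [
    (0x4, "10.7.1.0", None, False),
    (0x1, None, Fraction("0.31999999983"), True),
    (0x2, None, Fraction("0.45999999996"), True),
    (0x3, None, Fraction(1), True),
]


def mark_distribution(src, chain=BALANCE):
    """Exact probability of each final connmark for a NEW connection from src."""
    states = {0: Fraction(1)}  # connmark value -> probability mass
    for mark, source, prob, need_unmarked in chain:
        # A source printed without a prefix length is a single host (/32).
        if source is not None and ip_address(src) not in ip_network(source):
            continue
        nxt = {}
        for connmark, mass in states.items():
            if need_unmarked and connmark != 0:
                hit = Fraction(0)  # "connmark match 0x0" fails once a mark is set
            else:
                hit = mass * (prob if prob is not None else 1)
            # SETMARKn sets MARK and CONNMARK, then traversal continues in BALANCE,
            # so later rules are still evaluated against the new connmark.
            if hit:
                nxt[mark] = nxt.get(mark, 0) + hit
            if mass - hit:
                nxt[connmark] = nxt.get(connmark, 0) + (mass - hit)
        states = nxt
    return states


if __name__ == "__main__":
    for src in ("192.0.2.10", "10.7.1.0", "10.7.1.5"):  # constructed test sources
        shares = {hex(m): round(float(p), 4) for m, p in mark_distribution(src).items()}
        print(src, shares)
```

Because each later rule only sees connections the earlier ones left unmarked, the printed probabilities are conditional, not the final per-modem shares.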