[LINUX] Policy-based routing on machines with multiple NICs

Introduction

I specialize in databases, especially PostgreSQL (?), But if requested, I also set up the network while studying with a sticker. This time, for a Linux machine with multiple NICs, a machine with only one NIC will communicate with both NICs.

What does that mean

Please see the following figure. 001.png

The blue LAN is the segment of 192.168.10.0/24 and the green LAN is the segment of 192.168.20.0/24.

Machine A has two NICs, each of which is connected to blue and green.

Machine B has only one NIC and is only connected to the green LAN.

In other words, with this network configuration, we want to do something like the following figure.

002.png

Asymmetric routing

Actually, with this network configuration, I can't do what I want to do. Even if I skip the ping, it doesn't come back. Why does that happen? Describes what happens to the communication from machine B to machine A.

First, Machine B doesn't know where the IP address "192.168.10.2" is not on the same segment. In such a case, go to the default gateway for inquiry.

0003.png

The gateway relays from the routing information to the network at the destination address.

004.png

When it reaches machine A, machine A tries to reply from NIC0, which is the same segment as the green segment to which the source machine B is connected, instead of the received NIC1. ** ** 005.png

If you reply from NIC0, the received route and the transmitted route will be different ** asymmetric routing **. And Linux prohibits this by default, and no reply is returned to machine B.

Two measures

There are two possible countermeasures.

Allow asymmetric routing

One is to allow asymmetric routing. However, asymmetric routing can spoof the machine, so it's a good idea to allow it. I won't cover how to do this in this article, but if you want to allow it, try searching for ** rp_filter **.

Set static routing

Click here for the favorite of this article. In short, what's wrong with the behavior of machine A is that it was received by NIC1 but is trying to reply from NIC0. Then, if it is received by NIC1, you can force it to return from NIC1. The setting method is ** static routing **.

Static routing setting procedure

I would like to set up something called policy-based routing.

Add to routing table file

Add the following two lines to / etc / iproute2 / rt_tables.

100     rule01
101     rule02

Create a rule file

Under the / etc / sysconfig / network-scripts directory, create a rule file to apply to each of the NIC0 and NIC1 interfaces.

# vi rule-nic0
from 192.168.20.2/32 table rule02 priority 200
# vi rule-nic1
from 192.168.10.2/32 table rule01 priority 100

Create a routing file

Also under the / etc / sysconfig / network-scripts directory, create a routing file to apply to each of the NIC0 and NIC1 interfaces.

# vi route-nic0
192.168.20.0/24 dev nic0 table rule02
default via 192.168.20.254 dev nic0 table rule02
# vi route-nic1
192.168.10.0/24 dev nic1 table rule01
default via 192.168.10.254 dev nic1 table rule01

Reboot the network

# systemctl restart network

Now, if the settings are correct, you should be able to achieve your original purpose! Thank you for your hard work!

Digression

Please see the following figure.

006.png

Such communication is within the same segment and can be done without any problems. Apart from that, you may be wondering if Machine A has been reached and you need to bother to communicate from a different network segment.

** I think so too. ** **

But ** I have no choice but to do it if I'm told to do it. ** **

It is still a mystery even after it is over, what kind of purpose was done to do such a thing.

Recommended Posts

Policy-based routing on machines with multiple NICs
Multiple selections with Jupyter
Multiple file processing with Kivy + Matplotlib + Draw Graph on GUI