ping question
Hello everyone
I have a machine that is connected to two different ISPs. One of them is currently my default GW, the other one is unused. I need to constantly ping a known internet host (e.g. google) through each of these ISPs. I was pretty confident that a script that loops through 'ping -I interface_1 8.8.8.8' and 'ping -I interface_2 8.8.8.8' would do the job. But it turned out that my ping always transmits packets from the egress interface (the one that has the default route configured). This is useless for me - I cannot change the default gateway every time the loop continues. My internet connection would suffer greatly from this.

How can I ping an internet host from two different interfaces?

Thank you in advance,
Simeon

PS. I am using OpenBSD 4.9, if this makes any difference.

Maybe some trick with pf would do the job?
Last edited by zealer; 10th November 2011 at 04:10 PM.

You're going to have to add a route for the second NIC, I think, or set up ECMP as per FAQ 6.14.
See http://marc.info/?l=openbsd-misc&m=112672120932213 from 2005.

Edited later to add: You may find the route-to PF rule option helpful for outbound ICMP echo requests. It should override the default route, though I am not certain. I've never used it. My personal choice would be to just use multipath routing and ifstated(8).

Last edited by jggimi; 10th November 2011 at 04:43 PM. Reason: bunches of edits

Thank you again, jggimi
I am concerned about the ECMP, because the machine also does NAT for the network behind it, i.e. each time my BSD decides to use the other route, it will NAT with a different source address on the outgoing packets. I am afraid this will not be good, as users behind the NAT need a good and persistent connection. I tried reading RFC 2992 for ECMP and there is something like a statement that the hash threshold method will keep TCP connections' routes persistent, but I am not sure about it. I will try reading the bpf man, although I got scared when I looked at the manual.

Thank you again jggimi, please feel free to share any other thoughts you might have here. Thanks!

Hmmm.... I've never tested ECMP with NAT; for all I know it works just fine.
If not, perhaps PF's NAT address pools can be used to provide the appropriate NAT connectivity?

There's an example configuration (and much discussion, before and after) in this thread on misc@...
http://marc.info/?t=128277520600001&r=1&w=2

I must thank you, jggimi
I played around with pf + ECMP and actually I even have a better solution now. My first idea was to have a single ISP as GW, and constantly monitor both of the ISPs in case one of them goes down. If it was my primary, then I wanted to change it to the other one. But this is not worth the cost - I found the wonderful PF load-balancing, and now I set all my internal traffic to flow through both of the ISPs. One problem is that if one of the ISPs loses internet connection, the load-balancing still throws half of the connections into a black hole. Pings from the BSD itself did not work (no route to host: I have not set a primary route), so I added both of them as an ECMP route. This way I could use the -I parameter correctly. And the ECMP is only for the pings - all other connections coming from the internal networks are explicitly routed to only one of the primary routes. I don't know if anyone understood me, but for now I think it is a good idea.

Now I see denta's answer too. AWESOME!! It looks just like the thing I was looking for, now I can experiment a lot more! Thanks denta, thanks jggimi, I learned some very useful (and probably very basic also) things from you two today. Can't wait to apply this new knowledge into some pseudo-practice. I'll work & read on these topics and get back to you if I run into trouble. Thanks!

OpenBSD has an awesome feature called routing domains that might be usable in your scenario.
Let's say you wish to send pings through interface if_2 (which has ip address a.b.c.d), while your default route is through interface if_1. Try the following:
Code:
# ifconfig if_2 rdomain 1
# route -T 1 add 0.0.0.0/0 a.b.c.d
Now, to use the new routing domain:
Code:
# route -T 1 exec ping <whatever host you needed to ping>
Last edited by denta; 10th November 2011 at 09:23 PM.

Denta, your suggestion of using rdomain is one I had not thought of. They're relatively new, and something I have not yet experimented with. Excellent idea!
The OpenBSD Journal recently highlighted Joel Knight's article about rdomains, Virtualizing the OpenBSD Routing Table. Here's a link to the former, which has commentary and a link to the latter: http://undeadly.org/cgi?action=artic...panded&count=2

Yes, that's the article that got me started playing around with rdomains too!

Hi guys,
I ran into a problem. I did set up an rdomain for one of the interfaces. Now ping to anywhere works from the desired interface. But there is a problem. As I already mentioned, I have two interfaces connecting to two ISPs. Both are UP, but there is a problem: after I set one of the interfaces in rdomain1, I can no longer SSH to that address. SSH only works on the other interface, which is still in rdomain0. I tried even connecting from the BSD to itself on the problematic interface; I get an instant connection refused. The problem is not in the IP address or in pf, as I tried reproducing on a VM here and got the same result (the interface that I set in rdomain1 is directly connected to the PC). Even with pfctl turned off, the ssh session is still refused.

No luck with my searches... rdomains are poorly documented. I read up the link referring to rdomain setup, but it did not help me with the ssh thing. I did find... something... that was pretty much my only 'finding': OBSD 4.7 release notes: "Make it possible to set the rdomain in ssh(1)/sftp(1)/scp(1)/sshd(8)". There is nothing regarding rdomains in the ssh man though; I couldn't find any more info about this.

Any ideas?

Thanks,
Simeon

Last edited by zealer; 14th November 2011 at 12:18 AM. Reason: add some info

Quote:
If you feel you have thoroughly exhausted all avenues for finding answers (source code?), post a thorough explanation on the misc@ mailing list. For those that have done their homework, misc@ can be a useful & illuminating resource.

Thanks ocicat, I will carry on with this knowledge from now on.
jggimi, I tried this, but got no luck. Besides, I ping from a machine which is unaware of routing domains.

My current test env is:
192.168.2.100 - my PC
192.168.2.200 - virtual OBSD with all interfaces set to down, except vic2, which is UP and RUNNING, in rdomain1.

Everything looks fine on the .200 BSD... but it's not working. All code in this post is taken from the 192.168.2.200 BSD:
Code:
#pfctl -d
pfctl: pf not enabled
#netstat -T 1 -r -n
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
192.168.2/24       link#3             UC         2        0     -     4 vic2
192.168.2.100      e0:2a:82:e2:30:dd  UHLc       0        2     -     4 vic2
192.168.2.202      00:0c:29:eb:cf:c2  UHLc       0        0     -     4 vic2
#
#ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100): 56 data bytes
64 bytes from 192.168.2.100: icmp_seq=0 ttl=127 time=0.824 ms
64 bytes from 192.168.2.100: icmp_seq=1 ttl=127 time=0.766 ms
--- 192.168.2.100 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.766/0.795/0.824/0.029 ms
#
#ssh -vvv -p 1234 192.168.2.200
OpenSSH_5.8, OpenSSL 1.0.0a 1 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.2.200 [192.168.2.200] port 1234.
debug1: connect to address 192.168.2.200 port 1234: Connection refused
ssh: connect to host 192.168.2.200 port 1234: Connection refused
#
Ping is working back and forth, no problems with that. sshd w/ max level of debug on the target does not even indicate any attempt to initiate the session:
Code:
#/usr/sbin/sshd -p1234 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 145
debug2: parse_server_config: config /etc/ssh/sshd_config len 145
debug3: /etc/ssh/sshd_config:99 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_5.8
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p1234'
debug1: rexec_argv[2]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 1234 on ::.
Server listening on :: port 1234.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Code:
#tcpdump -veni vic2
18:47:57.804226 e0:2a:82:e2:30:dd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.2.200 tell 192.168.2.100
18:47:57.804763 00:0c:29:5e:0c:c4 e0:2a:82:e2:30:dd 0806 60: arp reply 192.168.2.200 is-at 00:0c:29:5e:0c:c4
18:47:57.804919 e0:2a:82:e2:30:dd 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6748, len 52)
18:47:57.806808 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60075: R [tcp sum ok] 0:0(0) ack 3262175013 win 0 (DF) (ttl 63, id 43637, len 40)
18:47:57.806831 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60075: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 61113, len 40)
18:47:57.806842 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60075: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 11333, len 40)
18:47:57.806853 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60086: R [tcp sum ok] 0:0(0) ack 3947530111 win 0 (DF) (ttl 63, id 57706, len 40)
[...]
18:47:58.304057 e0:2a:82:e2:30:dd 00:0c:29:eb:cf:c2 0800 66: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6752, len 52)
18:47:58.304076 00:0c:29:eb:cf:c2 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 127, id 6752, len 52)
18:47:58.304084 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 70: 192.168.2.202 > 192.168.2.100: icmp: redirect 192.168.2.200 to host 192.168.2.200 (ttl 255, id 59465, len 56)
18:47:58.304878 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60086: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 30479, len 40)
18:47:58.803248 e0:2a:82:e2:30:dd 00:0c:29:eb:cf:c2 0800 62: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 6754, len 48)
18:47:58.803327 00:0c:29:eb:cf:c2 00:0c:29:5e:0c:c4 0800 62: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 127, id 6754, len 48)
18:47:58.803335 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 70: 192.168.2.202 > 192.168.2.100: icmp: redirect 192.168.2.200 to host 192.168.2.200 (ttl 255, id 1638, len 56)
18:47:58.803683 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60086: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 8998, len 40)
Code:
#tcpdump -veni vic2
18:53:35.675038 e0:2a:82:e2:30:dd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.2.200 tell 192.168.2.100
18:53:35.675264 00:0c:29:5e:0c:c4 e0:2a:82:e2:30:dd 0806 60: arp reply 192.168.2.200 is-at 00:0c:29:5e:0c:c4
18:53:35.675399 e0:2a:82:e2:30:dd 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60152 > 192.168.2.200.1234: S [tcp sum ok] 1013717570:1013717570(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 7473, len 52)
18:53:38.674506 e0:2a:82:e2:30:dd 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60152 > 192.168.2.200.1234: S [tcp sum ok] 1013717570:1013717570(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 7485, len 52)
192.168.2.200, as an SSH client, is connecting with no problems to other machines. But it does not accept any incoming connections. Can you help me figure out how to overcome this?

The only thing that comes to my mind is that, by default, the rdomain1 routing table is not used at all. My first attempts to ping 192.168.2.200 were failing, until I typed "ping -V 1 192.168.2.200". Since then, pings succeed even without the -V. But this may be because arp requests are sent to rdomain 0 by default.

Thank you in advance for your help,
Simeon

OK, i figured it out.
In case anyone is interested: sshd should first be started in rdomain1. This can be done with the following:
#route -T 1 exec ksh
#/usr/sbin/sshd -dddp 1234
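The monitoring loop zealer asked for in the first post, written against denta's rdomain recipe and the sshd-in-rdomain fix from the last post, as an added example that is not code from this thread or from OpenBSD. Assumptions: the second uplink lives in rdomain 1 and the first stays in the default table, the probe host is the 8.8.8.8 from the first post, and the uplink labels isp1/isp2, the if_2 / a.b.c.d placeholders and port 1234 are taken over from the posts above. The probe is entered with "route -T N exec", exactly as denta showed; on OpenBSD 4.9 "ping -V 1" (which zealer used later in the thread) would be an equivalent way to pick the routing table for ping alone.

```shell
#!/bin/sh
# Added example, not code from the thread: probe each ISP uplink of an
# OpenBSD router through its own routing domain, following denta's
# "route -T <rdomain> exec" recipe, and report which uplink is up.
# Placeholders (assumptions): rdomain 1 for the second uplink, the probe
# host 8.8.8.8 from the first post, and the uplink names isp1/isp2.

PROBE_HOST="${PROBE_HOST:-8.8.8.8}"   # well-known host to ping
PING_COUNT=3                          # echo requests per probe
MAX_LOSS=50                           # percent; more than this counts as down

# One-time setup, run as root, mirroring denta's post: move the second
# uplink interface into rdomain 1 and give that domain a default route.
# Placeholders: if_2 for the interface, a.b.c.d for the gateway address.
setup_rdomain() {
    rd=$1; ifc=$2; gw=$3
    ifconfig "$ifc" rdomain "$rd" || return 1
    route -T "$rd" add 0.0.0.0/0 "$gw"
}

# Start sshd inside a routing domain so it listens on the address that
# lives there (the fix zealer found: "route -T 1 exec ksh", then sshd).
# Placeholder port 1234 as used in the thread.
start_sshd_in_rdomain() {
    rd=$1; port=${2:-1234}
    route -T "$rd" exec /usr/sbin/sshd -p "$port"
}

# Build the probe command for a routing domain.  rdomain 0 is the default
# table, so plain ping is enough; any other domain is entered with
# "route -T N exec", exactly as denta's post shows.
probe_cmd() {
    rd=$1; host=$2
    if [ "$rd" -eq 0 ]; then
        printf 'ping -c %s %s\n' "$PING_COUNT" "$host"
    else
        printf 'route -T %s exec ping -c %s %s\n' "$rd" "$PING_COUNT" "$host"
    fi
}

# Pull the loss percentage out of ping's summary line on stdin, e.g.
# "2 packets transmitted, 2 packets received, 0.0% packet loss" -> 0.0
parse_loss() {
    sed -n 's/.*, \([0-9.]*\)% packet loss.*/\1/p'
}

# Classify a loss figure: "up" when at most MAX_LOSS percent was lost,
# "down" otherwise.  An empty figure means ping printed no summary at all
# (e.g. "no route to host" before the rdomain/ECMP route existed).
link_state() {
    loss=$1
    if [ -z "$loss" ]; then
        echo down
    elif [ "${loss%%.*}" -le "$MAX_LOSS" ]; then
        echo up
    else
        echo down
    fi
}

# Probe one uplink and print "<name> <state> <loss>%".
check_uplink() {
    name=$1; rd=$2
    out=$(eval "$(probe_cmd "$rd" "$PROBE_HOST")" 2>/dev/null)
    loss=$(printf '%s\n' "$out" | parse_loss)
    printf '%s %s %s%%\n' "$name" "$(link_state "$loss")" "${loss:-100}"
}

main() {
    check_uplink isp1 0   # primary uplink: default routing table
    check_uplink isp2 1   # secondary uplink: rdomain 1
}

# Only probe when invoked as "sh uplinkmon.sh check" (e.g. from cron), so
# the functions can be sourced for testing without sending any packets.
case "${1:-}" in
    check) main ;;
esac
```

Run it as root with "sh uplinkmon.sh check" from cron and act on a "down" line (for example by removing that ISP from the PF load-balancing pool zealer described). Because each ping is executed inside the uplink's own routing domain, the result reflects that ISP's path regardless of which table holds the default route, which is what the -I approach in the first post could not guarantee.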