Fault Tolerant Routing with Alpine Linux: Difference between revisions
m (→Initial Setup: clarify) |
m (added note re: rp_filter) |
||
Line 48: | Line 48: | ||
Next, turn them into simple routers by enabling ip forwarding (do this on each box): | Next, turn them into simple routers by enabling ip forwarding (do this on each box): | ||
echo 1 >> /proc/sys/net/ipv4/ip_forward | echo 1 >> /proc/sys/net/ipv4/ip_forward | ||
If you follow the ucarp section below, you'll also need to disable rp_filter (RFC3704 Ingress Filtering). Since this howto is designed for an internal router this should (or might not) be acceptable. Available options for this setting can be viewed at http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/networking/ip-sysctl.txt;hb=HEAD#l855. | |||
echo 0 >> /proc/sys/net/ipv4/conf/all/rp_filter | |||
== Install and start ucarp == | == Install and start ucarp == | ||
Line 110: | Line 113: | ||
* Do the above steps for each router | * Do the above steps for each router | ||
At this point, you should have connectivity from your border router through to hosts on the internal subnets. | At this point, you should have connectivity from your border router through to hosts on the internal subnets, and hosts on your subnets should be able to ping all interfaces on each router. | ||
{{Tip|Next section to be added will be for adding firewall rules to control traffic between the internal subnets and out to the border router}} | {{Tip|Next section to be added will be for adding firewall rules to control traffic between the internal subnets and out to the border router}} |
Revision as of 22:51, 18 July 2011
This material is work-in-progress ... Do not follow instructions here until this notice is removed. |
This document will explain how to setup a fault-tolerant router using Alpine Linux. It has been tested using Alpine Linux 2.2.2.
Hardware and Network Setup
The network used in this example is as follows:
- Will run (at least initially) IPv4
- Pre-existing border router that NATs from public IP(s) to the 10.0.0.0/8 network and has the address 10.0.0.1/24 on the transit network
- The border router will have a default route to the internal network via 10.0.0.2 (the virtual IP address of the routers being setup in this doc)
- A transit network between the border router and the fault-tolerant routers in this document will be on 10.0.0.0/24
- The routers will also connect several internal subnets on the network:
- 10.0.1.0/24
- 10.0.2.0/24
- 10.0.3.0/24
- It's assumed that 10.0.0.0/24 and 10.0.1.0/24 are connected via dedicated interfaces (eth0 and eth1, respectively), while 10.0.2.0/24 and 10.0.3.0/24 share an interface(eth2), but traffic is segregated using 802.1q vlan tagging, with 10.0.2.0/24 using vlan id 2, and 10.0.3.0/24 using vlan id 3.
- Finally, all computers in subnets 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 are setup with a default gateway of 10.0.x.1
Two computers will be needed, with at three NICs in them (more if you are connecting more network segments together), and they will act as routers.
Initial Setup
First, setup Alpine on a USB key or CF card on both computers. Connect both computers initially to 10.0.0.0/24, and assign them ip addresses of 10.0.0.3/24 and 10.0.0.4/24 (for router1 and router2, respectively). Ensure that both machines are pingable.
Next, connect them both to 10.0.1.0/24, and assign them ip addresses of 10.0.1.2/24 and 10.0.1.3/24, respectively. Ensure that they can also ping each other.
Finally, get the last two networks connected (the ip addresses given are for router1, and these steps should be performed on router2 as well):
modprobe 8021q echo "8021q" >> /etc/modules cat >> /etc/network/interfaces << EOF auto eth2 iface eth2 inet manual up ip link set eth2 up up ifup eth2.2 || true up ifup eth2.3 || true down ifdown eth2.3 || true down ifdown eth2.2 || true down ip link set dev eth2 down iface eth2.2 inet static pre-up vconfig add eth2 2 address 10.0.2.2 netmask 255.255.255.0 post-down vconfig rem $IFACE iface eth2.3 inet static pre-up vconfig add eth2 3 address 10.0.3.2 netmask 255.255.255.0 post-down vconfig rem $IFACE EOF
Test that you can also ping between these interfaces.
Start ip forwarding
Next, turn them into simple routers by enabling ip forwarding (do this on each box):
echo 1 >> /proc/sys/net/ipv4/ip_forward
If you follow the ucarp section below, you'll also need to disable rp_filter (RFC3704 Ingress Filtering). Since this howto is designed for an internal router this should (or might not) be acceptable. Available options for this setting can be viewed at http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/networking/ip-sysctl.txt;hb=HEAD#l855.
echo 0 >> /proc/sys/net/ipv4/conf/all/rp_filter
Install and start ucarp
Ucarp will provide a virtual IP address for each subnet that the routers will share. That way, if either router fails, network connectivity stays up.
- Copy the scripts for each the interface:
apk add ucarp ln -s /etc/init.d/ucarp /etc/init.d/ucarp.eth0 ln -s /etc/init.d/ucarp /etc/init.d/ucarp.eth1 ln -s /etc/init.d/ucarp /etc/init.d/ucarp.eth2.2 ln -s /etc/init.d/ucarp /etc/init.d/ucarp.eth2.3 cp /etc/conf.d/ucarp /etc/conf.d/ucarp.eth0 cp /etc/conf.d/ucarp /etc/conf.d/ucarp.eth1 cp /etc/conf.d/ucarp /etc/conf.d/ucarp.eth2.2 cp /etc/conf.d/ucarp /etc/conf.d/ucarp.eth2.3
- edit the /etc/conf/ucarp.eth0 file:
REALIP= VHID=1 VIP=10.0.0.2 PASSWORD=Password
- edit the /etc/conf/ucarp.eth1 file:
REALIP= VHID=2 VIP=10.0.1.1 PASSWORD=Password
- edit the /etc/conf/ucarp.eth2.2 file:
REALIP= VHID=3 VIP=10.0.2.1 PASSWORD=Password
- edit the /etc/conf/ucarp.eth2.3 file:
REALIP= VHID=4 VIP=10.0.3.1 PASSWORD=Password
- Create etc/ucarp/vip-up-eth0.sh (and copy this script for each interface: vip-up-eth1.sh, vip-up-eth2.2.sh, vip-up-eth2.3.sh):
#!/bin/sh # Add the VIP address ip addr add $2/24 dev $1 for a in 330 440 550; do beep -f $a -l 100; done
- Create /etc/ucarp/vip-down-eth0.sh (and copy this script for each interface: vip-down-eth1.sh, vip-down-eth2.2.sh, vip-down-eth2.3.sh):
#!/bin/sh # Remove the VIP address ip addr del $2/24 dev $1 for a in 550 440 330; do beep -f $a -l 100; done
- Make the scripts executable
chmod +x /etc/ucarp/*.sh
- Start ucarp and save the changes
rc-update add ucarp.eth0 rc-update add ucarp.eth1 rc-update add ucarp.eth2.2 rc-update add ucarp.eth2.3 /etc/init.d/ucarp.eth0 start /etc/init.d/ucarp.eth1 start /etc/init.d/ucarp.eth2.2 start /etc/init.d/ucarp.eth2.3 start lbu commit
- Do the above steps for each router
At this point, you should have connectivity from your border router through to hosts on the internal subnets, and hosts on your subnets should be able to ping all interfaces on each router.