Differences
This shows you the differences between two versions of the page.
inbox:doc:multiple_wan_multiple_routers [2016/04/06 12:57] – [Concept: using less redirection] DorisLane
docs:guide-user:network:wan:multiple_wan_multiple_routers [2018/03/04 11:16] – ↷ Page moved from inbox:doc:multiple_wan_multiple_routers to docs:guide-user:network:wan:multiple_wan_multiple_routers bobafetthotmail
====== Using multiple wan with multiple routers ======
===== Problem =====
The scenario is this: we have two or more routers, and every router has one active wan
connection providing **one** public ip address.
Every router is connected to the same internal network (from now on called the **lan**),
and in the lan there are servers providing services. We want to be able to
reach those services from every wan (so that if one wan is down, we can use
another wan connection to reach the services).
For now load balancing and similar features are not required: we want availability.

===== Assumptions =====
The connection from the ISP does not block any port.

===== Concept: using a lot of redirections on the main gateway =====
The scenario is the following:
<code>
router1 / lan gateway <
<
<
...
<
</code>
We don't want to add configuration to the machines in the lan,
therefore every machine in the lan keeps using router1 as its gateway.

What we have to do is treat every additional router as a secondary gateway,
one that only router1 will use, even if we keep every router connected to the lan
(for a fast switch in case router1 gives up). To do this we can observe that,
with the tools available today, we can simply add further ip addresses on the same interface.

Therefore, if the lan interface has 192.168.1.1, we add
an additional ip address on the same interface used for the lan
(search for "interface alias" in this wiki).
For example router1 has 192.168.1.1 and will also have 172.16.1.1 on the same
interface; router2 can have 192.168.1.2 and 172.16.1.2, and so on.
In this way we are creating, just with ip addresses, two logical networks on the same
lan cabling: the one of 192.168.1.1 (the lan proper) and the one of 172.16.1.1 (used only between the routers).

With the network between the routers defined, we can work with redirects. If I want to reach the
rdp service 192.168.1.50:3389 from outside, port 3389 has to be exposed
on every wan interface.
On router1 I will set up a rule like: "From the wan zone, if the
packet wants to reach the destination port 3389, do a DNAT redirect to the ip
192.168.1.50". Therefore a packet arriving at port 3389 on the wan address
of router1 will be rewritten to 192.168.1.50:3389.

The same on router2, router3 and so on, but with one difference.
Since the gateway of the lan (that is, the ip the lan hosts send packets to when
the destination is not directly known) is router1,
we have to redirect the packets to router1; therefore we will write rules like:
"From the wan zone, if the packet wants to reach the destination port 3389, do a DNAT redirect to the ip
172.16.1.1".

In this way, whatever request is coming from the wan will be sent to the gateway of the lan.
On router1 we have to redirect those already redirected requests to the proper lan computer.
So on router1 we have to add the redirect: "if a packet is coming from router2 (the router at 172.16.1.2) and
wants to reach the destination port 3389, do a DNAT redirect to the ip
192.168.1.50 and mark the connection with the mark router2"
(the same for every other router: packets from 172.16.1.2 get the mark router2,
packets from 172.16.1.3 get the mark router3, and so on).
Note that router2 only rewrote the destination, so the ip source of the packet is still the
Internet client: router1 has to recognise the forwarding router by something else, such as
the Ethernet source address of router2's lan interface, not by the ip source 172.16.1.2.

Why do we need to mark the connection? Because the response from 192.168.1.50:3389 has to go back through
the same wan connection (therefore the same router), otherwise the connection is disrupted (because, in terms
of wan addresses, the request went to the wan address of router2, for example,
and the client does not expect a response from the wan address of router1).
If we keep track of the connection we can route the packets of that connection properly,
because the mark tells us which router the connection came in through.

So when the response from 192.168.1.50:3389 comes back to router1, router1 recognizes
the connection, and so we have to add an additional rule:
"if something is coming from the lan network of 192.168.1.0 and belongs to a connection marked router2,
then mark the packet with the routing mark ToRouter2".

Why do we need the routing mark? To use the other routers as gateways, **but only as seen by router1**.
So, for every additional router in the lan network, we need a routing mark as described above.

Finally, we need the routing rule, which says:
"if the packet wants to go to 0.0.0.0/0 (the wan network, even if that is not very accurate),
and has the routing mark router2, the gateway is 172.16.1.2 and the metric is 10".

And this has to be done for every other router.

Unmarked packets must keep using the default route of router1, because router1 itself is able to talk
directly with the wan network. Note that this is decided by the routing rule matching on the mark, not by
the metric: the rule for marked packets has to be consulted before the ordinary default route
(on Linux, a rule with a lower priority number than the main table lookup), otherwise a marked reply
would already have left through router1's own wan. The metric only orders routes inside the same routing table.

In this way a packet of a certain connection coming from the wan address of router2 will
make the following trip:
<code>
to wan_address_router2:3389 -->
router2 -->
redirect to 172.16.1.1:3389 -->
router1 -->
mark connection as "router2" --> redirect to 192.168.1.50:3389 -->
response from 192.168.1.50:3389 -->
router1 -->
recognize the connection marked as "router2" --> set the routing mark ToRouter2 -->
choose the routing rule that matches because there is the routing mark -->
to 172.16.1.2 -->
router2 -->
to wan
</code>
==== Drawbacks ====
The drawback is that for every service using a port
we have to set a redirect on router1, router2, router3 and so on,
plus we have to set a redirect on router1 for every other router,
plus a rule for connection marking and a routing rule.

That is quite a lot of work if there are several services.
There should be leaner methods and we should investigate them.

===== Concept: using less redirection =====
to write

===== Implementation on openwrt =====
to write