perfsonar-user - Re: [perfsonar-user] Routing?
Subject: perfSONAR User Q&A and Other Discussion
- From: Brian Candler
- To: Peter Laws
- Subject: Re: [perfsonar-user] Routing?
- Date: Mon, 29 Feb 2016 14:00:28 +0000
On 26/02/2016 22:58, Peter Laws wrote:
> I've finally got my node properly configured and I've got both inside
> and outside interfaces on it. I realized today (after it was pointed
> out to me :) that I didn't have routing quite right on the inside. I
> added the usual /etc/sysconfig/network-scripts/route-eth0 entries all
> appears well ... but then I came across this
> <http://docs.perfsonar.net/manage_dual_xface.html#host-routing-table-configuration>
> that wants me to use the
> /opt/perfsonar_ps/toolkit/scripts/mod_interface_route command instead.
> Do I need to do that? Or will the regular CentOS (6.7) way be OK?

Depends on what you are trying to achieve, and what your network looks like.
Let's say you have this:
    RTR
     | 192.0.2.1
     |
     | 192.0.2.10 (public)
    +-+
    | | perfsonar node
    +-+
     | 10.0.0.10 (private)
     |
     | 10.0.0.1
    RTR
You have a default route pointing to 192.0.2.1, and static routes pointing to all internal addresses (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via 10.0.0.1.
That will work fine from a routing point of view, since you know that if anyone sends a packet to the 10.0.0.10 address, it must have come from another private address; and therefore the response will be sent to a private address, and so the response will follow those static routes.
(Bear in mind, of course, that anyone who breaks into your Perfsonar node from the outside network will then have full rein over your internal network - if someone else is responsible for network security policy in your network you may make them very unhappy by bypassing their firewall. Personally I'd prefer to build two separate Perfsonar nodes, although if you can connect to a private net which is on the 'outside' of your normal firewall that would be OK.)
Where it breaks down is if you have, say, this:
    RTR
     | 192.0.2.1
     |
     | 192.0.2.10 (for owamp)
    +-+
    | | perfsonar node
    +-+
     | 192.0.2.20 (for iperf)
     |
     | 192.0.2.17
    RTR
Anyone on the Internet should be able to reach you on either interface. You can't simply have two default routes though - well you can, but it won't work the way you expect. What you want is that if someone sends you a packet to address 192.0.2.10, the response you send (with source 192.0.2.10) will go out of the top interface; but conversely, if someone sends you a packet to address 192.0.2.20, the response will go out of the bottom interface.
This requires policy routing, and that's what the magic scripts are for.
Regards,
Brian.
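
Added example, not part of the original message and not the perfSONAR toolkit's mod_interface_route script: one way to express the source-based policy routing described for the second diagram, using standard iproute2 commands. The addresses and gateways come from the diagram; the interface names (eth0, eth1), the table numbers (100, 200) and the /28 prefixes are assumptions.

```shell
#!/bin/sh
# Added example: source-based policy routing for a host with two publicly
# reachable interfaces. Assumed values: eth0/eth1, tables 100/200, /28 prefixes.

# policy_route_cmds DEV ADDR GATEWAY PREFIX TABLE
# Prints the commands that make replies sourced from ADDR leave via DEV.
policy_route_cmds() {
    dev=$1 addr=$2 gw=$3 prefix=$4 table=$5
    # Connected subnet, so on-link hosts are answered directly.
    echo "ip route add $prefix dev $dev src $addr table $table"
    # Per-interface default route, consulted only through the rule below.
    echo "ip route add default via $gw dev $dev table $table"
    # Select this table whenever the packet's source address is ADDR.
    echo "ip rule add from $addr/32 table $table priority $table"
}

# all_cmds: the full command list for the two-interface diagram.
all_cmds() {
    policy_route_cmds eth0 192.0.2.10 192.0.2.1  192.0.2.0/28  100
    policy_route_cmds eth1 192.0.2.20 192.0.2.17 192.0.2.16/28 200
}

# run: dry run by default (prints the commands);
# set APPLY=1 and run as root to execute each one.
run() {
    all_cmds | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

run
```

After applying, `ip rule show` and `ip route get 198.51.100.1 from 192.0.2.20` (a documentation address used as a constructed test destination) show which table and interface a reply from each source address will use.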