Multi-home Linux Server Routing Issues

Discussion in 'HOWTO-Related Questions' started by agent2476, Jun 6, 2021.

  1. agent2476

    agent2476 New Member

    Fellow Members,

    I am seeking some help with solving a routing problem I’m having with Ubuntu (described in the next section). Figure 1, below, shows an example of the network configuration. I will use this diagram as a reference for my explanation. VLAN 2 is for server management. Traffic sent over VLAN 2 can reach the internet. So things such as server updates and application downloading can take place. Additionally, when I want to manage the server, I will also connect from VLAN 2. VLAN 1 is an isolated network. The NGFW provides DHCP and DNS (static entries for that network). No host on VLAN 1 can reach the internet nor communicate with other VLANs.
    Figure 1: Example network diagram

    The Problem
    I tried setting up this configuration with Ubuntu Server and got a ton of packet loss. After examining the traffic on both eth0 and eth1 using tcpdump, I noticed packets are being routed over the wrong interface. For example, if I ping the server from VLAN 2, the echo replies are being sent back via eth0 (VLAN 1). This means the firewall will drop the packets because they are not returning from the expected network. I tried defining routing rules to return traffic to the correct network, but no success so far.

    The Outcome I Want
    1. I want traffic originating from VLAN 1 (eth0) to return via that interface.
    2. The same should be true for VLAN 2. Traffic originating from VLAN 2 should return via eth1.
    3. The operating system should use VLAN 2 as its default network for local traffic (this part seems to work ok).
    How can I accomplish this on Ubuntu or CentOS? I have the option of using either of the two operating systems as the server. The primary goal is to have traffic returning to its origin interface.

    Kind Regards,
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What is your network configuration now on that application server?
     
    agent2476 likes this.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The behavior you want is for the most part the default behavior, so as @Taleman requested, what do you have configured in the server? E.g. output of 'ip addr' and 'ip route', what routing rules did you create, etc. Right off I would remove the gateway/default route on eth0, and you might check your firewalling on the server itself to ensure hosts on one vlan can't talk to the other vlan using the server as a router.
     
    agent2476 likes this.
  4. agent2476

    agent2476 New Member

    @Taleman and @Jesse Norell,

    Thank you for the quick response. After taking into consideration the following comments by Jesse, the problem was solved.
    • "The behavior you want is for the most part the default behavior"
    • "Right off I would remove the gateway/default route on eth0"
    Jesse, I recreated the setup in another virtualized environment and you're correct. By removing the gateway for VLAN 1 (eth0), the default configuration routed the packets to the correct interface. I ran tcpdump on both eth0 and eth1 while communicating with the server and I saw no routing anomaly or packet loss.
    • "you might check your firewalling on the server itself to ensure hosts on one vlan can’t talk to the other vlan using the server as a router"
    Jesse, you are very thorough. I took this into consideration from the beginning and the necessary security controls are in place to prevent that from happening.

    Thank you guys very much, you have helped me to resolve my problem.

    Kind Regards,
     
    Last edited: Jun 8, 2021
    ahrasis likes this.
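
The check below is an added example, not part of any poster's message: it reads `ip -4 route show` output and lists interfaces other than the management one that still carry a default route (the condition removed in this thread), and it tests the IPv4 forwarding flag relevant to the cross-VLAN concern. The sample routing table, its addresses and the function names are constructed for illustration; eth0/eth1 follow the thread's naming.

```shell
#!/bin/sh
# Constructed sample of `ip -4 route show` output: a default gateway on both
# NICs. Addresses are documentation ranges, not values from the thread.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
default via 198.51.100.1 dev eth1 proto dhcp metric 200
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.10'

# Read a routing table on stdin; print "<dev> <metric>" per default route,
# lowest metric first (a missing metric counts as 0).
default_routes() {
    awk '$1 == "default" {
        dev = ""; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        if (dev != "") print dev, metric
    }' | sort -k2,2n
}

# Interfaces other than $1 (the intended default-route NIC) that still carry
# a default route. Empty output means the table matches the fix in the thread.
unexpected_defaults() {
    default_routes | awk -v want="$1" '$1 != want { print $1 }' | sort -u
}

# Interface of the default route the kernel prefers (lowest metric).
preferred_default() {
    default_routes | awk 'NR == 1 { print $1 }'
}

# $1 is the content of /proc/sys/net/ipv4/ip_forward; succeed only if it is 0,
# i.e. the server is not forwarding IPv4 packets between its interfaces.
forwarding_disabled() {
    [ "$1" = "0" ]
}

# Demonstration on the constructed sample (eth1 = VLAN 2, management).
printf '%s\n' "$SAMPLE_ROUTES" | unexpected_defaults eth1   # eth0
```

On a live host, pipe `ip -4 route show` into `unexpected_defaults eth1` and pass `$(cat /proc/sys/net/ipv4/ip_forward)` to `forwarding_disabled`.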
