How to elegantly handle two ISPs on a single box?

Taylor, Grant gtaylor at riverviewtech.net
Wed Apr 6 22:55:25 CEST 2005


> That will have me send out packets with source A to ISP B and vice
> versa which will have the packets killed by the ISPs reverse path
> filters.

Presuming that I got the IP addresses for ISP A matched up with the
interface for ISP A, and vice versa for ISP B, then all packets that go out to
the respective ISPs will have the correct source address.  ECMP is especially
designed for situations where people have multiple default routes or
multiple internet connections.  Keep in mind that SNATing happens AFTER the
routing decision takes place in the kernel, as the traffic is headed OUT the
physical interface.  With this in mind, whatever interface the kernel
decides to send the traffic out will be SNATed with the appropriate IP for
that interface.

> This will NAT the first, third, fifth packet of a TCP session to
> 172.16.0.129 and the second, fourth and sixth packet of the same
> session to 10.0.0.1. I seriously doubt that the session will come up
> at all.

No it will not.  ECMP creates a pairing of source IP, source port,
destination IP, and destination port and maintains each pairing on one route
out for the duration of the session.  Or at least that is what it is supposed
to do.  This way you may have an SSH session from an internal client go out
ISP A and an HTTP request to the same destination system go out ISP B, but
each TCP stream / conversation will always go out the same interface that
it started going out.  (There is a cache involved in the routing decision, but
that is for how long the decision is remembered AFTER the stream terminates,
and it is also tunable via /proc.)



Grant. . . .
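The setup the reply describes, written out as an added example (this is not code from the original post or thread): one ECMP default route with a nexthop per ISP, and a nat/POSTROUTING SNAT rule keyed on the output interface so the source address always matches the link the kernel chose. The interface names, gateway addresses and LAN prefix are assumed placeholders; the two public addresses 172.16.0.129 and 10.0.0.1 are the ones quoted in the thread. With DRY_RUN=1 the script only prints the commands it would run, so the plan can be inspected without root or the real NICs. Note that the per-flow stickiness the reply relies on is the 2.4/2.6-era route-cache behaviour; that assumption is labelled in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: two-ISP ECMP default route plus
# per-interface SNAT. Interface names, gateways and the LAN prefix are assumed.
set -eu

ISP_A_IF=eth1  ISP_A_GW=172.16.0.1  ISP_A_IP=172.16.0.129   # assumed NIC/GW
ISP_B_IF=eth2  ISP_B_GW=10.0.0.254  ISP_B_IP=10.0.0.1       # assumed NIC/GW
LAN_NET=192.168.1.0/24                                       # assumed LAN

# run prints the command and executes it; with DRY_RUN=1 it only prints,
# so the plan can be reviewed (or tested) without touching the kernel.
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# One default route with two nexthops. The kernel picks a nexthop at routing
# time; the reply relies on the (2.4/2.6-era, assumed) route cache to keep a
# flow on the nexthop it started on. Cache expiry was tunable under
# /proc/sys/net/ipv4/route/ (e.g. gc_timeout); it is left at the default here.
setup_routes() {
    run ip route replace default scope global \
        nexthop via "$ISP_A_GW" dev "$ISP_A_IF" weight 1 \
        nexthop via "$ISP_B_GW" dev "$ISP_B_IF" weight 1
}

# SNAT is done in nat/POSTROUTING, which runs after the routing decision, so
# matching on the output interface (-o) is enough to pick the right source
# address: whichever link the kernel chose, the packet leaves with that ISP's
# address and is not dropped by the other ISP's reverse-path filter.
setup_snat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP_A_IF" \
        -j SNAT --to-source "$ISP_A_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP_B_IF" \
        -j SNAT --to-source "$ISP_B_IP"
}

# Self-check of the dry-run plan: each SNAT rule must pair ISP A's interface
# with ISP A's address and ISP B's with ISP B's, and never cross them.
check_plan() {
    plan=$(DRY_RUN=1 setup_snat)
    echo "$plan" | grep -q -- "-o $ISP_A_IF .*--to-source $ISP_A_IP" || return 1
    echo "$plan" | grep -q -- "-o $ISP_B_IF .*--to-source $ISP_B_IP" || return 1
    ! echo "$plan" | grep -q -- "-o $ISP_A_IF .*--to-source $ISP_B_IP" || return 1
    ! echo "$plan" | grep -q -- "-o $ISP_B_IF .*--to-source $ISP_A_IP" || return 1
    return 0
}

# Usage: DRY_RUN=1 sh multipath.sh apply   (print plan)
#        sh multipath.sh apply             (apply as root)
if [ "${1:-}" = apply ]; then
    check_plan
    setup_routes
    setup_snat
fi
```

Because the SNAT rules match only on `-o`, nothing in the firewall has to know which route the kernel picked; that is the point the reply makes about NAT happening after the routing decision. If you later replace the ECMP default with policy routing (one routing table per ISP), the SNAT rules above stay exactly the same.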



