Net Balancer feature in 3.6
July 13, 2016 at 4:42 pm #44602
francozamp
Member
Hi,
I recently installed and tested ZeroShell for Net Balancing to two WANs. It appears that, contrary to its initial implementation (probably up to ZS3.3), where consecutive TCP connections (also from the same host and to the same server) went through alternating WANs according to their weights, now in ZS3.6 the host is stuck to a WAN. The firewall rule I see is something like:
Routing table
[code]
root@zeroshell ~> ip route show
default
nexthop via 10.1.1.1 dev ETH00 weight 50
nexthop via 10.2.2.1 dev ETH01 weight 40
10.1.1.0/24 dev ETH00 proto kernel scope link src 10.1.1.10
10.2.2.0/24 dev ETH01 proto kernel scope link src 10.2.2.20
10.10.10.0/24 dev ETH02 proto kernel scope link src 10.10.10.1
192.168.137.0/24 dev ETH03 proto kernel scope link src 192.168.137.30
192.168.250.0/24 dev VPN99 proto kernel scope link src 192.168.250.254
[/code]
iptables
[code]
root@zeroshell ~> iptables -L -nv -t mangle
[....]
Chain NB_CT_POST (2 references)
pkts bytes target prot opt in out source destination
87 6323 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 realm 0x66 MARK set 0x66
108 7853 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 realm 0x65 MARK set 0x65
483 37017 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
[...]
[/code]
I also checked the script /root/kerbynet.cgi/scripts/nb_setautomarking, but without a clear understanding of its internal workings.
After several tests, I confirmed that from the same client all connections went through the same WAN: this prevents achieving the aggregate throughput on a single host/client, e.g., using 2 TCP connections.
I understand there was a need for route persistence for stateful services (such as e-commerce carts or banking over HTTPS), for which different connections must come from the same IP, but having this fixed now is too limiting.
Maybe something like changing WAN in alternation, but according to the server? Like if I connect to google.com with WAN1, and my browser creates 3-4 further TCP connections still to google.com, they must go through the same WAN1, but if then on a new tab I go to mns.com (or the same address but a different port), I must go through another WAN2.
What do you think about that? Did I get something wrong, or is something misconfigured? Thanks,
F.
July 14, 2016 at 9:42 am #54188
francozamp
Member
Hi,
after further testing, I realized balancing is working if either the client IP or the destination IP changes. It means that, if from the same client behind the LAN I access the same server IP, I always traverse the same WAN. If from that very client I access another server IP, the WAN alternates.
Different clients to the same server IP also alternate.
This shall fix the HTTPS/cookies problem, but I’d like to know if this algorithm can be customized and where the logic lies.
In fact, I’d like to specify rules based on the bandwidth in use on the channel instead of only relative weights (I’d like to use WAN2 only if capacity on WAN1 exceeds 80% of its limit that is specified in the QoS “Global Bandwidth” settings), and then also alternate WAN on the same client-server if necessary.
Thanks,
F.
July 14, 2016 at 4:23 pm #54189
iulyb
Member
@francozamp wrote:
In fact, I’d like to specify rules based on the bandwidth in use on the channel instead of only relative weights (I’d like to use WAN2 only if capacity on WAN1 exceeds 80% of its limit that is specified in the QoS “Global Bandwidth” settings), and then also alternate WAN on the same client-server if necessary.
Basically this would require a new mode; let’s name it ‘Overflow and fail-over’.
I think the script you need to look at is nb_setnexthop.
You may need to change the script so that once the bandwidth hits 80%, all new traffic will use the next gateway. The next question you should answer is about the logic used if you have 3 or more GWs and how to deal with it after all GWs are in overflow mode.
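As an added example that is not ZeroShell's own code: a small Python model of the behaviour described in this thread (a weighted gateway choice keyed on client and server IP, made persistent per connection by the realm-to-MARK-to-CONNMARK chain shown in the first post), plus iulyb's proposed overflow mode. The Gateway class, the SHA-256 hash standing in for whatever the kernel actually uses, the realm-to-interface mapping and the capacity figures are all assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Gateway:
    iface: str               # interface name from `ip route show`
    nexthop: str
    weight: int              # multipath weight from the routing table
    mark: int                # realm / CONNMARK value; interface-to-realm mapping is assumed
    capacity_kbps: int = 0   # QoS "Global Bandwidth" limit; figures below are invented
    load_kbps: int = 0

# Gateways constructed from the routing table in the first post.
GATEWAYS = [
    Gateway("ETH00", "10.1.1.1", 50, 0x65, capacity_kbps=20000),
    Gateway("ETH01", "10.2.2.1", 40, 0x66, capacity_kbps=10000),
]

def pick_by_weight(src, dst, gateways=GATEWAYS):
    """Weighted choice keyed on (src, dst) only, so a client/server pair is sticky."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()  # assumed hash, not the kernel's
    point = int.from_bytes(digest[:4], "big") % sum(g.weight for g in gateways)
    for g in gateways:
        if point < g.weight:
            return g
        point -= g.weight

CONNMARK = {}  # models `CONNMARK save`: connection 5-tuple -> saved mark

def route_packet(src, sport, dst, dport, proto="tcp", gateways=GATEWAYS):
    """Gateway for one packet; a known connection always reuses its saved mark."""
    key = (proto, src, sport, dst, dport)
    if key not in CONNMARK:
        CONNMARK[key] = pick_by_weight(src, dst, gateways).mark
    return next(g for g in gateways if g.mark == CONNMARK[key])

def share_per_gateway(src, n_servers, gateways=GATEWAYS):
    """Fraction of distinct server IPs that one client reaches through each WAN."""
    counts = {g.iface: 0 for g in gateways}
    for i in range(n_servers):
        counts[pick_by_weight(src, f"198.51.{i // 256}.{i % 256}", gateways).iface] += 1
    return {k: v / n_servers for k, v in counts.items()}

def pick_overflow(gateways=GATEWAYS, threshold=0.8):
    """iulyb's proposed mode: first WAN in table order below `threshold` of its capacity, None if all are over."""
    for g in gateways:
        if g.capacity_kbps and g.load_kbps < threshold * g.capacity_kbps:
            return g
    return None
```

Two connections from the same client to the same server land on the same WAN (the complaint in the thread), while across many servers the split approaches the 50:40 weights; pick_overflow returning None is the "all gateways in overflow" case iulyb leaves open.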