=== timeless_ is now known as timeless
=== npgm_ is now known as npgm
=== ]42[ is now known as [42]
slyon | PeGaSuS: If you remove any gateway6 the IP addresses still stay the same. This setting is only about where outgoing packets are being sent | 09:47 |
neo7530 | Hi | 11:19 |
neo7530 | maybe someone can help me with an issue ? | 11:19 |
neo7530 | i have set up netplan with one physical nw-adapter and defined some virtual ip-addresses for a reverse proxy | 11:20 |
neo7530 | this works so far, but: when i request the website via the virtual ip, the proxy sends the request to the backend via another ip than the one i requested | 11:22 |
neo7530 | eg: client => 192.168.0.2 => rev. proxy to 192.168.0.10 but the request to the backend will be via ip-address 192.168.0.1 | 11:23 |
kjetilho | what do you mean by virtual ip-address? probably best to put your netplan in a pastebin/gist | 11:27 |
neo7530 | network: | 11:28 |
neo7530 |   ethernets: | 11:28 |
neo7530 |     enp0s3: | 11:28 |
neo7530 |       dhcp4: no | 11:28 |
neo7530 |       addresses: [10.24.10.30/24,10.24.10.31/24,10.24.10.33/24] | 11:28 |
neo7530 |       gateway4: 10.24.10.50 | 11:28 |
neo7530 |       nameservers: | 11:28 |
neo7530 |         addresses: [10.24.10.50] | 11:28 |
neo7530 | i have 3 addresses on one physical interface | 11:29 |
neo7530 | i make a request to 10.24.10.31 this will be forwarded via reverse-proxy to a backend-server | 11:30 |
neo7530 | but the request to the backend will be made via 10.24.10.30 | 11:30 |
neo7530 | and not via 10.24.10.31 as requested | 11:30 |
PeGaSuS | slyon: right. I've just tested and this seems to work: https://termbin.com/dm07 | 11:31 |
kjetilho | neo7530: I think you mean, not via, but with source address? | 11:31 |
kjetilho | (via implies a hop via a router) | 11:32 |
neo7530 | yep | 11:32 |
neo7530 | the request to the backend should be the same as my client sent the request to | 11:32 |
neo7530 | same ip, i mean | 11:33 |
kjetilho | right - you need source routing to enable this. ie. a route where you specify from: and table: | 11:34 |
kjetilho | table is just some integer to separate the routing from the default route table | 11:34 |
kjetilho | btw, one of my favourite commands when checking stuff like this is "ip route get A.B.C.D" - it will tell you what src address the kernel will use for a new connection there | 11:35 |
neo7530 | and how should i do this? i'm fairly new to netplan | 11:44 |
kjetilho | routes: | 12:08 |
kjetilho |   - | 12:08 |
kjetilho |     from: 10.24.10.31 | 12:08 |
kjetilho |     to: 10.24.10.31 | 12:08 |
kjetilho |     via: 10.24.10.31 | 12:08 |
kjetilho |     table: 17 | 12:08 |
kjetilho | ehhh | 12:08 |
kjetilho | cut and paste error of your addresses | 12:09 |
kjetilho | to: 192.168.0.10 | 12:09 |
kjetilho | I think is what you wanted? | 12:09 |
neo7530 | hmmm | 12:10 |
neo7530 | local 10.24.10.31 dev lo table local src 10.24.10.30 uid 0 | 12:10 |
neo7530 | doesn't work | 12:15 |
kjetilho | you need to explain what you want again | 12:17 |
kjetilho | the components are not clear | 12:17 |
neo7530 | okay. client = 10.24.10.xxx reverse-proxy 10.24.10.31 backend 10.24.10.10 | 12:19 |
neo7530 | client request goes to *31 | 12:20 |
neo7530 | reverse-proxy talks to the backend via *30 but should use the *31 for communication | 12:21 |
neo7530 | same address outgoing as ingoing | 12:21 |
neo7530 | *30 *31 *33 are on the same physical interface | 12:22 |
kjetilho | so backend is your value for to | 12:29 |
kjetilho | and reverse-proxy your values for from and via | 12:29 |
kjetilho | there might be a better method to make .31 preferred generally - you don't really need a specific exception rule here, it seems | 12:31 |
neo7530 | ip route get 10.24.10.10 | 12:35 |
neo7530 | 10.24.10.10 dev enp0s3 src 10.24.10.30 uid 0 | 12:35 |
neo7530 | makes no difference | 12:35 |
neo7530 | routes: | 12:35 |
neo7530 |   - to: 10.24.10.10 | 12:35 |
neo7530 |     from: 10.24.10.31 | 12:35 |
neo7530 |     via: 10.24.10.31 | 12:35 |
neo7530 |     table: 101 | 12:35 |
kjetilho | oh. I thought netplan added the ip rule automatically :-( | 12:44 |
kjetilho | "15:01 <kjetilho> btw, I just set up source based routing with Netplan - so simple I hardly could believe it :)" - it was too good to be true ... | 12:44 |
neo7530 | maybe i should use iptables for this | 12:46 |
neo7530 | :/ | 12:46 |
kjetilho | ahhh - I need to add routing-policy! | 12:48 |
kjetilho | you, too. | 12:48 |
kjetilho | routing-policy: | 12:48 |
kjetilho |   - from: 10.24.10.31 | 12:48 |
kjetilho |     table: 101 | 12:49 |
neo7530 | ahh, i try this | 12:49 |
kjetilho | the from: in the routes is probably superfluous, then | 12:50 |
neo7530 | nope, makes no difference | 12:52 |
neo7530 | this is odd :/ | 12:52 |
kjetilho | hrm, no ip rules installed here either | 12:57 |
kjetilho | hrm, it does work for me though - but I don't understand how, since ip rule does not list any new rules | 13:54 |
kjetilho | slyon: ^ how does routing-policy work behind the scenes? | 13:54 |
kjetilho | now I'm not sure if routing-policy is needed for my case after all. it's a bit awkward to test since a reboot is required. | 13:56 |
kjetilho | (I mean, applying config will not clean up random stuff added earlier) | 13:56 |
slyon | kjetilho: behind the scenes netplan generates a [RoutingPolicyRule] section inside a .network file for systemd | 14:04 |
kjetilho | sorry for being a n00b, but I can't find anything like this (I'm on Ubuntu Focal) | 14:08 |
kjetilho | that is, no units of type network at all. | 14:09 |
kjetilho | right, they end up in /run/systemd/network | 14:16 |
kjetilho | and right², the from-parameter in a route ends up as PreferredSource in the .network file | 14:16 |
slyon | correct, /run/systemd/networkd/10-netplan-*.network | 14:17 |
kjetilho | perhaps my netplan version is too old - 0.101 | 14:18 |
kjetilho | grep -i policy /run/systemd/network/* → nada | 14:18 |
slyon | 0.101 is the latest version. But the "from" parameter should end up as "From=...", see https://paste.ubuntu.com/p/ydTWpBq9yS/ | 14:18 |
kjetilho | the from in a route, not routing policy | 14:19 |
slyon | ah yes, then you're right | 14:20 |
slyon | did you run 'netplan generate' before? to produce the latest files. Also this only applies if using the 'networkd' renderer (the default). Do you use NetworkManager renderer? | 14:20 |
kjetilho | doh. I was running netplan apply ~kjetilho/login-osl2.yaml | 14:20 |
kjetilho | that really should cause an error | 14:20 |
kjetilho | (or preferably - work) | 14:21 |
kjetilho | there we go, I got ip rules :) | 14:22 |
slyon | nice! | 14:22 |
kjetilho | (after copying my file to /etc/netplan) | 14:22 |
kjetilho | I do wonder if PreferredSource is sufficient for me | 14:23 |