Load Balancing and High Availability Setup Without NAT via L2TP

Hello,

My Network Setup:

In my network, there are two locations, referred to as City A and City B. These locations are connected through DC CHR Routers (DC1, DC2, etc.) using L2TP tunnels. Static IP blocks have been defined between these locations:

IP blocks for City A:
10.6.0.0/29
10.6.1.0/29
10.6.3.0/29

IP blocks for City B:
10.38.0.0/29
10.38.1.0/29
10.38.3.0/29

L2TP tunnels between the DC CHR Routers in both cities are properly established. These tunnels are working correctly, and there are no issues with ping packets. Static routes have been configured within the DC CHR Routers, and traffic is being forwarded to City A or City B based on specific port numbers.

Objective of My Project:
My system has been under heavy DDoS and other attacks, and I want to restructure it to ensure high availability. During attacks, I redirect my domains to other DC CHR Routers. While manually redirecting works without issues, my goal is to keep all routers active at the same time while balancing the load. Additionally, I want to distribute the load evenly during attacks to minimize downtime.

The Issue I’m Facing:
I do not encounter any issues when routing traffic through any single DC CHR Router. However, when I attempt to activate all DC CHR Routers simultaneously and perform load balancing, the traffic is not routed correctly. At this point, I believe there might be an error in my mangle rules.

While traffic from DC1 CHR continues without issue, I cannot access the 192.168.251.xx IP addresses using the other CHR routers. When tested with traceroute, the traffic stops at the tunnel IP address for City A (10.6.1.1) and doesn’t go further. However, when I switch the route to DC CHR2, the problem is resolved. During an attack, I drop all traffic (except whitelisted IPs) to City A and City B through the active DC CHR. This prevents my city routers from becoming saturated.

My System Requirements:
No NAT: I cannot use NAT because my customers need to authenticate using their public IP addresses. Additionally, I am required to log all incoming IP addresses on my system, which means I cannot use NAT as it would hide the original IP addresses.

Traffic Routing: All traffic directed to devices in City A or City B must return through the same DC CHR Router it originally passed through. For example, if the traffic passes through DC1, it must return via DC1.

Static Routing and Port Forwarding: In the DC CHR Routers, static NAT rules have been set up to forward traffic to the correct city (City A or City B) based on port numbers. Incoming traffic is routed to the relevant location based on the assigned port.

Load Balancing: I want to route traffic through each DC CHR Router simultaneously while balancing the load. The goal is to achieve this with minimal downtime and distribute the load evenly.

Request for Assistance:
I believe there might be an issue with my mangle rules, and I am encountering problems with my current configuration. I am seeking suggestions on how to activate all DC CHR Routers at the same time and implement load balancing, especially during attacks. I am willing to share my current mangle rules and configurations to get expert advice.

Summary:
Incoming connections must not be NATed, and original public IP addresses must be preserved.
Due to my logging requirements, incoming IP addresses must be recorded as-is.
I aim to activate all DC CHR Routers simultaneously and balance the load.
I suspect there may be errors in my mangle rules, and I need guidance on how to resolve this.
While DC1 CHR continues to work fine, I cannot access 192.168.251.xx addresses through other CHR routers. Traceroute shows that traffic stops at the City A tunnel IP address (10.6.1.1). The problem is resolved when the route is switched to DC CHR2.

Any suggestions or recommendations from the community would be greatly appreciated. Thank you!
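The symptom described above (only the DC whose tunnel holds the city router's default route works, and traceroute through any other DC dies at the tunnel address) is what an asymmetric return path looks like: the request arrives through DC2's tunnel, but the 192.168.251.x host's reply leaves through the main default route towards DC1, where no matching dst-nat state exists. The usual fix on RouterOS, and the one the "return through the same DC CHR" requirement calls for, is to mark each inbound connection with the tunnel it came in on and route the replies by that mark. The following is an added example written for this thread, not the poster's own mangle rules. It assumes RouterOS v7 on the City A router, L2TP interface names l2tp-dc1 and l2tp-dc2, DC-side tunnel gateways 10.6.0.1 and 10.6.1.2 (assumed; only 10.6.1.1 appears in the post), and a LAN interface named bridge-lan in front of 192.168.251.0/24.

```routeros
# Added example for the thread, not the poster's configuration.
# Assumptions: RouterOS v7 on the City A router; tunnel interfaces l2tp-dc1 and
# l2tp-dc2; DC-side tunnel gateways 10.6.0.1 (DC1) and 10.6.1.2 (DC2);
# LAN interface bridge-lan serving 192.168.251.0/24.

# One routing table per DC tunnel, each with its own default route, so a reply
# can be steered back through whichever tunnel the request used.
/routing table
add name=via-dc1 fib
add name=via-dc2 fib

/ip route
add dst-address=0.0.0.0/0 gateway=10.6.0.1 routing-table=via-dc1 comment="return path for connections that arrived via DC1"
add dst-address=0.0.0.0/0 gateway=10.6.1.2 routing-table=via-dc2 comment="return path for connections that arrived via DC2"

/ip firewall mangle
# 1. Tag each new connection with the tunnel it entered on. No src-nat is
#    involved, so the client's public IP stays as the source address and is
#    still what the logs record.
add chain=prerouting in-interface=l2tp-dc1 connection-state=new action=mark-connection new-connection-mark=from-dc1 passthrough=yes comment="tag inbound connections from DC1"
add chain=prerouting in-interface=l2tp-dc2 connection-state=new action=mark-connection new-connection-mark=from-dc2 passthrough=yes comment="tag inbound connections from DC2"

# 2. Replies from the 192.168.251.x hosts enter from the LAN side carrying the
#    connection mark; give them the matching routing mark so they use that
#    table instead of the main default route.
add chain=prerouting in-interface=bridge-lan connection-mark=from-dc1 action=mark-routing new-routing-mark=via-dc1 passthrough=no comment="replies for DC1 connections leave via DC1"
add chain=prerouting in-interface=bridge-lan connection-mark=from-dc2 action=mark-routing new-routing-mark=via-dc2 passthrough=no comment="replies for DC2 connections leave via DC2"

# Checks: the per-table default route must be active (not blue/inactive), and a
# test connection sent in through DC2 must show the from-dc2 mark before its
# reply is routed.
/ip route print where routing-table=via-dc2
/ip firewall connection print where connection-mark=from-dc2
```

The marking has to live on the city routers (City A and, with the 10.38.x tunnel addresses, City B), because that is where the reply is first routed; the DC CHRs already know the path since the dst-nat state for the port forward is on the DC that accepted the connection. Matching connection-state=new keeps the mark-connection rule cheap under load, which matters if the goal is to keep several DCs active during an attack. On RouterOS v6 the same layout uses routing-mark= on the route instead of routing-table= and needs no /routing table entries. After applying it, a traceroute that enters through DC2 should show the reply leaving through DC2's tunnel rather than stopping at the City A tunnel address.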

Is this still a thing almost two months later?