I’m looking for any advice people here may have regarding a traffic setup I’m trying to do to see if anyone has any suggestions for a better or cleaner way to do this routing. I’m trying to route traffic from a location to the internet via one of two routes to my Internet backhaul. If possible, I’d like to classify the traffic via mangle rules. However, at the same time I need the traffic coming back to the location to be routed via straight IP, which means setting up multiple subnets at the location. Finally, I’d like to avoid NAT if at all possible because some hosts at the location should be reachable from outside sources, and I’d prefer to not have it via NAT traversal/port forwarding/etc. if at all possible. The traffic, while following preferred paths, should fall over to use the other path if the preferred path is unavailable.
Additionally, each interface is connected to an OSPF routed network, though each interface is going to be connected into a different area. I’d also like the route via this location NOT to be advertised via OSPF, which means that the location should serve as two OSPF endpoints and not as a node connecting the two locations.
With those caveats, the best way I’ve found to do this is to do the following. Assume traffic from 192.168.100.0/24 is preferred to route via path A and 192.168.101.0 is preferred to route via path B.
Site LAN:
  VLAN 100 - 192.168.100.0/24     VLAN 101 - 192.168.101.0
                 \                 /
                        ether5
                          |
                        RB450G
           10.0.0.0/29  /     \  10.0.0.8/29
                   ether1     ether2
                     |          |
                   Path A     Path B
                ospf area 1  ospf area 0
                     |          |
                      \        /
                       OSPF ABR
                          |
                    Internet router
Set the location’s router up to run two OSPF instances, one on ether1 and one on ether2. They should be set to only redistribute connected routes as type 1 with a metric of 200.
/routing ospf instance
set viaA disabled=no distribute-default=never in-filter=ospf-in metric-bgp=\
auto metric-connected=200 metric-default=1 metric-other-ospf=auto \
metric-rip=20 metric-static=200 name=viaA out-filter=ospf-out \
redistribute-bgp=no redistribute-connected=as-type-1 \
redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
router-id=192.168.100.1
add disabled=no distribute-default=never in-filter=ospf-in metric-bgp=auto \
metric-connected=200 metric-default=1 metric-other-ospf=auto metric-rip=\
20 metric-static=200 name=viaB out-filter=ospf-out redistribute-bgp=no \
redistribute-connected=as-type-1 redistribute-other-ospf=no \
redistribute-rip=no redistribute-static=no router-id=192.168.101.1
/routing ospf area
set viaA area-id=0.0.0.1 disabled=no instance=viaA name=viaA type=default
add area-id=0.0.0.0 disabled=no instance=viaB name=viaB type=default
Set up each ospf instance with its preferred source network and /29 bridge networks:
/routing ospf network
add area=viaA disabled=no network=10.0.0.0/29
add area=viaB disabled=no network=10.0.0.8/29
add area=viaA disabled=no network=192.168.100.0/24
add area=viaB disabled=no network=192.168.101.0/24
Set up the appropriate IPs:
/ip address
add address=10.0.0.1/29 disabled=no interface=ether1 network=10.0.0.0
add address=10.0.0.9/29 disabled=no interface=ether2 network=10.0.0.8
add address=192.168.101.1/24 disabled=no interface=vlan101 network=192.168.101.0
add address=192.168.100.1/24 disabled=no interface=vlan100 network=192.168.100.0
This setup effectively makes each OSPF instance advertise its preferred local network at metric 1 and its nonpreferred local network at metric 200 into the OSPF fabric. Thus, the network is aware of two routes to the local networks, via path A and path B, and routes through the preferred path when available and the nonpreferred path when necessary.
Finally, on the local router I’ve set up mangle rules to tag traffic from each local interface and route marked traffic to 0.0.0.0/0 via the preferred path. As the check-ping setting on the static route is insufficient for checking if the static route should stay in place (an intermediate node along the path may go down but the next immediate gateway will still ping,) I’ve got a script that looks for ospf-derived default routes via the immediate gateways in the routing tables and disables the static route when there is no dynamic route along the same gateway. The ospf derived dynamic routes then serve as a catchall to route all tagged traffic that doesn’t get routed via a static route through to 0.0.0.0/0 when a path goes down.
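As an added example (not the original poster's configuration), here is one concrete way to build the mangle marks, the per-mark static defaults and the failover check described above. The peer addresses 10.0.0.2 (path A) and 10.0.0.10 (path B), the route comments and the routing-mark names are assumptions; the check relies on the OSPF-learned default showing up as an active dynamic route via the same gateway.

```routeros
# Added example, not from the original post. Hypothetical values:
# path-A peer 10.0.0.2 on ether1, path-B peer 10.0.0.10 on ether2.

/ip firewall mangle
add chain=prerouting in-interface=vlan100 action=mark-routing \
    new-routing-mark=viaA passthrough=no comment="VLAN100 -> path A"
add chain=prerouting in-interface=vlan101 action=mark-routing \
    new-routing-mark=viaB passthrough=no comment="VLAN101 -> path B"

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-mark=viaA comment=viaA-default
add dst-address=0.0.0.0/0 gateway=10.0.0.10 routing-mark=viaB comment=viaB-default

# Script body (run from /system scheduler every few seconds).
# For each marked static default, keep it enabled only while an active
# dynamic (OSPF-learned) default route still exists via the same gateway;
# when it is disabled, marked traffic falls through to the main table and
# follows whichever OSPF default is still up.
:local paths {"viaA-default"="10.0.0.2"; "viaB-default"="10.0.0.10"}
:foreach rtComment,gw in=$paths do={
    :local dyn [/ip route find where dst-address="0.0.0.0/0" and dynamic=yes and active=yes and gateway=$gw]
    :local rt [/ip route find where comment=$rtComment]
    :if ([:len $dyn] = 0) do={
        :if ([/ip route get $rt disabled] = false) do={
            /ip route set $rt disabled=yes
            :log warning ("no OSPF default via " . $gw . ", disabled " . $rtComment)
        }
    } else={
        :if ([/ip route get $rt disabled] = true) do={
            /ip route set $rt disabled=no
            :log info ("OSPF default via " . $gw . " is back, enabled " . $rtComment)
        }
    }
}
```

Logging only on state changes keeps the scheduler runs quiet and makes a flap between the two paths easy to spot in the log.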
However, there are a couple of caveats I don’t like about this:
- As I’m using OSPF on the internal interfaces, I must segment the broadcast domains and interfaces on the internal LANs (via binding to separate interfaces, VLAN trunking to the local switch, or other similar methods) to avoid the OSPF instances from seeing each other on the internal LAN and closing the routing loop. I’d prefer if I could run the local traffic on the same broadcast LAN and simply direct it to one of the two gateways. Multiple instances also cannot run on the same interface; only one instance can bind to an interface at a time. However, as far as I can tell there’s no way around doing this as I’m reliant on getting the disparate OSPF metrics via the native network/redistributed external network trickery I’m doing. I may be missing something.
- I’d prefer to not have to sort my internal traffic by the IP I throw each host in. Preferably I’d like to sort granularly by type of traffic. However, I can’t see any way to do that save NATting the traffic via the external interfaces. Aside from not wanting to NAT the traffic, it doesn’t seem like this is actually possible – NATting is per-interface and when the nonpreferred network roams over the NAT stack will just discard all the traffic as it doesn’t handle that IP.
- Every connected route is going to be redistributed. I can’t add any networks to the local LAN and not advertise them via the network at large as it’s going to be advertising external routes in the OSPF fabric for every single network connected to the router. This isn’t a problem at the moment, but it does limit my flexibility down the road.
Given this configuration and the goals, can anyone point to a cleaner or better way to handle this traffic sorting & routing?