
Ask Dr. UN*X Continued
Contributed by Brian Wilson in Network on 2006-03-13 16:04:08
Page 6 of 8

How can I have two default routes?

This is where advanced routing comes into play (finally!). With advanced routing, you can have as many routing tables as you need; in this case you need to add just one for the new DSL line.

First, add a name for the new routing table to the file /etc/iproute2/rt_tables. You can append it to the file with command "echo 2 dsl2 >> /etc/iproute2/rt_tables".

# echo 2 dsl2 >> /etc/iproute2/rt_tables
# cat /etc/iproute2/rt_tables             list the file contents
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
2 dsl2                          the line you just added

Earlier I mentioned that typing "ip route" is a shortcut for the longer command "ip route show table main". Well, to list the new routing table you have to use the long form: "ip route show table dsl2". If you enter this command right now, you will see that the new table is empty.

You really only need to add the new default route to the new table; the old "main" table will continue to handle everything else. You will see why in a minute. Once again, here is the existing "main" table.

# ip route show table main
63.63.63.0/29 dev eth0  proto kernel  scope link  src 63.63.63.1
30.31.32.0/29 dev eth1  proto kernel  scope link  src 30.31.32.1
default via 63.63.63.6 dev eth0

Add the new default route to table dsl2 and then look at the (short) table.

# ip route add default via 30.31.32.6 dev eth1 table dsl2
# ip route show table dsl2

default via 30.31.32.6 dev eth1    the whole table is just one line

But the new table is not used yet!

You need to learn one more command, "ip rule".

A routing table tells the kernel where a packet should go, based on its destination. You also need to be able to tell the kernel to use a different table based on where a packet is from (its source address).

The existing ip ruleset is very simple; look at it now.

# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

You need to add just one new rule:

# ip rule add from 30.31.32.1 lookup dsl2 prio 1000

This command says "add a rule" to handle the case when a packet has a "from" pattern of "30.31.32.1"; use the routing table called "dsl2", and assign the rule a priority level of "1000". Now relist the rules. In this example, the "pattern" only needs to match one address but if you build a Linux router, you could set patterns that would match different sets of addresses.

# ip rule
0:      from all lookup local
1000:   from 30.31.32.1 lookup dsl2
32766:  from all lookup main
32767:  from all lookup default

The kernel searches the ip rules in order, starting with the lowest priority number and continuing through each rule and its routing table until the packet has been routed successfully.

Your default ruleset will always have a 'local' table with 'all' as the match pattern. The local table handles traffic that is supposed to stay on the local machine, and broadcast traffic.

Our new rule comes next, with a priority of 1000. I picked this number to make adding other rules before and after ours easy later on.

After our rule comes the 'main' table, which is the one manipulated by the old 'route' command. Finally comes the 'default' table. I don't know the official purpose of default; it's empty on all the systems I have set up. There is a 'default' route in the table 'main', so no traffic ever gets to the table 'default'.
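As an added example (my own code, not part of the article), the rule walk described above can be simulated by parsing the "ip rule" and "ip route show table" output shown on this page; the 'local' table is assumed empty here, and the sample text is constructed from the article's listings.

```python
import ipaddress
# Constructed sample from this page's listings; the 'local' and empty 'default' tables are omitted.
IP_RULE = """\
0:      from all lookup local
1000:   from 30.31.32.1 lookup dsl2
32766:  from all lookup main
32767:  from all lookup default
"""
TABLES = {
    "main": """\
63.63.63.0/29 dev eth0  proto kernel  scope link  src 63.63.63.1
30.31.32.0/29 dev eth1  proto kernel  scope link  src 30.31.32.1
default via 63.63.63.6 dev eth0
""",
    "dsl2": "default via 30.31.32.6 dev eth1\n",
}

def parse_rules(text):
    """Return [(prio, source_network, table)] sorted by priority number (lowest first)."""
    rules = []
    for line in text.splitlines():
        prio, _, rest = line.partition(":")
        words = rest.split()
        src = words[words.index("from") + 1]
        net = ipaddress.ip_network("0.0.0.0/0" if src == "all" else src)
        rules.append((int(prio), net, words[words.index("lookup") + 1]))
    return sorted(rules)

def parse_table(text):
    """Return [(prefix, gateway_or_None, dev)] for one 'ip route show table' dump."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        prefix = ipaddress.ip_network("0.0.0.0/0" if words[0] == "default" else words[0])
        gw = words[words.index("via") + 1] if "via" in words else None
        routes.append((prefix, gw, words[words.index("dev") + 1]))
    return routes

def route_packet(src, dst, rule_text=IP_RULE, tables=TABLES):
    """Walk the rules by priority; the first table holding a route to dst decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, net, table in parse_rules(rule_text):
        if src not in net:
            continue
        hits = [r for r in parse_table(tables.get(table, "")) if dst in r[0]]
        if hits:  # longest prefix wins inside a table
            prefix, gw, dev = max(hits, key=lambda r: r[0].prefixlen)
            return {"rule": prio, "table": table, "via": gw, "dev": dev}
    return None  # no rule/table routed it: the kernel would report "unreachable"
```

Because table dsl2 holds only a default route, the simulation also shows that a packet sourced from 30.31.32.1 to a host on the eth0 subnet (say 63.63.63.2) is sent out eth1 via 30.31.32.6, and that a rule whose table has no matching route falls through to the next rule.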

Caveats

When you are playing with multiple routing tables, you have to remember to add the 'table' portion to the command. I have only forgotten about 1000 times now. It can be mystifying when a route lands in the wrong table (main). And of course, you are sure to confuse things while learning and lock yourself out if you are remotely logged in. The changes happen FAST. Use a console connection.

Another tip. Routes are cached. This means that if you update a routing table and nothing seems to happen, don't get frustrated, just flush the cache. You can make several changes at once and then flush the cache at the end so that the changes effectively all happen simultaneously. This is handy when working on a running router.

The flush command I use is "ip route flush table cache". Be very careful with the flush command!! Enter it wrong and you will remove all routing rules, instantly cutting off your networks.

Discussion(s)
Great intro - but I've having an annoyi
Written by brighton36 on 2006-03-18 00:52:00
I've been using a multipath routing setup for my office for a while now. So far, it's been largely ok. The problem is that with some types of traffic my connections that should be established oddly cease to be. SSH and IM are the two biggies. It's very frustrating. My guess is that the route tables are cleaned up, and the existing, established connection is attempted to connect out the alternate line that it was previously set at. Does anyone have this problem? Any ideas as to how to fix this? I've seen a number of other people ask in different forums, but no great solutions have been forthcoming.

thanks!
Written by kris on 2006-04-07 18:16:47
I just want to thank you people for writing so comprehensively and knowledgeably. All the other guides have been great; will read this one in a bit.

thanks for the effort! :)

good, simple info
Written by richard on 2006-03-27 20:36:27
Good to see a simple explanation of what's going on. I'm setting up two ADSL connections to service my network through a router running FC4. I've got the routes part working (I hope) but I'm wondering how I can firewall both connections. I get the second ADSL modem today so I can see if the routing is working, but I would appreciate some help on what I need to do re the firewall. I'm currently using firewall=iptables which is working fine but only has settings for one external and one internal interface. Can I set up a second external interface in the one script and duplicate the rules as required, or should I set up a second firewall script? Any tips welcome.