Multi-WAN (or multiple networks with gateways)

Development
1

Hey guys,

I think that it would be nice to have an option to use iproute2 (i.e., “4.2. Routing for multiple uplinks/providers”), (maybe via Netplan?) to manage multiple gateways per Machine, when adding many Networks/VLANs where each one have its own gateway configured.

LARTC Document about this:

https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html

It would be awesome to have a Linux with nftables as a gateway with multi-wan where all the http/https sessions works correctly.

NOTE: Don’t forget the: Feature to disable Interface Gateway when using multiple NICs :wink:

BTW, I’m trying to deploy a KVM Guest via MaaS Pod, where this VM will be a Linux Router/Firewall with nftables, also, this router will be the gateway for some of MaaS’ configured VLANs! Which causes confusion in MaaS, where it’s trying to deploy a Machine in a network with gateway where the gateway is the Machine itself!

Cheers!
Thiago

1 Like
2

I documented what could be achieved here, however, this will require some work on the MAAS side: https://bugs.launchpad.net/MAAS/+bug/1737428

Using multiple gateways requires either being very specific in terms of static routes, policy rules or having dynamic routing. Using kernel VRFs for sending requires application or automation changes to make sure sockets used for sending are bound to interfaces enslaved to VRF interfaces.

Meanwhile, for responding via the same path the traffic have been received policy rules that do not depend on remote subnets work quite well (cidr below is a subnet configured on a node, not a CIDR a client is connecting from):
https://git.launchpad.net/~canonical-bootstack/charm-policy-routing/tree/templates/service.j2
ExecStartPre=-/sbin/ip route add default via {{ gateway }} table {{ table }}
ExecStart=/sbin/ip rule add from {{ cidr }} table {{ table }} priority {{ priority }}
ExecStart=/sbin/ip rule add from {{ cidr }} to {{ cidr }} lookup main

The only case where is does not work is unbound udp sockets. It does work with bound and unbound TCP sockets and bound UDP sockets (DNS servers such as bind9 bind UDP sockets to all addresses to avoid this problem specifically).

What I found is that for many cases where sending traffic is needed one default gateway is enough in addition to a small amount of static routes.

The example given above might appear as a feature in MAAS soon.

2 Likes