
net-isp-balance's People

Contributors: chorny, lstein

net-isp-balance's Issues

IPv6 support

Hello. How is Net-ISP-Balance's support for IPv6, including global prefix delegation?

Currently I have a Cisco RV340 load balancing 2 ISPs.

One modem I set as a bridge and the other I left in router mode. The bridged WAN is able to receive a global prefix using DHCP-PD and pass it to the VLAN, whose DHCP server distributes it. The other ISP's WAN (in router mode) has DHCP-PD set, but the VLAN's DHCP server says it's inaccessible.

Load balancing works nicely for IPv4 and even speedtest reports the combined download speed. But for IPv6 my LAN devices receive only addresses from the bridged ISP's global prefix and only use its bandwidth.

The RV340 also seems not to support setting a ULA together with DHCP-PD, as I've seen people do on other routers. This makes me unable to set fixed IPv6 addresses on the LAN, as every time the ISP changes its global prefix all my devices' addresses change too.

To sum things up, I use Pi-hole for local domain assignment, DNS server and DHCP server. I'm unable to make dnsmasq grab the delegated global prefix from the RV340 so it can distribute addresses to devices.

I'm then considering removing the RV340 and setting up an Ubuntu or IPFire gateway, which would load balance both ISPs and handle DNS, DHCPv4 and DHCPv6 all together.

If anybody has done something like that or is trying to, feel free to contact me and share configs and tools.

Webserver behind the server

I have a webserver within the LAN. I used the Perl command to forward to the webserver's IP, but I still can't access the webserver from outside.

Assume my network is as follows:
192.168.0.0/24 -> LAN
192.168.1.0/24 -> ISP1
192.168.2.0/24 -> ISP2

I added the rule as follows in 02.forward.pl:
$B->forward(80 => '192.168.0.23'); # Webserver IP on LAN is 192.168.0.23

Please advise

Duplicated ISP Mark Chain

Hi,

First of all, great software... It's a really boring task to set up ISP balancing and your NET-ISP-Balance makes it damn easy.

When re-running load_balance.pl the MARK chain is not being cleaned, and consequently being duplicated:

load_balance.pl -d > commands.sh
# add set -x to commands.sh
+ iptables -t mangle -N MARK-ISP1
iptables: Chain already exists.
+ iptables -t mangle -A MARK-ISP1 -j MARK --set-mark 2
+ iptables -t mangle -A MARK-ISP1 -j CONNMARK --save-mark
+ iptables -t mangle -N MARK-ISP2
iptables: Chain already exists.

And when running:

# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK-ISP2  all  --  anywhere             anywhere             ctstate NEW statistic mode random probability 1.00000000000
MARK-ISP1  all  --  anywhere             anywhere             ctstate NEW statistic mode random probability 0.50000000000
CONNMARK   all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED CONNMARK restore
MARK-ISP1  all  --  anywhere             anywhere             ctstate NEW
CONNMARK   all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED CONNMARK restore
MARK-ISP2  all  --  anywhere             anywhere             ctstate NEW
CONNMARK   all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED CONNMARK restore

Sorry for not sending a PR, but my Perl skill is zero :)

Thank you

Can't run load_balance.pl

Hi,

I'm trying to run the load_balance.pl script after following the online guide. However, when I run "su -c load_balance.pl", I get the following error: "Couldn't open /var/lib/lsm/DSL.state mode >: no such file or directory at /usr/local/bin/load_balance.pl line 284.".

Any ideas?

Really excited to try this out with client setups!

hook for custom script

Proposal

We've designed a more complex Perl framework for firewall rules. I've seen the custom scripts that you can add in Net::ISP::Balance. Yet, I've not noticed whether we can connect a custom external script/tool instead of rules.

Proposal: adding a hook.d/ folder in which you can

  • insert a softlink to /home//custom.<sh|pl>
  • create a script to execute the external program ...

What do you think? Or is there already a strategy that I've missed? Thank you very much.

BTW - I really like the net isp balance. Congrats, cheers and thanks to all contributors!

Error with iptables when bringing up one connection

/etc/load_balance.pl DSL

iptables v1.6.0: Couldn't load target `MARK-DSL':No such file or directory

This also happens when I bring up a different connection

/etc/load_balance.pl LTE

iptables v1.6.0: Couldn't load target `MARK-DSL':No such file or directory

Nevertheless load balancing is working fine. What would cause this?

Foolsm unconditionally fails to start

Sometime between July 26, 2021 and now (Oct 24, 2021), foolsm fails to start regardless of how it is executed, and no debug information is generated to further understand and hint towards the issue. It simply dumps the help information and exits. To personify the new behavior, it acts like it wants to make life difficult. I suspect there is something either corrupting the foolsm flags when load_balance.pl executes the command, or there is something buggy in my configuration file.

I checked the configuration file, and it seems to be good. For some reason the copy/paste functionality is not working. But, I was able to upload it: https://0x0.st/-dxH.conf

Version: CURRENT Master
OS: Debian Sid
Shell: Bash

Anything else needed, just let me know.

DROP-SPOOF in dmesg

When running 'dmesg' command, I get a few lines with the following output:

[ 106.188537] DROP-SPOOF: IN= OUT=eth0 SRC=10.0.0.5 DST=23.235.44.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14189 DF PROTO=TCP SPT=41842 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

Should the system be dropping IP spoof? eth0 is LAN interface.
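The DROP-SPOOF prefix is written by the DROPSPOOF log-and-drop chain that the generated ruleset appends at the end of OUTPUT (visible in the debug dump further down this page), so an entry with an empty IN= is a packet the router itself generated, not a spoofed LAN packet. The parser below is an added example (not part of the issue or the project) for reviewing such entries; the first sample line is the one quoted above, the others are constructed.

```python
import re
from collections import Counter

# Constructed sample: the dmesg line from the issue plus three made-up lines
# (a second DROP-SPOOF hit, a REJECTED hit from INPUT, and an unrelated kernel message).
SAMPLE_DMESG = [
    "[ 106.188537] DROP-SPOOF: IN= OUT=eth0 SRC=10.0.0.5 DST=23.235.44.133 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=14189 DF PROTO=TCP SPT=41842 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    "[ 107.002113] DROP-SPOOF: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.7 LEN=73 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=14201 DF PROTO=UDP SPT=53 DPT=41233 LEN=53",
    "[ 108.554901] REJECTED: IN=wlan0 OUT= SRC=203.0.113.9 DST=192.168.43.37 LEN=40 TOS=0x00 PREC=0x00 "
    "TTL=52 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[ 109.100000] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
]

# "[ <uptime>] <LOG-PREFIX>: KEY=VALUE KEY=VALUE FLAG ..."  (the prefixes in the
# generated ruleset are all upper-case words, optionally hyphenated)
PREFIX_RE = re.compile(r"^\[\s*([\d.]+)\]\s+([A-Z][A-Z-]*):\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict, or return None for non-LOG lines.

    KEY=VALUE pairs become dict entries (a repeated key such as the UDP LEN after
    the IP LEN overwrites the earlier one); bare tokens (DF, SYN, ACK ...) go into "flags".
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts, prefix, rest = m.groups()
    rec = {"ts": float(ts), "prefix": prefix, "flags": []}
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def summarize(lines, prefix="DROP-SPOOF"):
    """Count dropped flows per (out-interface, src, dst, proto, dport) for one log prefix."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        key = (rec.get("OUT", ""), rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))
        counts[key] += 1
    return counts


def locally_generated_on(lines, interfaces, prefix="DROP-SPOOF"):
    """Records where the router's own traffic (IN= empty, i.e. logged from OUTPUT) was
    dropped while leaving via one of the given interfaces, e.g. the LAN interface."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["prefix"] == prefix and rec.get("IN", "") == "" and rec.get("OUT") in interfaces:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_DMESG).items():
        print(n, key)
    print(len(locally_generated_on(SAMPLE_DMESG, {"eth0"})), "drops of router-originated traffic on eth0")
```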

the load status monitor is not loading

Hello @lstein,

I am trying to configure two wlan connections and run load_balance.pl, but it failed. Below is my configuration:

$ ifconfig

eth0      Link encap:Ethernet  HWaddr 4c:72:b9:31:f5:b3  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:20 Memory:fe200000-fe220000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:14654 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14654 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1873976 (1.8 MB)  TX bytes:1873976 (1.8 MB)

wlan0     Link encap:Ethernet  HWaddr 64:70:02:3b:90:43  
          inet addr:192.168.43.37  Bcast:192.168.43.255  Mask:255.255.255.0
          inet6 addr: fe80::6670:2ff:fe3b:9043/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:185939 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131723 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:214728765 (214.7 MB)  TX bytes:16991765 (16.9 MB)

wlan1     Link encap:Ethernet  HWaddr c8:3a:35:ca:31:ad  
          inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ca3a:35ff:feca:31ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136 errors:0 dropped:0 overruns:0 frame:0
          TX packets:177 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14938 (14.9 KB)  TX bytes:23897 (23.8 KB)

/etc/network/balance.conf

## Net::ISP::Balance configuration file
## edit it as needed to describe your router setup

## This table defines the LAN and IP services.
## Uncomment by removing hash symbols (#) and then edit as needed

## service    device   role     ping-ip            weight
#CABLE        eth0     isp      173.194.43.95      1
#DSL          ppp0     isp      173.194.43.95      1
#LAN1         eth1     lan      
#LAN2         eth2     lan
WLAN0        wlan0    isp      216.58.196.14       2
WLAN1        wlan1    isp      216.58.196.14        1

## These options are passed to lsm, among others.
## the defaults are shown. To change them, uncomment
## and edit.

#warn_email=root@localhost
#interval_ms=1000
#max_packet_loss=15
#max_successive_pkts_lost=7
#min_packet_loss=5
#min_successive_pkts_rcvd=10
#long_down_time=120

# :isp = all ISPs
# :lan = all LANs
# default routing_group = :lan :isp
#forwarding_group=LAN1 :isp
#forwrding_group=LAN2 :isp

Debug output is:

## Including rules from /etc/network/balance/pre-run/pre-run-script.pl ##
## Finished /etc/network/balance/pre-run/pre-run-script.pl ##
echo 0 > /proc/sys/net/ipv4/ip_forward
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush table  1
ip route flush table  2
ip route add  192.168.43.0/24 dev wlan0 src 192.168.43.37
ip route add  192.168.1.0/24 dev wlan1 src 192.168.1.4
ip route add default scope global nexthop via 192.168.43.1 dev wlan0 weight 2 nexthop via 192.168.43.1 dev wlan1 weight 1 
ip route add table 1 default dev wlan0 via 192.168.43.1
ip route add table 1 192.168.43.0/24 dev wlan0 src 192.168.43.37
ip route add table 1 192.168.1.0/24 dev wlan1 src 192.168.1.4
ip rule add from 192.168.43.37 table 1
ip rule add fwmark 1 table 1
ip route add table 2 default dev wlan1 via 192.168.43.1
ip route add table 2 192.168.43.0/24 dev wlan0 src 192.168.43.37
ip route add table 2 192.168.1.0/24 dev wlan1 src 192.168.1.4
ip rule add from 192.168.1.4 table 2
ip rule add fwmark 2 table 2
## Including rules from /etc/network/balance/routes/01.local_routes ##
# enter any routing commands you might want to go in
# for example:
# ip route add 192.168.100.1 dev eth0 src 198.162.1.14

## Finished /etc/network/balance/routes/01.local_routes ##
## Including rules from /etc/network/balance/routes/02.local_routes.pl ##
## Finished /etc/network/balance/routes/02.local_routes.pl ##
iptables -F
iptables -X
iptables -t nat    -F
iptables -t nat    -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT    DROP
iptables -P OUTPUT   DROP
iptables -P FORWARD  DROP

iptables -N REJECTPERM
iptables -A REJECTPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "REJECTED: "
iptables -A REJECTPERM -j REJECT --reject-with icmp-net-unreachable

iptables -N DROPGEN
iptables -A DROPGEN -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "GENERAL: "
iptables -A DROPGEN -j DROP

iptables -N DROPINVAL
iptables -A DROPINVAL -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "INVALID: "
iptables -A DROPINVAL -j DROP

iptables -N DROPPERM
iptables -A DROPPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "ACCESS-DENIED: "
iptables -A DROPPERM -j DROP

iptables -N DROPSPOOF
iptables -A DROPSPOOF -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "DROP-SPOOF: "
iptables -A DROPSPOOF -j DROP

iptables -N DROPFLOOD
iptables -A DROPFLOOD -m limit --limit 1/minute  -j LOG --log-level 4 --log-prefix "DROP-FLOOD: "
iptables -A DROPFLOOD -j DROP

iptables -N DEBUG
iptables -A DEBUG  -j LOG --log-level 3 --log-prefix "DEBUG: "
iptables -t mangle -N MARK-WLAN0
iptables -t mangle -A MARK-WLAN0 -j MARK     --set-mark 1
iptables -t mangle -A MARK-WLAN0 -j CONNMARK --save-mark
iptables -t mangle -N MARK-WLAN1
iptables -t mangle -A MARK-WLAN1 -j MARK     --set-mark 2
iptables -t mangle -A MARK-WLAN1 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i wlan0 -s 192.168.43.0/24 -m conntrack --ctstate NEW -j MARK-WLAN0
iptables -t mangle -A PREROUTING -i wlan0 -s 192.168.43.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i wlan1 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j MARK-WLAN1
iptables -t mangle -A PREROUTING -i wlan1 -s 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j DROPPERM
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A OUTPUT -o wlan0 -j ACCEPT
iptables -A OUTPUT -o wlan1 -j ACCEPT
iptables -A OUTPUT  -j DROPSPOOF
## Including rules from /etc/network/balance/firewall/01.accept ##
## This file contains iptables statements that add additional firewall rules

# allow incoming domain packets -- needed for DNS resolution
iptables -A INPUT   -p udp --source-port domain -j ACCEPT
# allow incoming NTP packets -- needed for net time protocol
iptables -A INPUT   -p udp --source-port ntp -j ACCEPT
## Finished /etc/network/balance/firewall/01.accept ##
## Including rules from /etc/network/balance/firewall/01.accept.pl ##
## Finished /etc/network/balance/firewall/01.accept.pl ##
## Including rules from /etc/network/balance/firewall/02.forward.pl ##
## Finished /etc/network/balance/firewall/02.forward.pl ##
echo 1 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/network/balance/post-run/post-run-script.pl ##
## Finished /etc/network/balance/post-run/post-run-script.pl ##

Is there anything missing in the configuration?

problem in executing script file Build.PL

I am using a Raspberry Pi 3B+ with a Linux OS.
I am trying to implement it using the following website: "http://lstein.github.io/Net-ISP-Balance/"
I use the ppp0 device as a Uc20G GSM module.
I followed the steps according to the site, but "perl ./Build.PL" generates an error like:

"root@raspberrypi:/home/pi/Net-ISP-Balance-master# perl ./Build.PL
Can't locate Module/Build.pm in @inc (you may need to install the Module::Build module) (@inc contains: /etc/perl /usr/local/lib/arm-linux-gnueabihf/perl/5.28.1 /usr/local/share/perl/5.28.1 /usr/lib/arm-linux-gnueabihf/perl5/5.28 /usr/share/perl5 /usr/lib/arm-linux-gnueabihf/perl/5.28 /usr/share/perl/5.28 /usr/local/lib/site_perl /usr/lib/arm-linux-gnueabihf/perl-base) at ./Build.PL line 5.
BEGIN failed--compilation aborted at ./Build.PL line 5."

I do not understand what the problem is.
Any suggestions?

Custom commands scripts not found!

Hello there, I'm trying to execute some custom scripts when the state of an ISP changes.
According to the documentation, it says:
"...Run custom commands when an ISP goes up or down?
You will find a series of directories in $ETC_NETWORK/balance/lsm named "up.d", "down.d" and "long_down.d". "

But I cannot find those folders.

This is the output of the lsm folder:

pi@emp-raspib3:/ $ ls -lsa /etc/network/balance/lsm
total 16
4 drwxr-xr-x 2 root root 4096 Mar 22 02:58 .
4 drwxr-xr-x 7 root root 4096 Mar 22 03:19 ..
4 -r-xr-xr-x 1 root root  842 Mar 22 02:58 balancer_event_script
4 -r-xr-xr-x 1 root root 1386 Mar 22 02:58 default_script
pi@emp-raspib3:/ $

and if I search for those folders:

pi@emp-raspib3:/ $ sudo find / -type d | grep "long_down.d"
pi@emp-raspib3:/ $

Thank you! This is a very useful tool :D

no gateway when ISP return after fails

Hi, Great work!

In my configuration, I have two ISPs and one LAN.
When the second ISP fails and then comes back, the default gateway disappears from the routing table.

syslog:

Sep  7 17:01:34 worldway load_balance.pl[3543]: WAN2 (eth2) is now in state 'down'.
Sep  7 17:01:34 worldway load_balance.pl[3543]: ISP services currently marked up: WAN1

Sep  7 17:31:11 worldway load_balance.pl[3845]: WAN2 (eth2) is now in state 'long_down_to_up'.
Sep  7 17:31:11 worldway load_balance.pl[3845]: ISP services currently marked up: WAN1 WAN2
Sep  7 17:31:11 worldway load_balance.pl[3846]: WAN2 (eth2) is now in state 'up'.
Sep  7 17:31:11 worldway load_balance.pl[3846]: ISP services currently marked up: WAN1 WAN2

Mark probability

Hello,
In my configuration, I have two isp and one lan.
Both ISP have weight set to 1.

As I can see on the iptables generated:

iptables -t mangle -A PREROUTING -i br0 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-ISP1
iptables -t mangle -A PREROUTING -i br0 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-ISP2

Shouldn't they have the same probability ?

Another question: does CONNMARK work with UDP? (I guess not)
Or is there a possible configuration that makes iptables select the same ISP automatically during UDP communications (same source/destination)?

Otherwise Great work and very easy to use !
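Both the listing above and the duplicated PREROUTING chain in the "Duplicated ISP Mark Chain" issue can be evaluated the same way: the statistic rules are tried in order, each MARK-ISPn chain sets the mark and returns, so the last rule that fires wins. The following added example (not code from the project or from either issue) computes the resulting split exactly, shows which per-rule probabilities reproduce arbitrary weights such as the 5:1 and 2:1 settings mentioned elsewhere on this page, and confirms that the duplicated chain sends every new connection to one ISP.

```python
from fractions import Fraction
import random

# (probability, target) pairs in PREROUTING order, as quoted in the "Mark probability" issue:
#   --probability 1   -j MARK-ISP1
#   --probability 0.5 -j MARK-ISP2
EQUAL_WEIGHT_RULES = [(1, "MARK-ISP1"), (Fraction(1, 2), "MARK-ISP2")]

# The NEW-state rules from the duplicated listing in "Duplicated ISP Mark Chain":
# two statistic rules followed by two unconditional (probability 1) copies.
DUPLICATED_RULES = [(1, "MARK-ISP2"), (Fraction(1, 2), "MARK-ISP1"), (1, "MARK-ISP1"), (1, "MARK-ISP2")]


def final_mark_distribution(rules):
    """Exact probability that a NEW connection ends up carrying each target's mark.

    Rule i determines the final mark iff it fires and no later rule fires, because every
    MARK-ISPn chain overwrites the mark (MARK --set-mark, CONNMARK --save-mark) and returns.
    """
    dist = {}
    for i, (p_i, target) in enumerate(rules):
        wins = Fraction(p_i)
        for p_j, _ in rules[i + 1:]:
            wins *= 1 - Fraction(p_j)
        dist[target] = dist.get(target, Fraction(0)) + wins
    return dist


def weights_to_probabilities(weights):
    """Per-rule probabilities that make the overwrite scheme reproduce integer weights:
    p_i = w_i / (w_1 + ... + w_i).  Equal weights give 1 and 1/2, matching the generated rules."""
    probs, running = [], 0
    for w in weights:
        running += w
        probs.append(Fraction(w, running))
    return probs


def simulate(rules, n=20000, seed=1):
    """Monte-Carlo version of final_mark_distribution, handy for comparing against real
    iptables packet counters."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        mark = None
        for p, target in rules:
            if rng.random() < float(p):
                mark = target
        counts[mark] = counts.get(mark, 0) + 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    print("equal weights  :", final_mark_distribution(EQUAL_WEIGHT_RULES))
    print("duplicated     :", final_mark_distribution(DUPLICATED_RULES))
    cable_dsl = list(zip(weights_to_probabilities([5, 1]), ["MARK-CABLE", "MARK-DSL"]))
    print("5:1 rules      :", cable_dsl, "->", final_mark_distribution(cable_dsl))
    print("simulation     :", simulate(EQUAL_WEIGHT_RULES))
```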

ISP fallback

Hello,

I think that I saw a problem: when an ISP comes back, Net-ISP-Balance still considers it down.
The reason seems logical: the default gateway for the "bad" ISP is gone, so the ping stays KO forever.

OK:
0.0.0.0 192.168.8.1 0.0.0.0 UG 203 0 0 eth1
0.0.0.0 192.168.3.1 0.0.0.0 UG 204 0 0 usb0

The second KO:
0.0.0.0 192.168.8.1 0.0.0.0 UG 203 0 0 eth1

And if I restore the default route manually, Net-ISP-Balance is happy and usb0 works again.
Of course, I can use a local ping-ip (no gateway needed) but it's very limited ...

How to peg certain traffic to a certain interface? (VPN tunnels, etc)

First off, excellent software! I have Cable and DSL both routed through a Raspberry Pi3 with this setup. Took a little while to get the USB interfaces worked out correctly, but it is amazing how well it passes between interfaces (I had two kids on PS4s playing Fortnite, cable went down and seamlessly migrated to DSL without a hiccup!). I have it set 5 to 1 metrics favoring the faster 15MBit cable connection over the bonded 1MBit DSL and it seems to balance appropriately.

Ok so the problem is I'd like to bind certain requests to a single interface... specifically when I run CiscoVPN to run my corporate device remotely. It constantly logs me out whenever the underlying interface changes (making it impossible to work). So how might I route all traffic to a specific host (my corporate VPN) to DSL only for example, but let everything else balance over both interfaces?

Thanks again and keep up the good work!

Receiving "Connection reset by Peer" when Wan1 goes down and Wan2 comes up.

Primarily using the brilliantly written program for failover between my primary wan and my backup.

Every time the primary wan goes down from loss of connectivity, which occurs fairly often due to geolocation, I receive the error that "The connection has been reset by the peer." This is occurring often enough that it has become a real irritant. My previous router setup, which was OPNsense, did not have this problem. In order to mitigate this error from becoming too large of a problem, I have adjusted the net.ipv4.tcp_keepalive_time setting, but this has had little effect on the issue.

Anyone know of some way to tweak some settings to prevent this from happening?

Extra LAN subnet static routes confuse interface_info logic

I have an internal LAN configuration that's slightly more complicated than either a simple device/ip/netmask with no gateway or a device/ip/netmask/gateway for all traffic. Specifically, the LAN is divided into part that requires no gateway and a part that does require a gateway because the latter is on a separate subnet and goes through a second router device to get there. Net-ISP-Balance is incorrectly concluding that all traffic has to go through that gateway and that results in it computing and using ip/netmask combinations that are broken.

On the LAN, the directly accessible segment is on 192.168.11.x. The secondary subnet segment is on 192.168.10.x. The internet gateway device sitting between the ISP nodes and the main LAN is IP 192.168.11.20. And the secondary subnet router on the internal LAN is at 192.168.11.23. I have things configured such that the LAN itself is configured as 192.168.10.0/23, which includes both subnets. And there is a static gateway route for 192.168.10.0/24 to that 192.168.11.23 device for that subnet. This allows all computers on either subnet to see and communicate with all devices on either subnet as if they were all on the same subnet, making the secondary gateway transparent (this is all needed because the secondary subnet is connected via a WiFi access point instead of a wired Ethernet cable and so can't just be bridged, as only traffic bound for the WiFi negotiating client gets correctly routed there -- i.e. the other gateway itself).

Dumping the route tables for when things are correctly configured and working:

$ ip route show all
default via 10.161.170.65 dev enp3s0 proto static metric 101 
169.254.0.0/16 dev enp3s0 scope link metric 1000 
10.161.170.64/26 dev enp3s0 proto kernel scope link src 10.161.170.112 metric 101 
192.168.10.0/24 via 192.168.11.23 dev enp1s0 proto static metric 102 
192.168.10.0/23 dev enp1s0 proto kernel scope link src 192.168.11.20 metric 102 

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.161.170.65   0.0.0.0         UG    101    0        0 enp3s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp3s0
10.161.170.64   0.0.0.0         255.255.255.192 U     101    0        0 enp3s0
192.168.10.0    192.168.11.23   255.255.255.0   UG    102    0        0 enp1s0
192.168.10.0    0.0.0.0         255.255.254.0   U     102    0        0 enp1s0

enp1s0 is the LAN. enp3s0 is one of the ISP WAN connections. The other ISP WAN is currently down in this output, as I am mainly trying to sort out the routing on the LAN side.

As you can see in that last entry, anything for 192.168.10.0/23 (i.e. both subnets) goes to interface enp1s0. But things for 192.168.10.0/24 (i.e. the secondary subnet) goes to the gateway at 192.168.11.23. But that is ONLY traffic bound to that secondary subnet. Net-ISP-Balance is incorrectly deciding that all traffic on enp1s0 should go to gateway 192.168.11.23. Here's the commands it's trying if you run it in debug mode:

ip route add  192.168.10.0/24 dev enp1s0 src 192.168.11.20
ip route add  10.161.170.64/26 dev enp3s0 src 10.161.170.112
ip route add default via 10.161.170.65 dev enp3s0
ip route flush table 1
ip route add table 1 default dev enp3s0 via 10.161.170.65
ip route add table 1 192.168.10.0/24 dev enp1s0 src 192.168.11.20
ip route add table 1 10.161.170.64/26 dev enp3s0 src 10.161.170.112
ip rule add from 10.161.170.112 table 1
ip rule add oif enp3s0 table 1
ip rule add fwmark 1 table 1

As you can see, the netmask ranges it is computing are incorrect and not consistent even with the IP address of the interface. That first line should be: ip route add 192.168.10.0/23 dev enp1s0 src 192.168.11.20, using the 255.255.254.0 netmask instead of 255.255.255.0, as the IP 192.168.11.20 is otherwise not consistent with the mask it's trying to use.

I've been putting some debug print statements in the script to get a better idea of what it's seeing and to figure out what is happening. Here's the output through the stages of interface_info:

Find virtual interfaces:
vdev: lo block: 127.0.0.0/8 addr: 127.0.0.1
vdev: enp1s0 block: 192.168.10.0/23 addr: 192.168.11.20
vdev: enp3s0 block: 10.161.170.64/26 addr: 10.161.170.112

Find existing routes:
vdev: enp3s0 nets: (default)  gws: 10.161.170.65
vdev: enp1s0 nets: 192.168.10.0/24 gws: 192.168.11.23

Interfaces:
dev: lo
vdev: lo
running: 1
gw: 127.0.0.1
net: 127.0.0.0/8
ip: 127.0.0.1

dev: enp1s0
vdev: enp1s0
running: 1
gw: 192.168.11.23
net: 192.168.10.0/24
ip: 192.168.11.20

dev: enp3s0
vdev: enp3s0
running: 1
gw: 10.161.170.65
net: 10.161.170.64/26
ip: 10.161.170.112

The problem seems to be that it's confused by the extra static route that routes the 192.168.10.0/24 traffic to the extra 192.168.11.23 gateway. It found the correct block when it was enumerating the virtual interfaces, but then incorrectly picked the netmask and gateway of the static route when computing the overall interface, as that net for enp1s0 should be 192.168.10.0/23 instead of /24 and there shouldn't be a gateway (or the gateway should be showing as 192.168.11.20, or the interface itself).

At the moment, I haven't found the best solution for this. It seems it needs to clue in on the static keyword in the route table and perhaps compare the netmasks of each gateway on each interface to the IP for the interface itself. But that's not totally trivial in the current code.

Since this is somewhat fixed network topology for my setup and isn't dynamically changing, my current workaround is to just manually set up these LAN routes and interface configurations rather than having it automagically figure it out. But it is a shortcoming that needs to be fixed in Net-ISP-Balance, since as it is it's broken and results in a nonworking configuration -- hence my filing this issue.
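One way to keep an extra static route from being mistaken for the interface's own subnet is to take the network only from the kernel-installed route that carries the interface's src address, take a gateway only from a default route, and keep every other route as an additional route to re-add. This is an added example, not the project's interface_info code; its input is the ip route output quoted in the issue.

```python
import ipaddress

# The "ip route show all" output quoted in the issue (copied verbatim as sample input).
SAMPLE_IP_ROUTE = """\
default via 10.161.170.65 dev enp3s0 proto static metric 101
169.254.0.0/16 dev enp3s0 scope link metric 1000
10.161.170.64/26 dev enp3s0 proto kernel scope link src 10.161.170.112 metric 101
192.168.10.0/24 via 192.168.11.23 dev enp1s0 proto static metric 102
192.168.10.0/23 dev enp1s0 proto kernel scope link src 192.168.11.20 metric 102
"""

KEYED = {"via", "dev", "proto", "scope", "src", "metric", "table"}


def parse_ip_route(text):
    """Turn `ip route` lines into dicts: {"dst": ..., "dev": ..., "via": ..., "proto": ..., ...}."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        route, i = {"dst": toks[0]}, 1
        while i < len(toks):
            if toks[i] in KEYED and i + 1 < len(toks):
                route[toks[i]] = toks[i + 1]
                i += 2
            else:  # bare keywords such as "linkdown" or "onlink"
                route.setdefault("flags", []).append(toks[i])
                i += 1
        routes.append(route)
    return routes


def interface_info(routes):
    """Per device: own network and address, optional default gateway, and the remaining routes.

    The subnet comes only from a `proto kernel ... src <ip>` route whose src lies inside
    the prefix (the route the kernel installs from the interface address), never from a
    static `via` route, and the gateway comes only from a `default` route on that device.
    """
    info = {}
    for r in routes:
        dev = r.get("dev")
        if not dev:
            continue
        entry = info.setdefault(dev, {"net": None, "ip": None, "gw": None, "extra": []})
        if r["dst"] == "default":
            entry["gw"] = r.get("via")
        elif r.get("proto") == "kernel" and "src" in r:
            net = ipaddress.ip_network(r["dst"], strict=False)
            ip = ipaddress.ip_address(r["src"])
            if ip in net:  # consistency check between address and mask, as the issue asks for
                entry["net"], entry["ip"] = str(net), str(ip)
            else:
                entry["extra"].append(r)
        else:
            entry["extra"].append(r)
    return info


def route_commands(dev, info):
    """The `ip route add` lines to recreate a device's routes from the derived info."""
    entry = info[dev]
    cmds = []
    if entry["net"]:
        cmds.append(f"ip route add {entry['net']} dev {dev} src {entry['ip']}")
    for r in entry["extra"]:
        via = f" via {r['via']}" if "via" in r else ""
        cmds.append(f"ip route add {r['dst']}{via} dev {dev}")
    return cmds


if __name__ == "__main__":
    info = interface_info(parse_ip_route(SAMPLE_IP_ROUTE))
    for dev, entry in info.items():
        print(dev, "net", entry["net"], "ip", entry["ip"], "gw", entry["gw"])
        for cmd in route_commands(dev, info):
            print("   ", cmd)
```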

Question about routes cache

Hello,

Related to http://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=89aef8921bfbac22f00e04f8450f6e447db13e42 there is no route cache with recent kernels, unfortunately http://lartc.org/howto/lartc.rpdb.multiple-links.html is based on route cache method

This will balance the routes over both providers. The weight parameters can be tweaked to favor one provider over the other.

Note that balancing will not be perfect, as it is route based, and routes are cached. This means that routes to often-used sites will always be over the same provider.

So my question is: is there an impact for Net-ISP-Balance? Are there broken TCP sessions?
E.g. I mean, a connection to an HTTPS website via ISP1 suddenly moved to ISP2.

/var/lib/foolsm folder not created during install Rocky Linux 8.5 (Redhat clone)

As the subject says. All other parts of the installation seem to work -- but I saw this: (Every 5 minutes)

/var/log/messages:Mar 9 08:48:29 xxxxxxxxxxx foolsm[16215]: plugin_export.c: plugin_export_munin: failed to open file /var/lib/foolsm/config.rtt for write

With a bit of exploration, the reason was that the foolsm folder did not exist. I created the folder by hand and a few minutes later it was populated with a variety of data files.

Note: Load balancing works fine across three ISP interfaces with or without the existence of this folder.

Linux version 4.18.0-348.12.2.el8_5.x86_64 ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-3) (GCC)) #1 SMP Wed Jan 19 17:53:40 UTC 2022

[Feature Request] Remove sticky interface

When using a VPN and Net-ISP in balanced mode, all traffic goes out a single interface. I tried removing the iptables entry that sends packets to the same interface, but they are added back automatically. It would be nice to have the option to remove this, so that traffic going to the same host can be distributed over all interfaces. However, I understand that this would only be plausible for situations where all traffic is going to a single endpoint such as a VPN/proxy.

Is there configuration for a failover-only ISP?

I have a situation where it would be nice to have load balancing, but for one of the ISPs I'd like to just have failover for it in case all others are down, because it's charged differently and it's expensive.

Can I do that with Net-ISP-Balance?

Also, thanks for the project!

Multiple PPPoE connections

Is there a way to support dual PPPoE connections with this system? I've got it working using two VDSL modem/routers but then I'm doing dual NAT which isn't ideal!

I've got both individual PPPoE connections working with modems (both on separate interfaces) but as PPPoE doesn't have a default gateway as such I think something isn't setting the routes up for the ping check.

I've tried manually using 8.8.8.8 as one ping check, the other PPPoE connection using 8.8.4.4 and adding multiple routes for this like:

ip route add 8.8.8.8 dev ppp0
ip route add 8.8.4.4 dev ppp1

This means that ping -I ppp0 8.8.8.8 works, as does ping -I ppp1 8.8.4.4 - and I see LSM thinking the connection is up briefly, but then I get a mail to root that it's gone down and it appears to remove my custom route overrides for this.

For now I'll go back to dual-NATting but it would be awesome if I can get this working with PPPoE instead!

Loadbalance over multiple OpenVPN connections with one interface

Hi!

Impressive project! I've been trying to accomplish something similar with just iptables and it's not easy!

I have a bit of a special case that I'm trying to achieve and would love your input.

Basically I have just the one ISP connection reachable via my Pfsense router, but multiple OpenVPN connections I'd like to load balance over. I also need to run NAT/MASQUERADE on the IPs I receive on the OpenVPN interfaces. I know you have provisions for running multiple OpenVPN connections over multiple ISP connections, but my first and admittedly sloppy testing couldn't get it up and running. I get:

load_balance.pl
No ISP services seem to be up. Restoring routing tables and firewall.
RTNETLINK answers: File exists
RTNETLINK answers: File exists
......
RTNETLINK answers: File exists
RTNETLINK answers: Network is unreachable
Starting lsm link status monitoring daemon

I can give the server (VM) running Net-ISP-Balance multiple virtual interfaces if needed but preferably they all need to be on the same subnet (my LAN).

VPN Client

Hi,
Is it possible to install an OpenVPN client on the router so that all traffic going out of / coming to the LAN is sent through that client tunnel? If possible, how could it be configured?

Thanks

debug mode not working

Hoi!

I am setting up my dual-isp router, but still using only one of the internet connections while doing that.

For some reason the --debug is not working. It acts like a verbose flag, meaning all the rules and routes are getting dumped to stdout, but they are still executed and the lsm is started.

While this is only a minor bug, it is still tremendously annoying, since I have to take down everything by hand and start my normal internet again.

blue skies
Jan

How uninstall this?

Hi guys!
I installed this software on my Debian distro but I don't know how to uninstall it...
Please help me, because I use my PC for work.
Thanks in advance!
Regards

How to rapidly route internet back to ISP1 when its back online?

Hello there! Thanks for this amazing tool.
I have Cable Internet (ISP1) and 3G modem (ISP2) routed through a Raspberry Pi3b with this setup.

When Cable Internet (ISP1) goes down, 3G modem (ISP2) gets active and it works well.
But when Cable Internet (ISP1) is back online, the active connection keeps using 3G modem (ISP2).

Is there a setting to rapidly route internet back to ISP1 when it's back online?

Thanks!

add_route with masquerading gets cleared

Hello and thank you for your work!

The documentation, at the point
"...Allow machines on the LAN to access the control interface of a cable and/or DSL modem attached to the router?",
states:
Create the file /etc/network/balance/routes/01.modem_route.pl containing the following:

    $B->add_route('192.168.1.1/32'=>'eth2',1);

Unfortunately, doing this adds rules for both ip route and iptables before iptables initialization, so the rules are cleared out, with the result of working routing but broken firewall rules.
This also applies to local routes.
I've managed to circumvent the problem by manually running a script on post-run.

I think it could be great to move both ip route and iptables initialization just after pre-run as it could solve all these problems imo. What do you think?

Have a nice day,
Eduard Roccatello

pre_run_rules runs too late to bring up tun0/tun1 devices

Trying to get the multi-openvpn recipe working from the documentation - did commit 77af414 break this?

    $self->_collect_interfaces_retry();
    if ($self->isp_services) {
        $self->pre_run_rules();

From what I can tell, isp_services does not contain tun0/tun1 because they have not been brought up yet by the pre_run_rules script, and collect_interfaces can't mark them as containing a valid device. So it always just exits with no ISP interfaces and quits without trying to bring up the tun devices.

Something like

    $self->pre_run_rules();
    $self->_collect_interfaces_retry();
    if ($self->isp_services) {

gets me closer but I have to admit to not understanding the code well enough yet to figure out what needs to be done to get the routing working after that. tun0 and tun1 don't have predictable addresses when they come up so I can't just add a custom route.

Warning message when building

Hi,

I've got a warning message when building using Build.PL:

perl ./Build.PL
WARNING: the following files are missing in your kit:
        META.json
        META.yml
Please inform the author.

Created MYMETA.yml and MYMETA.json
Creating new 'Build' script for 'Net-ISP-Balance' version '1.18'

Build essential and perl v5.20.2 are installed.

I'm working on a Raspberry PI with Raspbian Jessie if it can help.

It's only a warning and the files are created, but I was told to inform the author :)

No failover when in balanced mode

Hello,
I have an issue with the balanced mode. I read in the balance.conf file that when we are in balanced mode and a link is down, the other will still be able to forward the packets. But when I tried to simulate this, I couldn't ping anything anymore. I also reused load_balance.pl and the ping was going through again for a short period of time.
If you need further explanations about my configuration or the network we deployed I'm available.
Thanks in advance

[Feature Request] Update instructions to support nftables.

Lots of Linux distros are transitioning to nftables from iptables. It would be useful to include instructions supporting nftables.

These iptables rules should have nftables counterparts:

# iptables -P FORWARD ACCEPT
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
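As an added example (not from the project or the issue author), here is an nftables counterpart of the two iptables commands above, written as a ruleset file loadable with `nft -f`. `ppp0` is the ISP interface named in the request; `eth1` as the LAN-side interface is an assumption. The forward chain deliberately does not reproduce the wide-open `-P FORWARD ACCEPT` policy: it accepts LAN-to-ISP traffic and return traffic only, which is what a masquerading router actually needs.

```nft
#!/usr/sbin/nft -f
# Added example: nftables equivalent of
#   iptables -P FORWARD ACCEPT
#   iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Assumptions: ppp0 is the ISP link (from the issue); eth1 is the LAN
# interface (assumed name). Load with: nft -f this-file

table ip filter {
    chain forward {
        # The literal counterpart of "-P FORWARD ACCEPT" would be
        # "policy accept" with no rules. Instead: default drop, allow
        # reply traffic for existing connections, and allow new
        # connections only from the LAN towards the ISP link.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "ppp0" accept
    }
}

table ip nat {
    chain postrouting {
        # Counterpart of "-t nat -A POSTROUTING -o ppp0 -j MASQUERADE".
        # masquerade (rather than snat to a fixed address) is the right
        # choice for ppp0 because its address changes on every dial-up.
        type nat hook postrouting priority 100; policy accept;
        oifname "ppp0" masquerade
    }
}
```

A few notes on using this alongside load_balance.pl: the file intentionally has no `flush ruleset` line, because on a host where `iptables` is the nft-backed `iptables-nft`, flushing would also wipe the tables the script itself creates; check the result with `nft list ruleset`. If the distro ships `iptables-nft`, the original two iptables commands already land in nftables and these rules are only needed once the script's rule generation is ported.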
