[RndTbl] Load-balancing / dual-WAN / multi-WAN routers or other solutions

Adam Thompson athompso at athompso.net
Tue Apr 2 13:46:33 CDT 2013


On 2013-04-02 01:50, Trevor Cordes wrote:
> On 2013-03-31 Robert Keizer wrote:
>> Keep in mind that turning off rp filter means that packets which
>> match an IP for any interface will be accepted on all.
>
> Is that what it does?  I just remember multihome just would not work at
> all until I set rp to 0.

"RP" stands for "Reverse Path".
The RP Filter filters out any traffic that could/should not reasonably 
have arrived on that interface, based on the routing tables.
So if you receive a packet from, say, 8.8.8.8, it will be dropped 
UNLESS there's an active route pointing to 8.8.8.8 out that interface.

> Also, I've found in my tests that the packets always come back to the
> correct modem.  I've never seen any randomness; packets coming back
> into the wrong modem.

That would be essentially impossible in your case.  It can and does 
happen with multihomed addresses that are portable, i.e. the same IP 
address(es) are reachable through more than one path (or ISP).

> I have no idea how iptables/netfilter and/or the kernel even would react
> to such packets if they did exist.

With rp_filter=0, they would be accepted.
With rp_filter=1, they might be accepted, depending on your routing 
table.

> Either way, if it's not a security issue and if it all works as-is, I'm
> not too concerned :-)

Well, a spoofing risk does exist but in a multi-homed scenario is 
almost irrelevant by design.  If you're simultaneously connected to Shaw 
and MTS, you could in theory filter Shaw's netblock on the MTS link (and 
vice-versa) on the assumption that the "best" route from any internal 
Shaw IP to you would be via the Shaw cable modem and never the MTS DSL 
modem.
It's a pretty small risk, IMHO.  The design of both networks makes it 
very difficult to do that kind of spoofing.

-Adam
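
Worked example, added here and not part of the thread: a small Python model of the reverse-path check Adam describes, run against a constructed routing table for a dual-WAN box (the interface names wan0/wan1/lan0, the prefixes and the blackhole route are assumptions). It also covers Linux's loose mode (rp_filter=2), which the thread does not mention, and shows why strict mode drops replies arriving on the second WAN while mode 0 also lets spoofed LAN sources through.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed routing table for a dual-WAN router like the one discussed.
# Entries are (prefix, outgoing interface); iface None models a Linux
# "blackhole" route, i.e. a source that is deliberately unroutable.
# Simplification: one table, no policy-routing rules.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan0"),       # default via cable modem
    (ipaddress.ip_network("192.168.1.0/24"), "lan0"),  # internal LAN
    (ipaddress.ip_network("10.0.0.0/8"), None),        # blackhole (bogon filter)
]


def best_route(addr: str) -> Optional[Tuple[ipaddress.IPv4Network, Optional[str]]]:
    """Longest-prefix match, like a FIB lookup. Returns (prefix, iface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in ROUTES if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def rp_filter_accepts(src: str, in_iface: str, mode: int) -> bool:
    """Model of net.ipv4.conf.<if>.rp_filter for a packet with source src
    arriving on in_iface: 0 = off, 1 = strict (the route back to src must
    leave via in_iface), 2 = loose (src must be reachable via some interface)."""
    if mode == 0:
        return True
    route = best_route(src)
    reachable = route is not None and route[1] is not None
    if mode == 2:
        return reachable
    if mode == 1:
        return reachable and route[1] == in_iface
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def demo() -> dict:
    """Verdicts (mode 0, mode 1, mode 2) for a few constructed packets."""
    cases = [
        ("8.8.8.8", "wan0"),      # reply arriving on the primary WAN
        ("8.8.8.8", "wan1"),      # reply arriving on the second WAN
        ("192.168.1.5", "wan0"),  # LAN address spoofed from the Internet
        ("10.1.2.3", "wan1"),     # bogon source hitting the blackhole route
    ]
    return {(src, ifc): tuple(rp_filter_accepts(src, ifc, m) for m in (0, 1, 2))
            for src, ifc in cases}
```

Only strict mode rejects the reply on wan1 (the "multihome would not work until rp=0" symptom), and only a blackhole route makes loose mode reject anything once a default route exists.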
