Routing based on source IP address
tszshingt opened this issue · 0 comments
I am looking for some recommendations to do simple source-based routing with Faucet. I am using Open vSwitch and dealing with virtual machines (or containers) (VMs) at the moment. Here is what I need:
- I have two routers to access the internet: Router A and Router B
- I have an external process to decide whether each VM will access internet through Router A, through Router B, or have no internet at all. This decision is dynamic and could change over time.
- Each VM should only see a fixed gateway for internet. The external process will not be able to update the route table inside the VM.
- Ideally, the external process will only need to update the Faucet config file to implement the routing changes.
I don't see a native option to do source-based routing in Faucet. I came up with the following 2 options. They seem to work based on my testing. But I am looking for some feedback in terms of performance and reliability, and also if there are better and simpler ways to achieve what I need in Faucet.
1. For internet-bound packets, update the `eth_src` and `eth_dst` fields and output the packet to the port connected to the router. Enable inter-VLAN routing so that the VM can receive the return packet.
This is simple to configure, but the downside is that I need to hard-code the MAC addresses of Router A and Router B. I need to have another process to detect when the routers' MAC addresses change (which should be rare, but it could happen) and update the config file accordingly.
The following is a snippet of the config file to route traffic to Router A.
```yaml
routers:
  router-1:
    vlans: [Local, RouterA, RouterB]
acls:
  route-internet:
    - rule:
        eth_type: 0x0800
        ipv4_src: 10.0.1.1
        eth_dst: "00:00:00:00:00:01"
        actions:
          output:
            - pop_vlans: True
            - set_fields:
                - eth_src: "00:00:00:00:AA:01" # MAC of VLAN 100 Faucet MAC
                - eth_dst: "AA:AA:AA:AA:AA:AA" # MAC of Router A
            - port: 2 # port for Router A
```
2. Set up two Linux namespaces (with different route tables) for routing to either Router A or Router B. For internet-bound packets, direct the next hop to either vRouterA or vRouterB. The Linux route table will handle the routing accordingly (both outbound and return packets). Inter-VLAN routing in Faucet is not needed; instead, inter-VLAN routing is done through the route tables in these two Linux namespaces.
This does not rely on hard-coded MAC addresses, but now I have to make sure these two Linux namespaces are working. There are also more components which could cause issues.
The following is a snippet of the config file to route traffic to Router A.
```yaml
acls:
  route-internet:
    - rule:
        eth_type: 0x0800
        ipv4_src: 10.0.1.1
        eth_dst: "00:00:00:00:00:01"
        actions:
          output:
            - set_fields:
                - eth_dst: "00:00:00:00:01:99" # MAC of vRouterA in Linux namespace
          allow: 1
```
Thank you!
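As an added example (not part of the original issue and not Faucet's own code), here is how the "external process" described above could generate the option 1 ACL from a VM-to-router assignment map, appending a default drop rule so that a VM with no assignment gets no internet rather than falling through. The router MACs, ports and per-VLAN Faucet MACs are constructed placeholders, and `00:00:00:00:00:01` is assumed to be the Local VLAN's Faucet MAC (the fixed gateway every VM sees).

```python
# Constructed example generator for the external process; values below are placeholders.
FAUCET_GW_MAC = "00:00:00:00:00:01"  # assumed: Local VLAN Faucet MAC, the gateway VMs see
ROUTERS = {  # constructed: real router MACs, Faucet MACs and ports come from the deployment
    "A": {"mac": "AA:AA:AA:AA:AA:AA", "port": 2, "faucet_mac": "00:00:00:00:AA:01"},
    "B": {"mac": "BB:BB:BB:BB:BB:BB", "port": 3, "faucet_mac": "00:00:00:00:BB:01"},
}


def vm_rule(vm_ip, router):
    """One ACL rule: this VM's IPv4 frames addressed to the gateway MAC get Faucet's MAC
    as source and the router's MAC as destination, then leave via the router port."""
    return {"rule": {
        "eth_type": 0x0800, "ipv4_src": vm_ip, "eth_dst": FAUCET_GW_MAC,
        "actions": {"output": [
            {"pop_vlans": True},
            {"set_fields": [{"eth_src": router["faucet_mac"]}, {"eth_dst": router["mac"]}]},
            {"port": router["port"]},
        ]},
    }}


def build_acl(assignments, routers=ROUTERS):
    """assignments maps VM IP -> "A", "B" or None. Faucet evaluates rules in order, so the
    per-VM forwarding rules come first, then a drop for any other IPv4 frame aimed at the
    gateway MAC (unassigned VMs and unknown source IPs get no internet), then allow."""
    rules = [vm_rule(ip, routers[r]) for ip, r in sorted(assignments.items()) if r]
    rules.append({"rule": {"eth_type": 0x0800, "eth_dst": FAUCET_GW_MAC,
                           "actions": {"allow": 0}}})
    rules.append({"rule": {"actions": {"allow": 1}}})  # local (non-gateway) traffic
    return {"acls": {"route-internet": rules}}


def scalar(v):
    return f'"{v}"' if isinstance(v, str) else str(v)  # MACs/IPs contain ':' or '.', so quote


def to_yaml(node, indent=0):
    """Minimal YAML emitter for the nested dict/list tree above (avoids a PyYAML dependency)."""
    pad = "  " * indent
    if isinstance(node, dict):
        return "\n".join(f"{pad}{k}:\n{to_yaml(v, indent + 1)}" if isinstance(v, (dict, list))
                         else f"{pad}{k}: {scalar(v)}" for k, v in node.items())
    if isinstance(node, list):  # a mapping item's first key shares the "- " line
        return "\n".join(f"{pad}- {to_yaml(item, indent + 1).lstrip()}" for item in node)
    return pad + scalar(node)


if __name__ == "__main__":
    print(to_yaml(build_acl({"10.0.1.1": "A", "10.0.1.2": "B", "10.0.1.3": None})))
```

Writing the emitted text over the `acls:` section of the Faucet config and reloading Faucet is then the only step the external process needs when an assignment changes.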