My post on split-routing on OpenWRT has been incredibly popular, and led to many people implementing split-routing, whether or not they had OpenWRT. While it's fun to have an exercise as a reader, it led to me having to help lots of newbies through porting that setup to a Debian / Ubuntu environment. To save myself some time, here's how I do it on Debian:
Background, especially for non-South Africa readers: Bandwidth in South Africa is ridiculously expensive, especially International bandwidth. The point of this exercise is that we can buy "local-only" DSL accounts which only connect to South African networks. E.g. I have an account that gives me 30GB of local traffic / month, for the same cost as 2.5GB of International traffic account. Normally you'd change your username and password on your router to switch account when you wanted to do something like an Debian apt-upgrade, but that's irritating. There's no reason why you can't have a Linux-based router concurrently connected to both accounts via the same ADSL line.
Firstly, we have a DSL modem. Doesn't matter what it is, it just has to support bridged mode. If it won't work without a DSL account, you can use the Telkom guest account. My recommendation for a modem is to buy a Telkom-branded Billion modem (because Telkom sells everything with really big chunky, well-surge-protected power supplies).
For the sake of this example, we have the modem (IP 10.0.0.2/24) plugged into eth0 on our server, which is running Debian or Ubuntu, doesn't really matter much - personal preference. The modem has DHCP turned off, and we have our PCs on the same ethernet segment as the modem. Obviously this is all trivial to change.
You need these packages installed:
You need ppp interfaces for your providers. I created
unit 1 makes a connection always bind to "ppp1". Everything else is pretty standard. Note that only the international connection forces a default route.
/etc/ppp/pap-secrets I added my username and password combinations:
You need custom iproute2 routing tables for each interface, for the source routing. This will ensure that incoming connections get responded to out of the correct interface. As your provider only lets you send packets from your assigned IP address, you can't send packets with the international address out of the local interface. We get around that with multiple routing tables. Add these lines to
Now for some magic. I create
/etc/ppp/ip-up.d/20routing to set up routes when a connection comes up:
That script loads routes from
/etc/network/routes-local-dsl. It also sets up source routing so that incoming connections work as expected.
Now, we need those route files to exist and contain something useful. Create the script
/etc/cron.daily/za-routes (and make it executable):
It downloads the routes file from cocooncrash's site (he gets them from
local-route-server.is.co.za, aggregates them, and publishes every 6 hours). Run it now to seed that file.
Now some International-only routes. I use IS local DSL, so SAIX DNS queries should go through the SAIX connection even though the servers are local to ZA.
/etc/network/routes-intl-dsl contains SAIX DNS servers and proxies:
Now we can tell
/etc/network/interfaces about our connections so that they can get brought up automatically on bootup:
For DNS, I use dnsmasq, hardcoded to point to IS & SAIX upstreams. My machine's
/etc/resolv.conf just points to this dnsmasq.
So something like
If you haven't already, you'll need to turn on ip_forward. Add the following to
/etc/sysctl.conf and then run
sudo sysctl -p:
Finally, you'll need masquerading set up in your firewall. Here is a trivial example firewall, put it in
/etc/network/if-up.d/firewall and make it executable. You should probably change it to suit your needs or use something else, but this should work:
I had an interesting discussion with “bonnyrsa” in #ubuntu-za today. He’d re-arranged his partitions with gparted, and copied and pasted his / partition, so that he could move it to the end of the disk.
However this meant that he now had two partitions with the same UUID. While you can imagine that this is the correct result of a copy & paste operation, it now means that your universally unique ID is totally non-unique. Not in your PC, and no even on it’s home drive.
Ubuntu mounts by UUID, so now how do we know which partition is being mounted?
However neither were correct.
Mounting /dev/sda4 (ro) produced “/dev/sda4 already mounted or /mnt busy”.
Aha, so we must be running from /dev/sda4.
/dev/sda2 mounted fine, but then wouldn’t unmount: “it seems /dev/sda2 is mounted multiple times”.
I got him to reboot, change /dev/sda2s UUID, and reboot again (sucks). Then everything was better.
This shouldn’t have happened. Non-unique UUIDs is a really crap situation to be in. It brings out bugs in all sorts of unexpected places. I think parted should (by default) change the UUID of a copied partition (although if you are copying an entire disk, it shouldn’t).
I’ve filed a bug on Launchpad, let’s see if anyone bites.
PS: All UUIDs in this post have been changed to protect the identity of innocent Ubuntu systems (who aren’t expecting a sudden attack of non-uniqueness).
Even before school, my future interests were clear: I tied-up the house with wires and made “electrical gadgets” out of old electrical junk. I remember being given my first battery, light bulbs, and wires. From there it was downhill.
My first computer was a HP 9816. It was a year older than me, had a 6800 Processor, 128k RAM, and an (external) pair of single sided 3.5” floppy drives.
It had a ROM BASIC board, and a set of VisiCalc floppies (with manual shutters), so I spent my time reading it’s comprehensive manuals, making mazes in Visicalc (out of #s), writing games in BASIC, and otherwise abusing the poor machine. It had really fun, easy graphics, which drew slowly enough that you could learn a lot. On the whole, a nice machine — I wish I knew what has happened to it and it’s pile of manuals…
From there, I migrated to a 386 with hercules graphics and DOS (that I shared with a friend). And eventually, Windows. I toyed with programming in BASIC, Visual Basic and Pascal. But mostly used my computers for gaming (and messing around with things). Most of the software I wrote around this time was in Psion OPL, on my inherited Series 3a.
I was getting just a little peeved with my MS Windows desktop. When one has a 500MiB HDD, fitting Windows 98, Office, and Visual Studio on it and still having a productive machine is difficult. It was obvious that there were big problems with Windows (and Microsoft software in general). I became very Anti-Microsoft, although I knew of no alternatives and hypocritically stuck with the Microsoft way of life.
At the local computer trade show, my friends and I would paste “Microsoft Sucks!” stickers (provided by a nearby labelling store’s demonstration printers ;-) all over the Microsoft stand. We’d also torment the Microsoft demonstrators and shout support when they asked “Who uses Lotus 1-2-3?” — basically, we where their worst nightmare…
Quite soon after my family capitulated to Internet access, I heard about Linux, and started to read about it online. I avidly read anything I could get my hands on, and tried a few shell accounts (BSD presumably), but never got anywhere near installing it myself.
One day, a computer technician was working on the school office PCs (which I considered to be my domain) and we chatted. He asked me if I used Linux, and offered to get me a CD. I’ve still got it — RedHat 5.1.
I installed it, played around with it for a while, and then abandoned it. For the next couple years after, I would try it again every now and again, especially when I could get my hands on a newer version, but never too seriously, because I didn’t have a decent internet connection, know how to program C, or have any real Linux-using friends. And of course, playing XBill only keeps you entertained for so long…
Later, I got involved in building my school’s Computer Room (from a pile of spare parts and dead PCs, plus the insurance payout for 2 stolen [dead] PCs). I knew that this would be a good place to use Linux, because I could share the dial-up internet connection more reliably, and run a local mail server. It would make much better use of our very limited resources.
So, in the holidays I took the fastest machine home, scavenged some more RAM, and taught myself how to configure everything from scratch.
When I came across the sendmail.cf file, I got really frightened and switched to qmail. The same happened when I looked into BIND, and I used djbdns.
After about 6 months of administering this machine (still RH), I hit my first “dependency hell.” At about this point I was getting involved in our LUG, and Tom gave me a copy of Debian woody — I have never looked back!
Of course the next step was to network my home — this taught me almost everything else that I needed to know to be a Linux admin… I still have the same server that I started with (well same Debian install, case, and motherboard - everything else has died along the way).
With the release of Ubuntu Breezy, I decided that it was worth a look at, and installed it on my mother’s LTSP server and my laptop.
This wasn’t all bliss, Ubuntu is still a little rough on the edges (although less so than Debian, and in different places). However, I was pretty happy with it. That doesn’t mean that I run it on my main desktop, but I do on my laptops, and I install it on other people’s machines where possible.
To get a project I’m involved in, ibid, into Debian and Ubuntu, I got started on Debian Development. I am a Debian Developer, maintaining a handful of packages, and do some Universe gardening in Ubuntu.
Now I only use Linux (and only Debian +derivatives). I maintain several networks under the guise of Hybrid, and co-maintain our LUGs servers (mailing lists, ftp/rsync mirror, and a freedom toaster).
I’m very happy with my software choices, and look forward to a Linuxy future :-)
I’m now sitting in Arniston, on a horribly slow GPRS connection, after *camp, which was this weekend, at AIMS. It was a BarCamp-like “unconference”, organised by the geekdinner crowd. I put off having the weekend at Arniston for *camp, and for me, I think that was worth it.
The event was really good. I haven’t been very involved in the organising, and didn’t come prepared with a talk (just equipment). At the start, it felt like there were never going to be enough talks to keep us going, but as soon as it started, it began rolling, and continued for 2 days. The talks were varied, from technical, to psychological, to practical. I was really impressed. The quality of the talks was quite high - I was rarely bored (although I did have IRC distractions).
As usual, I had Jonathan Carter’s camera, and videoed everything. I’m going to go home to around 8 hours of video that needs editing, synchronizing, encoding, and uploading to archive.org. It’ll take a while, guys, be patient.
Today, I got involved with setting up the lab for practical demos. We had 9 PCs lent, and needed Ubuntu on them. Of course, the natural approach is netinstall - I’m familiar with netinstalling Ubuntu, and it is a great way to set up a pile of computers. However, we ran into problem after problem.
routerDHCP option. This seemed to break dnsmasq - PCs stopped accepting leases and DHCPDECLINED them. I’ve never seen that before. So I had to route through my laptop - no biggie.
So, lesson for next time, test your netboot setup in advance, don’t assume that a mirror will be in working shape. We should have set up the lab on day one, for use on day 2.
The upshot of this is that I didn’t see any talks today (excepting a practical in the lab, on scribus, once it was up). I’ll have to watch the videos later.
Now, I’m going to enjoy a few days in Arniston, and then come home to graduate.
Quick post. If you have multiple IP addresses (i.e. a range) assigned to you server, and you want to listen on all of them (i.e. multiple SSL sites), then rather than using the ancient eth0:1 syntax, you can hack
/etc/network/interfaces to use iproute2 properly.
Assuming the IP 10.2.3.4, with the extra range of 10.5.4.110-10.5.4.118 (yes these extra ranges often ignore class-boundries):
Yes, it’s ugly as shit, but I can’t think of a neater way to do it.
Update: Better solution