Score:0

How to access Ubuntu server on two different public IPs


I'm struggling with the following problem:

Background info: Ubuntu 20.04 on Dell R710

I have 2 different internet connections with 2 ISP-supplied routers. I've connected eno2 to the ISP1 router and get the 192.168.2.102 IP via a permanent DHCP lease. I've connected eno3 to the ISP2 router and get the 192.168.88.254 IP via a permanent DHCP lease.

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether d4:be:d9:ee:7b:75 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d4:be:d9:ee:7b:77 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.102/24 brd 192.168.2.255 scope global dynamic noprefixroute eno2
       valid_lft 41588sec preferred_lft 41588sec
    inet6 fe80::d6be:d9ff:feee:7b77/64 scope link
       valid_lft forever preferred_lft forever
4: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d4:be:d9:ee:7b:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.254/24 brd 192.168.88.255 scope global dynamic noprefixroute eno3
       valid_lft 486sec preferred_lft 486sec
    inet6 fe80::d6be:d9ff:feee:7b79/64 scope link
       valid_lft forever preferred_lft forever
5: eno4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether d4:be:d9:ee:7b:7b brd ff:ff:ff:ff:ff:ff
...

netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.88.1    0.0.0.0         UG        0 0          0 eno3
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eno2
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eno2
192.168.88.0    0.0.0.0         255.255.255.0   U         0 0          0 eno3

The problem is that I can access the server on only 1 (random) public IP at a time from outside the LAN. If 77.xx.xx.158 (ISP 2) can be accessed, 5.xx.xx.55 (ISP 1) is inaccessible and vice versa, randomly after each boot.

I need to be able to access the server on any of the public IPs at any given time.

Thank you in advance for any possible solution.

FedKad
This is normal, since packets may be routed through any of the two interfaces (and there is no preference). How do you "access" your server? If it is ssh, you may start one instance of ssh listening on a port say 22 and bound to one interface, and another instance listening to a different port (say 2222) and bound to the other interface.
Score:1

You have two default routes in collision:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.88.1    0.0.0.0         UG        0 0          0 eno3
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eno2

This is an abnormal situation. Your PC/server is confused because there is no exact rule for deciding which of the two interfaces should be used as a gateway to the Internet. The routing decision depends on metrics set dynamically on interfaces or on other factors, which can change randomly. Therefore sometimes eno2 and sometimes eno3 is preferred as the main gateway.

I suppose incoming packets from outside reach your server the right way, according to the IP address used as the destination (from the outside user's point of view).

  • SYN TCP packet sent from Internet to ISP1 public address goes in through eno2
  • SYN TCP packet sent from Internet to ISP2 public address goes in through eno3

You can check it using Wireshark or Tshark or tcpdump.

But the response packet (SYN ACK TCP) is sent back ONLY via the MAIN GATEWAY selected by the system at that moment. Only one of the two gateways is preferred, and the second IS NOT USED at all at the same time (unless you do some special setting). This means that a connection targeted at one interface works fine, but the second connection is answered through the wrong interface. This situation is called "asymmetric routing": a packet comes in via eno3 and the response leaves via eno2, for example.

Providers usually check and discard such packets because they look like a network attack: the source IP address does not match the network address of the source interface.

The routing decisions of your server DO NOT depend on the interface used for the incoming packets, but on the currently preferred main outgoing gateway. The incoming and outgoing paths differ for some connections, and that is the reason for your problem.

The situation can be solved by advanced routing (e.g. policy-based routing with special separate routing tables/rules for each interface). Search for iproute2 examples.

Maybe these links can help you:

https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System

https://tweenpath.net/multiple-default-gateways-system/

Dan Hendli
Thank you! I'll be looking into this
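
The policy-based routing the answer points to, written out for the interfaces and addresses in the question. This is an added example, not part of the original answer; the table numbers (102, 188), the rule priorities and the function names are arbitrary choices made here. It prints the iproute2 commands by default and runs them only with APPLY=1 as root.

```shell
#!/bin/sh
# Source-based policy routing: replies leave through the uplink whose
# address they are sourced from, whatever the main table's default route is.

# pbr_commands IFACE LOCAL_IP GATEWAY SUBNET TABLE
# Prints the three iproute2 commands for one uplink.
pbr_commands() {
    iface=$1 local_ip=$2 gateway=$3 subnet=$4 table=$5
    # Numeric table ids only, so no /etc/iproute2/rt_tables entry is needed
    # and reserved names such as "main" cannot be overwritten by accident.
    case $table in
        ''|*[!0-9]*) echo "bad table id: $table" >&2; return 1 ;;
    esac
    # On-link subnet, so the gateway is reachable inside this table.
    echo "ip route replace $subnet dev $iface src $local_ip table $table"
    # Default route of this uplink only.
    echo "ip route replace default via $gateway dev $iface table $table"
    # Pick the table by source address; priority is below main's 32766,
    # so this rule is evaluated before the main table.
    echo "ip rule add from $local_ip/32 lookup $table priority $((1000 + table))"
}

# Both uplinks, with the values shown in the question's `ip a` / `netstat -rn`.
all_commands() {
    pbr_commands eno2 192.168.2.102  192.168.2.1  192.168.2.0/24  102 &&
    pbr_commands eno3 192.168.88.254 192.168.88.1 192.168.88.0/24 188
}

# Dry run unless APPLY=1 is set; report commands that fail
# (for example a rule that already exists).
run() {
    all_commands | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || echo "failed: $cmd" >&2
        else
            echo "$cmd"
        fi
    done
}

run
```

After applying, `ip rule show` and `ip route show table 188` confirm the result. The settings do not survive a reboot or an interface restart, so the same routes and rules have to be carried into the system's network configuration.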