Can we do PBR on a server (Windows/Linux)?

mario_kmc
Level 1

Hello all,

I'm facing a problem on multi-interface servers where they reply on the default gateway output interface regardless of where the request packets are received but keeping the request destination IP address as the source.

This of course is creating asymmetric routing and firewall anti-spoofing is blocking packets.

Is there a way on Windows/Linux OS to make so that the reply packets are sent on the same interface they are received in?

Thank you all

Mario

1 Accepted Solution

Accepted Solutions

Steve Fuller
Level 9

Hi Mario,

I think the behaviour you're seeing is what RFC 1122 Requirements for Internet Hosts -- Communication Layers refers to as the Weak ES model, or more commonly, the weak host model. This is where the host may send a packet out an interface with a source IP address that is not assigned to the outgoing interface. A host does this because it considers an IP address as belonging to the host, and not to the interface on which the IP is assigned.

To change how your hosts operate you would need to look at changing them to use the strong host model. In this model the host will only send packets out an interface when the IP assigned to the interface matches the source IP address of the packet being sent.

For Microsoft Windows hosts there's an article Strong and Weak Host Models that goes into the details and explains how to change the way the host operates.

For Linux it's a little more complicated, but essentially you need to adjust a couple of sysctl kernel parameters, specifically arp_announce and arp_ignore. There's a fairly good discussion of this in section 28.4 and 28.5 of the Understanding Linux Network Internals book.

The posts I've seen on the subject suggest the following:

sysctl -w net.ipv4.conf.all.arp_ignore=1

sysctl -w net.ipv4.conf.all.arp_announce=2

Obviously have your server guys review these options to ensure they fully understand the implications in your environment to ensure they don't have any adverse effects.

Regards
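The accepted answer covers the host model and the ARP sysctls; as an added example that is not from the thread, here is how the per-interface reply routing the question asks about (PBR on a Linux server) is set up with ip rule / ip route, alongside the answer's two sysctl lines. Interface eth1, address 192.0.2.10/24, gateway 192.0.2.1 and routing table 100 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing on a
# multi-homed Linux host so replies leave via the interface that owns their
# source address. eth1, 192.0.2.10/24, gateway 192.0.2.1 and table 100 are
# constructed sample values; the two sysctl lines are from the accepted answer.
# "sh pbr.sh apply" (as root) executes the commands; no argument prints them.

# subnet_of ADDR PREFIXLEN -> dotted network address, pure shell arithmetic
subnet_of() {
    plen=$2
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 ))
}

# pbr_cmds IFACE ADDR PREFIXLEN GATEWAY TABLE -> the ip(8) commands, one per line
pbr_cmds() {
    net=$(subnet_of "$2" "$3")
    # Connected subnet first, otherwise the gateway is unreachable from TABLE.
    printf 'ip route add %s/%s dev %s src %s table %s\n' "$net" "$3" "$1" "$2" "$5"
    # TABLE's default route points at this interface's own gateway, not main's.
    printf 'ip route add default via %s dev %s table %s\n' "$4" "$1" "$5"
    # Anything sourced from ADDR (replies to requests that arrived on IFACE)
    # is looked up in TABLE, so it leaves on IFACE rather than the default path.
    printf 'ip rule add from %s/32 lookup %s\n' "$2" "$5"
}

# ARP tuning from the accepted answer: reply to ARP only for addresses on the
# receiving interface, and prefer that interface's own address in ARP requests.
sysctl_cmds() {
    printf 'sysctl -w net.ipv4.conf.all.arp_ignore=1\n'
    printf 'sysctl -w net.ipv4.conf.all.arp_announce=2\n'
}

# Full plan for the sample second interface (constructed values).
plan() {
    sysctl_cmds
    pbr_cmds eth1 192.0.2.10 24 192.0.2.1 100
}

if [ "${1:-}" = apply ]; then
    plan | while read -r cmd; do echo "+ $cmd"; $cmd; done
else
    echo "# dry run; pass 'apply' to execute these commands:"
    plan
fi
```

Repeat the pbr_cmds line with its own table number for every additional interface; the main table keeps the primary interface's default gateway.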


3 Replies


Steve,

Thanks very much. Looks exactly like what I was looking for. Never heard of host models but will have a try.

Didn't find information for Win 7 (where I want to test). Can I assume Win7 behavior is the same as Vista's?

Thanks

Hi Mario,

I believe that's the case, and indeed when I look at the configuration of a Windows 7 host I can see the Weak Host Sends|Receives are disabled. This is exactly as The Cable Guy states in his post as the default mode for the Windows Vista and Server 2003 stacks.

C:\Users\sfuller>netsh interface ipv4 show interface Ethernet

Interface Ethernet Parameters
----------------------------------------------
IfLuid                             : ethernet_7
IfIndex                            : 3
State                              : connected
Metric                             : 10
Link MTU                           : 1500 bytes
Reachable Time                     : 28000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 3
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : dhcp
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Regards
