
Merge branch 'revert-anycast'
Revert the anycast-routing because we observed strange issues with anycast-routing:
- High packetloss
- low bandwidth with iperf while speedtest worked fine
- low bandwidth with speedtest on one router while a speedtest on another router worked fine
- unusable IPv6
- DNS-Problems
- weird random behavior

I myself observed only low bandwidth-issues but anycast seems to do more harm than good.
Ranlvor committed Oct 30, 2015
2 parents 1e35b12 + c980f45 commit 3579db8
Showing 11 changed files with 8 additions and 63 deletions.
14 changes: 0 additions & 14 deletions configs/0-common/interfaces.d/fftr-gateway-anycast.conf

This file was deleted.

4 changes: 2 additions & 2 deletions configs/draco/bird6.conf
Expand Up @@ -179,10 +179,10 @@ template bgp prefered_uplink_peers {

#to router advertisments
protocol radv {
interface "fftr-gw-anycast" {
interface "br-fftr" {
prefix 2001:bf7:fc0f::/64 {};
rdnss {
ns 2001:bf7:fc0f::10;
ns 2001:bf7:fc0f::11;
};
#dnssl {
# domain "bremen.freifunk.net";
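Review bot: The rdnss block on the new side advertises a single resolver, `ns 2001:bf7:fc0f::11;` on draco (and `ns 2001:bf7:fc0f::13;` in the same position in salem's bird6.conf in this commit), while the dhcpd.conf changes in the same commit hand three DNS servers to IPv4 clients; IPv6-only name resolution therefore hinges on one host per gateway. Listing the same set on both protocols, e.g. `ns 2001:bf7:fc0f::11;` `ns 2001:bf7:fc0f::12;` `ns 2001:bf7:fc0f::13;`, removes that single point of failure, assuming those ULA-side addresses actually run resolvers, which I can only infer from the DHCPv4 list. The `protocol radv` block continues past the hunk, so any further `rdnss` or `dnssl` content there is not visible here.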
4 changes: 2 additions & 2 deletions configs/draco/dhcpd.conf
Expand Up @@ -6,8 +6,8 @@ subnet 10.172.0.0 netmask 255.255.0.0 {
# monitor: 80% 90% Y Freifunk Range
authoritative;
range 10.172.6.0 10.172.63.254;
option domain-name-servers 10.172.0.10;
option routers 10.172.0.10;
option domain-name-servers 10.172.0.11, 10.172.0.12, 10.172.0.13;
option routers 10.172.0.11;
}
include "/etc/dhcp/static.conf";

1 change: 0 additions & 1 deletion configs/draco/interfaces.d/bat0.conf
Expand Up @@ -8,7 +8,6 @@ iface bat0 inet6 manual
post-up brctl addif br-fftr $IFACE
post-up batctl it 10000
post-up batctl gw server
post-up batctl bl 1
post-up /sbin/ip rule add from all fwmark 0x1 table 42
pre-down brctl delif br-fftr $IFACE || true
down ip link set $IFACE down
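Review bot: `post-up /sbin/ip rule add from all fwmark 0x1 table 42` is still executed on every `ifup` with no matching `pre-down`/`post-down ip rule del`, so each down/up cycle of bat0 leaves one more identical policy rule behind; the same line is kept in salem's bat0.conf in this commit. A `pre-down /sbin/ip rule del from all fwmark 0x1 table 42 || true` next to the existing `pre-down brctl delif` line, or a `post-up ... del` before the `add`, keeps the rule table idempotent. The `iface bat0 inet6 manual` stanza begins before the hunk, so I cannot see whether such a line already exists further up.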
1 change: 0 additions & 1 deletion configs/draco/interfaces.d/fftr-gateway-anycast.conf

This file was deleted.

4 changes: 2 additions & 2 deletions configs/salem/bird6.conf
Expand Up @@ -178,10 +178,10 @@ template bgp prefered_uplink_peers {

#to router advertisments
protocol radv {
interface "fftr-gw-anycast" {
interface "br-fftr" {
prefix 2001:bf7:fc0f::/64 {};
rdnss {
ns 2001:bf7:fc0f::10;
ns 2001:bf7:fc0f::13;
};
#dnssl {
# domain "bremen.freifunk.net";
4 changes: 2 additions & 2 deletions configs/salem/dhcpd.conf
Expand Up @@ -6,8 +6,8 @@ subnet 10.172.0.0 netmask 255.255.0.0 {
# monitor: 80% 90% Y Freifunk Range
authoritative;
range 10.172.128.0 10.172.191.254;
option domain-name-servers 10.172.0.10;
option routers 10.172.0.10;
option domain-name-servers 10.172.0.13, 10.172.0.11, 10.172.0.12;
option routers 10.172.0.13;
}
include "/etc/dhcp/static.conf";

1 change: 0 additions & 1 deletion configs/salem/interfaces.d/bat0.conf
Expand Up @@ -4,7 +4,6 @@ iface bat0 inet6 manual
post-up brctl addif br-fftr $IFACE
post-up batctl it 10000
post-up batctl gw server
post-up batctl bl 1
post-up /sbin/ip rule add from all fwmark 0x1 table 42
pre-down brctl delif br-fftr $IFACE || true
down ip link set $IFACE down
1 change: 0 additions & 1 deletion configs/salem/interfaces.d/fftr-gateway-anycast.conf

This file was deleted.

24 changes: 0 additions & 24 deletions iptables.sh
Expand Up @@ -2,7 +2,6 @@
NIC_PUBLIC=eth0
NIC_VPN=tun0
NIC_BRIDGE=br-fftr
NIC_ANYCAST=fftr-gw-anycast
NIC_IC=icvpn
ALFRED_JSON=""

Expand Down Expand Up @@ -141,30 +140,19 @@ addrule -A OUTPUT -p ALL -o $NIC_IC -m state --state ESTABLISHED,RELATED -j ACCE
# Allow mesh --> VPN
addrule -A FORWARD -i $NIC_BRIDGE -o $NIC_VPN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_BRIDGE -o $NIC_VPN -j ACCEPT
addrule -A FORWARD -i $NIC_ANYCAST -o $NIC_VPN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_ANYCAST -o $NIC_VPN -j ACCEPT
# Allow existing connections to find their way back
addrule -A FORWARD -i $NIC_VPN -o $NIC_BRIDGE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_VPN -p ALL -o $NIC_BRIDGE -m state --state ESTABLISHED,RELATED -j ACCEPT
addrule -A FORWARD -i $NIC_VPN -o $NIC_ANYCAST -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_VPN -p ALL -o $NIC_ANYCAST -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow mesh <--> IC
addrule -A FORWARD -i $NIC_BRIDGE -o $NIC_IC -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_BRIDGE -o $NIC_IC -j ACCEPT
addrule -A FORWARD -i $NIC_IC -o $NIC_BRIDGE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_IC -o $NIC_BRIDGE -j ACCEPT

addrule -A FORWARD -i $NIC_ANYCAST -o $NIC_IC -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_ANYCAST -o $NIC_IC -j ACCEPT
addrule -A FORWARD -i $NIC_IC -o $NIC_ANYCAST -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_IC -o $NIC_ANYCAST -j ACCEPT

# Allow mesh <--> mesh
addrule -A FORWARD -i $NIC_BRIDGE -o $NIC_BRIDGE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_BRIDGE -o $NIC_BRIDGE -j ACCEPT
addrule -A FORWARD -i $NIC_ANYCAST -o $NIC_ANYCAST -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1334
addrule -A FORWARD -i $NIC_ANYCAST -o $NIC_ANYCAST -j ACCEPT

# Usefull ICMP-Stuff
for i in destination-unreachable echo-reply echo-request time-exceeded; do
Expand Down Expand Up @@ -196,27 +184,20 @@ addrule -A INPUT -p UDP --dport 53 -i $NIC_IC -j ACCEPT
addrule -A INPUT -p TCP --dport 53 -i $NIC_IC -j ACCEPT
addrule -A INPUT -p UDP --dport 53 -i $NIC_BRIDGE -j ACCEPT
addrule -A INPUT -p TCP --dport 53 -i $NIC_BRIDGE -j ACCEPT
addrule -A INPUT -p UDP --dport 53 -i $NIC_ANYCAST -j ACCEPT
addrule -A INPUT -p TCP --dport 53 -i $NIC_ANYCAST -j ACCEPT

# Allow HTTP from IC and Mesh
addrule -A INPUT -p UDP --dport 80 -i $NIC_IC -j ACCEPT
addrule -A INPUT -p TCP --dport 80 -i $NIC_IC -j ACCEPT
addrule -A INPUT -p UDP --dport 80 -i $NIC_BRIDGE -j ACCEPT
addrule -A INPUT -p TCP --dport 80 -i $NIC_BRIDGE -j ACCEPT
addrule -A INPUT -p UDP --dport 80 -i $NIC_ANYCAST -j ACCEPT
addrule -A INPUT -p TCP --dport 80 -i $NIC_ANYCAST -j ACCEPT

addrule -A INPUT -p TCP --dport 443 -i $NIC_IC -j ACCEPT
addrule -A INPUT -p TCP --dport 443 -i $NIC_BRIDGE -j ACCEPT
addrule -A INPUT -p TCP --dport 443 -i $NIC_ANYCAST -j ACCEPT

# Allow INPUT and OUTPUT Bridge Interface
#TODO: remove this rules, add allow rules for established+related connections, ping, speedtest, 80tcp, 53udp/tcp, router-advertisement-zeug, ntp
addrule -A INPUT -i $NIC_BRIDGE -j ACCEPT
addrule -A OUTPUT -o $NIC_BRIDGE -j ACCEPT
addrule -A INPUT -i $NIC_ANYCAST -j ACCEPT
addrule -A OUTPUT -o $NIC_ANYCAST -j ACCEPT

#DHCP out to serve our clients
addrule -A INPUT -p UDP -i $NIC_BRIDGE --sport 68 --dport 67 -j ACCEPT
Expand Down Expand Up @@ -307,11 +288,6 @@ addrule6 -A FORWARD -i $NIC_BRIDGE -o $NIC_IC -p tcp --tcp-flags SYN,RST SYN -j
addrule6 -A FORWARD -i $NIC_IC -o $NIC_BRIDGE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1314
addrule6 -A FORWARD -i $NIC_BRIDGE -o $NIC_BRIDGE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1314

addrule6 -A FORWARD -i $NIC_ANYCAST -o $NIC_VPN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1314
addrule6 -A FORWARD -i $NIC_VPN -o $NIC_ANYCAST -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1314
addrule6 -A FORWARD -i $NIC_ANYCAST -o $NIC_IC -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1314
addrule6 -A FORWARD -i $NIC_IC -o $NIC_ANYCAST -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1314
addrule6 -A FORWARD -i $NIC_ANYCAST -o $NIC_ANYCAST -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1314

ip6tables-save -c > $counterfile

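Review bot: After the anycast mirror rules are gone, `addrule -A INPUT -i $NIC_BRIDGE -j ACCEPT` and `addrule -A OUTPUT -o $NIC_BRIDGE -j ACCEPT` in the third hunk still accept all traffic from the mesh bridge, which makes the port-specific 53/80/443 `$NIC_BRIDGE` rules directly above them dead and, if the chain's default policy drops (not visible here), exposes every other listening service on the gateway to mesh clients; the `#TODO` on the preceding line already says so, and this revert is a natural point to act on it because the per-service allow rules it calls for are already present. Separately, the `-p UDP --dport 80` rules for `$NIC_IC` and `$NIC_BRIDGE` look like a copy of the DNS pair; HTTP here is TCP-only, so they can be dropped once the blanket accept is replaced. `addrule` and `addrule6` are defined outside the hunks, so I cannot confirm whether they flush existing rules first; if not, rules for the removed `fftr-gw-anycast` interface stay loaded on hosts until the next full reload.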
13 changes: 0 additions & 13 deletions setup-routes.sh
Expand Up @@ -4,28 +4,18 @@ if ! grep -q VPN /etc/iproute2/rt_tables; then
echo 10 VPN >> /etc/iproute2/rt_tables
fi

if ! grep -q anycast /etc/iproute2/rt_tables; then
echo 11 anycast >> /etc/iproute2/rt_tables
fi

#remove rule if it exists to prevent filling the table with dublicates
ip rule del iif br-fftr table VPN
ip -6 rule del iif br-fftr table VPN

#Packets from mesh are routet via VPN, not via main uplink
ip rule add iif br-fftr table VPN
ip -6 rule add iif br-fftr table VPN
ip rule add iif fftr-gw-anycast table VPN
ip -6 rule add iif fftr-gw-anycast table VPN

#route otherwise unroutable IP-Adresses via VPN and not via main uplink
ip -6 rule add from 2001:bf7:fc00::/44 table VPN
ip rule add from 10.172.0.0/16 table VPN

#the anycast-mesh-ip is routed via the anycast-mac
ip rule add from 10.172.0.10/32 table anycast
ip route add table anycast 10.172.0.0/16 dev fftr-gw-anycast

#172.31.240.0/20 is just pushed to the VPN, rest is routed via 172.31.240.1
#ip route add default via 172.31.240.1 dev tun0 table VPN
#ip route add 172.31.240.0/20 dev tun0 table VPN
Expand All @@ -34,6 +24,3 @@ ip route add table anycast 10.172.0.0/16 dev fftr-gw-anycast
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

#enable correct anycast-arp-handling
sysctl -w net.ipv4.conf.all.arp_filter=1
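Review bot: In the first hunk the `from` rules, `ip -6 rule add from 2001:bf7:fc00::/44 table VPN` and `ip rule add from 10.172.0.0/16 table VPN`, are still added without a preceding `del`, so every run of this script appends a duplicate policy rule, which is exactly what the comment above the `iif br-fftr` pair says it wants to avoid; add `ip -6 rule del from 2001:bf7:fc00::/44 table VPN` and `ip rule del from 10.172.0.0/16 table VPN` next to the existing `del` lines. Also note that dropping the `11 anycast` rt_tables entry, the anycast `ip rule`/`ip route` lines and `sysctl -w net.ipv4.conf.all.arp_filter=1` from the script does not undo them on hosts where the previous version already ran: the rt_tables line persists on disk, and the rule, route and sysctl persist until reboot; a one-off cleanup step or reboot should accompany the rollout, unless a deploy step I cannot see here handles it.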
