Set Up Source-Based Routing

If your server has a second IP address from a different subnet delivered over a tagged VLAN, source-based routing ensures that traffic originating from that IP is routed through the correct gateway. Without source-based routing, all outgoing traffic uses the default gateway, causing asymmetric routing, which can lead to problems with firewalls and services.

warning

Asymmetric routing will be denied in our network in the future. Setting up source-based routing is therefore required when using additional IP addresses from a different subnet.

Prerequisites

Netplan

Open /etc/netplan/55-interfaces.yaml in your preferred editor:

vi /etc/netplan/55-interfaces.yaml

A complete Netplan configuration with source-based routing over a tagged VLAN could look like this:

network:
  version: 2
  ethernets:
    eno1:
      dhcp4: false
      dhcp6: false
      accept-ra: false
    eno2:
      dhcp4: false
      dhcp6: false
      accept-ra: false
  bonds:
    bond0:
      addresses:
        - 198.51.100.10/24
      nameservers:
        addresses:
          - 217.150.241.5
          - 217.150.242.21
          - 178.209.45.7
        search:
          - nine.ch
      macaddress: 1f:2f:3f:4f:5f:6f # MAC address of the first interface (eno1)
      interfaces:
        - eno1
        - eno2
      parameters:
        mode: "802.3ad"
        mii-monitor-interval: "100"
        lacp-rate: "fast"
        transmit-hash-policy: "layer3+4"
      routes:
        - to: 0.0.0.0/0
          via: 198.51.100.1
  vlans:
    vlan<VLAN-ID>:
      id: <VLAN-ID>
      link: bond0
      addresses:
        - 203.0.113.10/24
      routes:
        - to: 203.0.113.0/24
          table: 100
          on-link: true
        - to: 0.0.0.0/0
          via: 203.0.113.1
          table: 100
      routing-policy:
        - from: 203.0.113.10/32
          table: 100
          priority: 100

Before applying the Netplan configuration, test it to ensure there are no syntax errors or network issues:

netplan try

If the test was successful and the configuration has not already been applied by netplan try, apply it now:

netplan apply

And verify with:

ip rule show
ip route show table 100
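
The two commands above can be checked mechanically. The following script is an added example, not part of the original documentation: it parses their output and confirms that the source rule exists, that it is evaluated before the main table, and that table 100 has its own default route. The sample output, including the interface name vlan123, is constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): check policy-routing state.
# Values match the sample configuration above; "vlan123" is a constructed name.

# Print the priority of the rule "from SRC lookup TABLE", or nothing if absent.
rule_priority() {  # $1 = output of "ip rule show", $2 = source, $3 = table
    printf '%s\n' "$1" | awk -v src="$2" -v tbl="$3" '
        {
            from = ""; lookup = ""
            for (i = 2; i < NF; i++) {
                if ($i == "from")   from = $(i + 1)
                if ($i == "lookup") lookup = $(i + 1)
            }
            sub(/\/32$/, "", from)   # ip prints /32 sources without a mask
            if (from == src && lookup == tbl) { sub(/:$/, "", $1); print $1; exit }
        }'
}

# Succeed if the table output contains "default via GATEWAY".
has_default_via() {  # $1 = output of "ip route show table N", $2 = gateway
    printf '%s\n' "$1" | awk -v gw="$2" '
        $1 == "default" && $2 == "via" && $3 == gw { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Full check; a rule placed after the main table never matches, because
# main already holds a default route and wins the lookup.
check_sbr() {  # $1 = rules, $2 = routes, $3 = source IP, $4 = table, $5 = gateway
    prio=$(rule_priority "$1" "$3" "$4")
    [ -n "$prio" ] || { echo "FAIL: no rule from $3 to table $4"; return 1; }
    main=$(rule_priority "$1" all main)
    [ -z "$main" ] || [ "$prio" -lt "$main" ] ||
        { echo "FAIL: rule priority $prio is not before main ($main)"; return 1; }
    has_default_via "$2" "$5" ||
        { echo "FAIL: table $4 has no default route via $5"; return 1; }
    echo "OK: traffic from $3 leaves via $5 (table $4, priority $prio)"
}

# Constructed sample output. On a live host, pass "$(ip rule show)" and
# "$(ip route show table 100)" instead.
SAMPLE_RULES='0: from all lookup local
100: from 203.0.113.10 lookup 100
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='default via 203.0.113.1 dev vlan123 proto static
203.0.113.0/24 dev vlan123 proto static scope link'

check_sbr "$SAMPLE_RULES" "$SAMPLE_ROUTES" 203.0.113.10 100 203.0.113.1
```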

For more information, see: man netplan

ifupdown (legacy)

tip

Please use Netplan if possible. This is provided for completeness only.

Ensure the vlan package is installed:

apt install vlan

Open /etc/network/interfaces in your preferred editor:

vi /etc/network/interfaces

Add the VLAN interface and source-based routing rules:

auto bond0
iface bond0 inet static
    hwaddress ether 1f:2f:3f:4f:5f:6f
    address 198.51.100.10
    netmask 255.255.255.0
    gateway 198.51.100.1
    bond_slaves eno1 eno2
    bond_primary eno1
    bond_mode 4
    bond_miimon 100
    bond_xmit_hash_policy layer3+4
    bond_lacp_rate 1

auto bond0.<VLAN-ID>
iface bond0.<VLAN-ID> inet static
    address 203.0.113.10
    netmask 255.255.255.0
    vlan-raw-device bond0
    up ip route add 203.0.113.0/24 dev bond0.<VLAN-ID> table 100
    up ip route add default via 203.0.113.1 table 100
    up ip rule add from 203.0.113.10/32 table 100 priority 100
    down ip rule del from 203.0.113.10/32 table 100 priority 100
    down ip route del default via 203.0.113.1 table 100
    down ip route del 203.0.113.0/24 dev bond0.<VLAN-ID> table 100

And restart the network:

systemctl restart networking

For more information, see: man interfaces