Usage of Two Network Connections Load Balancing

Hello, I am looking for a way to use multiple internet connections on one computer. The initial scenario:

Line 1. low bandwidth, low ping
Line 2. high bandwidth, high ping

For downloads I would use line 2, so that I don’t have to wait for days, but to be able to play something on the computer I would use line 1 in parallel.

I myself use Linux → Arch → Manjaro

I have already come across possibilities to combine the lines,
as an example via hardware with load-balancer, or software-sided.
Unfortunately I didn’t find any information about the kind of balancing. Is round-robin used here, or would there be a possibility to send certain apps to a certain line?

How? Will you put 2 NICs in your computer, one for each WAN connection? Do you have a router with 2 separate WANs? Something else?

What kind? There is plenty of information, you just have to make it a bit clearer how you imagined it.

Used where?

It’s possible. Mangle packet/connection/route marking comes to mind. But it depends on what your network is supposed to look like.

I have to add that this is not a Manjaro problem, but a general networking one.

I am trying to use, for example, two nics: one is LAN and one is WLAN.

I mean that I cannot find a clear explanation of how the packets are transferred over the line.
Or, in other words, I cannot find the way that I want to use.

What do I have to change to get to the correct section?

Thank you for your answer, I hope it is clearer now.

It is not. :smiley:

This makes no sense. And we aren’t talking about examples.

I don’t think that you know what you want.

It’s like asking “I want to build something to live in, can someone help me?” and expect someone to give you instructions for every possible case.

Okay, 2 nics,
connected to two different gateways.
I want to use both at the same time.
I want to select that the connection from app x uses nic 1,
and the connection of app y should use nic 2.

The nic one is connected over my phone to the internet.
The nic two is connected over the copper wire to the internet.

So simply:
Connect to two internet gateways over two different nics and select for each app one nic to use.
Or define rules for when an app has to use nic one or nic two.

Ok so, one way at least:
You create a separate routing table for your phone network and then use mangle table in iptables firewall to route mark specific processes that you want forwarded to “phone network” routing table.

Another way: If app supports it, you could bind specific IP of desired NIC to be used by the app. (or you bind it with firejail for example)

Ok, but maybe I first need a way to use two different connections at the same time?
And after that I can try your reply above.

Yes, that was my point before. You need to start from the bottom.

Also, my examples are very basic and crude. If I find some will, I’ll try it myself. :stuck_out_tongue:

Thanks zbe for giving the hint with Firejail

I have tried it with
firejail --noprofile --net=wlp0s20f3 ping manjaro.org
and
firejail --noprofile --net=bond0 ping manjaro.org
and it worked!

(First is my wifi device, the second one ethernet.)

If you have a local DNS running on 127.0.0.1, it doesn’t work because in the sandbox, there is no DNS running on its localhost.
Then, you have to configure another DNS with --dns=1.1.1.1 (e.g.).

This is really nice!

(Note that firejail is much more powerful and accessing files might be maybe difficult but I don’t know.)


I am currently connected with my LAN device; the second one is the wifi.
I tried to ping manjaro.org, and this was the output.
Note: wlp3s0 is the wifi.

firejail --noprofile --net=wlp3s0 ping manjaro.org
Parent pid 105521, child pid 105522

Interface MAC IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0-105521 28:b2:bd:b2:39:28 192.168.178.229 255.255.255.0 UP

Child process initialized in 1103.12 ms

Parent is shutting down, bye…

I think it is not working at all; for example, I can start Firefox or Chrome, but no site is reachable.
It does not seem to be the DNS server: I tried to add the dns arg (--dns=8.8.8.8), but it does not make a difference.

It seems not to be a DNS problem; the browser can't reach any IP address.

Well, routing applications (by name) wherever and whenever you feel like isn’t a trivial task. So it would help if you told us exactly what you would like to do/what is your intended use for this.

In regards to firejail, you probably need to run it as sudo for ping to work. And can’t remember if I used any special settings in firefox itself, but I have a working firejailed firefox that has a secondary IP bound to it (which is routed differently in router).

Even firewall (iptables) isn’t capable of distinguishing apps solely by their name/pid/command. You can do it for UID and GID, which I was just playing with (running app with sudo -g some_group ... which then uses different routing table). But in the end all these solutions feel hacky.

EDIT: Another way would be to use namespaces.
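
The approach from the replies above (a separate routing table plus a mangle-table mark on one group's traffic), as an added example that is not part of the original posts. The gateway address, table number 100, mark 0x1 and group name `phone` are assumptions; the function only prints the root commands so they can be reviewed before use.

```sh
#!/bin/sh
# Added example, not from the thread. Gateway, table id, mark and group name
# are assumptions. gid_route_plan prints commands; it changes nothing itself.

die() { echo "gid_route_plan: $1" >&2; exit 1; }

gid_route_plan() (   # subshell body: variables stay local, exit ends only the function
    iface=$1 gateway=$2 table=$3 mark=$4 group=$5

    # Whole-value whitelists, so the plan can never carry shell metacharacters.
    case $iface in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*|????????????????*) die "bad interface" ;;
    esac
    case $gateway in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*|*[0-9][0-9][0-9][0-9]*) die "bad gateway" ;;
        *.*.*.*) ;;
        *) die "bad gateway" ;;
    esac
    # Tables 253-255 are the kernel's default/main/local tables; stay below them.
    case $table in ''|*[!0-9]*|0*|????*) die "bad table" ;; esac
    [ "$table" -le 252 ] || die "table must be 1-252"
    case $mark in 0x?*) ;; *) die "bad mark" ;; esac
    case ${mark#0x} in *[!0-9A-Fa-f]*|?????????*) die "bad mark" ;; esac
    case $group in ''|[!a-z_]*|*[!a-z0-9_-]*) die "bad group" ;; esac

    # The mark is set after the first route lookup has already picked a source
    # address, so re-routed packets are masqueraded to the second uplink's
    # address; loose rp_filter (2) lets the replies back in on that interface.
    cat <<EOF
ip route add default via $gateway dev $iface table $table
ip rule add fwmark $mark lookup $table
iptables -t mangle -A OUTPUT -m owner --gid-owner $group -j MARK --set-mark $mark
iptables -t nat -A POSTROUTING -o $iface -m mark --mark $mark -j MASQUERADE
sysctl -w net/ipv4/conf/$iface/rp_filter=2
EOF
)

# Constructed sample values; only the interface name appears in the thread.
gid_route_plan enp0s20u1 192.168.42.129 100 0x1 phone
```

A program started under that group, for example with `sudo -g phone <program>` as mentioned in the thread, then leaves through the second uplink while everything else keeps the main default route.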

I want all apps that often need to download large files, like Steam, to be bound to the nic with the large bandwidth. Realtime applications, on the other hand, should use the line (nic) with low bandwidth and a good ping.

For example:
I want Chrome to use the nic: enp0s20u1
I want to be able to use Firefox too, over nic wlp3s0

And I want to use both apps together (at the same time), so bind an app to a nic (ethernet gateway), and use two nics together.

The apps are examples, you can put in any app that you want…

Ok. But it depends on applications. For example if you are using qbittorrent, you can choose which interface or IP it should bind to right in its settings. If app supports it, that is quickest solution. You can do same with ping and traceroute btw (select interface).

Anyhow, need to do some more testing with VRFs to see what’s easiest.

Ok so, firstly, I’m going to assume few things.

wlp3s0 is your main internet over wifi.
enp0s20u1 is your phone via usb tethering.

We can separate phone connection/interface and put it in a VRF with its own routing table (this can be done multiple ways, eg. via ip command, but I’m assuming you are using NetworkManager, so we are doing it with nmcli):

# Create VRF connection
nmcli conn add type vrf con-name vrf0 ifname vrf0 table 10 ipv4.method disabled ipv6.method disabled

# Add enp0s20u1 connection to vrf
nmcli conn add type ethernet con-name enp0s20u1 ifname enp0s20u1 master vrf0 ipv4.method auto

# Start enp0s20u1 connection
nmcli conn up enp0s20u1

And this is basically it. Of course you can manually configure IPs, add routes, etc.

So now you can bind traceroute or ping to vrf0 interface:

ping -I vrf0 1.1.1.1
traceroute -i vrf0 -n google.com

But ok, you don’t need VRFs for that. You can just bind it to enp0s20u1 directly and it will work.

For programs that don’t support that, you have to use ip vrf exec vrf0 <program_name>
There is just one problem though. You need root privileges (or CAP_SYS_ADMIN and few other capabilities) to run this.

So one way around that is to run:

# Replace your_username with actual username
sudo ip vrf exec vrf0 runuser -u your_username -- firefox

If we are lazy, we can add this command to sudoers and allow us to run it without password:

/etc/sudoers.d/90-ip_vrf_exec:

# Replace your_username with actual username (twice)
your_username ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip vrf exec vrf0 /usr/bin/runuser -u your_username -- *

and make a bash script, an alias, or something, to call it:
$HOME/.local/bin/runvrf:

#!/bin/bash
# Yes, I know, 'sudo' in a script...OMG
sudo /usr/bin/ip vrf exec vrf0 /usr/bin/runuser -u "$(/usr/bin/whoami)" -- "$@"

Run chmod 744 on it.

You can now start firefox, or run whole shell or whatever in vrf0

runvrf firefox
runvrf zsh

KEEP IN MIND: Some programs might not work properly (or at all) in a VRF (or you might need to run additional services in the same vrf).

Further reading:
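
A check for the passwordless sudoers rule in the post above, as an added example that is not part of the original post. It reports two documented sudoers properties of that rule: the run-as list `(ALL:ALL)` is wider than the `root` that `ip vrf exec` needs, and a `*` in the arguments matches any argument string, spaces included. The function name, the finding texts and the tightened rule are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread. Handles simple one-line user rules only;
# the finding texts are this example's own wording.

audit_sudoers_rule() (   # subshell body: exit ends only the function
    rule=$1
    # Rules that still ask for a password are out of scope here.
    case $rule in *NOPASSWD:*) ;; *) exit 0 ;; esac

    before=${rule%%NOPASSWD:*}     # "user host=(runas) "
    cmd=${rule#*NOPASSWD:}         # command and its arguments
    status=0

    # Run-as list: sudo defaults to root when the parentheses are absent.
    case $before in
        *"("*")"*) runas=${before#*"("}; runas=${runas%%")"*} ;;
        *)         runas=root ;;
    esac
    if [ "$runas" != root ]; then
        echo "runas ($runas) is wider than (root)"
        status=1
    fi

    # sudoers matches the arguments as one joined string, so * and ? also
    # match spaces: one wildcard stands for any number of further arguments.
    case $cmd in
        *[*?]*) echo "wildcard in command arguments"; status=1 ;;
    esac
    exit "$status"
)

# The rule from the post, then a constructed variant limited to one program.
audit_sudoers_rule 'your_username ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip vrf exec vrf0 /usr/bin/runuser -u your_username -- *' || true
audit_sudoers_rule 'your_username ALL=(root) NOPASSWD: /usr/bin/ip vrf exec vrf0 /usr/bin/runuser -u your_username -- /usr/bin/firefox'
```

Listing each program explicitly, as in the second rule, trades the convenience of `runvrf <anything>` for a rule whose effect can be read off the file.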

Thank you so much for investing your time in helping me.
I will try it at the weekend.

Yes, that's true.

No problem. Learned something myself. :stuck_out_tongue:
Report back how it goes and if it works for you.