Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
High lag observed on my first droplet on Banglore DC . Shows ping response more than 1 sec on avg with packet loss. Question Question
Connecting to a digital ocean Private Network Question Question

Question

Send outbound traffic over floating IP

Posted January 25, 2018 24.2k views
NetworkingUbuntu 16.04

Is it possible to route outbound traffic from a droplet through its floating IP. I.e., make http requests from the droplet that appear to originate from the floating IP?

Add a comment
enewel3
By:
enewel3

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
High lag observed on my first droplet on Banglore DC . Shows ping response more than 1 sec on avg with packet loss. Question Question
Connecting to a digital ocean Private Network Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
7 answers
asb January 25, 2018

The short answer is yes. The longer answer is that it depends on the software you are using to make the request. It needs to expose some way of binding to a particular interface. If it does, you’ll need to find what we call the “anchor IP” and use it. The easiest way to find the anchor IP is to inspect your Droplet’s metadata. From the Droplet, run:

  • curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address

In my case, it returns 10.10.0.8 If you wanted to make your request with curl you could then use:

  • curl --interface 10.10.0.8 https://example.com

Or with wget you would use:

  • wget --bind-address=10.10.0.8 https://example.com

In both cases, example.com would now see the request as coming from my Floating IP not my Droplet’s IP address.

Check out this tutorial for more info on Floating IPs: How To Use Floating IPs on DigitalOcean In particular, see the section on “Droplet Anchor IPs.”

Reply Report
scull7 January 13, 2020

The following worked for me on ubuntu:

Find the IPv4 gateway anchor:

curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway | xargs route add default gw

If you’re concerned about copy / pasting random things (and you should be); the Floating IP gateway documentation can be found here:

https://developers.digitalocean.com/documentation/metadata/#interface-anchor_ipv4-gateway

Reply Report
apexinvesting January 22, 2019

Step 1. Run this command to get the gateway for the floating IP

curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address

Step 2. Run this command to make all outgoing connections appear to come from your floating IP, where $gatewayip$ is the ip obtained from the previous command:

route add default gw $gatewayip$

Someone could make a script to automate that in one shot.

Reply Report
  • robinwilson May 7, 2019

    I tried this but this killed all network activity to and from the droplet.
    I then ran 

    route add default gw NON-FLOATING IP

    Whilst this fixed networking again I then realised the IP I just added was still listed and the non-floating IP was listed twice so I ran this 3 times to remove all entries:

    route del default gw NON-FLOATING IP/FLOATING IP

    Then added it again with:

    route add default gw NON-FLOTING IP

    Now I am back to where I started though and cannot get Ubuntu to use the floating IP for SMTP as attempting to bind to that address causes AMAVIS to block the outgoing messages.

    Reply Report
  • ericscott May 13, 2019

    That command returns the anchor ip address not the gateway. You need to run the following to get the gateway:

    curl -s 169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway
    Reply Report
    • robinwilson May 15, 2019

      Thanks I thought there might have been something wrong with the instructions above. Your command worked and I was also able to get the netmask that way too.

      However whatever I do, outbound connections from my Ubuntu server always show the droplet IP and not the floating IP. If I can’t direct outbound traffic through the floating IP then it seems to be of little value for redundancy/resilience/maintenance as whilst I can set incoming connections to the floating IP, as outbound connections have a different source IP things like mail servers don’t work as get blacklisted.

      I set the DNS of about 30 domains to the floating IP with the idea I could quickly swap these if I needed to switch to a backup server (without doing 1 by 1 from the DO control panel) but maybe I am misunderstanding what floating IPs are for?

      Reply Report
      • ericscott May 20, 2019

        On a droplet you should have 2 IP addresses. The instance IP and the anchor IP. The default gateway is set to the gateway on the instance IP network.

        I was able to follow these steps to direct outbound traffic through the floating IP:

        1. Get the Anchor IP gateway:

          curl -s 169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway

        2. Set the default gateway to the Anchor IP gateway:

          route add default gw <ANCHOR IP GATEWAY>

        3. Remove the instance IP gateway:

          route del default gw <INSTANCE IP GATEWAY>

        Check outbound IP address (this should return your Floating IP):

        curl icanhazip.com
        Reply Report
        • robinwilson June 2, 2019

          Thanks for the reply Eric but I still can’t get it to report the IP as anything other than the instance IP. Posting IPs as set up a test droplet and have deleted it again.
          Instance IP: 159.65.84.202
          Floating IP: 139.59.203.32

          Running the check currently shows the 159 address as expected:

          curl -4 icanhazip.com = 159.65.84.202

          I then run the command to get the gateway IP:

          curl -s 169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway = 10.16.0.1

          I then add a new default gateway using this address:

          sudo route add default gw 10.16.0.1

          I then try to remove the other existing default gateway and get an error

          sudo route del default gw 159.65.80.0 = SIOCDELRT: No such process

          This is what route displays (after the successful add command):

          root@rwshostingtest:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 ens3
default         _gateway        0.0.0.0         UG    0      0        0 ens3
10.16.0.0       0.0.0.0         255.255.0.0     U     0      0        0 ens3
10.16.0.0       _gateway        255.255.0.0     UG    0      0        0 ens3
10.131.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ens4
10.131.0.0      10.131.0.1      255.255.0.0     UG    0      0        0 ens4
159.65.80.0     0.0.0.0         255.255.240.0   U     0      0        0 ens3

          The curl command still returns the other IP:

          curl -4 icanhazip.com = 159.65.84.202

          So still can’t get this to work

          This command was a success:

          ip route del 159.65.80.0/20

          But then ip route still lists the instance IP.

          Reply Report
          • robinwilson June 2, 2019

            Ok I’ve worked it out at last and got it working.

            First you need to get the gateway IP

            curl -s 169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway

            Then add this as a new default gateway:

            route add default gw <ANCHOR IP GATEWAY>

            Then run route -n to see the networks:

            route -n

            This displays the routing table:

            0.0.0.0         10.16.0.1       0.0.0.0         UG    0      0        0 ens3                                                                                                                                       0.0.0.0         159.65.80.1     0.0.0.0         UG    0      0        0 ens3                                                                                                                                       10.16.0.0       0.0.0.0         255.255.0.0     U     0      0        0 ens3                                                                                                                                       10.16.0.0       10.16.0.1       255.255.0.0     UG    0      0        0 ens3                                                                                                                                       10.131.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ens4                                                                                                                                       10.131.0.0      10.131.0.1      255.255.0.0     UG    0      0        0 ens4

            From this I can then work out the command I need to run to delete this second line:

            route del -net 0.0.0.0 gw 159.65.80.1 netmask 0.0.0.0 dev ens3

            Now the curl command shows the floating IP:

            root@rwshostingtest:~# curl -4 icanhazip.com                                                                                                                                                                       139.59.203.32

            I think this demonstrates working with floating IPs could do to be a bit easier on DO (so this was handled in the control panel) or at least documented how to switch. Also if I was to need to quickly change the IP for failover I think I would still have to follow these steps or something similar.

            Reply Report
          • ComputerUser November 16, 2019

            Your posted reply below does not work for me unfortunately, after I run the commands the droplet cannot connect to the public internet. I’m on Ubuntu 18.04, do you know what has changed since then and how I can send outbound traffic through the floating IP?

            Reply Report
basz February 11, 2019

@apexinvesting
Hi, running route add default gw ip-number kills the current ssh connection and afterwards, it seems I am unable to log in again.

Reply Report
ray.moncada March 8, 2019

here you go, This is the answer you are looking for: https://blog.programster.org/openvpn-digitalocean-ip-alias

Reply Report
robinwilson December 1, 2019

@ComputerUser I was on 18.10 I believe when I was trying this. However as I could not get system services to use the floating IP I gave up on it and switched back to the main IP.
It would have saved so much time not having to update DNS on a load of domains and just switch the floating IP between servers but when your email is being received on the floating IP but sent out on the main IP this does not work and leads to the mail server being blacklisted. DO did agree it was too difficult to work with floating IPs and recommended giving up on them until they worked better (e.g. so the server saw it as the primary IP ).
Floating IPs could be a great feature for disaster recovery features (i.e. switch the IP from one server to another without having to edit a load of DNS entries and wait for the cache to update) but it seems they are not there yet.

Reply Report
hiphipjorge2 April 23, 2020

It’s crazy that I would think this would be such an essential, important feature of floating ips and yet it’s nearly impossible. After fighting this for about 2 or 3 ours on Ubuntu (Tried pretty much everything here, I could not get it to work).

What I ended up doing is using Squid proxy to handle this. If anyone is interested, here’s a bash script to setup Squid locally (with authentication) and have it route traffic through the floating IP (the line with tcp_outgoing_address $GATEWAY ev is basically where the magic happens).

Hopefully DO can shed some light on how to do this properly soon.

Reply Report
  • eris April 26, 2020

    Floating IPs were really only designed for inbound traffic, not outbound traffic, so none of these solutions are actively supported by our teams. They could break in the future because this isn’t an official feature we support.

    Right now, the best workaround to have outbound traffic go through a floating IP would be to set up some special routing rules, like so:

    ANCHOR_GW="10.10.0.1"
L3_MAC="fe:00:00:00:01:01"
ip neigh add $ANCHOR_GW lladdr $L3_MAC dev eth0
ip neigh #This command is to verify that the route exists
ip route del default #this command will break your Droplets networking temporarily until you run the next one
ip route add default via $ANCHOR_GW
ip route #you would run this command to confirm that you have routing through your anchor IP address.

    Here, you’d replace the 10.10.0.1 address with your anchor gateway you’d get by running the following command on your Droplet:

    curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway

    Again, this is not a supported feature, so doing this is entirely at your own risk. It may break in the future, and we don’t recommend this sort of setup.

    Reply Report
    • eduardodmz November 8, 2021

      @eris this was asked more than a year ago, and I wonder if this is still the case.

      We are considering migrating our infrastructure to DO but we have at least 5 providers that have ip access lists. We have to specify an IP address that they have to add to their auth system.

      As per your comment, this seems to be currently the only way and even so is not recommended or could change.

      We don’t want to bet our infrastructure on something that could change at anytime.

      So I have to ask, is your suggestion still the best way to have a unified outbound ip? We would have N droplets, all of them should exit from the same ip.

      Reply Report

Related

Looking for something else?

Ask a new question Search for more help