I have a LAN that uses a T1 for Internet connectivity. The service includes a firewall managed by the telco that provides MPLS connectivity to remote offices, NAT rules to destinations inside the LAN, and a few other things. I am trying to boost the Internet bandwidth while avoiding the cost of having to install another T1 circuit. A Comcast cable connection has recently been installed for this purpose.

Ideally, I'd like to drop in a Shorewall box between the LAN and the managed firewall without having to change anything. It should be invisible to the clients and to the managed firewall. However, the bulk of the outgoing connections (from LAN clients) should be routed out the Comcast interface.

I've configured Shorewall to use dual ISPs before and I've used it with two interfaces linked together in a bridge, but I haven't done both of these things at the same time. Any tips, tricks, or gotchas? Or maybe is there a better way to accomplish the goals? Thank you.
On Thu, 2011-08-11 at 09:46 -0400, Jamie Begin wrote:

This will be tricky because what you really want is a bridge, while Multi-ISP support only works on a router. So you will need to use Proxy ARP.

Let's assume that on the Shorewall box:

    eth0 = Interface to telco firewall
    eth1 = Interface to Comcast cable modem (or Business Class Gateway Router)
    eth2 = Interface to LAN

    w.x.y.z    = IP address of telco firewall
    w.x.y.0/24 = Local LAN
    w.x.y.q/32 = Address assigned to eth0
    w.x.y.r/24 = Address assigned to eth2

You will need to configure a static host route to w.x.y.z/32 out of eth0 and make w.x.y.z the default gateway for the Shorewall box.

In /etc/shorewall/proxyarp:

    #ADDRESS    INTERFACE    EXTERNAL    HAVEROUTE    PERSISTENT
    w.x.y.z     -            eth2        Yes          Yes

If the telco firewall also provides DNS services for the LAN, then you will have to run a DNS proxy or a DNS server on the Shorewall box.

Caution: If the telco firewall is providing any other broadcast-based services (such as UPnP), then this scheme won't work.

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
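An offline consistency check for the recipe above, added here as an example and not part of the thread: it assumes 192.0.2.x (a documentation range) in place of w.x.y.z, and parses a constructed /etc/shorewall/proxyarp excerpt and a constructed `ip route show` dump to confirm that the host route, the default gateway and the EXTERNAL/HAVEROUTE columns agree. A proxyarp entry on the wrong interface would make the box answer ARP for the firewall on the wrong segment, so that case is rejected.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders from the TEST-NET-1 range
# stand in for w.x.y.z; swap in the real addresses and interfaces.
TELCO_FW=192.0.2.1      # w.x.y.z, the telco firewall
TELCO_IF=eth0           # interface facing the telco firewall
LAN_IF=eth2             # interface facing the LAN

# Constructed /etc/shorewall/proxyarp excerpt following Tom's recipe.
PROXYARP_SAMPLE='#ADDRESS    INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
192.0.2.1    -          eth2      Yes        Yes'

# Constructed `ip route show` output from a correctly configured box:
# a host route to the firewall out of eth0, and the default route via it.
ROUTES_SAMPLE='default via 192.0.2.1 dev eth0
192.0.2.1 dev eth0 scope link
192.0.2.0/24 dev eth2 proto kernel scope link src 192.0.2.10'

# check_proxyarp TEXT ADDR LAN_IF
# The firewall address must be published on the LAN side (EXTERNAL=eth2)
# with HAVEROUTE=Yes, since the host route is added by hand and Shorewall
# must not add a second one. Publishing it on any other interface would
# make this box answer ARP for the firewall on the wrong segment.
check_proxyarp() {
  printf '%s\n' "$1" | awk -v a="$2" -v e="$3" '
    /^#/ || NF == 0 { next }
    $1 == a && $3 == e && tolower($4) == "yes" { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# check_routes TEXT ADDR TELCO_IF
# Requires both the /32 host route to the firewall out of TELCO_IF and a
# default route via that address on the same interface.
check_routes() {
  printf '%s\n' "$1" | awk -v a="$2" -v i="$3" '
    $1 == a && $2 == "dev" && $3 == i { host = 1 }
    $1 == "default" && $2 == "via" && $3 == a && $4 == "dev" && $5 == i { def = 1 }
    END { exit ((host && def) ? 0 : 1) }'
}

# Stand-alone usage against the constructed samples; on a live box replace
# the samples with "$(cat /etc/shorewall/proxyarp)" and "$(ip route show)".
main() {
  check_proxyarp "$PROXYARP_SAMPLE" "$TELCO_FW" "$LAN_IF" || { echo "proxyarp: bad"; return 1; }
  check_routes "$ROUTES_SAMPLE" "$TELCO_FW" "$TELCO_IF" || { echo "routes: bad"; return 1; }
  echo "proxyarp and routes agree with the recipe"
}
main "$@"
```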
Thanks for the quick suggestion, Tom. I'll be giving it a shot this evening. Would using the ARP proxy config still allow me to load-balance across the connections and use LSM for failover?

On Thu, Aug 11, 2011 at 10:16 AM, Tom Eastep <teastep@shorewall.net> wrote:
On Aug 11, 2011, at 9:45 AM, Jamie Begin wrote:
> Thanks for the quick suggestion, Tom. I'll be giving it a shot this evening. Would using the ARP proxy config still allow me to load-balance across the connections and use LSM for failover?

Yes.

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
Tom,

I've had moderate success with this config. The main problem is with traffic coming across the T1/telco firewall and into the LAN. There is an IPSec endpoint within the LAN and some port-mapped rules on the telco firewall. Since Shorewall sits between the telco firewall and LAN, that traffic doesn't know where to go once it reaches the Shorewall <---> Telco FW segment. It would seem that I'd almost have to set up ARP proxying for every internal IP address that the telco firewall needs to talk to. Am I correct? Is there a cleaner way of doing this?

Thanks!

On Thu, Aug 11, 2011 at 1:33 PM, Tom Eastep <teastep@shorewall.net> wrote: