Sanjay Arora
2005-May-22 09:34 UTC
Help PLEASE...Multi-Routing for ADSL on Linux: Request for pointers..
Hi all,

I am a small business user running my IT infrastructure on Whitebox Linux (RHEL3 clone), with ADSL connectivity with a static IP, using the ipcop firewall gateway (www.ipcop.org). I run my own web/mail server as my website usage is not much and I cannot afford to lease a dedicated server on the net, and leasing a shared server... I lose control.

My DSL is prone to frequent outages and therefore I need a backup link. Also, my DSL provider charges very high for usage, therefore I want a lower cost connection.

Now in my area I have only one option for each requirement. Another DSL provider who charges as high as the first one, but can be an alternate provider, though issues dynamic IPs only... this would do for a backup connection.

There's another cable ISP (ethernet to home) that provides flat-rate access but issues private IPs 172.16.x.x & 10.x.x.x and has a NAT machine that does the address translation and has less than a quarter the speed of the other two providers. He is not willing to give a live IP, even for an extra charge.

Now, I want to connect three DSLs to my Internet gateway (ipcop machine... again, as I already have three LAN cards... no more slots left), using one ethernet card connected to a four port switch where I can terminate both the DSLs & the cable internet connection. And to give two static IPs (one public, one private) and one dynamic IP to my ethernet card on the WAN side, using something like nexthop given in the LARTC howto.

Is this type of scenario:

1. Possible?
2. Easily maintainable? Especially on top of an existing firewall distro, that can be tweaked... maybe ipcop or some other, so that I don't have to individually keep up with all the security updates that are bound to come. Suggestions on any firewall gateway distro that would be more amenable to any such solution that is suggested. Or do I have to do it fully?
3. Secure?

Please give some comments & pointers, with web URLs for further reading.

Also, I would like to bifurcate traffic, especially downloads using ftp, rsync (and if possible http downloads too) to go through the private IP flat rate link. Something that separates traffic by ports.

Request routing Gurus help me please. Am on a shoestring budget and can't afford commercial hardware solutions that offer this kind of functionality, IAC... don't even know of one that is specifically for low-cost DSL usage.

With best regards.
Sanjay.
Taylor, Grant
2005-May-24 03:16 UTC
Re: Help PLEASE...Multi-Routing for ADSL on Linux: Request for pointers..
> My DSL is prone to frequent outages and therefore I need a backup
> link. Also, my DSL provider charges very high for usage, therefore I
> want a lower cost connection.

Do you have Verizon or CenturyTel? That type of price scalping is *VERY* common around here.

> Now in my area I have only one option for each requirement. Another
> DSL provider who charges as high as the first one, but can be an
> alternate provider, though issues dynamic IPs only... this would do
> for a backup connection.
>
> There's another cable ISP (ethernet to home) that provides flat-rate
> access but issues private IPs 172.16.x.x & 10.x.x.x and has a NAT
> machine that does the address translation and has less than a quarter
> the speed of the other two providers. He is not willing to give a live IP,
> even for an extra charge.

I like the idea of a cable modem as it is a different technology than DSL and will be susceptible to different reasons for outages. For example, someone at the local CO unplugging cables on the DSLAM could hit both your connections if they are DSL, whereas if your backup connection was a cable modem you would quite likely still be on the net.

I guess the difference in the connection would be if you can live with your servers being off the net for a while and just have internal / LAN internet access, or if you need to still be able to serve content to the world. Something you might consider doing would be finding someone to offer backup MX and DNS hosting for you. (I know a couple of people, myself included, who would be willing to help.) If all you need is the former, I would strongly go with the Cable Modem connection.

> Now, I want to connect three DSLs to my Internet gateway (ipcop
> machine... again, as I already have three LAN cards... no more slots
> left), using one ethernet card connected to a four port switch where I
> can terminate both the DSLs & the cable internet connection. And to give
> two static IPs (one public, one private) and one dynamic IP to my
> ethernet card on the WAN side, using something like nexthop given in
> the LARTC howto

I don't think that I would plug multiple INet connections in to a (unmanaged layer 2) switch and then plug that switch in to a NIC for your internet connectivity. I am hoping that I read what you wrote wrong.

What you *CAN* do is get a layer 2 managed switch that supports 802.1Q VLANs and assign a VLAN to two ports on the switch, one of which is the port to your firewall and the other to a particular INet connection. If you use a 24 port managed switch you could hook up 24 different DSL / Cable Modems to one NIC in a computer. I have done this with wonderful success! Using this method you could easily have multiple links via 802.1d bridging (STP) or bonding to make sure that you have a connection from your system to the managed switch even if a cable gets unplugged.

> Is this type of scenario:
>
> 1. Possible?

Yes, very!

> 2. Easily maintainable? Especially on top of an existing firewall distro,
> that can be tweaked... maybe ipcop or some other, so that I don't have
> to individually keep up with all the security updates that are bound
> to come. Suggestions on any firewall gateway distro that would be more
> amenable to any such solution that is suggested. Or do I have to do it
> fully?

Well, don't run your services on the firewall. Use an old "white box" as your firewall / gateway so that you don't have to worry about keeping it as up to date, as it will not be serving any services to the outside world and thus *MUCH* harder to hack. This will allow you to run your distro of choice on your servers, where you know how to keep it up to date. Besides, it is a bad idea to run services that could be exploited on a firewall.

> 3. Secure?

Yes, I think this could be made extremely secure, or at least as secure as any single internet connection.

> Please give some comments & pointers, with web URLs for further reading.

I think you want to do some reading on setting up additional routing tables via the "ip route" command and then use some routing rules (set up via the "ip rule" command) to define which traffic uses which routing table. Any Linux advanced routing document should go in to this.

> Also, I would like to bifurcate traffic, especially downloads using
> ftp, rsync (and if possible http downloads too) to go through the
> private IP flat rate link. Something that separates traffic by ports.

This is doable, via different routing tables for different types of traffic, ssh, smtp, ftp, etc.

> Request routing Gurus help me please. Am on a shoestring budget and
> can't afford commercial hardware solutions that offer this kind of
> functionality, IAC... don't even know of one that is specifically for
> low-cost DSL usage.

Can you afford to dedicate an old computer to this task? If you really need it could you buy a $300 layer 2 managed switch? (D-Link DES-3226L (http://dlink.com/products/?sec=0&pid=298) is what I used for my 8 cable modem set up.)

Grant. . . .
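As an added example, not from this thread and not ipcop's or LARTC's own code, here is one way to write down the layout Grant describes: one 802.1Q sub-interface per uplink on a single NIC facing the managed switch, one routing table per uplink selected by "ip rule" (by source address for the static-IP link, by packet mark for the by-port split), and netfilter marks for ftp/http/rsync. Every interface name (eth0 LAN, eth1 to the switch), VLAN id, address, gateway and table number is an assumed value. The script defaults to a dry run that prints the iproute2 and iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): per-uplink routing tables plus
# port-based steering with iproute2 and netfilter on a Linux gateway.
# Every interface name, address, VLAN id and table number below is
# constructed for the example. DRY_RUN=1 (the default) prints the commands
# instead of running them; run with DRY_RUN=0 as root on the gateway once
# the values match the real links.

DRY_RUN=${DRY_RUN:-1}
LAN_DEV=eth0                 # assumed LAN side
LAN_NET=192.168.1.0/24       # assumed LAN subnet
WAN_DEV=eth1                 # assumed single NIC facing the managed switch

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Write a kernel setting via /proc (printed in dry-run mode).
set_sysctl() {
    if [ "$DRY_RUN" = 1 ]; then printf 'echo %s > %s\n' "$2" "$1"; else echo "$2" > "$1"; fi
}

# One 802.1Q sub-interface per uplink, matching the per-port VLANs on the
# managed switch, and one routing table per uplink. The "from <address>"
# rule sends replies to connections that arrived on an ISP's address back
# out through that ISP, which is what keeps the public web/mail server
# reachable on the static IP.
setup_uplink() {
    table=$1; vlan=$2; addr=$3; prefix=$4; gw=$5
    dev="$WAN_DEV.$vlan"
    run ip link add link "$WAN_DEV" name "$dev" type vlan id "$vlan"
    run ip addr add "$addr/$prefix" dev "$dev"
    run ip link set "$dev" up
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add from "$addr" lookup "$table" priority "$((1000 + table))"
    run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
    # Strict reverse-path filtering drops packets whenever the reply path
    # differs from the arrival path, which is routine with several uplinks;
    # loose mode (2) keeps the anti-spoofing check without that side effect.
    set_sysctl "/proc/sys/net/ipv4/conf/$dev/rp_filter" 2
}

# Mark new LAN-originated connections to the given TCP ports and route
# marked packets through the chosen table. CONNMARK keeps the mark on the
# whole flow (conntrack also copies it to related flows such as ftp data
# channels when the ftp helper, nf_conntrack_ftp, is loaded), so every
# packet of a transfer follows the same uplink.
steer_ports_to() {
    table=$1; mark=$2; shift 2
    run iptables -t mangle -A PREROUTING -i "$LAN_DEV" -j CONNMARK --restore-mark
    for port in "$@"; do
        run iptables -t mangle -A PREROUTING -i "$LAN_DEV" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j MARK --set-mark "$mark"
    done
    run iptables -t mangle -A PREROUTING -i "$LAN_DEV" -j CONNMARK --save-mark
    run ip rule add fwmark "$mark" lookup "$table" priority 500
}

main() {
    set_sysctl /proc/sys/net/ipv4/ip_forward 1
    # LAN-to-LAN traffic must never be steered to an ISP: consult the main
    # table for local destinations before any per-uplink rule applies.
    run ip rule add to "$LAN_NET" lookup main priority 100

    setup_uplink 10 10 203.0.113.10 24 203.0.113.1            # DSL 1, static public IP
    setup_uplink 20 20 "${DSL2_IP:-198.51.100.77}" 24 "${DSL2_GW:-198.51.100.1}"  # DSL 2, dynamic IP
    setup_uplink 30 30 10.5.0.20 24 10.5.0.1                  # cable, private IP behind ISP NAT

    # Bulk downloads (ftp, http, rsync) go out the flat-rate cable link.
    steer_ports_to 30 30 21 80 873

    # Everything else follows the main table's default route: the primary
    # DSL. Point it at table 20's gateway instead when DSL 1 is down.
    run ip route replace default via 203.0.113.1 dev "$WAN_DEV.10"
}
main
```

Two things to keep in mind with this layout: "ip rule add" is not idempotent, so re-running the script (for example after the dynamic DSL lease changes) appends duplicate rules unless the old ones are deleted with "ip rule del" first; and failover here is manual, so a link monitor that swaps the main table's default route when the primary DSL stops answering is the missing piece for automatic backup. The private-IP cable link can carry outbound transfers only, since the ISP's NAT box hides it from the Internet, which is why inbound services stay on the static-IP DSL.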
Sanjay Arora
2005-May-26 19:07 UTC
Re: Help PLEASE...Multi-Routing for ADSL on Linux: Request for pointers..
Grant

Thanks for your response.

On 5/24/05, Taylor, Grant <gtaylor@riverviewtech.net> wrote:

> Do you have Verizon or CenturyTel? That type of price scalping is
> *VERY* common around here.

I am wayyy out in India. Broadband & DSLs are still high-tech around here & quite expensive, e.g. I am being charged around 45 USD for one GB extra bandwidth consumption on my 256 kbps ADSL connection.

> I guess the difference in the connection would be if you can live with
> your servers being off the net for a while and just have internal / LAN
> internet access, or if you need to still be able to serve content to the
> world. Something you might consider doing would be finding someone to
> offer backup MX and DNS hosting for you. (I know a couple of people,
> myself included, who would be willing to help.) If all you need is the
> former, I would strongly go with the Cable Modem connection.

Yes, that's what I was planning to do, as soon as I get my setup... up & working.

> I don't think that I would plug multiple INet connections in to a
> (unmanaged layer 2) switch and then plug that switch in to a NIC for
> your internet connectivity. I am hoping that I read what you wrote wrong.

Well... I can be real dumb... that's exactly what I wrote.

> What you *CAN* do is get a layer 2 managed switch that supports 802.1Q
> VLANs and assign a VLAN to two ports on the switch, one of which is the
> port to your firewall and the other to a particular INet connection. If
> you use a 24 port managed switch you could hook up 24 different DSL /
> Cable Modems to one NIC in a computer. I have done this with wonderful
> success! Using this method you could easily have multiple links via
> 802.1d bridging (STP) or bonding to make sure that you have a connection
> from your system to the managed switch even if a cable gets unplugged.

Hmmm... point taken... thanks... will do this.

> > Is this type of scenario:
> >
> > 1. Possible?
>
> Yes, very!

One point validated ;-) thanks.

> > 2. Easily maintainable? Especially on top of an existing firewall distro,
> > that can be tweaked... maybe ipcop or some other, so that I don't have
> > to individually keep up with all the security updates that are bound
> > to come. Suggestions on any firewall gateway distro that would be more
> > amenable to any such solution that is suggested. Or do I have to do it
> > fully?
>
> Well, don't run your services on the firewall. Use an old "white box" as
> your firewall / gateway so that you don't have to worry about keeping it
> as up to date, as it will not be serving any services to the outside
> world and thus *MUCH* harder to hack. This will allow you to run your
> distro of choice on your servers, where you know how to keep it up to
> date. Besides, it is a bad idea to run services that could be exploited
> on a firewall.

No, I have a separate firewall box on my network. I don't run any services on it and use it only for port forwarding to the DMZ server. I use a Linux firewall distro (www.ipcop.org), not a full Linux distro. My question actually was that my present firewall is a sort of appliance. I put the CD in, boot with it... it gets automatically installed... I just assign the IPs & go to the web interface and set up port forwarding etc... and I'm done... every new release... same thing happens. Now, under the scenario of multiple routes using iproute2... should I use such existing firewalls and run iproute2 on top of it, or do I have to roll my own gateway on Linux? What's advisable? & easier for my kind of admin... a follower ;-)

> I think you want to do some reading on setting up additional routing
> tables via the "ip route" command and then use some routing rules (set
> up via the "ip rule" command) to define which traffic uses which routing
> table. Any Linux advanced routing document should go in to this.

Thanks... will check.

> > Also, I would like to bifurcate traffic, especially downloads using
> > ftp, rsync (and if possible http downloads too) to go through the
> > private IP flat rate link. Something that separates traffic by ports.
>
> This is doable, via different routing tables for different types of
> traffic, ssh, smtp, ftp, etc.

Hmm... thanks buddy... you just enrolled me back into school.

> > Request routing Gurus help me please. Am on a shoestring budget and
> > can't afford commercial hardware solutions that offer this kind of
> > functionality, IAC... don't even know of one that is specifically for
> > low-cost DSL usage.
>
> Can you afford to dedicate an old computer to this task?

Am already running my firewall on a dedicated PIII-550. Can dedicate that machine or even another one... that's something I already have.

> If you really need it could you buy a $300 layer 2 managed switch?
> (D-Link DES-3226L (http://dlink.com/products/?sec=0&pid=298) is what I
> used for my 8 cable modem set up.)

Thanks... will check it out.

Thank you once more... you have been a lot of help.

With regards.
Sanjay.

P.S: List replied directly to your address... so cc'd the list, but what's the etiquette on this list... does the thread go private after the initial mail or does one remove the sender's address and put the list address back in... so why not make the list put in the list address as reply address. What I have done will cause two mails to be sent to you.... anyone?