Before I start with the nightmare setup I'd like to say I've read all the docs I could get my hands on, along with looking at commercial products (Cisco router, Checkpoint firewall, and Vicomsoft Internet Gateway), trying to get this to work with very limited success.

My setup:

  Ethernet Internet Connection  207.152.31.185/24  gw 207.152.31.1  (T1 connection)
  DSL Ethernet Connection       216.254.12.42/24   gw 216.254.12.42 (256k SDSL)
  LAN Ethernet Connection       192.168.181.254/24 (NAT'd)

Behind the "firewall" machine sits a number of boxes:

  192.168.181.252  - Internal DNS and squid proxy server.
  192.168.181.251  - External DNS server and external webserver
  192.168.181.250  - Internet DNS and external webserver
  192.168.181.1-10 - DHCP windows clients

Now I have some basic port translation going on to get the webservers alias'd to the internet connections and such, but nothing overly fancy. Keep in mind that I can _not_ use any routing protocols via either of these connections.

Here is what I need to do:

1> Set up traffic shaping to allow the windows clients behind the NAT to browse the internet using both internet connections. An important part of this is that incoming traffic _must_ be answered through the NAT via the same ip address that it came in on. (NOTE: This is the major problem with Vicomsoft Internet Gateway software as it will just pick either of the 2 internet connections to reply on, and therefore a number of things - most importantly games that use UDP packets - stop working correctly or have a huge amount of packet loss due to packets being answered with a different source ip than the host connected on).

2> Set up a fail over method so that if either internet connection were to fail it would start routing all outbound traffic over that link.

3> Allow simple port translation so that I can alias 207.152.31.185 port 22 to 192.168.181.251 port 22.

So the question is: can Linux using Advanced Routing be used to solve these problems? If so, could you please point me to an example setup? If not, do you know of _any_ possible solution to get this setup working? Again, I'm sorry if I've missed this reading the HOWTO; please point me in the right direction.

-------------------
JayC Daniel
Senior Security Engineer
Security Integration
HCAHealthcare
615-344-6988
jay.daniel@hcahealthcare.com
On Mon, 15 Jan 2001, Daniel Jay wrote:

[snip]
> Ethernet Internet Connection 207.152.31.185/24 gw 207.152.31.1 (T1 connection)
> DSL Ethernet Connection 216.254.12.42/24 gw 216.254.12.42 (256k SDSL)
> LAN Ethernet Connection 192.168.181.254/24 (NAT'd)
[snip]
> Now I have some basic port translation going on to get the webservers
> alias'd to the internet connections and such, but nothing overly fancy. Keep
> in mind that I can _not_ use any routing protocols via either of these
> connections. Here is what I need to do:
>
> 1> Set up traffic shaping to allow the windows clients behind the NAT to
> browse the internet using both internet connections. An important part of
> this is that incoming traffic _must_ be answered through the NAT via the
> same ip address that it came in on. (NOTE: This is the major problem with
> Vicomsoft Internet Gateway software as it will just pick either of the 2
> internet connections to reply on, and therefore a number of things - most
> importantly games that use UDP packets - stop working correctly or have a
> huge amount of packet loss due to packets being answered with a different
> source ip than the host connected on).
>
> 2> Set up a fail over method so that if either internet connection were
> to fail it would start routing all outbound traffic over that link.
>
> 3> Allow simple port translation so that I can alias 207.152.31.185
> port 22 to 192.168.181.251 port 22.
>
> So the question is: can Linux using Advanced Routing be used to solve these
> problems? If so, could you please point me to an example setup? If not, do
> you know of _any_ possible solution to get this setup working? Again, I'm
> sorry if I've missed this reading the HOWTO; please point me in the right
> direction.

Yes. Linux using Advanced Routing can be used to solve these problems, but for problem 2: at the IP level there is no way to figure out whether or not a link is down. Of course, you can approximate problem 2, but you have no guarantees that the problem lies with the link and not with the servers you test your connectivity against, or the infrastructure to those servers beyond your direct link.

There have been some postings on the mailing list on exactly the kind of setup you want. Look into the threads 'Can't use two links on a linux box' and 'Can't use two links on a linux box - correction/addition' in the archives at http://mailman.ds9a.nl/pipermail/lartc/2000q4/thread.html

Doei, Arthur. (Maybe I should 'steal' some of my boss' time to write this stuff up for the HOWTO...)

--
  /\    / | arthurvl@sci.kun.nl            | Work like you don't need the money
 /__\  /  | A friend is someone with whom  | Love like you have never been hurt
/    \/__ | you can dare to be yourself    | Dance like there's nobody watching
On Tue, 16 Jan 2001, Arthur van Leeuwen wrote:

> > 2> Set up a fail over method so that if either internet connection were
> > to fail it would start routing all outbound traffic over that link.
>
> Yes. Linux using Advanced Routing can be used to solve these problems, but
> for problem 2: at the IP level there is no way to figure out whether or not a
> link is down. Of course, you can approximate problem 2, but you have no
> guarantees that the problem lies with the link and not with the servers you
> test your connectivity against, or the infrastructure to those servers
> beyond your direct link.

What happens if you use the bonding driver and one of the two parts of the link goes down? Is that transparent? (Of course this is not a solution you want if your fallback is some expensive slow line, but if the lines are equal in cost (or it doesn't cost more at all to have the fallback 'online' all the time) this might be a solution.)

Paul
On Tue, 16 Jan 2001, Paul Wouters wrote:

> On Tue, 16 Jan 2001, Arthur van Leeuwen wrote:
>
> > > 2> Set up a fail over method so that if either internet connection were
> > > to fail it would start routing all outbound traffic over that link.
> >
> > Yes. Linux using Advanced Routing can be used to solve these problems, but
> > for problem 2: at the IP level there is no way to figure out whether or not a
> > link is down. Of course, you can approximate problem 2, but you have no
> > guarantees that the problem lies with the link and not with the servers you
> > test your connectivity against, or the infrastructure to those servers
> > beyond your direct link.
>
> What happens if you use the bonding driver and one of the two parts of the
> link goes down? Is that transparent?

What bonding driver? And no, a link failing is *not* transparent. It will lead to intermittent connectivity problems, as the multipath routing code will randomly keep selecting the failed link as well as the one still working. You will have to do active monitoring. Yes, polling. Unfortunately. Let's all hope for IPv6 and true NUD...

Doei, Arthur.
I saw the example from 'Can't use two links on a linux box - correction/addition', but there were a couple of differences in his setup that concerned me. The first was that he was only running NAT on 1 of his 2 connections. My second and more important concern with using NAT and Linux is: how do you make sure that if X computer starts a UDP connection with the outside world, all traffic on that connection comes from the same outside IP address (be it the dsl line or the T1 line)?

-----Original Message-----
From: Arthur van Leeuwen [mailto:arthurvl@sci.kun.nl]
Sent: Tuesday, January 16, 2001 3:39 AM
To: Daniel Jay
Cc: 'lartc@mailman.ds9a.nl'
Subject: Re: [LARTC] Advanced routing question.

On Mon, 15 Jan 2001, Daniel Jay wrote:

[snip]

Yes. Linux using Advanced Routing can be used to solve these problems, but for problem 2: at the IP level there is no way to figure out whether or not a link is down. Of course, you can approximate problem 2, but you have no guarantees that the problem lies with the link and not with the servers you test your connectivity against, or the infrastructure to those servers beyond your direct link.

There have been some postings on the mailing list on exactly the kind of setup you want. Look into the threads 'Can't use two links on a linux box' and 'Can't use two links on a linux box - correction/addition' in the archives at http://mailman.ds9a.nl/pipermail/lartc/2000q4/thread.html

Doei, Arthur. (Maybe I should 'steal' some of my boss' time to write this stuff up for the HOWTO...)
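As an added example, not code from anyone in this thread: the source-address policy routing that makes replies leave on the link they arrived on (the concern in the original post and in the follow-up above), per-link SNAT plus the port-22 alias from requirement 3, and the polling failover check that Arthur says cannot be avoided. Interface names (eth0 = T1, eth1 = DSL, eth2 = LAN), table names T1/DSL, the 2.4 iptables rules and the probe address are assumptions; the addresses are the ones posted.

```shell
#!/bin/sh
# Added example, not from the thread. eth0/eth1/eth2, tables T1/DSL (ids 1 and 2
# in /etc/iproute2/rt_tables), the iptables rules and PROBE are assumptions;
# the addresses and gateways are as given in the original post.
# DRY_RUN=1 (the default) only prints the commands, so it runs without root.
DRY_RUN=${DRY_RUN:-1}
T1_IF=eth0;  T1_IP=207.152.31.185; T1_GW=207.152.31.1;  T1_NET=207.152.31.0/24
DSL_IF=eth1; DSL_IP=216.254.12.42; DSL_GW=216.254.12.42; DSL_NET=216.254.12.0/24
LAN_IF=eth2; LAN_NET=192.168.181.0/24

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One routing table per uplink. A reply to an inbound connection carries the
# address it arrived on as its source, and "ip rule from <addr>" sends it through
# that link's table, whose only default route is that link's gateway, so the
# reply leaves on the link the request came in on.
setup_uplink() {            # args: table iface addr gw net
  run ip route add "$5" dev "$2" src "$3" table "$1"
  run ip route add default via "$4" dev "$2" table "$1"
  run ip rule add from "$3" table "$1"
}

setup_nat() {
  # SNAT per exit interface so the source address always matches the link used;
  # conntrack keeps one mapping per flow. Last rule is the port-22 alias.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$T1_IF"  -j SNAT --to-source "$T1_IP"
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$DSL_IF" -j SNAT --to-source "$DSL_IP"
  run iptables -t nat -A PREROUTING -d "$T1_IP" -p tcp --dport 22 -j DNAT --to-destination 192.168.181.251:22
}

# Failover by polling: probe a target through each link and rebuild the main
# table's default route from whichever links answered.
link_up() { ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1; }

choose_default() {          # args: t1_ok dsl_ok (1/0); prints the route command
  case "$1$2" in
    11) echo "ip route replace default scope global nexthop via $T1_GW dev $T1_IF weight 1 nexthop via $DSL_GW dev $DSL_IF weight 1" ;;
    10) echo "ip route replace default via $T1_GW dev $T1_IF" ;;
    01) echo "ip route replace default via $DSL_GW dev $DSL_IF" ;;
    *)  echo "" ;;          # both down: leave the current route alone
  esac
}

failover_once() {           # run from cron or a loop; PROBE is a placeholder
  PROBE=${PROBE:-192.0.2.1}; t1=0; dsl=0
  link_up "$T1_IF" "$PROBE" && t1=1
  link_up "$DSL_IF" "$PROBE" && dsl=1
  cmd=$(choose_default "$t1" "$dsl")
  if [ -n "$cmd" ]; then run $cmd; fi
}

setup_uplink T1  "$T1_IF"  "$T1_IP"  "$T1_GW"  "$T1_NET"
setup_uplink DSL "$DSL_IF" "$DSL_IP" "$DSL_GW" "$DSL_NET"
setup_nat
```

Outbound client flows are still steered by the main table's multipath route and keep their SNAT mapping via conntrack; the per-source rules guarantee the return path only for traffic that arrived on a given link's address.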