Randy Wallace
2006-Dec-24 15:38 UTC
RE: Question regarding Split Access description (Adam Neat)
IMHO, i believe that it would be more realistic to have one router providing
load balancing/dead gateway to one/several subnet(s). otherwise, each
server/user would have to do their own load balancing for each subnet!
that,
or you would need 3 routers, one for each subnet and a linux router doing the
load balancing in the middle.
with 3 routers, the load balancing configurations shouldn''t change,
just ip addresses
there is a discussion of how to use DNAT (port forwarding) at
http://www.ssi.bg/~ja/dgd-usage.txt
with dead gateway detection
xx.xx.xx.x1/32--->SHDSL#1
(wan0)/ xx.xx.xx.x2/32
server(s) ------> Switch -------> (lan0) Linux
Router --
ex. LAMP Server ip 192.168.1.1/28 (wan1)\
ip 192.168.1.2/28
yy.yy.yy.y1/32--->SHDSL#2
gw 192.168.1.1
yy.yy.yy.y2/32
ip rule add prio 10 table main
ip rule add prio 20 from xx.xx.xx.x1/32 table 20
ip route append default via xx.xx.xx.x2 dev wan0 src xx.xx.xx.x1 table 20
ip rule add prio 30 from yy.yy.yy.y1/32 table 30
ip route append default via yy.yy.yy.y2 dev wan1 src yy.yy.yy.y1 table 30
ip rule add prio 100 from 192.168.1.0/28 table 100
ip route add default table 100 \
nexthop via xx.xx.xx.x1 dev wan0 \
nexthop via yy.yy.yy.y1 dev wan1
the key is using 192.168.1.1 as the gateway
ipTables masq and dnat rules could take care of src and dest ip addressing
to xx.xx.xx.x1 and yy.yy.yy.y1. i prefer keeping some routing in iptables as a
firewall advantage.
iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o wan1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.x1 --dport 80 \
-j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -p tcp -d yy.yy.yy.y1 --dport 80 \
-j DNAT --to-destination 192.168.1.2
DNS Records, at godaddy.com for example, should specify both xx.xx.xx.x1
and yy.yy.yy.y1 for the LAMP. then you would have a path to both
SHDSL connections from the internet for one domain.
this makes the most sense to me, but isn''t the only solution, the only
fault
i can see is that there is one major point of failure.
Adam Neat
2006-Dec-26 12:46 UTC
RE: RE: Question regarding Split Access description (Adam Neat)
Randy - thanks for the reply - it was a big help.
I agree with your points - the single router approach would be easier, but
I''m conscious of availability.
My thinking is that with a 3 node approach (1 node for Provider 1 uplink, 1
node for provider 2 uplink, and the 3rd router for the internal core
router), if one of the border routers go down we loose half the
connectivity; we''d also look to run a standard active-standby LVS node
to
provide HA on the single core router.
At this stage, we''re leaning towards the three node approach but
we''re not
100% sure if this will work with the configuration I outlined below.
Provider 1 Provider 2
| |
SDSL SDSL
| |
Border Rtr 1 Border Rtr 2
| |
+--------+ +-----+
+--Core Rtr 1--+
|
+--------------+--------------+
| | |
Server1 Server 2 Server 3
As I noted above, core router 1 would be HA''d in an active standby.
Cheers
Adam
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
On Behalf Of Randy Wallace
Sent: Monday, 25 December 2006 2:39 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] RE: Question regarding Split Access description (Adam Neat)
IMHO, i believe that it would be more realistic to have one router providing
load balancing/dead gateway to one/several subnet(s). otherwise, each
server/user would have to do their own load balancing for each subnet!
that,
or you would need 3 routers, one for each subnet and a linux router doing
the
load balancing in the middle.
with 3 routers, the load balancing configurations shouldn''t change,
just ip addresses
there is a discussion of how to use DNAT (port forwarding) at
http://www.ssi.bg/~ja/dgd-usage.txt
with dead gateway detection
xx.xx.xx.x1/32--->SHDSL#1
(wan0)/ xx.xx.xx.x2/32
server(s) ------> Switch -------> (lan0) Linux
Router --
ex. LAMP Server ip 192.168.1.1/28
(wan1)\
ip 192.168.1.2/28
yy.yy.yy.y1/32--->SHDSL#2
gw 192.168.1.1
yy.yy.yy.y2/32
ip rule add prio 10 table main
ip rule add prio 20 from xx.xx.xx.x1/32 table 20
ip route append default via xx.xx.xx.x2 dev wan0 src xx.xx.xx.x1 table 20
ip rule add prio 30 from yy.yy.yy.y1/32 table 30
ip route append default via yy.yy.yy.y2 dev wan1 src yy.yy.yy.y1 table 30
ip rule add prio 100 from 192.168.1.0/28 table 100
ip route add default table 100 \
nexthop via xx.xx.xx.x1 dev wan0 \
nexthop via yy.yy.yy.y1 dev wan1
the key is using 192.168.1.1 as the gateway
ipTables masq and dnat rules could take care of src and dest ip addressing
to xx.xx.xx.x1 and yy.yy.yy.y1. i prefer keeping some routing in iptables
as a
firewall advantage.
iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o wan1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.x1 --dport 80 \
-j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -p tcp -d yy.yy.yy.y1 --dport 80 \
-j DNAT --to-destination 192.168.1.2
DNS Records, at godaddy.com for example, should specify both xx.xx.xx.x1
and yy.yy.yy.y1 for the LAMP. then you would have a path to both
SHDSL connections from the internet for one domain.
this makes the most sense to me, but isn''t the only solution, the only
fault
i can see is that there is one major point of failure.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc