Shorewall users - Jan 2007 - multiISP on single interface

I was wondering if there''s a way to include multiple
DSL lines on a single physical interface. 
I just ran out of ethernet cards and need to connect
more lines, hopefully without having to setup a second
shorewall gateway.
If I don''t have any options then I will of course
configure a second server but I wanted to here from
this list first.

I have 4 ethernet interfaces and no space for more and
5 DSL lines.
3 DSLs would be for remote RDP access only (remote
users in group n would connect through Provider n''s
public IP to the same Terminal Server in LAN/LOC zone
via DNAT).
1 DSL would be for HTTP and co.
1 DSL would be for E-MAIL, etc.
So the 3 DSLs for RDP might as well have the same
ruleset.
I was thinking of connecting the 3 DSL modems to a
single ethernet interface through a switch and
configure aliases for eth0:

DSL1---
DSL2---\       DSL4    DSL5
DSL3----\       |     /
        eth0  eth1  eth2
              eth3
                |
              LAN

After reading
http://www.shorewall.net/Multiple_Zones.html
and
http://www.shorewall.net/MultiISP.html
I deduce that the above configuration isn''t possible
mainly because I can''t correctly define the gateway
column in the providers file (my knowledge of
iptables/netfilter is very limited).

Is this right and thus need to setup a second
shorewall?


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

On Mon, Jan 08, 2007 at 05:07:47AM -0800, Vieri Di Paola
wrote:
> I was wondering if there''s a way to include multiple
> DSL lines on a single physical interface. 
> I just ran out of ethernet cards and need to connect
> more lines, hopefully without having to setup a second
> shorewall gateway.
> If I don''t have any options then I will of course
> configure a second server but I wanted to here from
> this list first.
> 
A second server would probably be overkill.  Just get yourself some
multi-port NICs.  Intel and 3Com both make 2- and 4-port NICs.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Roberto C. Sanchez wrote:
> On Mon, Jan 08, 2007 at 05:07:47AM -0800, Vieri Di Paola wrote:
>   
>> I was wondering if there''s a way to include multiple
>> DSL lines on a single physical interface. 
>> I just ran out of ethernet cards and need to connect
>> more lines, hopefully without having to setup a second
>> shorewall gateway.
>> If I don''t have any options then I will of course
>> configure a second server but I wanted to here from
>> this list first.
>>
>>     
> A second server would probably be overkill.  Just get yourself some
> multi-port NICs.  Intel and 3Com both make 2- and 4-port NICs.
>
> Regards,
>
> -Roberto
>
>   
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net''s Techsay panel and you''ll get the
chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
>
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> ------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>   
Lets take little bit different approach...

Why you do not upgrade your lines speed...?!

If you have ADSL upload is 800K switching to HDSL will give you 2M ~ 3 ADSL
And VHDSL is 30M.
You may consider also taking Ethernet 10M and keep one DSL as backup.
Probably the price tag will not change much.

-- 
Hristo Benev
IT Manager

WAVEROAD
Partners in Telecommunications

514-935-2020 x225 T
514-935-1001 F
www.waveroad.ca
hristo.benev@waveroad.ca



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

On Mon, Jan 08, 2007 at 05:07:47AM -0800, Vieri Di Paola
wrote:
> I was wondering if there''s a way to include multiple
> DSL lines on a single physical interface. 
I think you can do this with PPPoE-forwarding modems (no PPP
termination on the modem at all - *just* a modem which copies the
PPPoE packets to and from the ethernet interface), and rp-pppoe on the
firewall - so you get ppp0, ppp1, ... interfaces on the firewall
(which are your true internet interfaces), and the ethernet interface
is used only to carry the encapsulated PPPoE packets to the modem.

As far as I am aware, it''s possible to use multiple modems on one
interface in this manner, and it gives you the ability to discriminate
between them on the firewall. But fair warning - I only believe this
to be possible, I''ve never tried it. I use PPPoE in this fashion
(because modems that terminate the PPP session must act as routers,
and they are always lousy routers and truly abysmal NAT devices), but
only with a single modem on each interface.

Of course, if you live in one of the handful of countries that only
implements true PPPoA, that''s no help to you at all (note that some
countries advertise PPPoA but actually implement both, because the
sales people don''t talk to the engineering people - we have that here
in the UK).

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Andrew Suffield wrote:
> On Mon, Jan 08, 2007 at 05:07:47AM -0800, Vieri Di Paola wrote:
>> I was wondering if there''s a way to include multiple
>> DSL lines on a single physical interface. 
> 
> I think you can do this with PPPoE-forwarding modems (no PPP
> termination on the modem at all - *just* a modem which copies the
> PPPoE packets to and from the ethernet interface), and rp-pppoe on the
> firewall - so you get ppp0, ppp1, ... interfaces on the firewall
> (which are your true internet interfaces), and the ethernet interface
> is used only to carry the encapsulated PPPoE packets to the modem.
In germany such modems first was standard. These has 1 DSL-Port and a 
normal ethernet port. So it is possible to link this to a ethernet port 
at a PC. But there are also many routers that can act like a bridge.

rp-pppoe is the right software for this. There is a german website which 
shows how it works: http://geggus.net/sven/t-dsl.html
You need the source of rp-pppoe 3.8 and this patch 
http://geggus.net/sven/rp-pppoe-3.8-fakemac.diff
Than you can use a option "-H <macadress>" to start every
connection
with another fake mac-adress.
> As far as I am aware, it''s possible to use multiple modems on one
> interface in this manner, and it gives you the ability to discriminate
> between them on the firewall. But fair warning - I only believe this
> to be possible, I''ve never tried it. I use PPPoE in this fashion
> (because modems that terminate the PPP session must act as routers,
> and they are always lousy routers and truly abysmal NAT devices), but
> only with a single modem on each interface.
I use it till some months. My provider is the german T-Com.
The distribution is Debian Etch with the shorewall package.

Sebastian

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

--- "Roberto C. Sanchez" <roberto@connexer.com> wrote:
> Just get yourself some
> multi-port NICs.  Intel and 3Com both make 2- and
> 4-port NICs.
Hard to find and usually expensive although I did find
a relatively cheap one:
D-Link DFE 580TX - PCI - 10Base-T, 100Base-TX - 4
ports
I just hope there''s a driver for Linux.
Are you using this kind of cards? Are they working
well?

--- Hristo Benev <hristo.benev@waveroad.ca> wrote:
> Why you do not upgrade your lines speed...?!
> 
> If you have ADSL upload is 800K switching to HDSL
> will give you 2M ~ 3 ADSL
> And VHDSL is 30M.
> 
The providers I consulted so far DO offer SDSL and
their top product (250€) is a 2M line but they only
guarantee 25% bandwidth in their most expensive
product. In practice I don''t know how well it performs
because we never tried it (but this is probably what
we will do soon).
We can get cheaper ADSL lines (60€) with 1M upload
which usually are at about 500Kbps.
3 * 60 = 180€ for 1.5Mbps ADSL instead of 250€ for
512K-2Mbps SDSL does make a difference in my area
(although not that big after all).

--- Andrew Suffield <asuffield@suffields.me.uk> wrote:
> I think you can do this with PPPoE-forwarding
modems, and rp-pppoe on the firewall 

--- Sebastian Raring <sebastian@raring.de> wrote:
> There is a
> german website which 
> shows how it works:
> http://geggus.net/sven/t-dsl.html
Interesting solution. Thank you.



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

On 1/8/07, Vieri Di Paola <vieridipaola@yahoo.com>
wrote:
> Hard to find and usually expensive although I did find
> a relatively cheap one:
> D-Link DFE 580TX - PCI - 10Base-T, 100Base-TX - 4
> ports
> I just hope there''s a driver for Linux.
> Are you using this kind of cards? Are they working
> well?
If you don''t mind eBay they''re still around:
http://cgi.ebay.com/LOT-OF-4-INTEL-PRO-100-S-DUAL-PORT-SERVER-ADAPTER_W0QQitemZ130065359726QQihZ003QQcategoryZ51196QQrdZ1QQcmdZViewItem
They''re Intel so they should be well-supported.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Vieri Di Paola escribió:
> --- "Roberto C. Sanchez" <roberto@connexer.com> wrote:
> 
>> Just get yourself some
>> multi-port NICs.  Intel and 3Com both make 2- and
>> 4-port NICs.
> 
> Hard to find and usually expensive although I did find
> a relatively cheap one:
> D-Link DFE 580TX - PCI - 10Base-T, 100Base-TX - 4
> ports
> I just hope there''s a driver for Linux.
D-Link DFE-580TX is supported by the ''sundance'' kernel module.
It''s
included in recent 2.6.x kernels though some distributions have it
included in patched older kernels (or as extra packages).
> Are you using this kind of cards? Are they working
> well?
No problems at all, it just works (just check if your kernel has the
''sundance'' module compiled). Well, and it has a reasonable
cost per port.

Regards,
-- 
Angel Marin
http://anmar.eu.org/


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

El lun, 08-01-2007 a las 05:07 -0800, Vieri Di Paola
escribió:
> I was wondering if there's a way to include multiple
> DSL lines on a single physical interface. 
> I just ran out of ethernet cards and need to connect
> more lines, hopefully without having to setup a second
> shorewall gateway.
Yes, create VLANs and a switch capable of it, I use it.
> If I don't have any options then I will of course
> configure a second server but I wanted to here from
> this list first.
> 
> I have 4 ethernet interfaces and no space for more and
> 5 DSL lines.
> 3 DSLs would be for remote RDP access only (remote
> users in group n would connect through Provider n's
> public IP to the same Terminal Server in LAN/LOC zone
> via DNAT).
> 1 DSL would be for HTTP and co.
> 1 DSL would be for E-MAIL, etc.
> So the 3 DSLs for RDP might as well have the same
> ruleset.
> I was thinking of connecting the 3 DSL modems to a
> single ethernet interface through a switch and
> configure aliases for eth0:
> 
> DSL1---
> DSL2---\       DSL4    DSL5
> DSL3----\       |     /
>         eth0  eth1  eth2
>               eth3
>                 |
>               LAN
> 
> After reading
> http://www.shorewall.net/Multiple_Zones.html
> and
> http://www.shorewall.net/MultiISP.html
> I deduce that the above configuration isn't possible
> mainly because I can't correctly define the gateway
> column in the providers file (my knowledge of
> iptables/netfilter is very limited).
> 
> Is this right and thus need to setup a second
> shorewall?
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to
share your
> opinions on IT & business topics through brief surveys - and earn cash
>
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share
your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users