What is the difference between Shorewall multiple internet connection and Linux NIC bonding.

------------------------------------------------------------------------------
Hi Boby,

Shorewall multiple internet connection is for different internet links and using them in load balancing, whereas NIC bonding is link aggregation, which describes using multiple network ports in parallel to increase the link speed and to increase the redundancy for higher availability.

Thanks!

Swapnil Jain ( http://blog.swapnil.me/ )
Indore, India

On 15-Dec-2010, at 2:47 PM, Boby Philip wrote:
> What is the difference between Shorewall multiple internet connection and Linux NIC bonding.

------------------------------------------------------------------------------
Surely the clue is in the name...

Multiple internet connection is thus:

   /ISP1
FW -ISP2
   \ISP3

Bonding is thus:

   /eth0\
FW -eth1-----ISP
   \eth2/

One provides redundancy in case you lose a connection to an ISP, the other provides redundancy in case of NIC failure. Obviously you could combine the two (given enough NICs and enough ISP connections).

--
Phil Foxton RHCE

---------- Original Message -----------
From: "Boby Philip" <boby.philip@overbrooktechservices.com>
To: <Shorewall-users@lists.sourceforge.net>
Sent: Wed, 15 Dec 2010 14:47:44 +0530
Subject: [Shorewall-users] Linux Bonding

> What is the difference between Shorewall multiple internet
> connection and Linux NIC bonding.

------- End of Original Message -------

------------------------------------------------------------------------------
On 15/12/2010 10:35, Phil Foxton wrote:
> Obviously you could combine the
> two (given enough NICs and enough ISP connections)

With "combine" did you mean "use both", I guess? Actually the two features are unrelated to each other, if I'm not mistaken.

Bye
___
Paolo Basenghi -- Sistemi Informativi
Az.Spec.Farmacie Comunali Riunite

------------------------------------------------------------------------------
Yes, I do mean use both, so at the firewall end you could have multiple bonds (which requires N interfaces, where N=x*y, x being number of interfaces per bond, and y being number of bonds), so to do another piece of ASCII art, you can have this:

        BOND0
     /eth0\____ISP1
    / eth1/
  FW
    \ eth2\____ISP2
     \eth3/
        BOND1

Thus making use of both features, allowing for high throughput and failover.

Hope that makes sense

Phil
--
Phil Foxton RHCE

---------- Original Message -----------
From: Paolo Basenghi <paolo.basenghi@fcr.re.it>
To: shorewall-users@lists.sourceforge.net
Sent: Wed, 15 Dec 2010 11:54:15 +0100
Subject: Re: [Shorewall-users] Linux Bonding

> On 15/12/2010 10:35, Phil Foxton wrote:
> > Obviously you could combine the
> > two (given enough NICs and enough ISP connections)
> With "combine" did you mean "use both", I guess? Actually the two
> features are unrelated to each other, if I'm not mistaken.
> Bye

------- End of Original Message -------

------------------------------------------------------------------------------
On 12/15/2010 1:35 AM, Phil Foxton wrote:
>    /eth0\
> FW -eth1-----ISP
>    \eth2/
>
> the other
> provides redundancy in case of NIC failure.

it also covers path failure, switch failure, etc. basically, *!isp failure where

------------------------------------------------------------------------------
I don't understand what kind of connection you are describing here ...
But I think ( to most of us mortals ) it is CRAP.

There is no such thing as bonding between a Linux system and an ISP provider, unless some kind of exotic connection + hardware is involved that I have no knowledge of. If so, please specify and inform us in order to expand our knowledge.

You use bonding to aggregate links that is
between servers,
or between a server and a switch,
as long as both ends support bonding and the bonding mode desired.

On the other hand I have a suspicion that you are confusing Multilink PPP with bonding.

Multilink PPP is a PPP link over (n) links, and it can be done with extra $$$ from your part and some extra hw ( Cisco router ) or a Linux distro that has ml-ppp enabled.

Google it for some extra info ...

Cheers,
Harry

> Yes, I do mean use both, so at the firewall end you could have multiple bonds
> (which requires N interfaces, where N=x*y, x being number of interfaces per
> bond, and y being number of bonds), so to do another piece of ASCII art, you
> can have this:
>
>         BOND0
>      /eth0\____ISP1
>     / eth1/
>   FW
>     \ eth2\____ISP2
>      \eth3/
>         BOND1
>
> Thus making use of both features, allowing for high throughput and failover.
>
> Hope that makes sense
>
> Phil

------------------------------------------------------------------------------
On 17/12/2010 15:42, Harry Lachanas wrote:
> I don't understand what kind of connection you are describing here ...
> But I think ( to most of us mortals ) it is CRAP.

Calm down, please.

> There is no such thing as bonding between a Linux system and an
> ISP provider
> Unless some kind of exotic connection + hardware is involved that I
> have no knowledge of.
> If so please specify and inform us in order to expand our knowledge.

Bonding is about utilizing multiple Ethernet interfaces (network cards) inside the same machine as one single virtual interface (that Linux usually identifies as "bond0" or "bond1" or so). With bonding one implements fault tolerance in LAN connection (not WAN!) and, in some cases, even load balancing. Bonding is "ethernet on steroids", but is totally unrelated to WAN connections.

> You use bonding to aggregate links that is
> between servers,
> or between a server and a switch
> as long as both ends support bonding and the bonding mode desired.

Linux bonding can leverage bonding-aware switches or servers, but it works perfectly even with dumb switches.

> On the other hand I have a suspicion that you are confusing Multilink
> PPP with bonding

Totally unrelated!

> Multilink PPP is a ppp link over (n) links
> and It can be done with extra $$$ from your part and some extra hw (
> Cisco router ) or a linux distro that has ml-ppp enabled.

The second is undoubtedly the best! :-)

Bye
___
Paolo Basenghi -- Sistemi Informativi
Az.Spec.Farmacie Comunali Riunite

------------------------------------------------------------------------------
>> I don't understand what kind of connection you are describing here ...
>> But I think ( to most of us mortals ) it is CRAP.
> Calm down, please.

I am calm ... no need to worry about that ...
Though I insist that you are confusing people ....

>> There is no such thing as bonding between a Linux system and an
>> ISP provider
>> Unless some kind of exotic connection + hardware is involved that I
>> have no knowledge of.
>> If so please specify and inform us in order to expand our knowledge.
> Bonding is about utilizing multiple Ethernet interfaces (network
> cards) inside the same machine as one single virtual interface (that
> Linux usually identifies as "bond0" or "bond1" or so). With bonding one
> implements fault tolerance in LAN connection (not WAN!) and, in some
> cases, even load balancing. Bonding is "ethernet on steroids", but is
> totally unrelated to WAN connections.
>>
>> You use bonding to aggregate links that is
>> between servers,
>> or between a server and a switch
>> as long as both ends support bonding and the bonding mode desired.
> Linux bonding can leverage bonding-aware switches or servers, but it
> works perfectly even with dumb switches.

Here again you are confusing people ...
Cause it depends on the bonding mode you wish to use ...

"........................................................................

*mode=0 (balance-rr)*
Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

*mode=1 (active-backup)*
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

*mode=2 (balance-xor)*
XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

*mode=3 (broadcast)*
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

*mode=4 (802.3ad)*
IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
/Pre-requisites:
1. Ethtool support in the base drivers for retrieving the speed and duplex of each slave.
2. A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode./

*mode=5 (balance-tlb)*
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
/Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave./

*mode=6 (balance-alb)*
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.

------------------------------------------------------------------------"

For instance, if you try to have mode 4 (802.3ad) with a plain switch you'll end up with a mess ... or think you have bonding enabled ...

So please please-please-please try not to confuse people and be as accurate as possible, or hold your peace ....

We are here to get a piece of knowledge and not to be confused.

Regards
Harry

------------------------------------------------------------------------------
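The mode 4 case Harry describes (802.3ad configured on the host, plain switch on the other end) can be detected from the bonding driver's status text. The following Python check is an added example, not code from the thread or from the bonding documentation; it assumes the field names of /proc/net/bonding/<bond>, and the sample status texts are constructed.

```python
# Added example: audit bonding status text for an 802.3ad bond that has no
# LACP partner, plus any slave whose link is down.
ZERO_MAC = "00:00:00:00:00:00"

# Constructed sample in the assumed layout of /proc/net/bonding/bond0:
# mode 4 on the host, switch ports not configured for 802.3ad.
SAMPLE_NO_LACP = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up

802.3ad info
LACP rate: slow
Active Aggregator Info:
\tAggregator ID: 1
\tNumber of ports: 1
\tPartner Mac Address: 00:00:00:00:00:00

Slave Interface: eth0
MII Status: up
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Aggregator ID: 2
"""

# Same bond once the switch ports are in an LACP group (constructed).
SAMPLE_LACP_OK = (
    SAMPLE_NO_LACP
    .replace("Number of ports: 1", "Number of ports: 2")
    .replace("Partner Mac Address: " + ZERO_MAC,
             "Partner Mac Address: 02:00:00:aa:bb:01")
    .replace("Aggregator ID: 2", "Aggregator ID: 1")
)

# Mode 1 bond with one failed slave (constructed).
SAMPLE_BACKUP_DEGRADED = """\
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up

Slave Interface: eth1
MII Status: down
"""


def parse_bond_status(text):
    """Return (bond_fields, [slave_fields, ...]) from the status text."""
    bond, slaves = {}, []
    current = bond
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # section titles such as "802.3ad info"
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":
            current = {"name": value}  # later fields belong to this slave
            slaves.append(current)
        else:
            current[key] = value
    return bond, slaves


def check_bond(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    bond, slaves = parse_bond_status(text)
    findings = []
    down = [s["name"] for s in slaves if s.get("MII Status") != "up"]
    if down:
        findings.append("slaves down: " + ", ".join(down))
    if "802.3ad" in bond.get("Bonding Mode", ""):
        # An all-zero partner MAC means no LACP frames came back from the switch.
        if bond.get("Partner Mac Address", ZERO_MAC) == ZERO_MAC:
            findings.append("no LACP partner (switch not negotiating 802.3ad)")
        active = bond.get("Aggregator ID")
        stray = [s["name"] for s in slaves
                 if s["name"] not in down and s.get("Aggregator ID") != active]
        if stray:
            findings.append("slaves outside active aggregator: " + ", ".join(stray))
    return findings


if __name__ == "__main__":
    for label, text in [("no-lacp", SAMPLE_NO_LACP), ("lacp-ok", SAMPLE_LACP_OK),
                        ("backup-degraded", SAMPLE_BACKUP_DEGRADED)]:
        print(label, check_bond(text) or "ok")
```

On a live host the same function can be fed the contents of the bond's status file instead of the samples.

------------------------------------------------------------------------------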
Hi,

In our network, we have been using two ISP connections. First ISP connected to eth0 and second ISP connected to eth1. One ISP always would be backup. Can I use Linux bonding to amalgamate those two connections? Can I overcome manual switch over by using Linux bonding? Please advise.

Thank you,
Boby
System Admin

------------------------------------------------------------------------------
Boby Philip wrote:
>Our network , we have been using two ISP connections. First ISP
>connected to eth0 and second ISP connected to eth1. One ISP always
>would be backup. Can I use Linux bonding to amalgamate those two
>connections. Can I overcome manual switch over by using Linux
>bonding.

The answer is nothing to do with Shorewall, or even Linux ... it's a very fundamental IP question.

Without explicit support from your ISP (note the singular) then the answer is NO. There simply is no way to combine multiple links with different IP addresses in this manner.

Also, being pedantic, I believe you are looking for link aggregation (or PPP multilink support depending on the access technology). Bonding is something that can be done only at the local network layer - as in combining multiple links to get higher bandwidth between a system and a switch with such a capability.

There are service providers that will provide an aggregation facility like you are looking for. With these service providers, you still need your regular internet connections, but the aggregation provider supplies a router for your premises that will create 2 or more tunnels back to them over your available links. All your traffic is then routed over these tunnels back to the aggregation provider who then routes it out over the internet - and your visible external IP is that provided by the aggregation provider.

Alternatively, there are a very small number of ISPs that support multilink. In this case all your links must come from the same provider, and usually have to terminate on the same access controller.

--
Simon Hobson

------------------------------------------------------------------------------
On 1/4/11 2:34 AM, Simon Hobson wrote:
> Boby Philip wrote:
>
>> Our network , we have been using two ISP connections. First ISP
>> connected to eth0 and second ISP connected to eth1. One ISP always
>> would be backup. Can I use Linux bonding to amalgamate those two
>> connections. Can I overcome manual switch over by using Linux
>> bonding.
>
> The answer is nothing to do with Shorewall, or even Linux ... it's a
> very fundamental IP question.
>
> Without explicit support from your ISP (note the singular) then the
> answer is NO. There simply is no way to combine multiple links with
> different IP addresses in this manner.

Note, however, that it is possible to use Shorewall's Multi-ISP feature (http://www.shorewall.net/MultiISP.html) to share the load over the two links. With a link monitor such as LSM, switch-over in the event of failure is automatic.

-Tom
--
Tom Eastep
Shoreline, Washington, USA
http://shorewall.net

------------------------------------------------------------------------------
>> Our network , we have been using two ISP connections. First ISP
>> connected to eth0 and second ISP connected to eth1. One ISP always
>> would be backup. Can I use Linux bonding to amalgamate those two
>> connections. Can I overcome manual switch over by using Linux
>> bonding.
>
> The answer is nothing to do with Shorewall, or even Linux ... it's a
> very fundamental IP question.

I have a question even though not directly related to the topic.

Are there any users in the list that have a fiber optic connection to the net?

Is there an option similar to bonding or ML-PPP that ISPs provide for failover redundancy?

And last but not least ...
How do Shorewall + Linux + hardware behave in these setups ( if any )?

Regards
Harry.

------------------------------------------------------------------------------
Harry Lachanas wrote:
>Are there any users in the list that have Fiber optic connection to the net ?
>
>Is there an option similar to bonding or ML-ppp that ISP's provide
>for fail over redundancy ??
>and
>last but not least ...
>How is shorewall + linux + hardware behave in these setups ( if any ) ???

I'm not aware of any ISPs offering such a product, but it would not surprise me in the least to find that there are some - at a price.

Multiple links/failover/some sort of backup is actually quite commonly available on business networks (at business network prices), but my experience has the ISP providing a dedicated router on-site as part of the package so that the customer never sees any of the "back end" workings - the customer just gets presented with an ethernet port on a router.

How a Linux box would handle it would very much depend on the service from the ISP, and possibly your programming skills to set it up. As Tom has already pointed out, you can already handle multiple ISPs with Shorewall - but traffic egressing on each link will have an IP address linked to that link, and if you do lose a link, then traffic that fails over will switch IP addresses as well, which will break sessions etc.

There are packages offering various levels of virtual router/automatic failover available for Linux (I've got keepalived running on some machines at work for this), but I'm not aware of a package that will offer quite the transparency to network devices that HSRP offers on Cisco kit where even the MAC address is shared across routers (for example). keepalived does appear to be somewhat more flexible and comprehensive though from my reading of the docs.

--
Simon Hobson

------------------------------------------------------------------------------