On 12 Jan 2002, at 13:54, garentsen wrote:
> Hi all!
>
> not sure whether this is the right group for firewall issues in
> Linux but here goes:
>
> I've got two ISPs providing me with 10 Mbit and 3 Mbit internet
> access at home. I would like to set up my Linux (or any other OS)
> firewall to distribute my load evenly between these two.
>
> I have no need of a DMZ but my internal network has an NT server
> with IIS running. I would like to configure the FW so that any
> request to IIS from either inbound connection can be served.
>
> I've looked at a dozen different firewall solutions for Linux but
> found none that could facilitate this. Has anyone done something
> like this, and is it even possible/manageable?
>
> Thanks
>
> /Emil
There are several bits and pieces to this puzzle. Odds are that your ISPs have each provided you with one or more IP addresses to be reached via their bandwidth, right? So the first issue is that your server has two public addresses. (I don't think SSL is going to like that....)

So you're going to have two static NAT mappings on the firewall, from different outside addresses to a single DMZ address. I'm assuming that NAT will operate on a session-by-session basis -- some implementations may not handle static mappings this way! -- and so an outside host that tries to connect to either address will elicit response packets that show that same address as the originator. (If either static definition gets blindly applied to all outbound traffic from the host, one of your outside addresses will be unreachable.)

So now we have outbound response packets whose source address agrees with the target of the inbound session initiation. In order to send them out the pipe that the initiation packet arrived via, we need to do source routing. Oops. Alternatively, you can just distribute packets statistically between the pipes based on destination address -- as long as neither ISP does egress filtering....

Now all this leaves is that you'd like to have about a quarter of your traffic come via a different pipe and destination address. You can approximate that with round-robin DNS entries.

Of course, one of the reasons you might want pipes from two different ISPs is to be able to fail over from one to the other in case of an outage. Everything I've suggested above is pretty much static, and handles failures poorly, if at all. The "right" solution is to obtain your own AS number and arrange with your ISPs to talk BGP. This will get you a single public address, reachable via either pipe with failover in case either goes down. With the kind of bandwidth you're talking about, your ISPs should be experienced at this kind of setup, and willing to help you set it up.
Or you could hire a consultant to set it up.... Are you anywhere near me?

Dave Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
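The static half of Dave's answer (two outside addresses statically NATed to one inside host, and "source routing" so that a reply leaves through the pipe its request arrived on), written out for a Linux firewall with iptables and iproute2. This is an added example, not code from the original thread or from either poster. Every address, interface name, routing-table number and mark value is an assumption; the 192.0.2.0/24, 198.51.100.0/24 and 192.168.1.0/24 ranges are documentation prefixes standing in for whatever the two ISPs actually assigned. One detail the prose glosses over is worth seeing in the rules: for forwarded traffic the reverse DNAT of a reply happens in POSTROUTING, after the routing decision, so a plain "route by source address" rule never sees the public address on replies from the IIS box. The example therefore marks each connection with the link it arrived on (CONNMARK) and routes replies by that mark; the source-address rules remain for connections the firewall itself terminates.

```shell
#!/bin/sh
# Added example (not from the original thread): two ISP uplinks, one inside
# web server, session-by-session static NAT, and policy routing so replies
# leave via the link the request came in on. All values below are assumed.
# DRY_RUN=1 (the default) prints the commands instead of executing them;
# applying them for real needs root and rewrites the host's NAT and routing.

: "${DRY_RUN:=1}"

ISP1_DEV=eth1; ISP1_ADDR=192.0.2.10;    ISP1_GW=192.0.2.1     # 10 Mbit link (assumed)
ISP2_DEV=eth2; ISP2_ADDR=198.51.100.10; ISP2_GW=198.51.100.1  # 3 Mbit link (assumed)
LAN_DEV=eth0;  IIS_ADDR=192.168.1.20                          # inside NT/IIS host (assumed)
ISP1_TABLE=101; ISP1_MARK=1                                   # assumed table/mark numbers
ISP2_TABLE=102; ISP2_MARK=2

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_nat() {
    # Static NAT from either public address to the single inside host.
    # Connection tracking remembers which public address each session
    # targeted, so replies are un-NATed to that same address per session
    # rather than one mapping being applied blindly to all outbound traffic.
    run iptables -t nat -A PREROUTING -i "$ISP1_DEV" -d "$ISP1_ADDR" -p tcp --dport 80 -j DNAT --to-destination "$IIS_ADDR"
    run iptables -t nat -A PREROUTING -i "$ISP2_DEV" -d "$ISP2_ADDR" -p tcp --dport 80 -j DNAT --to-destination "$IIS_ADDR"
    run iptables -A FORWARD -d "$IIS_ADDR" -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$IIS_ADDR" -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Sessions the LAN originates get the address of whichever uplink routing
    # picked, so each ISP only ever sees its own address as source.
    run iptables -t nat -A POSTROUTING -o "$ISP1_DEV" -j SNAT --to-source "$ISP1_ADDR"
    run iptables -t nat -A POSTROUTING -o "$ISP2_DEV" -j SNAT --to-source "$ISP2_ADDR"
}

setup_policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    # One routing table per ISP, each holding only a default route via that ISP.
    run ip route add default via "$ISP1_GW" dev "$ISP1_DEV" table "$ISP1_TABLE"
    run ip route add default via "$ISP2_GW" dev "$ISP2_DEV" table "$ISP2_TABLE"
    # Replies the firewall itself sends (a connection it accepted on the ISP2
    # address) already carry that address as source, so a source rule suffices.
    run ip rule add from "$ISP1_ADDR" lookup "$ISP1_TABLE" priority 1001
    run ip rule add from "$ISP2_ADDR" lookup "$ISP2_TABLE" priority 1002
    # Forwarded replies from the IIS host still have 192.168.1.20 as source
    # when routing runs; the reverse DNAT happens later, in POSTROUTING. So
    # tag each inbound connection with the link it arrived on, copy that mark
    # onto every packet coming back from the LAN, and route by the mark.
    run iptables -t mangle -A PREROUTING -i "$ISP1_DEV" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$ISP1_MARK"
    run iptables -t mangle -A PREROUTING -i "$ISP2_DEV" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$ISP2_MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_DEV" -j CONNMARK --restore-mark
    run ip rule add fwmark "$ISP1_MARK" lookup "$ISP1_TABLE" priority 1003
    run ip rule add fwmark "$ISP2_MARK" lookup "$ISP2_TABLE" priority 1004
    # The main table keeps a single default: LAN-originated sessions use the
    # 10 Mbit link unless a more specific rule says otherwise.
    run ip route replace default via "$ISP1_GW" dev "$ISP1_DEV"
    # Strict reverse-path filtering would drop packets arriving on the uplink
    # that is not the main default route, because the best route back to the
    # sender points out the other interface. Use loose mode on both uplinks.
    run sysctl -w "net.ipv4.conf.$ISP1_DEV.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$ISP2_DEV.rp_filter=2"
}

setup_nat
setup_policy_routing
```

Run it once with the default DRY_RUN=1 to review the rule set, then with DRY_RUN=0 as root to apply it. As Dave says, all of this is static: if one ISP goes down, clients that resolved to that ISP's address still time out, and the main-table default route still points at it until someone changes it. Only BGP with your own AS number, or an external monitor that rewrites the default route and DNS, gets you failover.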
