[EMAIL PROTECTED] (Kotakoski Harri EXT-Novosys/Copenhagen) wrote:
> Hello,
>
> > From: ext garentsen [mailto:[EMAIL PROTECTED]]
> > I've got two ISP's providing me with 10 Mbit and 3 Mbit internet
> > access at home. I would like to set up my Linux (or any other OS)
> > firewall to distribute my load evenly between these two.
>
> As Paul said this is mainly a routing issue.
>
> There are two possible solutions:
>
> First one (which is the 'correct' one) is to use BGP peering with ISP's.
> You probably don't have the possibility to do this because ISP's are pretty
> picky with organizations they are peering with. And you should also have
> an Autonomous System ID and be prepared to pay for this arrangement.
. . .
> Other possibility is to use NAT for outbound connections (NATting to
> different address spaces) and dynamic DNS for inbound (actually it does
> not have to be dynamic). If someone likes to know how this really works
> I'm prepared to write something about it.
>
> This requires a system capable of handling this and the only implementation I
> am aware of is Stonegate firewall. I think that Rainfinity and Radware
> also have some stuff related to the issue.
>
> rgds,
> Harri
Here at Burton Systems Software, we do something like your "other possibility." It was harder to set it up than I expected, and it still is not perfect, so I'd be interested in reading your advice for Emil, Harri.

Our Linux NAT/firewall/server is multi-homed, using a DSL line with a static IP, plus a cablemodem line with a "slightly dynamic" IP that last changed about 5 months ago. I wanted two connections mainly for redundancy, not for load sharing. These "consumer quality" wideband connections are fast and cheap, but they are also unreliable.

Our DSL is Directv (formerly Telocity). The cablemodem is Time-Warner Roadrunner. I like Directv because they give us a static IP, and their customer service is usually better, and they are a little bit cheaper, too. But most of the time the cablemodem connection is slightly faster than the DSL connection.

Both lines stay up for long periods of time, but occasionally they go down for long periods of time, too. My Roadrunner service was once down for 6.5 days! It would have been down even longer if I'd not screamed bloody murder at every Time-Warner person I could track down. My DSL service has never been down anywhere near that long, but a friend's once went down for more than a week! Also, every month or two the crummy DSL modem/gateway box "loses synch" (their tech support's term) and has to be power-cycled to recover. I keep threatening to plug it into an X-10 module, so that I can get it to recover automatically. The cablemodem doesn't have that problem, but when the power goes out, the DSL line stays up and the cablemodem line immediately goes down (T-W apparently doesn't use any battery backup at all).

We can't tolerate week-long outages! So I figured that the way to have reliable Internet connectivity is to have two completely independent connections. The cablemodem comes into the front of the building on coax, and the DSL comes in the back on a phone line.
The Linux NAT/router has three NICs: one for the DSL gateway, one for the cablemodem, and one for the LAN.

Handling the outgoing connections is pretty straightforward. I have a little script that tests the lines every couple of minutes, and tries to "ping out" over each of the two lines. If the current default route is down, but the other one is up, it changes the routing table to make the other line be the default. (I haven't bothered to try to load share for better performance.)

Also, the script watches for changes in IP on the dynamic DNS line, and if that happens it updates the Dynamic DNS entry for www2.burtonsys.com at our DNS service, www.zoneedit.com, by doing a magic "wget" incantation. (BTW, I highly recommend zoneedit.com.) Also, whenever a line goes up or down, or when the dynamic IP changes for the cablemodem, the script logs the event.

Right now I'm using only the DSL line for incoming mailserver traffic, but I'm going to change it to use the cablemodem line as a secondary mail server. Since DNS permits listing multiple mail servers, that should work just fine.

The toughest thing is handling incoming Web (or FTP) access. Unfortunately (and inexplicably, to me) there's no provision in DNS records for a "backup" IP to be associated with a domain name, and browsers don't know how to look up two or more IPs for a name and then try each until one is found that works. I have no idea why this capability exists for mail exchangers but not for web servers and ftp servers. :-(

So... what to do? I first looked at using BGP and telling the world about the two routes to my box. Ha, silly me! The chances of talking either outfit into letting me mess with BGP routing are precisely zero. They wouldn't know how, even if I could find someone there who understood the question, and they wouldn't do it if they knew how. T-W/RR support is particularly hideous. At Time-Warner, they make it VERY clear that they don't care AT ALL about you and your problems.
On one occasion when my Roadrunner connection was down, and had been down for many hours, I finally waited through the Time-Warner/Roadrunner hold queue and got a support person on the phone. He said he didn't have any other reported problems in my area, and he advised me to wait and try it again tomorrow, and call them back again if it was still down. I asked him to please investigate the problem and have someone call *ME* back when they got it fixed or knew more. He replied, "we don't do call-backs." At least he wasn't overtly rude, unlike some of his coworkers. The Directv/Telocity folks are only slightly better. They aren't rude, but their financial woes seem to have cut into their support staff.

So I gave up on BGP and went to "plan B." You can see the result at our web address: http://www.burtonsys.com/

www.burtonsys.com is hosted at a cheap ($5/month for 1 MB) but very reliable ISP called netmar.com. At Netmar, we have just a skeleton web site, with a "redirection page" that lets visitors choose between www1.burtonsys.com and www2.burtonsys.com, which correspond to our DSL and cablemodem lines, respectively. Plus, if you wait a bit or click the "status" link, a cgi script at Netmar runs and pings our two lines from the Netmar server, to determine for website visitors which server is "up." (Wait a bit longer, and it'll redirect you to a working server.)

Another approach, which might be better, would be to use the "failover" service at www.zoneedit.com. According to their web site, if your main web connection goes down, they will detect it and adjust your DNS record accordingly, within a few minutes. Visitors to your site would see only a short outage -- probably under 10 minutes -- and they would not have to go through the strange "redirection page" that we use. I've not tried this approach, but it sounds good, and it is certainly simpler, and I've been very pleased with everything else at zoneedit.com.

Do you have a better idea, Harri?
-Dave Burton <[EMAIL PROTECTED]>
Burton Systems Software: http://www.burtonsys.com/
PO Box 4157, Cary, NC 27519-4157 USA
Makers of TLIB Version Control 5.53 for Win-NT/2K/XP/9x/ME/3.1x, DOS & OS/2.
(and command-line version also runs under Linux's WINE Windows Emulator)
Tel: 1-919-481-0149 Alternate tel: 1-919-481-6658
Fax: 1-919-481-3787 Alternate fax: 1-919-481-4886
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
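The line-check script Dave describes above (ping out over each line, move the default route to the other line when the current one is down, log state changes, and push a dynamic-DNS update when the cablemodem address changes) is easy to get subtly wrong: if the probe ping follows the current default route, it never actually tests the other line. The script below is an added example, not Dave's script or anything from zoneedit; it pins one probe host behind each ISP gateway so each ping really leaves on that line. Interface names, gateway and probe addresses (RFC 5737 documentation ranges), the state directory and the dynamic-DNS update URL are all assumptions to be replaced; it defaults to a dry run that only logs what it would change.

```shell
#!/bin/sh
# Added example, not the original poster's script: dual-WAN line check for a
# Linux NAT/router with one DSL interface and one cablemodem interface.
# Hypothetical settings: interfaces, gateways, probe hosts (RFC 5737 ranges),
# state directory and the dynamic-DNS update URL (a placeholder, not zoneedit's).
# Needs iproute2 ('ip'), ping, logger and wget; meant to run from cron every few minutes.

DSL_IF=${DSL_IF:-eth0};     DSL_GW=${DSL_GW:-192.0.2.1};        DSL_PROBE=192.0.2.100
CABLE_IF=${CABLE_IF:-eth1}; CABLE_GW=${CABLE_GW:-198.51.100.1}; CABLE_PROBE=198.51.100.100
STATE_DIR=${STATE_DIR:-${TMPDIR:-/tmp}/dualwan}      # a real deployment would use /var/run
DDNS_UPDATE_URL=${DDNS_UPDATE_URL:-https://ddns.example.invalid/update}   # placeholder URL
DRY_RUN=${DRY_RUN:-1}   # 1 = only log what would change; 0 = really change routes and DNS

log() { logger -t dualwan "$*" 2>/dev/null || true; echo "dualwan: $*" >&2; }
run() { if [ "$DRY_RUN" = 1 ]; then log "would run: $*"; else "$@"; fi; }

# Pin one probe host behind each gateway so a ping to it leaves on that line
# regardless of which line currently holds the default route.
pin_probes() {
  run ip route replace "$DSL_PROBE/32"   via "$DSL_GW"   dev "$DSL_IF"
  run ip route replace "$CABLE_PROBE/32" via "$CABLE_GW" dev "$CABLE_IF"
}

# Echo "up" if the probe answers one ping within 2 seconds, else "down".
line_state() {  # $1 = probe address
  if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# Decide which line should carry the default route: keep the current line while
# it is up, switch only to a line that is up, and change nothing if both are down.
pick_default() {  # $1 = current line (dsl|cable), $2 = dsl state, $3 = cable state
  cur=$1; dsl=$2; cable=$3
  if   [ "$cur" = dsl ]   && [ "$dsl" = up ];   then echo dsl
  elif [ "$cur" = cable ] && [ "$cable" = up ]; then echo cable
  elif [ "$dsl" = up ];   then echo dsl
  elif [ "$cable" = up ]; then echo cable
  else echo "$cur"
  fi
}

# Which line the kernel's default route uses right now.
current_default() {
  if ip -4 route show default 2>/dev/null | grep -q "dev $CABLE_IF"; then echo cable; else echo dsl; fi
}

set_default() {  # $1 = dsl|cable
  if [ "$1" = cable ]; then run ip route replace default via "$CABLE_GW" dev "$CABLE_IF"
  else                      run ip route replace default via "$DSL_GW"   dev "$DSL_IF"; fi
}

# Remember a value in a state file; echo "changed" when it differs from the
# remembered one (or nothing was remembered yet), else "same".
changed_since() {  # $1 = state file, $2 = current value
  old=$(cat "$1" 2>/dev/null || true)
  printf '%s\n' "$2" > "$1"
  if [ "$old" = "$2" ]; then echo same; else echo changed; fi
}

main() {
  mkdir -p "$STATE_DIR"
  pin_probes
  dsl=$(line_state "$DSL_PROBE"); cable=$(line_state "$CABLE_PROBE")
  # Log only transitions, so a line that stays down does not spam the log every run.
  report() { if [ "$(changed_since "$STATE_DIR/$1.state" "$2")" = changed ]; then log "$1 line is now $2"; fi; }
  report dsl "$dsl"; report cable "$cable"
  cur=$(current_default); want=$(pick_default "$cur" "$dsl" "$cable")
  if [ "$want" != "$cur" ]; then log "switching default route from $cur to $want"; set_default "$want"; fi
  # Dynamic DNS for the cablemodem line: update only when its address really changes.
  addr=$(ip -4 -o addr show dev "$CABLE_IF" 2>/dev/null | awk '{print $4}' | cut -d/ -f1)
  if [ -n "$addr" ] && [ "$(changed_since "$STATE_DIR/cable.addr" "$addr")" = changed ]; then
    log "cablemodem address changed to $addr, updating dynamic DNS"
    run wget -q -O /dev/null "$DDNS_UPDATE_URL?host=www2.burtonsys.com&ip=$addr"
  fi
}

# Set DUALWAN_NO_MAIN=1 to source the file for testing without running the check.
[ "${DUALWAN_NO_MAIN:-0}" = 1 ] || main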
