Heh, i just subscribed to this list because i have the exact same
question! just i have a little network of users inside, no web server,
but smtp instead.
i was wondering if it was possible to avoid the BGP4, even though both my
ISPs are willing to do it, because i hear it is one of the more difficult
things to configure properly, and i get port scanned constantly. BGP4
involves getting some magical AS number, and several class C IPs which
i do not need, and may be over my budget.
anyway, first i was thinking of using the "equalize" option in the "ip
route" command, which will split the packets on both devices randomly.
and then if one of the links goes down i would go over to the machine and
get rid of one of the static routes:
machine1 --. .- IP1 -- ISP1 -...
machine2 --|-linux masqing-| internet ...- remote machine
machine3 --' `- IP2 -- ISP2 -...
but then i noticed that if my packets are originating from two different
IPs tcp connections would not work! even though my ISP claims that it
should (are they right?), if "remote machine" above gets some packets from
IP1 and some from IP2 it will probably initiate a connection with one of
them and ignore the other.
finally i thought if we get a 3rd IP from one of the ISPs we could do
something like this:
.. -. .- IP1 ..
.. -|-linux masqing -- IP3 -- linux router -|
.. -' `- IP2 ..
now, if i tell ISP1 to make a static route from them to IP3 via my IP1,
things should work fine. (and similarly with ISP2)
but what route do the packets coming back take?
the best solution i could think of was something like this:
get rid of IP3 and make it another internal address from the private
range, now let's look at the "linux router" above, we do equalizing like
before. to prevent the remote machine seeing two IPs we would want
the equalizing to recognize an active connection from the internal
network to the remote host, and send it to the same IP it was on before.
if we could port forward all connections originating from even ports on
the "linux masquing" machine to IP1, and all those from odd ports on IP2,
we are guaranteeing that there are no connections to a remote host from two
IPs. (i could probably fit it all on one machine instead of two).
perhaps one could do that with ipchains, by marking all the packets
originating from even ports on the "linux masqing" with one mark, and all
those from odd ports with another mark, and together with ip rule's option
"fwmark" split them between the two IPs. (maybe ipchains should be
modified to include something like ipchains -A input --sport odd --mark
n... or just make a 4 line shell script which will make a chain with
65536 entries...)
i was also thinking of something smarter than just equalizing the traffic,
60% of ports to IP1, 40% to IP2, etc. and check from time to time.
what's good about that solution is that it doesn't depend on my ISP or
running another service which may be prone to attack.
i am pretty confused and don't know what to choose. is BGP4 the way to go?
zebra, routed or gated? just stick with the kernel's routing abilities?
can traffic shaping help me, or is it not meant for that?
thanks in advance.
-- Elisheva Alexander
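A worked version of the packet-marking plus `ip rule fwmark` split sketched above, as an added example that is not part of the original post: it uses the modern iptables CONNMARK/statistic matches and iproute2 in place of ipchains and the odd/even-port chain, pins every connection to one ISP so a remote host sees a single IP per flow, and takes the ISP1 share (the 60/40 idea) as a parameter. Interface names, addresses and routing-table numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: prints the iproute2/iptables
# commands for a two-ISP masquerading router. Each connection is classified
# once and then stays on the ISP it started on; new connections are split
# between ISP1 and ISP2 by a chosen percentage. Review the output, then pipe
# it to sh on the router. Every value below is a constructed placeholder.
ISP1_IF=eth1; ISP1_IP=192.0.2.10;    ISP1_GW=192.0.2.1      # constructed
ISP2_IF=eth2; ISP2_IP=198.51.100.10; ISP2_GW=198.51.100.1   # constructed
LAN=10.0.0.0/24                                            # constructed

# Percentage of new connections for ISP1 -> probability string for iptables.
share_to_probability() { awk -v p="$1" 'BEGIN { printf "%.2f", p / 100 }'; }

# fwmark 1 -> table 1 (out via ISP1), fwmark 2 -> table 2 (out via ISP2).
# The "from" rules make replies to connections that arrived on IP1 leave
# via ISP1 (and likewise for IP2), which answers "what route do the packets
# coming back take" for traffic addressed to the router's own IPs.
gen_routes() {
    cat <<EOF
ip route add default via $ISP1_GW dev $ISP1_IF src $ISP1_IP table 1
ip route add default via $ISP2_GW dev $ISP2_IF src $ISP2_IP table 2
ip rule add from $ISP1_IP table 1
ip rule add from $ISP2_IP table 2
ip rule add fwmark 1 table 1
ip rule add fwmark 2 table 2
EOF
}

# Only the first packet of a connection is classified; CONNMARK saves the
# choice and restores it on every later packet (retransmitted SYNs included),
# so one flow never leaves from two IPs. The SNAT rules rewrite the source to
# whichever ISP address the chosen table sends the packet out of.
gen_marks() {
    prob=$(share_to_probability "$1")
    cat <<EOF
iptables -t mangle -A PREROUTING -s $LAN -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -s $LAN -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -s $LAN -m conntrack --ctstate NEW -m statistic --mode random --probability $prob -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s $LAN -m conntrack --ctstate NEW -m mark --mark 0 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s $LAN -m conntrack --ctstate NEW -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -o $ISP1_IF -j SNAT --to-source $ISP1_IP
iptables -t nat -A POSTROUTING -o $ISP2_IF -j SNAT --to-source $ISP2_IP
EOF
}

# gen_config SHARE  prints the complete command list (SHARE = % for ISP1).
gen_config() { gen_routes; gen_marks "${1:-60}"; }

# Usage on the router:  sh this_script.sh print 60 | sh
if [ "${1:-}" = "print" ]; then gen_config "${2:-60}"; fi
```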
On Wed, 12 Apr 2000 [EMAIL PROTECTED] wrote:
>
> re: You are trying to use the wrong tools. Yes it is possible to kind of
> make this work by using round-robin DNS, or DNS servers with really low
> TTLs that give out the "current"
> good address, but this is all a hack that will be unreliable.
> --
>
> No, this is not what I am trying to do. I am not trying to use round robin
> dns, and I am not interested in adjusting the TTLs, or worry about what the
> current good address is.
>
> I have had DSL outages as short as 5 minutes and as long as 6 months. I do
> not want to go through all my machines every time the network goes down
> to change all the ip numbers, only to have the network up again 5 minutes
> later on my faster line, only to switch everything back. i do not want to
> wake up one morning to find out there was an outage that started 5 minutes
> after i went to sleep. I have lost thousands of dollars in revenue per month
> because of things like this. Bell Atlantic unplugs my lines, they take
> months to fix it, etc. that's why i have *3* connections just for a small
> number of sites in my home, which I pay a lot for.
>
> All i want is what i described. I tried contacting my ISPs about routing
> on their end. i either got no response, or they ask me what version of
> windows i am running, or they say that linux doesn't work with their ISP,
> etc. Working with the ISP is not getting me anywhere.
>
> All I want to do is access any machine on my internal network from either
> of my internet connections, and have the machines internal be able to
> communicate with each other, and that is all. If someone knows how to do
> this, please help me. I have tried iproute2 but it does not work. I have
> recompiled my kernels a hundred times with every option on many machines
> with many configurations for months and there is always something about the
> setup that does not work. And I know that you guys know how to do this
> because you are always talking about your huge networks with 5 internal
> LANs and 3 redundant connections and multiple firewalls, etc, but no one
> has ever been able to say "you need this linux kernel, set your machines
> up with the router here, the hub here, your www servers here, with these
> machines running this software, with this configuration". so it doesn't
> work, and no the online how-tos, the books at the store, usenet, the
> sysadmins I know, etc are ever of much help.
>
> Last year I was one of the only ones trying to figure this out, but there
> is now a large number of people on the net asking the same question, and
> not getting any answers.
>
> If it can be done, then how?
>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]