Re: [Astlinux-users] WAN Bridge interface

2022-02-03 Thread Michael Knill
Thanks David

Regards
Michael Knill

From: David Kerr 
Reply to: AstLinux List 
Date: Thursday, 3 February 2022 at 7:51 pm
To: AstLinux List 
Subject: Re: [Astlinux-users] WAN Bridge interface

If you are looking for redundancy on the WAN uplink then the way to do it is 
with bonded interfaces not bridged interfaces, assuming the other end supports 
bonds (also known as Link Aggregation) then the network layer will take care of 
it all.  Astlinux out-of-the-box does not support bonded interfaces, I have 
added support in my version of Astlinux (on my Github, in the develop branch).

I have bonded interfaces on both my WAN and LAN.  The WAN has two ethernet 
cables connecting to my cable modem.  The LAN has two ethernet cables connected 
to my switch that is configured with a LAG (link aggregation group), you need a 
managed switch that supports LAG.  I did it because my Comcast/Xfinity service 
will deliver 1.4Gbps download speeds, and one ethernet cable maxes out at just 
under 1Gbps, so to get the most out of my internet service I need to be able to 
pump more through the Astlinux gateway than a single cable will allow.  But you 
also get redundancy, disconnect one of the two bonded cables and the system 
doesn't miss a beat (but max throughput drops to 1Gbps).

David

On Wed, Feb 2, 2022 at 6:28 PM Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
Hi Lonnie

It's the firewalls that are configured for failover using FireCluster. They use 
VRRP as I just found out:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_ap_cluster_id_wsm.html?Highlight=firecluster%20mac%20address

Regards
Michael Knill

On 3/2/22, 9:23 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Interesting, but I don't quite understand how the upstream multihomed link 
works.

If the AstLinux WAN bridge interface has a static IP and gateway, how is 
this a failover situation ... unless like you mentioned a VRRP (keepalived) 
setup.

Is the AstLinux static gateway IP ARP'ing to different MACs depending on 
some magic upstream?  All in the same subnet?

If "yes" above, then this would indeed be a special case where you would 
want the WAN to be a bridge interface.

Lonnie


> On Feb 2, 2022, at 4:04 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> It's a static address with the gateway address shared on the firewalls as
> active and standby. Not sure if they have a virtual address like VRRP but
> doesn't make any difference from Astlinux's perspective.
> I did some testing and all seemed to work. It's on a Qotom box so I assume
> performance should not be an issue.
>
> Regards
> Michael Knill
>
> On 3/2/22, 9:00 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> It would be a special case where you would want the WAN to be a bridge
> interface.
>
> How is the WAN interface's IP address defined?
>
> I'm not sure how your two WAN trunks are routed to your bridge interface.
>
> But, if a 2-port ethernet switch would work, so should a 2-interface
> linux bridge.
>
> Lonnie
>
>> On Feb 2, 2022, at 3:33 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi Group
>>
>> I have set up two ports on my Astlinux box into a bridge and allocated to
>> the WAN interface. These ports are connected behind a primary and failover
>> Watchguard firewall as a DMZ interface. The LAN interface connects to the
>> Voice VLAN making this system a VPN router only for about 70 phones.
>>
>> Just wanting to know if anyone can see any issues with this architecture as
>> I haven’t used bridge interfaces before.
>> It just seems better than sticking a switch in between creating another
>> single point of failure.
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>>
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: michael.kn...@ipcsolutions.com.au
>> W: ipcsolutions.com.au
>>
>> Smarter Business Communications
>>
>> ___
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org<mailto:pa

Re: [Astlinux-users] WAN Bridge interface

2022-02-03 Thread David Kerr
If you are looking for redundancy on the WAN uplink then the way to do it
is with bonded interfaces not bridged interfaces, assuming the other end
supports bonds (also known as Link Aggregation) then the network layer will
take care of it all.  Astlinux out-of-the-box does not support bonded
interfaces, I have added support in my version of Astlinux (on my Github,
in the develop branch).

I have bonded interfaces on both my WAN and LAN.  The WAN has two ethernet
cables connecting to my cable modem.  The LAN has two ethernet cables
connected to my switch that is configured with a LAG (link aggregation
group), you need a managed switch that supports LAG.  I did it because my
Comcast/Xfinity service will deliver 1.4Gbps download speeds, and one
ethernet cable maxes out at just under 1Gbps, so to get the most out of my
internet service I need to be able to pump more through the Astlinux
gateway than a single cable will allow.  But you also get redundancy,
disconnect one of the two bonded cables and the system doesn't miss a beat
(but max throughput drops to 1Gbps).

David

On Wed, Feb 2, 2022 at 6:28 PM Michael Knill <
michael.kn...@ipcsolutions.com.au> wrote:

> Hi Lonnie
>
> It's the firewalls that are configured for failover using FireCluster.
> They use VRRP as I just found out:
>
> https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_ap_cluster_id_wsm.html?Highlight=firecluster%20mac%20address
>
> Regards
> Michael Knill
>
> On 3/2/22, 9:23 am, "Lonnie Abelbeck"  wrote:
>
> Interesting, but I don't quite understand how the upstream multihomed
> link works.
>
> If the AstLinux WAN bridge interface has a static IP and gateway, how
> is this a failover situation ... unless like you mentioned a VRRP
> (keepalived) setup.
>
> Is the AstLinux static gateway IP ARP'ing to different MACs depending
> on some magic upstream?  All in the same subnet?
>
> If "yes" above, then this would indeed be a special case where you
> would want the WAN to be a bridge interface.
>
> Lonnie
>
>
> > On Feb 2, 2022, at 4:04 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> >
> > It's a static address with the gateway address shared on the firewalls as
> > active and standby. Not sure if they have a virtual address like VRRP but
> > doesn't make any difference from Astlinux's perspective.
> > I did some testing and all seemed to work. It's on a Qotom box so I assume
> > performance should not be an issue.
> >
> > Regards
> > Michael Knill
> >
> > On 3/2/22, 9:00 am, "Lonnie Abelbeck" wrote:
> >
> > Hi Michael,
> >
> > It would be a special case where you would want the WAN to be a bridge
> > interface.
> >
> > How is the WAN interface's IP address defined?
> >
> > I'm not sure how your two WAN trunks are routed to your bridge interface.
> >
> > But, if a 2-port ethernet switch would work, so should a 2-interface
> > linux bridge.
> >
> > Lonnie
> >
> >> On Feb 2, 2022, at 3:33 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> >>
> >> Hi Group
> >>
> >> I have set up two ports on my Astlinux box into a bridge and allocated to
> >> the WAN interface. These ports are connected behind a primary and failover
> >> Watchguard firewall as a DMZ interface. The LAN interface connects to the
> >> Voice VLAN making this system a VPN router only for about 70 phones.
> >>
> >> Just wanting to know if anyone can see any issues with this architecture as
> >> I haven’t used bridge interfaces before.
> >> It just seems better than sticking a switch in between creating another
> >> single point of failure.
> >>
> >> Regards
> >>
> >> Michael Knill
> >> Managing Director
> >>
> >> D: +61 2 6189 1360
> >> P: +61 2 6140 4656
> >> E: michael.kn...@ipcsolutions.com.au
> >> W: ipcsolutions.com.au
> >>
> >> Smarter Business Communications
> >>

Re: [Astlinux-users] WAN Bridge interface

2022-02-02 Thread Michael Knill
Hi Lonnie

It's the firewalls that are configured for failover using FireCluster. They use 
VRRP as I just found out:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_ap_cluster_id_wsm.html?Highlight=firecluster%20mac%20address

Regards
Michael Knill

On 3/2/22, 9:23 am, "Lonnie Abelbeck"  wrote:

Interesting, but I don't quite understand how the upstream multihomed link 
works.

If the AstLinux WAN bridge interface has a static IP and gateway, how is 
this a failover situation ... unless like you mentioned a VRRP (keepalived) 
setup.

Is the AstLinux static gateway IP ARP'ing to different MACs depending on 
some magic upstream?  All in the same subnet?

If "yes" above, then this would indeed be a special case where you would 
want the WAN to be a bridge interface.

Lonnie


> On Feb 2, 2022, at 4:04 PM, Michael Knill wrote:
>
> It's a static address with the gateway address shared on the firewalls as
> active and standby. Not sure if they have a virtual address like VRRP but
> doesn't make any difference from Astlinux's perspective.
> I did some testing and all seemed to work. It's on a Qotom box so I assume
> performance should not be an issue.
>
> Regards
> Michael Knill
>
> On 3/2/22, 9:00 am, "Lonnie Abelbeck" wrote:
>
> Hi Michael,
>
> It would be a special case where you would want the WAN to be a bridge
> interface.
>
> How is the WAN interface's IP address defined?
>
> I'm not sure how your two WAN trunks are routed to your bridge interface.
>
> But, if a 2-port ethernet switch would work, so should a 2-interface
> linux bridge.
>
> Lonnie
>
>> On Feb 2, 2022, at 3:33 PM, Michael Knill wrote:
>>
>> Hi Group
>>
>> I have set up two ports on my Astlinux box into a bridge and allocated to
>> the WAN interface. These ports are connected behind a primary and failover
>> Watchguard firewall as a DMZ interface. The LAN interface connects to the
>> Voice VLAN making this system a VPN router only for about 70 phones.
>>
>> Just wanting to know if anyone can see any issues with this architecture as
>> I haven’t used bridge interfaces before.
>> It just seems better than sticking a switch in between creating another
>> single point of failure.
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>>
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: michael.kn...@ipcsolutions.com.au
>> W: ipcsolutions.com.au
>>
>> Smarter Business Communications
>>

Re: [Astlinux-users] WAN Bridge interface

2022-02-02 Thread Lonnie Abelbeck
Interesting, but I don't quite understand how the upstream multihomed link 
works.

If the AstLinux WAN bridge interface has a static IP and gateway, how is this a 
failover situation ... unless like you mentioned a VRRP (keepalived) setup.

Is the AstLinux static gateway IP ARP'ing to different MACs depending on some 
magic upstream?  All in the same subnet?

If "yes" above, then this would indeed be a special case where you would want 
the WAN to be a bridge interface.

Lonnie


> On Feb 2, 2022, at 4:04 PM, Michael Knill  
> wrote:
> 
> It's a static address with the gateway address shared on the firewalls as 
> active and standby. Not sure if they have a virtual address like VRRP but 
> doesn't make any difference from Astlinux's perspective.
> I did some testing and all seemed to work. It's on a Qotom box so I assume 
> performance should not be an issue.
> 
> Regards
> Michael Knill
> 
> On 3/2/22, 9:00 am, "Lonnie Abelbeck"  wrote:
> 
> Hi Michael,
>
> It would be a special case where you would want the WAN to be a bridge
> interface.
>
> How is the WAN interface's IP address defined?
>
> I'm not sure how your two WAN trunks are routed to your bridge interface.
>
> But, if a 2-port ethernet switch would work, so should a 2-interface linux
> bridge.
>
> Lonnie
>
>> On Feb 2, 2022, at 3:33 PM, Michael Knill wrote:
>> 
>> Hi Group
>> 
>> I have set up two ports on my Astlinux box into a bridge and allocated to 
>> the WAN interface. These ports are connected behind a primary and failover 
>> Watchguard firewall as a DMZ interface. The LAN interface connects to the 
>> Voice VLAN making this system a VPN router only for about 70 phones.
>> 
>> Just wanting to know if anyone can see any issues with this architecture as 
>> I haven’t used bridge interfaces before.
>> It just seems better than sticking a switch in between creating another 
>> single point of failure.
>> 
>> Regards
>> 
>> Michael Knill
>> Managing Director
>> 
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: michael.kn...@ipcsolutions.com.au
>> W: ipcsolutions.com.au
>> 
>> 
>> Smarter Business Communications
>> 



___
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
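
Lonnie's question in the message above (does the static gateway IP ARP to different MACs, or to one shared MAC?) can be answered from the AstLinux side by comparing neighbour-table snapshots taken before and after a forced failover. This is an added example, not part of the thread or of AstLinux; the bridge name `br0`, the 192.0.2.x addresses and all MACs are constructed, and the thread does not say whether FireCluster uses the standard VRRP virtual MAC prefix that the script recognises.

```shell
#!/bin/sh
# Added example. Input is the text printed by `ip neigh show` on the AstLinux box.
# Assumed/constructed: bridge name br0, gateway 192.0.2.1, all MAC addresses.

# gw_mac NEIGH_TEXT GATEWAY_IP -> MAC the gateway IP currently resolves to
# (lowercase), or empty output if the entry has no lladdr (FAILED/INCOMPLETE).
gw_mac() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip {
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") { print tolower($(i + 1)); exit }
        }'
}

# classify_mac MAC -> "vrrp-virtual vrid=N" when the MAC is the standard VRRP
# IPv4 virtual MAC 00:00:5e:00:01:{VRID}, else "physical-or-vendor".
classify_mac() {
    case "$1" in
        00:00:5e:00:01:[0-9a-f][0-9a-f])
            echo "vrrp-virtual vrid=$((0x${1##*:}))" ;;
        ?*) echo "physical-or-vendor" ;;
        *)  echo "unresolved" ;;
    esac
}

# failover_check BEFORE AFTER GATEWAY_IP: compare two snapshots taken before
# and after forcing a failover upstream.
#   stable -> same MAC answers for the gateway; only the bridge port changes
#   moved  -> a different MAC answers; the neighbour cache had to be updated
failover_check() {
    old=$(gw_mac "$1" "$3")
    new=$(gw_mac "$2" "$3")
    if [ -z "$new" ]; then
        echo "unresolved"
    elif [ "$old" = "$new" ]; then
        echo "stable $new ($(classify_mac "$new"))"
    else
        echo "moved $old -> $new ($(classify_mac "$new"))"
    fi
}

# Constructed snapshots (not captured from a real system).
BEFORE='192.0.2.1 dev br0 lladdr 00:00:5E:00:01:32 REACHABLE
192.0.2.20 dev br0 lladdr 52:54:00:aa:bb:01 STALE'
AFTER_SHARED='192.0.2.1 dev br0 lladdr 00:00:5e:00:01:32 REACHABLE'
AFTER_MOVED='192.0.2.1 dev br0 lladdr 52:54:00:aa:bb:02 REACHABLE'
AFTER_DOWN='192.0.2.1 dev br0 FAILED'

failover_check "$BEFORE" "$AFTER_SHARED" 192.0.2.1
failover_check "$BEFORE" "$AFTER_MOVED" 192.0.2.1
failover_check "$BEFORE" "$AFTER_DOWN" 192.0.2.1
```

A "stable" result means the bridge only has to relearn which of its two ports the shared MAC sits behind; "moved" means the gateway IP is now answered by a different MAC and the neighbour entry changed with it.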

Re: [Astlinux-users] WAN Bridge interface

2022-02-02 Thread Michael Knill
It's a static address with the gateway address shared on the firewalls as 
active and standby. Not sure if they have a virtual address like VRRP but 
doesn't make any difference from Astlinux's perspective.
I did some testing and all seemed to work. It's on a Qotom box so I assume 
performance should not be an issue.

Regards
Michael Knill

On 3/2/22, 9:00 am, "Lonnie Abelbeck"  wrote:

Hi Michael,

It would be a special case where you would want the WAN to be a bridge 
interface.

How is the WAN interface's IP address defined?

I'm not sure how your two WAN trunks are routed to your bridge interface.

But, if a 2-port ethernet switch would work, so should a 2-interface linux 
bridge.

Lonnie




> On Feb 2, 2022, at 3:33 PM, Michael Knill wrote:
>
> Hi Group
>
> I have set up two ports on my Astlinux box into a bridge and allocated to the
> WAN interface. These ports are connected behind a primary and failover
> Watchguard firewall as a DMZ interface. The LAN interface connects to the
> Voice VLAN making this system a VPN router only for about 70 phones.
>
> Just wanting to know if anyone can see any issues with this architecture as I
> haven’t used bridge interfaces before.
> It just seems better than sticking a switch in between creating another
> single point of failure.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
>

Re: [Astlinux-users] WAN Bridge interface

2022-02-02 Thread Lonnie Abelbeck
Hi Michael,

It would be a special case where you would want the WAN to be a bridge 
interface.

How is the WAN interface's IP address defined?

I'm not sure how your two WAN trunks are routed to your bridge interface.

But, if a 2-port ethernet switch would work, so should a 2-interface linux 
bridge.

Lonnie




> On Feb 2, 2022, at 3:33 PM, Michael Knill  
> wrote:
> 
> Hi Group
>  
> I have set up two ports on my Astlinux box into a bridge and allocated to the 
> WAN interface. These ports are connected behind a primary and failover 
> Watchguard firewall as a DMZ interface. The LAN interface connects to the 
> Voice VLAN making this system a VPN router only for about 70 phones.
>  
> Just wanting to know if anyone can see any issues with this architecture as I 
> haven’t used bridge interfaces before.
> It just seems better than sticking a switch in between creating another 
> single point of failure.
>  
> Regards
>  
> Michael Knill
> Managing Director
>  
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>  
>  
> Smarter Business Communications
>  