RE: Firewall configuration with two ISP
hi mike,

actual layer 4-switches will provide you with lots of nice features:

- load-balancing between providers
- wire speed acl
- load-balancing using acl-rules
- wire speed throughput
- routing protocols
- and of course static-routes

if you need some more information, feel free to contact me

christian

-Original Message-
From: Mike Schmitz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 28, 2001 10:29 PM
To: debian-admintool@lists.debian.org; debian-isp@lists.debian.org; debian-firewall@lists.debian.org
Subject: Re: Firewall configuration with two ISP

On Wed, Mar 28, 2001 at 12:50:08PM +0530, Bala wrote:
> Hello
> In Debian GNU/Linux, I have configured three network cards. I'm having
> leased line connection from two ISP's with two different series of IP
> addresses. With first card, I have configured ISP1 and with second card, I
> have configured with ISP2. With the third card, I have configured my LAN.
> Now I'm able to ping both the ISP's gateway from my machine. But, I'm NOT
> able to access my machine with one of the Internet IP from Internet. What
> could be the problem??

There was a list of URL posted here in the debian-firewall mailing
list. One of them had a section that might be of interest. It has the
balancing for the opposite direction, but it should help get you there.

http://www.linuxsecurity.com/feature_stories/kernel-netfilter.html

The appropriate section:

So, to develop a simple and inexpensive load balancing solution, you
might use the following to have your firewall redirect some of the
traffic to each of the web servers at 192.168.1.100, 192.168.1.101 and
192.168.1.102, as follows:

    #
    # Modify destination addresses to 192.168.1.100,
    # 192.168.1.101, or 192.168.1.102
    #
    iptables -t nat -A PREROUTING -i eth1 -j DNAT \
        --to 192.168.1.100-192.168.1.102

--
Mike Schmitz <[EMAIL PROTECTED]> http://ddns.colug.org/mschmitz
My thoughts on h4x0rs: Consider the complacency and arrogance
that would cause a porcupine to sleep on its back.
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Firewall configuration with two ISP
Jeremy Lunn <[EMAIL PROTECTED]> writes:

> The problem would be that the replies to any requests sent to the 2nd
> ISP will be routed back via the 1st ISP. They are probably blocked by
> your 1st ISP which is sane and I wouldn't want to use an ISP that didn't
> do that.

That will be the problem. The solution is "apt-get install iproute2".
There's some reasonable documentation at the following URL:

http://snafu.freedom.org/linux2.2/docs/ip-cref/

Good luck.

--
Fraser Campbell <[EMAIL PROTECTED]> Starnix Inc.
Telephone: (905) 771-0017 Thornhill, Ontario, Canada
http://www.starnix.com/ Professional Linux Services & Products
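
The iproute2 approach named above, as an added example that is not part of the original thread: source-based policy routing gives each uplink its own routing table, so a reply sourced from ISP 2's address leaves through ISP 2 and is not dropped by ISP 1's source filtering. All addresses are constructed (RFC 5737 documentation ranges); the interface names eth0/eth1, table numbers 101/102 and rule priorities are assumptions.

```shell
#!/bin/sh
# Added example: source-based policy routing for a host with two uplinks.
# Addresses are constructed documentation ranges; interface names, table
# numbers and rule priorities are assumptions, not values from the thread.
# Dry-run by default: commands are only printed. Set APPLY=1 (as root)
# to execute them.

# run CMD...: print the command, execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# uplink_rules IFACE LOCAL_IP NETWORK/PREFIX GATEWAY TABLE PRIO
# Builds a private routing table for one uplink and adds a rule that
# selects it for every packet whose source address is that uplink's
# local IP. Replies then leave via the ISP that owns the address.
# Note: "ip rule add" is not idempotent; remove an old rule before
# re-running with APPLY=1.
uplink_rules() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5 prio=$6
    # Connected network of this uplink, inside its own table.
    run ip route replace "$net" dev "$iface" src "$addr" table "$table"
    # Default route of this table points at this ISP's gateway only.
    run ip route replace default via "$gw" dev "$iface" table "$table"
    # Packets sourced from this uplink's address use this table.
    run ip rule add from "$addr" lookup "$table" priority "$prio"
}

policy_routing() {
    # ISP 1 on eth0 (constructed addresses)
    uplink_rules eth0 192.0.2.10 192.0.2.0/24 192.0.2.1 101 1001
    # ISP 2 on eth1 (constructed addresses)
    uplink_rules eth1 198.51.100.10 198.51.100.0/24 198.51.100.1 102 1002
    # Main-table default, used when no source-specific rule matches.
    run ip route replace default via 192.0.2.1 dev eth0
    # Drop cached routing decisions so the new rules take effect.
    run ip route flush cache
}

policy_routing
```

After applying, `ip route get 203.0.113.5 from 198.51.100.10` should report the ISP 2 gateway on eth1 rather than the main-table default.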
Re: Firewall configuration with two ISP
On Wed, Mar 28, 2001 at 12:50:08PM +0530, Bala wrote:
> Hello
> In Debian GNU/Linux, I have configured three network cards. I'm having
> leased line connection from two ISP's with two different series of IP
> addresses. With first card, I have configured ISP1 and with second card, I
> have configured with ISP2. With the third card, I have configured my LAN.
> Now I'm able to ping both the ISP's gateway from my machine. But, I'm NOT
> able to access my machine with one of the Internet IP from Internet. What
> could be the problem??

There was a list of URL posted here in the debian-firewall mailing
list. One of them had a section that might be of interest. It has the
balancing for the opposite direction, but it should help get you there.

http://www.linuxsecurity.com/feature_stories/kernel-netfilter.html

The appropriate section:

So, to develop a simple and inexpensive load balancing solution, you
might use the following to have your firewall redirect some of the
traffic to each of the web servers at 192.168.1.100, 192.168.1.101 and
192.168.1.102, as follows:

    #
    # Modify destination addresses to 192.168.1.100,
    # 192.168.1.101, or 192.168.1.102
    #
    iptables -t nat -A PREROUTING -i eth1 -j DNAT \
        --to 192.168.1.100-192.168.1.102

--
Mike Schmitz <[EMAIL PROTECTED]> http://ddns.colug.org/mschmitz
My thoughts on h4x0rs: Consider the complacency and arrogance
that would cause a porcupine to sleep on its back.
Re: Firewall configuration with two ISP
On Wed, Mar 28, 2001 at 09:46:12AM +0200, DI Peter Burgstaller wrote:
> I had the same problem when we switched from one ISP to the other I was
> running both for a couple of months.
>
> Turned out that, as Jeremy Lunn suggested, that my new ISP wouldn't allow
> IPs from a different Net be routed through his net, which is of course very
> sensible and right. However, in my case it was the only way to get my setup
> working so after long discussions with the admins they would allow only the
> one IP address of my multi-homed machine in their net which solved the
> problem.
>
> I'm aware of the implications it had then but it was only a temporal matter
> in my case.

Great point. Upstream ISP's SHOULD be filtering out any IP's that are
not their own as part of their egress filters. Definitely this person
should check into that.

--
Nate Duehr <[EMAIL PROTECTED]>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
Re: Firewall configuration with two ISP
On Wed, Mar 28, 2001 at 02:22:29PM +0530, Nags wrote:
> Hello all
> I tried the same with Windows :( machine, but it is working with two ISP
> perfectly. Both of my Internet IP's is accessible from outside
> world.

I replied off-list to stop the three-list cross-posting. This whole
thread belongs on debian-user, probably.

--
Nate Duehr <[EMAIL PROTECTED]>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
Re: Firewall configuration with two ISP
Hello all

I tried the same with Windows :( machine, but it is working with two ISP
perfectly. Both of my Internet IP's is accessible from outside world.

Sorry 2 post Windows messages here.

Regards
Nags

- Original Message -
From: "Jeremy Lunn" <[EMAIL PROTECTED]>
To: "Jiri Kaderavek" <[EMAIL PROTECTED]>
Cc: "Jeremy Lunn" <[EMAIL PROTECTED]>; "Bala" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 2:07 PM
Subject: Re: Firewall configuration with two ISP

> On Wed, Mar 28, 2001 at 10:30:06AM +0200, Jiri Kaderavek wrote:
> > Hi Jeremy.
> >
> > I'll have the same problem, but:
> > What do you mean with some form
> > of clustering? Can you explain that.
> > Thanx.
>
> Actually clustering probably isn't what you want since there's only one
> machine.
>
> But what you probably do want is a common set of IPs (unfortunately these
> will be hard to get and you may need a substantial amount to be
> multihomed) and to be setup properly to be multihomed. I can't really
> say much about what the routing would need to be like either. It's
> nothing that I've had to do yet.
>
> It may even be possible to do it with different IPs, but I am not sure
> if the Linux kernel as it is can support it.
>
> --
> Jeremy Lunn
> Melbourne, Australia
Re: Firewall configuration with two ISP
On Wed, Mar 28, 2001 at 12:50:08PM +0530, Bala wrote:
> Hello
> In Debian GNU/Linux, I have configured three network cards. I'm having
> leased line connection from two ISP's with two different series of IP
> addresses. With first card, I have configured ISP1 and with second card, I
> have configured with ISP2. With the third card, I have configured my LAN.
> Now I'm able to ping both the ISP's gateway from my machine. But, I'm NOT
> able to access my machine with one of the Internet IP from Internet. What
> could be the problem??

This really isn't a problem with Debian -- you are having a problem with
your default route.

Let's call your ISP's ISP #1 and ISP #2 for this discussion.

If your default [outbound from the Linux box] route points at ISP #1,
your system will always send traffic for any networks that are not
considered "local" to that ISP. Including traffic destined to go back
to a connection that came in from ISP #2.

In theory, your connections from ISP #2 would get answered properly over
ISP #1's link via the Internet unless ISP #1's link is down. Then
nothing will work. Nothing. And ALL of your outbound traffic would
always take ISP #1's link.

You *could* mess around with static routes and weighting, but you'll
never see a "load-balanced" connection no matter what you do with this.

The "proper" way to be multihomed in this case is to get an Autonomous
System (AS) Number assigned for BGP and then run that protocol with
agreements at both ISP's that they'll route traffic for ONE range of
IP's -- not two. Having two IP ranges for the two links is a waste, and
not good IP utilization etiquette.

Of course, this isn't going to truly be load-balanced either. BGP will
pick the ISP that has the least number of AS hops (unless you prepend AS
numbers or do other things to tweak BGP) advertised to get to a
particular location.

If the ISP's have similar backbone connectivity, they'll be pretty
load-balanced, but if one ISP is actually buying bandwidth from the
other and selling it to you (happens all the time)... their routes will
always be the same AS numbers, with an additional AS number prepended,
so all the traffic will prefer the "bigger" ISP. But at least it'll all
go the other way when the bigger ISP's link drops, which is what BGP was
designed to deal with. Redundancy.

There are some GPL'ed routing daemons like Zebra which can do the BGP
peering on a Linux system, but it probably makes more sense to go buy a
solid-state (no hard disk) router designed for the purpose and to learn
about how BGP works before attempting any of this...

Best wishes,

--
Nate Duehr <[EMAIL PROTECTED]>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
Re: Firewall configuration with two ISP
I had the same problem when we switched from one ISP to the other I was
running both for a couple of months.

Turned out that, as Jeremy Lunn suggested, that my new ISP wouldn't allow
IPs from a different Net be routed through his net, which is of course very
sensible and right. However, in my case it was the only way to get my setup
working so after long discussions with the admins they would allow only the
one IP address of my multi-homed machine in their net which solved the
problem.

I'm aware of the implications it had then but it was only a temporal matter
in my case.

- cheers, Peter

/------------------------------------------------\
| Dipl.-Ing. Peter Burgstaller                   |
| Technical Assistant and System Administrator   |
| @ all information network & services gmbh      |
| email: [EMAIL PROTECTED]                       |
| phone: +43 662 452335                          |
| fax  : +43 662 452335 90                       |
\------------------------------------------------/
Re: Firewall configuration with two ISP
On Wed, Mar 28, 2001 at 10:30:06AM +0200, Jiri Kaderavek wrote:
> Hi Jeremy.
>
> I'll have the same problem, but:
> What do you mean with some form
> of clustering? Can you explain that.
> Thanx.

Actually clustering probably isn't what you want since there's only one
machine.

But what you probably do want is a common set of IPs (unfortunately these
will be hard to get and you may need a substantial amount to be
multihomed) and to be setup properly to be multihomed. I can't really
say much about what the routing would need to be like either. It's
nothing that I've had to do yet.

It may even be possible to do it with different IPs, but I am not sure
if the Linux kernel as it is can support it.

--
Jeremy Lunn
Melbourne, Australia
Re: Firewall configuration with two ISP
Hi Jeremy.

I'll have the same problem, but:
What do you mean with some form
of clustering? Can you explain that.
Thanx.

Jiri Kaderavek.

- Original Message -
From: "Jeremy Lunn" <[EMAIL PROTECTED]>
To: "Bala" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 10:18 AM
Subject: Re: Firewall configuration with two ISP

> On Wed, Mar 28, 2001 at 12:50:08PM +0530, Bala wrote:
> > Hello
> > In Debian GNU/Linux, I have configured three network cards. I'm having
> > leased line connection from two ISP's with two different series of IP
> > addresses. With first card, I have configured ISP1 and with second card, I
> > have configured with ISP2. With the third card, I have configured my LAN.
> > Now I'm able to ping both the ISP's gateway from my machine. But, I'm NOT
> > able to access my machine with one of the Internet IP from Internet. What
> > could be the problem??
>
> Presumably one of your ISPs is the default route. The other one just
> has a route for that ISPs IPs?
>
> The problem would be that the replies to any requests sent to the 2nd
> ISP will be routed back via the 1st ISP. They are probably blocked by
> your 1st ISP which is sane and I wouldn't want to use an ISP that didn't
> do that.
>
> Sorry I can't give you a solution, but you might need to do some form of
> clustering and you may need the same IPs through both ISPs.
>
> --
> Jeremy Lunn
> Melbourne, Australia
Re: Firewall configuration with two ISP
On Wed, Mar 28, 2001 at 12:50:08PM +0530, Bala wrote:
> Hello
> In Debian GNU/Linux, I have configured three network cards. I'm having
> leased line connection from two ISP's with two different series of IP
> addresses. With first card, I have configured ISP1 and with second card, I
> have configured with ISP2. With the third card, I have configured my LAN.
> Now I'm able to ping both the ISP's gateway from my machine. But, I'm NOT
> able to access my machine with one of the Internet IP from Internet. What
> could be the problem??

Presumably one of your ISPs is the default route. The other one just
has a route for that ISPs IPs?

The problem would be that the replies to any requests sent to the 2nd
ISP will be routed back via the 1st ISP. They are probably blocked by
your 1st ISP which is sane and I wouldn't want to use an ISP that didn't
do that.

Sorry I can't give you a solution, but you might need to do some form of
clustering and you may need the same IPs through both ISPs.

--
Jeremy Lunn
Melbourne, Australia