Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-19 Thread Eric Spakman
Calvin,

To give some extra information about the Bering-uClibc packages that can 
be used for the requested functionality.
 
> Here is a summary of the functionality required:
> 
> Firewall:
> stateful packet inspection
shorwall.lrp

> NAT/PAT
iptables.lrp/shorwall.lrp

> IPSEC Auth
> IPSEC VPN tunneling
ipsec.lrp (super-freeswan)

> Router:
> BGP
> RIP
zebra.lrp, bgpd.lrp, ripd.lrp (Quagga routing suite)

> Logging to external syslog server
standard syslogd functionality

> https/ssh configuration/management tool
weblet.lrp (only management), dropbear.lrp (ssh client, 
configuration/management)

> Port Knocking to trigger remote vpn/ssh access
?

> Optional user authentication to access Internet
tproxy.lrp

> Block outbound traffic by IP,subnet,user,port
> Block all inbound traffic from untrusted networks except that which is
> initiated from inside
> Allow all traffic between trusted networks.
shorwall.lrp

> Fastest available link should be chosen when redundant paths exist.
> 
not currently implemented (multipath) but on the todo list for the 
zebra (quagga) packages.

Regards,
Eric Spakman


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Fri, 2004-03-19 at 15:01, Eric Spakman wrote:
> Calvin,
> 
> To give some extra information about the Bering-uClibc packages that can 
> be used for the requested functionality.
>  
> > Here is a summary of the functionality required:
> > 

Thank you very much for pointing to the specific modules. That will help
focus my efforts.

> > Port Knocking to trigger remote vpn/ssh access
> ?
> 

I'm referring to the method of accessing closed external ports using a
predefined sequence of connection attempts across one or more ports. As
described in the Jun 2003 SysAdmin article, "The log is monitored for
specific port sequences that encode information used to modify firewall
rules, which are changed to open or close ports for a specific IP
address." I'm certain this will be possible using LEAF.

> > Fastest available link should be chosen when redundant paths exist.
> > 
> not currently implemented (multipath) but on the todo list for the 
> zebra (quagga) packages.

It was my understanding that BGP would take care of this. Maybe I didn't
accurately describe my parameters. When I said "fastest link" I meant
the one with the most available bandwidth at a given point in time.
Linux magazine recently had a pretty good article about dynamic routing
protocols. In the Mar 2004 issue it clearly describes load balancing
capabilities of BGP-4.

If my understanding of BGP is correct, what is it that you are saying is
not currently implemented?

Thank you for your detailed response.

--Cal Webster





Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Eric Spakman
Cal,

> > > Port Knocking to trigger remote vpn/ssh access
> > ?
> > 
> 
> I'm referring to the method of accessing closed external ports using a
> predefined sequence of connection attempts across one or more ports. As
> described in the Jun 2003 SysAdmin article, "The log is monitored for
> specific port sequences that encode information used to modify firewall
> rules, which are changed to open or close ports for a specific IP
> address." I'm certain this will be possible using LEAF.
> 
This should be possible, but I have never seen specific programs for 
this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
will do this job. 

> > > Fastest available link should be chosen when redundant paths exist.
> > > 
> > not currently implemented (multipath) but on the todo list for the 
> > zebra (quagga) packages.
> 
> It was my understanding that BGP would take care of this. Maybe I didn't
> accurately describe my parameters. When I said "fastest link" I meant
> the one with the most available bandwidth at a given point in time.
> Linux magazine recently had a pretty good article about dynamic routing
> protocols. In the Mar 2004 issue it clearly describes load balancing
> capabilities of BGP-4.
> 
> If my understanding of BGP is correct, what is it that you are saying is
> not currently implemented?
> 
The following compile setting is left at its default (1), but will be set 
to 0 with the next release.

--enable-multipath=ARG
Enable support for Equal Cost Multipath. ARG is the maximum number of 
ECMP paths to allow, set to 0 to allow unlimited number of paths. 

But that has indeed nothing to do with selecting the fastest link; if 
the costs are different the fastest link will be chosen by the 
routing daemon.

Regards,
Eric Spakman




Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Erich Titl
Cal

At 09:47 22.03.2004 -0500, you wrote:
>On Fri, 2004-03-19 at 15:01, Eric Spakman wrote:
>> Calvin,
>> 
>> To give some extra information about the Bering-uClibc packages that can 
>> be used for the requested functionality.
>>  
>> > Here is a summary of the functionality required:
>> > 
>
>Thank you very much for pointing to the specific modules. That will help
>focus my efforts.
>
>> > Port Knocking to trigger remote vpn/ssh access
>> ?
>> 
>
>I'm referring to the method of accessing closed external ports using a
>predefined sequence of connection attempts across one or more ports. As
>described in the Jun 2003 SysAdmin article, "The log is monitored for
>specific port sequences that encode information used to modify firewall
>rules, which are changed to open or close ports for a specific IP
>address." I'm certain this will be possible using LEAF.

Sure if you port the software. 
I'd rather use a monitoring channel through an IPSEC connection to the firewall, or 
allow access through ssh using RSA.

my 0.02

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 10:57, Eric Spakman wrote:
> Cal,
> 
> > > > Port Knocking to trigger remote vpn/ssh access
> > > ?
> > > 
> > 
> > I'm referring to the method of accessing closed external ports using a
> > predefined sequence of connection attempts across one or more ports. As
> > described in the Jun 2003 SysAdmin article, "The log is monitored for
> > specific port sequences that encode information used to modify firewall
> > rules, which are changed to open or close ports for a specific IP
> > address." I'm certain this will be possible using LEAF.
> > 
> This should be possible, but I have never seen specific programs for 
> this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
> will do this job. 

I've written Perl scripts to monitor logs in the past. Should just be a
matter of triggering the "rule-mod" event on log content, then getting
the daemon to re-read the rules.

> > > > Fastest available link should be chosen when redundant paths exist.
> > > > 
> > > not currently implemented (multipath) but on the todo list for the 
> > > zebra (quagga) packages.
> > 
> > It was my understanding that BGP would take care of this. Maybe I didn't
> > accurately describe my parameters. When I said "fastest link" I meant
> > the one with the most available bandwidth at a given point in time.
> > Linux magazine recently had a pretty good article about dynamic routing
> > protocols. In the Mar 2004 issue it clearly describes load balancing
> > capabilities of BGP-4.
> > 
> > If my understanding of BGP is correct, what is it that you are saying is
> > not currently implemented?
> > 
> The following compile setting is left at its default (1), but will be set 
> to 0 with the next release.
> 
> --enable-multipath=ARG
> Enable support for Equal Cost Multipath. ARG is the maximum number of 
> ECMP paths to allow, set to 0 to allow unlimited number of paths. 
> 
> But that has indeed nothing to do with selecting the fastest link; if 
> the costs are different the fastest link will be chosen by the 
> routing daemon.

So, to get this functionality now, I'd need to set this flag
appropriately and recompile. In my example topology, 3 of the routers
have 2 paths to each of the other two. I don't think I currently have
more than 2 links to the same destination. However, depending upon the
reliability of these, we may add an on-demand dial-up link for
emergencies. We also may have access to building-to-building fiber links
sometime in the future as well. Any idea when the next release will be
out?

So, as long as I have multi-paths set to greater than 1, the routing
daemons should be able to accomplish load balancing of the links.

Thanks!

--Cal Webster





RE: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 11:39, michiel wrote:
> Dear Cal.
> 
> My few cents for this layout.
> Hardware:
> I had some problems with incompatible 3Com 3C905 cards (don't know why).
> Check them before you start.

3Com NICs have proven pretty reliable for me, but I always take them
through the diagnostics before using them. I know the 2.4 kernel modules
can handle them.

> I think that the "old" hardware is even too fast for this setup.
> I like to use old Pentium 166s for routers because you can downclock
> them to slower machines that produce less heat and need no active
> cooling. (Every moving part gives trouble after a while.)
> Also possible to overclock the PCI bus from 33 to 40 MHz. (I have not done
> it yet but I am planning a test setup.)
> The PCI bus has its limitations; I think you will find those faster than
> the processor speed.

Two main reasons for the selection of "New Hardware": (1) rack-mount,
passive backplane chassis allows simple SBC (CPU) changes & dual cooling
fans, and (2) DiskOnChip modules or Flash RAM replace hard drives.
Choice of SBC determined by availability of DOC sockets, integrated
controllers, RAM, and cost.

> Myself, I stopped using disk drives for the OS. My 3 routers were standing
> in a non-heated environment and after a cold period the disks were always
> damaged. Using old 170MB HDs for it now. Just using 4.7MB of space on
> them.
> Using 32MB of memory and still a lot of space left.

I'm only using the hard drives for initial building, configuration, and
testing. They'll be removed in the new machines when they'll boot and
run from DOC.


> Layout:
> In your setup the routers will be crucial to network operation.
> If you double routers 1, 2 and 3 you can get more redundancy in your
> planning and easier implementation.
> Separate networks for wireless and DSL, for example.

I'm not real clear on what you mean by doubling the routers. If you are
talking about dividing responsibility for some of the paths (interfaces)
off to 2nd machine at each of the locations, I don't think this would be
best. First, our budget currently won't support purchase of duplicate
hardware. Second, it means more to manage for an already overworked
staff. 

When the budget will support additional purchases, I'd favor a fail-over
Linux cluster configuration, moving to a split passive backplane with
multi-port Ethernet cards. I certainly could press some old PC's into
service, but network closets don't have much room and recycled PC's tend
to produce more heat and have less efficient air flow than rack-mount
chassis.

> Routing:
> You have to watch out for the problem that if the DSL at the corp network
> goes down, packets don't get sent around in circles over the
> wireless network and get into an endless loop. That will bring the whole
> network down in a matter of seconds.

Would you expect this to be a problem with multi-path routing? I'll be
sure to simulate bringing down each link when the new routers are
deployed to see if this happens. I thought that the BGP daemon on the
affected router would be smart enough to detect the dead link and notify
its neighbors so they could pass the traffic through an open link to the
same destination, in theory through next available link with the most
bandwidth.

> Conclusion:
> It looks like a very nice project.
> But I think you need to split the network up for better management and
> redundancy.
> Then some machines will be routers and some will be firewalls.
> Keep me informed.
> Any questions, mail me. Willing to help. Even with my bad English.

Thanks for the comments and offer to help. I'm hoping to return to this
project this week. I just had an RF link go down so my time is pretty
divided right now.

--Cal Webster





Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 11:37, Erich Titl wrote:
> >> > Port Knocking to trigger remote vpn/ssh access
> >> ?
> >> 
> >
> >I'm referring to the method of accessing closed external ports using a
> >predefined sequence of connection attempts across one or more ports. As
> >described in the Jun 2003 SysAdmin article, "The log is monitored for
> >specific port sequences that encode information used to modify firewall
> >rules, which are changed to open or close ports for a specific IP
> >address." I'm certain this will be possible using LEAF.
> 
> Sure if you port the software. 
> I'd rather use a monitoring channel through an IPSEC connection to the firewall, or 
> allow access through ssh using RSA.
> 
> my 0.02
> 

There is no software to port, so far as I can tell. The log monitoring
and rule setting is all done via an external Perl script. Routing
daemons continue to function as they have. They'll just be told to
re-read their configuration files when it's time to open a specific port
to a specific IP address for the specified duration. You may want to
read the article I cited if you can lay your hands on a copy of the
SysAdmin mag. It's a pretty clever method, adding another valuable tool
to the network manager's belt. 

The premise behind port knocking is that external ports remain closed.
An open port is vulnerable to port scans. Once an open port is
identified, a DOS (or other) attack can be launched. Without a port to
scan, the likelihood of a DOS attack is dramatically diminished. With
port knocking, the port is opened to the specified IP address only when
connection attempts to the correct combination of ports, in the correct
sequence and timing, are received, with optionally encrypted payloads.
When it's time to make the connection, you can still use IPSEC
authentication and encryption.

Thanks for the comments!

--Cal Webster
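As an added illustration of the log-monitoring approach described in this post (not code from the thread, from LEAF or from the SysAdmin article; Perl is what the post mentions, Python is used here for clarity), the following watches constructed Shorewall/iptables DROP log lines, tracks each source's progress through an assumed knock sequence (ports 7000, 8000, 9000 within 10 seconds), and returns a grant saying which port to open for that address and until when. Applying and later revoking the grant on the firewall is left to the caller, as the post describes.

```python
import re
from dataclasses import dataclass

# Assumed knock parameters (constructed for this example): three ports in
# order, completed within KNOCK_WINDOW seconds, after which OPEN_PORT is
# opened to that source for OPEN_DURATION seconds.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0
OPEN_PORT = 22
OPEN_DURATION = 30.0

# iptables/Shorewall LOG lines carry SRC= and DPT= fields; only those matter here.
LOG_RE = re.compile(r"\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)\b.*\bDPT=(?P<dpt>\d+)\b")


@dataclass(frozen=True)
class Grant:
    """What the firewall should do: open `port` for `src` until `expires_at`."""
    src: str
    port: int
    expires_at: float


class KnockMonitor:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self._progress = {}  # src -> (index of next expected port, time of first knock)

    def feed(self, ts, line):
        """Consume one log line (ts = its time in seconds).  Returns a Grant
        when this line completes the sequence for its source, else None."""
        m = LOG_RE.search(line)
        if not m:
            return None  # not a DROP line we understand; ignore it
        src, dpt = m.group("src"), int(m.group("dpt"))
        idx, started = self._progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts  # sequence took too long: start over
        if dpt == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        elif dpt == self.sequence[0]:
            idx, started = 1, ts  # out of order, but a valid first knock
        else:
            idx = 0  # any other port breaks the sequence
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            return Grant(src, OPEN_PORT, ts + OPEN_DURATION)
        self._progress[src] = (idx, started)
        return None


def active_grants(grants, now):
    """Grants that have not yet expired; expired ones should be revoked."""
    return [g for g in grants if g.expires_at > now]


def _line(src, dpt):
    # Constructed Shorewall/iptables LOG line with the fields the monitor reads.
    return ("Mar 22 10:00:00 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.1 PROTO=TCP SPT=40000 DPT={dpt}")


# Constructed sample log: (time in seconds, line).
SAMPLE_LOG = [
    (100.0, _line("192.0.2.10", 7000)),  # correct sequence, in time
    (101.0, _line("192.0.2.10", 8000)),
    (102.0, _line("192.0.2.10", 9000)),
    (103.0, _line("192.0.2.20", 9000)),  # right ports, wrong order
    (104.0, _line("192.0.2.20", 8000)),
    (105.0, _line("192.0.2.20", 7000)),
    (200.0, _line("192.0.2.30", 7000)),  # correct order but too slow
    (215.0, _line("192.0.2.30", 8000)),
    (216.0, _line("192.0.2.30", 9000)),
    (300.0, "Mar 22 10:05:00 fw sshd[123]: Accepted publickey for admin"),
]


def run_sample(log=SAMPLE_LOG):
    """Feed the sample log through one monitor and collect the grants."""
    mon = KnockMonitor()
    grants = []
    for ts, line in log:
        g = mon.feed(ts, line)
        if g is not None:
            grants.append(g)
    return grants
```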





Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Eric Spakman
Cal,

> > > I'm referring to the method of accessing closed external ports using a
> > > predefined sequence of connection attempts across one or more ports. As
> > > described in the Jun 2003 SysAdmin article, "The log is monitored for
> > > specific port sequences that encode information used to modify firewall
> > > rules, which are changed to open or close ports for a specific IP
> > > address." I'm certain this will be possible using LEAF.
> > > 
> > This should be possible, but I have never seen specific programs for 
> > this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
> > will do this job. 
> 
> I've written Perl scripts to monitor logs in the past. Should just be a
> matter of triggering the "rule-mod" event on log content, then getting
> the daemon to re-read the rules.
>
We don't have perl packages for Bering-uClibc.
 
> > > > > Fastest available link should be chosen when redundant paths exist.
> > > > > 
> > > > not currently implemented (multipath) but on the todo list for the 
> > > > zebra (quagga) packages.
> > > 
> > > It was my understanding that BGP would take care of this. Maybe I didn't
> > > accurately describe my parameters. When I said "fastest link" I meant
> > > the one with the most available bandwidth at a given point in time.
> > > Linux magazine recently had a pretty good article about dynamic routing
> > > protocols. In the Mar 2004 issue it clearly describes load balancing
> > > capabilities of BGP-4.
> > > 
> > > If my understanding of BGP is correct, what is it that you are saying is
> > > not currently implemented?
> > > 
> > The following compile setting is left at its default (1), but will be set 
> > to 0 with the next release.
> > 
> > --enable-multipath=ARG
> > Enable support for Equal Cost Multipath. ARG is the maximum number of 
> > ECMP paths to allow, set to 0 to allow unlimited number of paths. 
> > 
> > But that has indeed nothing to do with selecting the fastest link; if 
> > the costs are different the fastest link will be chosen by the 
> > routing daemon.
> 
> So, to get this functionality now, I'd need to set this flag
> appropriately and recompile. In my example topology, 3 of the routers
> have 2 paths to each of the other two. I don't think I currently have
> more than 2 links to the same destination. However, depending upon the
> reliability of these, we may add an on-demand dial-up link for
> emergencies. We also may have access to building-to-building fiber links
> sometime in the future as well. Any idea when the next release will be
> out?
> 
You only need to set this flag if you want load-balancing for those 
lines. For fallback this isn't necessary, the on-demand link will 
have a higher cost set and will only be enabled when the primary link 
fails. BGP or OSPF can handle this without problems.
You may also take a look at the ipvsadm.lrp package; it will give you 
HSRP (Hot Standby Router)-like operation 
(http://www.linuxvirtualserver.org).

Our routing source is based on Quagga (Zebra) software, we will 
create and test new packages when the next version of that software 
is available. But I have no idea when the next version of Quagga will 
be released exactly...

> So, as long as I have multi-paths set to greater than 1, the routing
> daemons should be able to accomplish load balancing of the links.
> 
Yes, but if you set it to "0" you have support for unlimited number 
of paths.

Eric




Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 14:33, Eric Spakman wrote:
> Cal,
> 
> > > > I'm referring to the method of accessing closed external ports using a
> > > > predefined sequence of connection attempts across one or more ports. As
> > > > described in the Jun 2003 SysAdmin article, "The log is monitored for
> > > > specific port sequences that encode information used to modify firewall
> > > > rules, which are changed to open or close ports for a specific IP
> > > > address." I'm certain this will be possible using LEAF.
> > > > 
> > > This should be possible, but I have never seen specific programs for 
> > > this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
> > > will do this job. 
> > 
> > I've written Perl scripts to monitor logs in the past. Should just be a
> > matter of triggering the "rule-mod" event on log content, then getting
> > the daemon to re-read the rules.
> >
> We don't have perl packages for Bering-uClibc.

Well, that could be a problem then. I'm sure it's still do-able, but it
might be a little more difficult to implement. I know we're trying to
keep the footprint as small as possible so it makes sense that the
rather large Perl distro isn't there. Maybe there's a "mini-perl"
somewhere. Or, a working Perl script could be converted to C and
compiled to run by itself.
 
> > > > > > Fastest available link should be chosen when redundant paths exist.
> > > > > > 
> > > > > not currently implemented (multipath) but on the todo list for the 
> > > > > zebra (quagga) packages.
> > > > 
> > > > It was my understanding that BGP would take care of this. Maybe I didn't
> > > > accurately describe my parameters. When I said "fastest link" I meant
> > > > the one with the most available bandwidth at a given point in time.
> > > > Linux magazine recently had a pretty good article about dynamic routing
> > > > protocols. In the Mar 2004 issue it clearly describes load balancing
> > > > capabilities of BGP-4.
> > > > 
> > > > If my understanding of BGP is correct, what is it that you are saying is
> > > > not currently implemented?
> > > > 
> > > The following compile setting is left at its default (1), but will be set 
> > > to 0 with the next release.
> > > 
> > > --enable-multipath=ARG
> > > Enable support for Equal Cost Multipath. ARG is the maximum number of 
> > > ECMP paths to allow, set to 0 to allow unlimited number of paths. 
> > > 
> > > But that has indeed nothing to do with selecting the fastest link; if 
> > > the costs are different the fastest link will be chosen by the 
> > > routing daemon.
> > 
> > So, to get this functionality now, I'd need to set this flag
> > appropriately and recompile. In my example topology, 3 of the routers
> > have 2 paths to each of the other two. I don't think I currently have
> > more than 2 links to the same destination. However, depending upon the
> > reliability of these, we may add an on-demand dial-up link for
> > emergencies. We also may have access to building-to-building fiber links
> > sometime in the future as well. Any idea when the next release will be
> > out?
> > 
> You only need to set this flag if you want load-balancing for those 
> lines. For fallback this isn't necessary, the on-demand link will 
> have a higher cost set and will only be enabled when the primary link 
> fails. BGP or OSPF can handle this without problems.
> You may also take a look at the ipvsadm.lrp package; it will give you 
> HSRP (Hot Standby Router)-like operation 
> (http://www.linuxvirtualserver.org).

At peak loads even the 100 Mbps wireless gets saturated for short
periods. With overhead it's really only about 30-40 Mbps. Load balancing
with the slower DSL links would still offer some benefit I think. I
definitely don't see any benefit to balancing with a dial-up link,
though. Are the links that get balanced selectable? If I enable
unlimited multipaths, will it try to balance all links between identical
networks?

I was going to model the entire project on VMware, but I found that
VMware limits number of NICs to 3, too few for most of my routers. I
suppose I can still model some of this functionality though, to get the
feel of the software. It will also help answer some of the "dumb"
questions without cluttering the mailing list.

Thank you for the follow-up.

--Cal Webster







Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Eric Spakman
Cal,

> > > I've written Perl scripts to monitor logs in the past. Should just be a
> > > matter of triggering the "rule-mod" event on log content, then getting
> > > the daemon to re-read the rules.
> > >
> > We don't have perl packages for Bering-uClibc.
> 
> Well, that could be a problem then. I'm sure it's still do-able, but it
> might be a little more difficult to implement. I know we're trying to
> keep the footprint as small as possible so it makes sense that the
> rather large Perl distro isn't there. Maybe there's a "mini-perl"
> somewhere. Or, a working Perl script could be converted to C and
> compiled to run by itself.
>
A small footprint is not the only issue, extra software on a 
router/firewall can give higher security risks also.

If I'm not mistaken there is indeed something like "miniperl" I will 
take a look at it.
  
> > You only need to set this flag if you want load-balancing for those 
> > lines. For fallback this isn't necessary, the on-demand link will 
> > have a higher cost set and will only be enabled when the primary link 
> > fails. BGP or OSPF can handle this without problems.
> > You may also take a look at the ipvsadm.lrp package; it will give you 
> > HSRP (Hot Standby Router)-like operation 
> > (http://www.linuxvirtualserver.org).
> 
> At peak loads even the 100 Mbps wireless gets saturated for short
> periods. With overhead it's really only about 30-40 Mbps. Load balancing
> with the slower DSL links would still offer some benefit I think. I
> definitely don't see any benefit to balancing with a dial-up link,
> though. Are the links that get balanced selectable? If I enable
> unlimited multipaths, will it try to balance all links between identical
> networks?
> 
Equal Cost Multipath is something other than load balancing; I wasn't 
fully clear in my previous mail. You probably won't set the costs for 
a 100 Mb and a dialup link equal, because that means the router thinks 
those lines are equal in speed and half of the traffic will be sent over 
the slow link ;-) ECM is only meant for equal lines.
I have to look at the exact function and impact of the ECM setting.

> I was going to model the entire project on VMware, but I found that
> VMware limits number of NICs to 3, too few for most of my routers. I
> suppose I can still model some of this functionality though, to get the
> feel of the software. It will also help answer some of the "dumb"
> questions without cluttering the mailing list.
> 
> Thank you for the follow-up.
> 
> --Cal Webster
> 
> 
> 
> 
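An added model (not Quagga's or LEAF's code) of the distinction drawn in the reply above: select_next_hops stands in for --enable-multipath=ARG by installing only the routes that share the lowest cost, capped at ARG paths (0 = unlimited), so a costlier dial-up link is used only as fallback, while giving it an equal cost makes it an ECMP member that receives a share of the flows. Link names, costs, the tie-break by name and the per-flow CRC hashing are assumptions for the example.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    via: str      # link / next-hop name (constructed for the example)
    cost: int
    up: bool = True


def select_next_hops(routes, max_paths):
    """Next hops installed for one destination.

    max_paths plays the role of --enable-multipath=ARG from the thread:
    the maximum number of equal-cost paths to install, 0 = unlimited.
    Only routes sharing the lowest cost among links that are up are
    candidates; a higher-cost route is never mixed in, so a backup link
    with a worse cost is used only when every cheaper link is down.
    """
    alive = [r for r in routes if r.up]
    if not alive:
        return []
    best = min(r.cost for r in alive)
    # Tie-break among equal-cost routes by name: an assumption made for
    # determinism; real daemons apply their own tie-breaking rules.
    equal = sorted(r.via for r in alive if r.cost == best)
    if max_paths > 0:
        equal = equal[:max_paths]
    return equal


def next_hop_for_flow(flow, next_hops):
    """Per-flow hashing over the installed next hops: an assumed model of
    how traffic is spread once several ECMP routes are installed."""
    return next_hops[zlib.crc32(flow.encode()) % len(next_hops)]


def flow_distribution(flows, next_hops):
    """Count how many flows land on each installed next hop."""
    counts = {hop: 0 for hop in next_hops}
    for flow in flows:
        counts[next_hop_for_flow(flow, next_hops)] += 1
    return counts


# Constructed topology: two equal links and a costlier dial-up backup.
LINKS = [Route("wireless", 10), Route("dsl", 10), Route("dialup", 100)]
# Constructed flows (src:sport->dst:dport) to spread over the next hops.
FLOWS = [f"10.0.0.{i}:{40000 + i}->192.0.2.1:443" for i in range(1, 101)]


def demo():
    """Return the outcomes the thread discusses, keyed by scenario."""
    single = select_next_hops(LINKS, 1)        # one path installed
    balanced = select_next_hops(LINKS, 0)      # unlimited ECMP: both equal links
    dead = [Route("wireless", 10, up=False), Route("dsl", 10, up=False),
            Route("dialup", 100)]
    fallback = select_next_hops(dead, 0)       # only the backup link is left
    # The mistake warned about above: dial-up costed equal to the fast link
    # becomes an ECMP member and receives a share of the flows.
    mis_costed = select_next_hops([Route("wireless", 10), Route("dialup", 10)], 0)
    return {
        "single": single,
        "balanced": balanced,
        "fallback": fallback,
        "mis_costed_share": flow_distribution(FLOWS, mis_costed),
    }
```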






RE: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Peter Mueller
> I was going to model the entire project on VMware, but I found that
> VMware limits number of NICs to 3, too few for most of my routers. I

I don't think user-mode-linux has that built-in restriction.

http://user-mode-linux.sourceforge.net/




RE: [leaf-user] Which Distro for This Firewall/Router?

2004-03-23 Thread Calvin Webster
Hello Michiel,

Wow! I guess you were serious about helping. I really appreciate the
time and thought you have put into this, Michiel. I'm curious why you
have not been cc'ing the LEAF list. This information might be helpful to
someone else like me. If you would prefer I leave the list off my
replies please let me know. I'm not sure if all my replies are making it
to the list either. I just got a message that my last post was sent to
the moderator awaiting approval due to "suspicious header". I suspect
you may be in the same boat.

My in-line comments are inserted below.

Thanks!

--Cal Webster

On Mon, 2004-03-22 at 19:37, michiel wrote:
> Dear Calvin
> 
> Not all 3C905 cards are the same.
> I got one with a Lucent chip that doesn't work with Linux.
> Most of them do work with Linux; best suggestion: try it first. The bug is
> very annoying because DHCP and some other things work but not heavy
> loads like FTP (especially large packets (MTU)).
> It cost me 3 days to find that out. Trying to prevent it for you.

Thanks for the warning. Fortunately, I haven't encountered those
problems.

> DOC sockets?
> You can also use an IDE port with a DOC.
> Take a look at this one.
> http://www.routerboard.com/parts.html#cf_ide
> Just works like a hard disk. (Have not tried it yet.)

That was an option when I specified the SBC, but the performance
specifications in the Cyber Research catalog appeared better for the DOC
sockets. I've bookmarked that site, though. I'm always looking for new
sources for non-standard hardware.

> 128 MB RAM?
> Even with Squid proxy caching that is way too much.
> 32 MB is mostly OK.
> 768 MB RAM?
> There is no use for it. At least not with LEAF.

RAM is relatively cheap. Better to have more than less, especially
without hard drives.

> PCI bridge.
> All PCI bridges can only do 133 Mbps.
> Then there will be a problem using 2x 100 Mbps wireless links.
> (Not sure which wireless system you are using?)
> I am using a 54g wireless network; that doesn't mean that there is 54
> Mbps speed, just 22.5 Mbps max.
> Intel has mainboards with a separate bridge for network (1 Gbps) that
> can give some space, but expensive.
> Otherwise there is not much need for faster systems than a Pentium.
> PCI Express is going to change that, I hope.

We're using RadioLAN RMG503's. I may substitute a free-space optical
bridge for one of the links. With Ethernet overhead and encryption from
VPN tunneling, we're getting more like 30-40 Mbps of the 100 Mbps
advertised. 

I'd be interested in looking at any SBC with separate bridge for
networking to use with the 3rd router and possible upgrades for the
others. Is there a separate block of PCI slots for NICs?

As I indicated in one of my previous posts, I intend to eventually
upgrade the existing NICs with multi-port Ethernet cards. These
typically have their own PCI-to-PCI bridge anyway. Such is the case with
the "4-port Ethernet Card RouterBoard 44" at the site you listed above.

> Layout:
> This will be my solution.
> At least just my few cents.
> 
> Building D firewall 4.
> Not really interesting, just a simple Bering + IPsec. A 486DX-33 PCI will
> do, but ISA is fine too. (Maybe if PLAN1/2 are big go for PCI.)
> A bit more PC is always nice. So use a Pentium.
> No routing protocols necessary so I will scratch it out of the schematic.

I don't want to have to manage static routes. As I indicated in my
original specification, all other Private LANs (PLANs) must be able to
send and receive traffic to/from all other PLANs without restriction. I
neglected to mention however, that at least one PLAN in each building
will also need Internet access and access to the corporate intranet.

> To firewall or to (IPsec) route
> That's the difference.
> Routers 1/2/3 use OSPF/BGP routing over IPsec.
> Firewalls 1/2/3 use simple switching software between DSL and router.

I'm not sure what you mean by "switching software between dsl and
router". Are you implying that the ospf/bgp daemons are not to be aware
of the DSL links? Without the routing protocols, how will automatic
fail-over occur when a link goes down?

> Most DSL providers require that they are your default gateway.
> And you want that to be router 2 at building B.

We own our own DSL equipment including the chassis and line cards at the
corporate telephone office/network operation center. However, it is
aging and will soon be unsupportable. I haven't gotten approval for
replacement yet, but hope to tap existing fiber links.

We have a default gateway on the corporate network for access to the
corporate network and their severely restricted Internet connection. We
will normally only use corporate network to access corporate resources.
However, if the main cable ISP link at our site goes down or is somehow
unavailable, each of the buildings should fail-over to use the corporate
Internet access through the DSL link.

>   [Remote User]
>  [firewall 1]   [