Re: [Vyatta-users] WAN Load Balancing

2008-02-07 Thread abhilash s
Hi,

   This makes sense. We will try the multi WAN load balancing.

Thanks,

Abhilash S
Ascella Technologies, Inc.
www.ascellatech.com


On Feb 5, 2008 11:59 AM, Dave Roberts <[EMAIL PROTECTED]> wrote:
>
> > Thanks for your quick reply. I agree that we can test the
> > multiple WAN load balancing feature before it is released to
> > help with your testing. But one thing I forgot to mention
> > about the broadband connection, is that it has a maximum data
> > transfer of 20GB per month.
> > That is why we were using the below plan:
> >
> > * The leased line connection is all traffic till 11 AM  (it
> > is set to the default gateway)
> > * After 11:00AM, we switch the default gateway to the
> > broadband connection for all internet traffic, and add a
> > static route so that VPN traffic remains on the leased line.
> > * After 5:00PM, we reset this back to the original configuration
> >
> > We don't want to exceed the maximum limit of 20GB on the
> > broadband connection.
> >
> > Is it possible to limit the bandwidth usage of the broadband
> > connection using the multiple WAN load balancing?  That is
> > why we were thinking of using OSPF, so that we could increase
> > the "cost" of the 2Mb connection as we approach the maximum.
> > With this new requirement, does OSPF still make sense for us?
> >  If not, could you explain why OSPF may not be the choice for us?
>
> OSPF would allow you to assign a cost to a given route, but it's a hard
> cost. Paths with the lowest cost will receive all the traffic until a
> lower-cost path becomes available. If that's exactly what you want, then
> that's one way to achieve it, but it feels like overkill because OSPF is a
> hugely complex protocol and you really aren't using it for doing what it
> was intended.
>
> One thing you could do is use the WAN load balancing feature and change
> the weight factors between the links as you approach the maximum. There is
> currently no way to do this automatically, though coupled with QoS you
> might be able to work something out. Personally, I would go this route
> with WAN LB weight adjustment rather than OSPF.
>
> -- Dave
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] WAN Load Balancing

2008-02-04 Thread abhilash s
Hi ,

Thanks for your quick reply. I agree that we can test the multiple
WAN load balancing feature before it is released to help with your
testing. But one thing I forgot to mention about the broadband
connection, is that it has a maximum data transfer of 20GB per month.
That is why we were using the below plan:

* The leased line connection is all traffic till 11 AM  (it is set to
the default gateway)
* After 11:00AM, we switch the default gateway to the broadband
connection for all internet traffic, and add a static route so that
VPN traffic remains on the leased line.
* After 5:00PM, we reset this back to the original configuration

We don't want to exceed the maximum limit of 20GB on the broadband connection.

Is it possible to limit the bandwidth usage of the broadband
connection using the multiple WAN load balancing?  That is why we were
thinking of using OSPF, so that we could increase the "cost" of the
2Mb connection as we approach the maximum.  With this new requirement,
does OSPF still make sense for us?  If not, could you explain why OSPF
may not be the choice for us?

Thanks,

Abhilash S
Ascella Technologies, Inc.
www.ascellatech.com


[Vyatta-users] Vyatta network architecture / OSPF

2008-02-04 Thread abhilash s
Hi All,

We are planning to do some upgrade in our network. The present network
has one Vyatta router and two internet connections (one is a 1Mb leased
line and the other is 2Mb broadband). Since the broadband connection
is limited, we are manually changing the default gateway:

* The leased line connection is all traffic till 11 AM  (it is set to
the default gateway)
* After 11:00AM, we switch the default gateway to the broadband
connection for all internet traffic, and add a static route so that
VPN traffic remains on the leased line.
* After 5:00PM, we reset this back to the original configuration

Here are the drawbacks of the system we currently use:

* Requires manual shifting of routes (twice a day)
* If the leased line connection goes down then we have to remove the
static route and restart the VPN process so that it utilizes the
broadband connection
* If the broadband connection goes down between 11-5, then we have to
switch the default gateway to the leased line.

In an attempt to fix these issues we were thinking about something
like the below diagram (3 Router setup) and utilize dynamic routing
protocols.

    Router A (ISP1 - Leased Line)      Router B (ISP2 - Broadband)
                |                                  |
                |                                  |
                +----------------+-----------------+
                                 |
                             Router C
                       (Connected to LAN)

The first idea we had was to configure Router A and B so that both
servers have the VPN process started (so both can reach the server).
This way there are two paths to reach the same destination.  We were
then planning on setting the cost of the VPN route through Router A as
the lowest cost so that is used by default. If Router A goes down,
then Router C knows to automatically route VPN traffic from the LAN to
Router B.  Can we use OSPF to perform this?

The second idea that we would like to try is to modify route cost
based on time of day.  For example, between 11-5, we want Router C to
shift Internet traffic from Router A to Router B with the exception of
VPN.  Can this be done by utilizing OSPF?  What is the best way to
update the cost dynamically?  Is there a way to do it within Vyatta
OFR or do we need to utilize a bash/perl script?  Has anyone created
rules like this that take into account bandwidth or latency?

Any suggestions that can be offered about this architecture would be
great before we start testing this.

Thanks

Abhilash S
Ascella Technologies, Inc
www.ascellatech.com
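The question above asks how to shift traffic between the two links by time of day or by remaining quota, and Dave's reply earlier in the thread suggests doing it by changing the WAN load-balancing weights rather than OSPF costs, noting there is no automatic way to do that. The script below is an added example (not code from the thread, from Abhilash or from Vyatta) of the piece that has to be scripted: read the broadband link's byte counters from /proc/net/dev, work out usage since the start of the billing month against the 20 GB cap, and map that to a weight. It assumes eth1 is the 2Mb broadband link, that rule 10 is the load-balancing rule carrying default traffic, and that the `set load-balancing wan rule ... interface ... weight ...` syntax it renders is what the installed release accepts; check that against the release's documentation before wiring the output into a cron job. The /proc/net/dev text is a constructed sample.

```python
# Added example: quota-driven weight selection for the WAN load-balancing
# approach suggested in this thread. Not Vyatta code and not from the thread.
GIB = 1024 ** 3
BROADBAND_CAP = 20 * GIB      # the 20 GB/month cap described in the thread
BROADBAND_IF = "eth1"         # assumption: eth1 is the 2Mb broadband link
LB_RULE = 10                  # assumption: the rule carrying default-route traffic

# Staircase of (fraction of cap consumed, weight for the broadband link).
# The leased line keeps weight 1 in the same rule, so 3 means roughly three
# quarters of new flows go via broadband. 0 is not a Vyatta weight value; it
# means "take the link out of the rule" and is rendered as a delete below.
WEIGHT_STEPS = [(0.50, 3), (0.80, 2), (0.95, 1), (1.00, 0)]


def parse_proc_net_dev(text, iface):
    """Return (rx_bytes, tx_bytes) for iface from the contents of /proc/net/dev."""
    for line in text.splitlines():
        if ":" not in line:
            continue                       # the two header lines
        name, rest = line.split(":", 1)
        if name.strip() != iface:
            continue
        fields = rest.split()
        return int(fields[0]), int(fields[8])   # rx bytes, tx bytes
    raise KeyError("%s not found in /proc/net/dev" % iface)


def bytes_since(baseline, current):
    """Usage since a baseline snapshot of a cumulative interface counter.

    Counters restart from zero at boot. If current < baseline the router
    rebooted after the snapshot, so the post-reboot total is the best figure
    available (traffic between the snapshot and the reboot is lost, which
    under-counts; snapshot on every boot as well as on billing day).
    """
    return current if current < baseline else current - baseline


def broadband_weight(used, cap=BROADBAND_CAP):
    """Weight for the broadband link given bytes consumed this billing month."""
    frac = used / cap
    for limit, weight in WEIGHT_STEPS:
        if frac < limit:
            return weight
    return 0                               # at or past the cap


def render_commands(weight, iface=BROADBAND_IF, rule=LB_RULE):
    """Configure-mode commands for the weight. The CLI syntax is an assumption."""
    if weight == 0:
        return ["delete load-balancing wan rule %d interface %s" % (rule, iface)]
    return ["set load-balancing wan rule %d interface %s weight %d" % (rule, iface, weight)]


def plan(proc_net_dev, baseline_rx, baseline_tx, iface=BROADBAND_IF):
    """One cron cycle: read counters, work out month usage, pick a weight, emit commands."""
    rx, tx = parse_proc_net_dev(proc_net_dev, iface)
    used = bytes_since(baseline_rx, rx) + bytes_since(baseline_tx, tx)
    weight = broadband_weight(used)
    return used, weight, render_commands(weight)


# Constructed sample of /proc/net/dev: eth1 has moved 15 GiB in and 2 GiB out.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:  5368709120  4000000    0    0    0     0          0         0  1073741824   900000    0    0    0     0       0          0
  eth1: 16106127360 12000000    0    0    0     0          0         0  2147483648  1500000    0    0    0     0       0          0
"""

if __name__ == "__main__":
    used, weight, cmds = plan(SAMPLE_PROC_NET_DEV, baseline_rx=0, baseline_tx=0)
    print("used %.1f GiB of %d GiB -> broadband weight %d"
          % (used / GIB, BROADBAND_CAP // GIB, weight))
    for c in cmds:
        print(c)
```

Keep the VPN pinned to the leased line with a separate, more specific load-balancing rule (or the static route already in use) so the weight changes only touch general internet traffic, and have the script commit only when the computed weight differs from the last one applied, so it does not churn the configuration every run.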


Re: [Vyatta-users] VC3 firewall problem

2008-01-10 Thread abhilash s
Hi Robyn,

 This works for me. Thank you very much.

Thanks and Regards,

Abhilash.S

On Jan 10, 2008 10:11 AM, Robyn Orosz <[EMAIL PROTECTED]> wrote:
> Hi Abhilash,
>
> There is an issue in VC3 that restricts the related/established rule
> (your rule number 1) to TCP only.  Most likely, the reason your VC2
> firewall was working is because return traffic of any type (ICMP, UDP,
> TCP, etc.) was allowed back in via rule number 1.  Your new rule number
> 1 on VC3 only allows return traffic on TCP.
>
> For more information on the bug and to fix this issue on your system,
> see the following post to the user's list:
>
> http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html
>
> This bug has been fixed and will no longer be an issue in the next release.
>
> Thank you,
>
> Robyn
>
>
>
> abhilash s wrote:
> > Hi All,
> >
> > I have upgraded VC2 to VC3. But when I tried to implement
> > firewall, all traffic to internet stops. Here is my old and new
> > firewall configuration:
> >
> >
> > OLD FIREWALL CONFIGURATION:
> >
> >
> > firewall {
> >     log-martians: "enable"
> >     send-redirects: "disable"
> >     receive-redirects: "disable"
> >     ip-src-route: "disable"
> >     broadcast-ping: "disable"
> >     syn-cookies: "enable"
> >     name inbound {
> >         rule 1 {
> >             protocol: "all"
> >             state {
> >                 established: "enable"
> >                 related: "enable"
> >             }
> >             action: "accept"
> >             log: "disable"
> >         }
> >         rule 2 {
> >             protocol: "tcp"
> >             action: "accept"
> >             log: "disable"
> >             source {
> >                 address: x.x.x.x
> >             }
> >             destination {
> >                 port-name: "ssh"
> >             }
> >         }
> >         rule 3 {
> >             protocol: "tcp"
> >             action: "accept"
> >             log: "disable"
> >             source {
> >                 address: x.x.x.x
> >             }
> >             destination {
> >                 port-name: "ssh"
> >             }
> >         }
> >         rule 4 {
> >             protocol: "icmp"
> >             icmp {
> >                 type: "8"
> >             }
> >             action: "accept"
> >             log: "disable"
> >         }
> >         rule 5 {
> >             protocol: "icmp"
> >             icmp {
> >                 type: "11"
> >             }
> >             action: "accept"
> >             log: "disable"
> >         }
> >         rule 6 {
> >             protocol: "udp"
> >             action: "accept"
> >             log: "disable"
> >             destination {
> >                 port-number: xxx
> >             }
> >         }
> >         rule 7 {
> >             protocol: "all"
> >             action: "drop"
> >             log: "disable"
> >             source {
> >                 network: 0.0.0.0/0
> >             }
> >         }
> >     }
> > }
> >
> > NEW FIREWALL CONFIGURATION:
> >
> > firewall {
> >     log-martians: "enable"
> >     send-redirects: "disable"
> >     receive-redirects: "disable"
> >     ip-src-route: "disable"
> >     broadcast-ping: "disable"
> >     syn-cookies: "enable"
> >     name inbound {
> >         description: "inbound firewall"
> >         rule 1 {
> >             protocol: "tcp"
> >             state {
> >                 established: "enable"
> >                 related: "enable"
> >             }
> >             action: "accept"
> >             log: "disable"
> >         }
> >         rule 2 {
> >             protocol: "tcp"
> >             action: "accept"
> >             log: "disable"
> >             source {
> >                 address: "
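Robyn's explanation above is that on VC3 the established/related rule only matches TCP, so every non-TCP reply falls through to the final drop rule. The block below is an added example (not code from the thread, from Abhilash or from Vyatta): a first-match model of the posted "inbound" rule set, evaluated once with rule 1 as written (`protocol: "all"`, what VC2 enforced) and once with rule 1 restricted to TCP (what VC3 actually applied), against constructed return packets. The source-address matches (x.x.x.x) and the UDP port (xxx) are elided in the post and are kept as placeholders; treating "no matching rule" as drop is an assumption about the default, and it does not matter here because the posted set ends in an explicit drop-all.

```python
# Added example: why a state rule that matches TCP only breaks ping and DNS
# replies while TCP sessions keep working. Not Vyatta code, not from the thread.
SSH_PORT = 22
UDP_SERVICE_PORT = "xxx"          # elided in the original post; placeholder


def rule(num, action, protocol="all", state=None, icmp_type=None, dst_port=None):
    """One firewall rule as a dict; None means 'no match clause of that kind'."""
    return {"num": num, "action": action, "protocol": protocol, "state": state,
            "icmp_type": icmp_type, "dst_port": dst_port}


def matches(r, pkt):
    if r["protocol"] != "all" and r["protocol"] != pkt["protocol"]:
        return False
    if r["state"] is not None and pkt["state"] not in r["state"]:
        return False
    if r["icmp_type"] is not None and pkt.get("icmp_type") != r["icmp_type"]:
        return False
    if r["dst_port"] is not None and pkt.get("dst_port") != r["dst_port"]:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins, as in the netfilter chain the config compiles
    to. No match falls through to drop (assumption about the default policy)."""
    for r in rules:
        if matches(r, pkt):
            return r["num"], r["action"]
    return None, "drop"


def rule_set(state_rule_protocol):
    """The posted 8-rule 'inbound' set, with rule 1's protocol as a parameter."""
    return [
        rule(1, "accept", state_rule_protocol, state={"established", "related"}),
        rule(2, "accept", "tcp", dst_port=SSH_PORT),
        rule(3, "accept", "tcp", dst_port=SSH_PORT),
        rule(4, "accept", "icmp", icmp_type=8),      # echo request only
        rule(5, "accept", "icmp", icmp_type=11),     # time exceeded only
        rule(6, "accept", "udp", dst_port=UDP_SERVICE_PORT),
        rule(7, "accept", "udp", dst_port=UDP_SERVICE_PORT),
        rule(8, "drop"),                             # explicit drop-all
    ]


VC2_RULES = rule_set("all")   # rule 1 as written, and as VC2 enforced it
VC3_RULES = rule_set("tcp")   # the same rule 1 as VC3 actually applied it

# Constructed return packets arriving from the WAN. conntrack marks the reply
# to an echo request, a DNS answer and a TCP data segment all as ESTABLISHED.
ECHO_REPLY = {"protocol": "icmp", "icmp_type": 0, "state": "established"}
DNS_REPLY = {"protocol": "udp", "dst_port": 40123, "state": "established"}
HTTP_REPLY = {"protocol": "tcp", "dst_port": 40124, "state": "established"}
UNSOLICITED_SYN = {"protocol": "tcp", "dst_port": 80, "state": "new"}


def compare(pkt):
    """(VC2 verdict, VC3 verdict) for one packet, each as (rule number, action)."""
    return evaluate(VC2_RULES, pkt), evaluate(VC3_RULES, pkt)


if __name__ == "__main__":
    samples = [("echo reply", ECHO_REPLY), ("DNS reply", DNS_REPLY),
               ("HTTP reply", HTTP_REPLY), ("unsolicited SYN", UNSOLICITED_SYN)]
    for name, pkt in samples:
        (r2, a2), (r3, a3) = compare(pkt)
        print("%-16s VC2: rule %s %-6s  VC3: rule %s %s" % (name, r2, a2, r3, a3))
```

The echo reply to a ping of the ISP gateway and the DNS answer are both accepted by rule 1 under the VC2 semantics and dropped by rule 8 under VC3, while an HTTP reply still gets through, which is exactly the symptom reported: TCP keeps working, ping and UDP-based services stop.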

[Vyatta-users] VC3 firewall problem

2008-01-10 Thread abhilash s
Hi All,

I have upgraded VC2 to VC3. But when I tried to implement
firewall, all traffic to internet stops. Here is my old and new
firewall configuration:


OLD FIREWALL CONFIGURATION:


firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name inbound {
        rule 1 {
            protocol: "all"
            state {
                established: "enable"
                related: "enable"
            }
            action: "accept"
            log: "disable"
        }
        rule 2 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: x.x.x.x
            }
            destination {
                port-name: "ssh"
            }
        }
        rule 3 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: x.x.x.x
            }
            destination {
                port-name: "ssh"
            }
        }
        rule 4 {
            protocol: "icmp"
            icmp {
                type: "8"
            }
            action: "accept"
            log: "disable"
        }
        rule 5 {
            protocol: "icmp"
            icmp {
                type: "11"
            }
            action: "accept"
            log: "disable"
        }
        rule 6 {
            protocol: "udp"
            action: "accept"
            log: "disable"
            destination {
                port-number: xxx
            }
        }
        rule 7 {
            protocol: "all"
            action: "drop"
            log: "disable"
            source {
                network: 0.0.0.0/0
            }
        }
    }
}

NEW FIREWALL CONFIGURATION:

firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name inbound {
        description: "inbound firewall"
        rule 1 {
            protocol: "tcp"
            state {
                established: "enable"
                related: "enable"
            }
            action: "accept"
            log: "disable"
        }
        rule 2 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: "x.x.x.x"
            }
            destination {
                port-name ssh
            }
        }
        rule 3 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: "x.x.x.x"
            }
            destination {
                port-name ssh
            }
        }
        rule 4 {
            protocol: "icmp"
            icmp {
                type: "8"
            }
            action: "accept"
            log: "disable"
        }
        rule 5 {
            protocol: "icmp"
            icmp {
                type: "11"
            }
            action: "accept"
            log: "disable"
        }
        rule 6 {
            protocol: "udp"
            action: "accept"
            log: "disable"
            destination {
                port-number xxx
            }
        }
        rule 7 {
            protocol: "udp"
            action: "accept"
            log: "disable"
            destination {
                port-number xxx
            }
        }
        rule 8 {
            protocol: "all"
            action: "drop"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
        }
    }
}

I have applied this setting to my interface's firewall as: in and local.
When I try to enable this firewall setting, I can't ping my ISP
gateway (modem IP) either.
Please tell me what I need to change to implement it on VC3?

Thanks in Advance,

Regards,

Abhilash S