Re: FreeBSD router - large scale
On 28 May 2010 07:38, Bruce Cran br...@cran.org.uk wrote:

> This is possibly the wrong place to be saying this, but isn't OpenBSD usually recommended for routers? I believe the version of pf, for example, is normally kept more up-to-date than in FreeBSD. The major downside I know of is that it's not nearly as user-friendly; for example my recollection of its installer is that you have to input sector offsets manually in the partition editor!

Bruce - sorry for taking so long to reply, this project has been slow-moving.

Yes, you are correct, OpenBSD is typically used in this situation and, if the project were strictly for a routing component, it may indeed be a better choice. My concern was that if we decided to add any proxy capability then we would need much more RAM than OpenBSD could address (this will front at least 8k users).

I have found the OpenBSD installer to be quite friendly but that's probably because it is pretty minimal and just sort of clicks with me. As long as you're dedicating the system to *BSD, I generally prefer the OpenBSD installer for its flow but have found no particular allegiance with either their installer or sysinstall. As long as I can have a running system within four or five minutes of powering on with the install CD, I don't really care.

kmw

--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD router - large scale
On 27 May 2010 12:12, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

> The hardest job I've had an OpenBSD firewall do is actually as a mid-level firewall between a DMZ full of web servers and a back-end database layer. The thing to watch out for is running out of states in PF. It's trivial to change that in the config, and given a machine with 1GB or so RAM dedicated to running PF, you can up the number of states by a factor of a hundred or more without problem. Also if you know all your connections are from directly attached networks and very low latency, you can be a lot more aggressive about dropping old states.

Matthew - thanks for the information!

For other reasons I'm limited to about 500k states...since our typical hardware build has at least 4GB of RAM, I'm not overly concerned about RAM exhaustion when routing. As I stated in another post the potential for something like a squid cache does exist, in which case I'll take all the RAM I can get my hands on (a 16GB+ build is not out of the question at that point).

Preliminary testing has been favorable. My big concerns have mostly been related to state and packets per second. The first test environment was as follows:

    | one NIC, 4 routable addresses |
    |                               |
    -- |       FreeBSD 8 Router     | --
    |                               |
    | one NIC with aliases for      |
    |   10.10.10.254                |
    |   10.10.20.254                |
    |   10.10.30.254                |
    |   10.10.40.254                |
    |                               |
               |switch|

Attached to the switch are four workstations/laptops:

    10.10.10.1/255.255.255.0
    10.10.20.1/255.255.255.0
    10.10.30.1/255.255.255.0
    10.10.40.1/255.255.255.0

All connections are gigabit. The idea is that in a production environment, we'll have multiple /22 networks coming in so I wanted to test having multiple network aliases. There will be a pool of public addresses for the outside interface(s), possibly as large as a class C but probably 20 - 30 addresses.
By using sticky-address on a NAT rule, we can watch each RFC-1918 address get mapped to a different outside address via round-robin while enforcing that all connections from one inside host are consistently mapped to the same external address.

Generating 10k active pings on each of the workstations/laptops, we were able to get an idea of how the machine would respond with 80k active states (two per connection, one in each direction). Adding in a couple of BitTorrent and HTTP .iso downloads only supported the conclusions we were beginning to form. Currently I'm testing it with multiple BitTorrent downloads and a very lively World of Warcraft installer. While nowhere near an indication of what we could expect in production it is showing us RAM usage, processor usage and state maintenance behaviour that gives us pretty good indications that we can go ahead and test in a larger environment.

Like I said, we are otherwise limited to approximately 500k states (actually 250k connections) and only about half of that will be allotted for the population this project is targeting so testing with 100k states is actually pretty realistic at this point. We will wait, of course, to attempt a production deployment until after we have tested with a larger sample of the target population.

Thanks to everyone for their comments and suggestions, both on and off list!

kmw
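An added example for the setup kmw describes above and for Matthew's warning about running out of states; it is not code from anyone in the thread. The /bin/sh script below writes a pf.conf of the kind being tested (several inside /24s translated to a round-robin, sticky-address pool) and then reads pfctl's counters back so you are warned before the state table fills. The interface names em0/em1, the 198.51.100.0/24 pool (documentation space), the 32000 src-node limit and the 80% warning threshold are assumptions; the 500k state limit is the figure from the post.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Writes a pf.conf for the
# kind of NAT router kmw is testing (several inside /24s translated to a
# round-robin, sticky-address pool) and then reads pfctl's counters back to
# warn before the state table fills up. Assumptions: em0 is the outside
# interface, em1 the inside one, the pool is in 198.51.100.0/24
# (documentation space), 32000 src-nodes and an 80% warning threshold.
set -u

# Emit the rule set. sticky-address keeps one source-tracking entry
# (src-node) per inside host, and a connection filtered on both interfaces
# costs two states, so both limits are sized to the population rather than
# left at the defaults of 10000 each.
write_pf_conf() {  # $1 = path to write
  cat > "$1" <<'EOF'
ext_if = "em0"
int_if = "em1"
int_nets = "{ 10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24, 10.10.40.0/24 }"
nat_pool = "{ 198.51.100.10, 198.51.100.11, 198.51.100.12, 198.51.100.13 }"

# about 250k connections x 2 states; src-nodes must exceed the inside host count
set limit { states 500000, src-nodes 32000 }
# directly attached, low-latency networks: expire idle states sooner
set optimization aggressive

# one inside host always leaves through the same pool address
nat on $ext_if from $int_nets to any -> $nat_pool round-robin sticky-address

block in log all
antispoof quick for $int_if
pass in quick on $int_if from $int_nets to any keep state
pass out quick on $ext_if keep state
EOF
}

# "current entries" from `pfctl -si` output read on stdin.
pf_current_states() {
  awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Hard limit for one resource ("states", "src-nodes", ...) from `pfctl -sm`.
pf_hard_limit() {  # $1 = resource name
  awk -v k="$1" '$1 == k && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Integer percentage of the limit in use. Fails on a missing or zero limit so
# a broken pfctl call cannot be mistaken for an empty table.
pf_state_pct() {  # $1 = current, $2 = limit
  case "${2:-}" in ''|*[!0-9]*|0) return 2 ;; esac
  echo $(( ${1:-0} * 100 / $2 ))
}

# 0 while utilisation is under the threshold, 1 once it reaches it.
check_state_headroom() {  # $1 = current, $2 = limit, $3 = threshold percent
  pct=$(pf_state_pct "$1" "$2") || { echo "cannot read pf state limit" >&2; return 2; }
  if [ "$pct" -ge "$3" ]; then
    echo "WARNING: pf state table at ${pct}% ($1 of $2)"
    return 1
  fi
  echo "pf state table at ${pct}% ($1 of $2)"
}

load_rules() {
  write_pf_conf /etc/pf.conf.new
  # syntax-check first; -f replaces the rule set without dropping existing states
  pfctl -nf /etc/pf.conf.new && pfctl -f /etc/pf.conf.new
}

monitor() {
  cur=$(pfctl -si | pf_current_states)
  lim=$(pfctl -sm | pf_hard_limit states)
  check_state_headroom "$cur" "$lim" 80
}

case "${1:-}" in
  load) load_rules ;;
  monitor) monitor ;;
esac
```

Run it as root with `load` once and with `monitor` from cron; the non-zero exit of `monitor` is what your alerting should key on. The src-node limit matters as much as the state limit here: sticky-address needs one source-tracking entry per inside host for as long as that host has states, and the default of 10000 is below the fifteen thousand devices mentioned in the original post.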
FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
Hello,

Does anyone have any ideas how to block all requests using an IPFW-based router (FreeBSD 6.4) to and from a HOSTNAME (which has multiple DNS A entries) or, better, from any *.HOSTNAME.COM?

Thank you in advance
RE: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
I don't know how to do it with IPFW, but I like using null / bogus routes to blackhole bad hosts - assuming of course the host in question isn't using dynamic IPs.

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Valerian Galeru
Sent: Thursday, June 17, 2010 3:01 PM
To: freebsd-questions@freebsd.org
Subject: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)

> Does anyone have any ideas how to block all requests using an IPFW-based router (FreeBSD 6.4) to and from a HOSTNAME (which has more DNS A entries) or better, from any *.HOSTNAME.COM
Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
On Jun 17, 2010, at 1:01 PM, Valerian Galeru wrote:

> Does anyone have any ideas how to block all requests using an IPFW-based router (FreeBSD 6.4) to and from a HOSTNAME (which has more DNS A entries) or better, from any *.HOSTNAME.COM

Start by blocking all traffic, add permit rules to only pass traffic which is allowed. :-)

Judging by your question, however, it sounds more like you want to use regex based blocking of hostnames within a web proxy like Squid or Varnish than IP-level firewalls.

Regards,
--
-Chuck
Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
Valerian Galeru said the following on 2010-06-17 22:01:

> Hello, Does anyone have any ideas how to block all requests using an IPFW-based router (FreeBSD 6.4) to and from a HOSTNAME (which has more DNS A entries) or better, from any *.HOSTNAME.COM

Do a whois hostname.com taking note of their ip-address range. Then, for ipf, put this in your rules file.

    ### EXAMPLE ###
    block in quick on fxp0 from 192.168.0.0/16 to any
    block out quick on fxp0 from any to 192.168.0.0/16
Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
Ok, very simply put:

To do this without shell scripting, but this may not filter future IP addresses:

1. DIG HOSTNAMEs and add ipfw block rules for those IPs
2. DIG HOSTNAMEs and add a null rule

To block all *.hostname and future IP addresses of any of *.hostname, a shell script must be written that analyzes all requests [have no idea how to execute a shell script LIVE!!!, any idea on this topic?].

--- On Thu, 6/17/10, Bernt Hansson be...@bah.homeip.net wrote:

> From: Bernt Hansson be...@bah.homeip.net
> Subject: Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
> To: Valerian Galeru valerian...@yahoo.com
> Cc: freebsd-questions@freebsd.org
> Date: Thursday, June 17, 2010, 11:47 PM
>
> *snip!*
Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
What about an entry in your local DNS (what your hosts use) that gives a bogus IP (127.0.0.1?) for *.badhost.com? Then users can never connect to badhost.com.

I don't know too many FWs that allow you to use a URL in a rule. IIRC, CheckPoint-FW1 did/does, but they recommend against it due to overhead. As pointed out, Squid or other light weight white/blacklist thingy might be in order.

----- Original Message -----
From: owner-freebsd-questi...@freebsd.org
To: freebsd-questions@freebsd.org
Sent: Thu Jun 17 15:56:23 2010
Subject: Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)

> *snip!*
Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
The idea with the DNS server is wonderful, but the problem is that in my network the DNS server is the one on the Internet [I don't run a DNS server and all local/LAN computers are configured manually to use a public DNS server].

--- On Fri, 6/18/10, Gary Gatten ggat...@waddell.com wrote:

> From: Gary Gatten ggat...@waddell.com
> Subject: Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
> To: 'valerian...@yahoo.com' valerian...@yahoo.com, 'freebsd-questions@freebsd.org' freebsd-questions@freebsd.org
> Date: Friday, June 18, 2010, 12:08 AM
>
> *snip!*
Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
On Jun 17, 2010, at 1:56 PM, Valerian Galeru wrote:

> Ok, very simple put: To do this without shell scripting, but this could avoid filter future IP addresses:
> 1. DIG HOSTNAMEs and add ipfw block rules for those IPs
> 2. DIG HOSTNAMEs and add a null rule
> To block all *.hostname and future IP addresses of any of *.hostname, there must be written a shell script, that analyzes all requests [have no idea how to execute a shell script LIVE!!!, any idea on this topic?].

Scripting it is not that hard, but most security advisors seem to recommend against it since a smart attacker could use such a thing against you. If you know the hostname and IP, there is no reason to script it; if you don't, then you will have the script making decisions and it's possible those decisions could be leveraged to make you block the wrong thing. In spite of warnings, I did it during the bot attacks in 2006 and it really saved us. With care, it's a great solution.

I'm not sure why you would do this if you know the hostname? I am missing something there, maybe the question of how you come to know that this host should be blocked. If it's content, then here is another approach.

If you know the content that makes *.hostname be a bad actor, snort_inline is designed for that. You run it on a socket at startup and divert within ipfw any traffic you want checked. You create a snort rule to do so and drop the session if it matches. Again, your drop rules need to be well designed, so it has some of the same earmarks as the scripted solutions. It does work though if you can identify a unique signature for what *.hostname (and then *.hostname2, *.hostname3 etc) is doing that they should be blocked. It handles some pretty hefty traffic too, though I run it on a machine in front of the net that only does ipfw/bridging and snort_inline. It was pretty easy to set up too.

With this, I'm not suggesting a hostname lookup but to drop sessions from hostname based on whatever the criteria is that you use to know that it should be blocked.
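An added example covering both Valerian's request for a script that keeps ipfw rules in step with a hostname's A records and the warning above that such a script can be turned against you; it is not code from anyone in the thread. The /bin/sh script resolves the names given on its command line, keeps an ipfw lookup table in sync with them, and denies traffic in both directions to anything in the table. Table number 1, rule number 100, the 203.0.113. prefix standing in for the router's own outside addresses, and the `host -t A` and `ipfw table list` output formats it parses are assumptions. It only covers names you list: a wildcard like *.hostname.com cannot be enumerated from DNS, which is why the thread points at a DNS sinkhole or a proxy for that case.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Resolves the A records
# of the hostnames given on the command line, keeps an ipfw lookup table in
# sync with them and denies traffic to and from everything in the table.
# Assumptions: table 1 and rule 100 are free, 203.0.113. is the router's own
# outside prefix, `host -t A` prints "name has address A.B.C.D" and
# `ipfw table N list` prints "A.B.C.D/32 0". Run it from cron to track changes.
set -u
TABLE=${TABLE:-1}
RULE=${RULE:-100}
# Prefixes this script must never block, whatever DNS says (assumed value).
PROTECTED_PREFIXES=${PROTECTED_PREFIXES:-"203.0.113."}

# A DNS answer is data chosen by whoever runs (or can spoof) the zone, so it
# is treated as hostile input: only well-formed public unicast IPv4 addresses
# pass, never loopback, link-local, RFC 1918, multicast or reserved space,
# and never our own prefixes. This is the "block the wrong thing" risk.
is_blockable_ip() {
  candidate=$1
  echo "$candidate" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  saved_ifs=$IFS; IFS=.; set -- $candidate; IFS=$saved_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  case $candidate in
    0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    22[4-9].*|2[3-5][0-9].*) return 1 ;;
  esac
  for prefix in $PROTECTED_PREFIXES; do
    case $candidate in "$prefix"*) return 1 ;; esac
  done
  return 0
}

# Addresses from `host -t A` output; alias, IPv6 and "no A record" lines are skipped.
addrs_from_host_output() {
  awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Addresses from `ipfw table N list` output ("A.B.C.D/32 0" per entry).
addrs_from_table_list() {
  awk 'NF { sub(/\/32$/, "", $1); print $1 }'
}

# Lines of stdin that are not in the newline-separated list $1.
lines_not_in() {
  awk -v have="$1" '
    BEGIN { n = split(have, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1 }
    NF && !($0 in seen)'
}

# Add new entries before deleting stale ones so an address that stays on the
# list is never unblocked in between; a flush-and-reload would leave a gap.
sync_table() {  # $1 = wanted addresses, newline separated
  current=$(ipfw table "$TABLE" list 2>/dev/null | addrs_from_table_list)
  printf '%s\n' "$1" | lines_not_in "$current" | while read -r addr; do
    ipfw -q table "$TABLE" add "$addr"
  done
  printf '%s\n' "$current" | lines_not_in "$1" | while read -r addr; do
    ipfw -q table "$TABLE" delete "$addr"
  done
}

# Both directions, as asked; the rules reference the table so they are
# installed once and never need to change when the addresses do.
install_rules() {
  ipfw list 2>/dev/null | grep -q "^0*${RULE} " && return 0
  ipfw -q add "$RULE" deny ip from any to "table($TABLE)"
  ipfw -q add "$RULE" deny ip from "table($TABLE)" to any
}

main() {
  wanted=""
  for name in "$@"; do
    for addr in $(host -t A "$name" 2>/dev/null | addrs_from_host_output); do
      if is_blockable_ip "$addr"; then
        wanted="$wanted$addr
"
      else
        echo "refusing to block $addr (answer for $name)" >&2
      fi
    done
  done
  # A DNS outage must not silently unblock everything: leave the table alone.
  if [ -z "$wanted" ]; then
    echo "no usable A records; table $TABLE left unchanged" >&2
    exit 1
  fi
  sync_table "$wanted"
  install_rules
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Invoke it as `sh block-hosts.sh badhost.example www.badhost.example` from root's crontab. The two properties worth keeping if you adapt it are the input filter (the resolver's answer decides what gets blocked, so it is the attack surface) and the refusal to touch the table when resolution returns nothing, which stops a DNS failure from quietly lifting the block.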
Re: 'Serious' crypto? (was: FreeBSD router - large scale)
Hi Chuck,

Thanks for the response.

>> Or is it still worthwhile to consider hardware accelerators such as the ones guys like soekris [1] and others offer? Does anyone have an idea how much such an accelerator may help on older vs. on newer hardware?
>
> Something like a 1GHz P3 or equivalent can generally do the symmetric crypto about as fast as a decent PCI crypto card like the HiFN 795x could; bus limitations made faster CPUs better, although a newer PCIe crypto device ought to be more competitive. What matters more for some common use cases is that crypto H/W tends to do asymmetric crypto like RSA/DSA signing to negotiate a shared session key-- aka SSL session creation for SSL websites, secure email, SSH keys, etc much faster than normal CPUs could.

I guess I'll try first without and see where I hit the ceiling. Then go to plan B. I was more thinking of many IPSEC connections, but then there's also only so many slots and so many NICs in them. I'll try without and monitor that for a while and then see what happens.

>> Would multiple engines work (and help) at all? From crypto(4), I would not guess so. One consequence would be that there may be certain limitations in using a separate accelerator once the platform comes with its own accelerator device?
>
> Sure, you can set up multiple engines, although this does better if you have separate services using each, since you do want to use an SSL session cache, but you don't want to pollute one for HTTPS with sessions from IMAPS and vice versa. Also, the config interface for Apache/IIS/whatever, or Dovecot/Cyrus/Exchange, etc might not let you specify more than one SSLEngine. On the other hand, it's not very much coding to adjust things to use multiple engines even within Apache or whatever-- I can recall some custom webserver modules from CryptoSwift for NSAPI / ISAPI / ASAPI which let you use multiple CryptoSwift boxes via ethernet network or local PCI slots, for example.

Hmm... I was thinking more like round-robin the devices but I probably know too little about 'serious' crypto to see the side-effects. Anyway, I think the question is a bit academic at this time since I'll probably divide the servers anyway.

Thanks again,

All the best regards,
Peter.
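An added example for the exchange above, not code from either poster. Chuck's rule of thumb is that a crypto(4) device buys much more for RSA than for bulk symmetric work on a modern CPU, and Peter's plan is to measure before buying; this /bin/sh script does that measurement with `openssl speed`, once on the CPU and once through the cryptodev engine that exposes crypto(4) to userland, and reports the speed-up for AES-128-CBC and for 2048-bit RSA signing. The cipher and key size, the cryptodev module name and the summary-line formats it parses (OpenSSL 0.9.8-era `openssl speed`) are assumptions; the numbers it prints depend entirely on the box.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Compares `openssl speed`
# on the CPU with the same run through the cryptodev engine (crypto(4)) for
# bulk AES and for RSA signing. Assumptions: OpenSSL 0.9.8-style output,
# the cryptodev kernel module provides /dev/crypto, and an accelerator that
# does not implement modular exponentiation falls back to software for RSA.
set -u

# `openssl speed -evp <cipher>` ends with a line like
#   aes-128-cbc   41652.07k   47081.90k   48924.45k   49482.28k   49613.14k
# (thousands of bytes/s for 16, 64, 256, 1024 and 8192 byte blocks). The
# last column is the fairest to hardware, since every /dev/crypto request
# costs a syscall whatever its size.
evp_kbytes_per_s() {  # $1 = cipher name, stdin = openssl speed output
  awk -v c="$1" '$1 == c && $NF ~ /k$/ { v = $NF; sub(/k$/, "", v); print v; exit }'
}

# `openssl speed rsa2048` ends with
#   rsa 2048 bits 0.002113s 0.000061s    473.3  16393.4
# where the last two fields are sign/s and verify/s.
rsa_signs_per_s() {  # $1 = key bits, stdin = openssl speed output
  awk -v b="$1" '$1 == "rsa" && $2 == b && $3 == "bits" { print $(NF - 1); exit }'
}

# Speed-up as a decimal ratio; fails on a zero or missing baseline.
speedup() {  # $1 = accelerated figure, $2 = CPU figure
  awk -v a="${1:-0}" -v b="${2:-0}" 'BEGIN { if (b <= 0) exit 1; printf "%.2f\n", a / b }'
}

main() {
  kldload cryptodev 2>/dev/null || true      # /dev/crypto for the engine
  openssl engine cryptodev >/dev/null 2>&1 || { echo "no cryptodev engine in this openssl" >&2; exit 1; }

  sw=$(openssl speed -evp aes-128-cbc 2>/dev/null | evp_kbytes_per_s aes-128-cbc)
  hw=$(openssl speed -engine cryptodev -evp aes-128-cbc 2>/dev/null | evp_kbytes_per_s aes-128-cbc)
  echo "aes-128-cbc, 8k blocks: cpu ${sw} kB/s, crypto(4) ${hw} kB/s, x$(speedup "$hw" "$sw")"

  sw=$(openssl speed rsa2048 2>/dev/null | rsa_signs_per_s 2048)
  hw=$(openssl speed -engine cryptodev rsa2048 2>/dev/null | rsa_signs_per_s 2048)
  echo "rsa 2048 sign: cpu ${sw}/s, crypto(4) ${hw}/s, x$(speedup "$hw" "$sw")"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh crypto-bench.sh run` on the candidate hardware with and without the card fitted. Two caveats when reading the result: the AES figure through /dev/crypto understates what in-kernel users such as IPsec get, because they skip the per-request syscall, and a ratio near 1.00 for RSA usually means the engine fell back to software because the device has no modular-exponentiation support, not that the CPU is as fast as the card.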
Re: FreeBSD router - large scale
On 27.05.2010 17:00, Kevin Wilcox wrote:

> *snip!*

Actually, I'd find an answer from the FreeBSD Networking gurus useful as well. My trusted Cisco 3640 is getting old (had its ten-years-of-service birthday a little while ago), so I guess I must be prepared to replace it with something new. Preferably something that can do proper NAT port mapping to the inside servers in an RFC1918-addressed DMZ, proper NAT mapping for the client net, incoming VPDN (virtual private dialin network, such as PPTP+MPPE and L2TP+IPSEC tunnelling), sane IDS in the border-gateway, GRE or IPinIP tunnelling with crypto for remote-sites, etc.

If somebody has a good starting-point for documentation on these features, I'm more than willing to do a project on it to create a mini-howto/handbook-section on setting up FreeBSD as your border gateway, provided I have someone to ask when the documentation is ... flaky. ;)

It would be interesting to see what kind of performance modern hardware could get, compared to dedicated hardware a decade old. :)

//Svein

--
Svein Skogen, Solberg Østli 9, 2020 Skedsmokorset, Norway
System Admin, stillbilde.net (ascii ribbon campaign)
sv...@d80.iso100.no (PGP Key: 0xE5E76831)
sv...@jernhuset.no (PGP Key: 0xCE96CE13)
sv...@stillbilde.net (PGP Key: 0x58CD33B6)
svein-listm...@stillbilde.net (PGP Key: 0x22D494A4)
msn messenger: sv...@jernhuset.no
Mobile Phone: +47 907 03 575
RIPE handle: SS16503-RIPE
If you really are in a hurry, mail me at svein-mob...@stillbilde.net
This mailbox goes directly to my cellphone and is checked even when I'm not in front of my computer.
Picture Gallery: https://gallery.stillbilde.net/v/svein/
Re: FreeBSD router - large scale
On 28/05/2010 12:31, Svein Skogen (Listmail Account) wrote:

> On 27.05.2010 17:00, Kevin Wilcox wrote:
>> *snip!*
>
> *snip!*

This is possibly the wrong place to be saying this, but isn't OpenBSD usually recommended for routers? I believe the version of pf, for example, is normally kept more up-to-date than in FreeBSD. The major downside I know of is that it's not nearly as user-friendly; for example my recollection of its installer is that you have to input sector offsets manually in the partition editor!

--
Bruce Cran
Re: FreeBSD router - large scale
On 28.05.2010 13:38, Bruce Cran wrote:

> *snip!*
>
> This is possibly the wrong place to be saying this, but isn't OpenBSD usually recommended for routers? I believe the version of pf, for example, is normally kept more up-to-date than in FreeBSD. The major downside I know of is that it's not nearly as user-friendly; for example my recollection of its installer is that you have to input sector offsets manually in the partition editor!

My main reasoning for wanting this done on FreeBSD is so I don't introduce yet another OS into the equation; there is sufficient confusion as there is ;)

//Svein
Re: FreeBSD router - large scale
Svein Skogen (Listmail Account) wrote:

> Actually, I'd find an answer from the FreeBSD Networking gurus useful as well. My trusted Cisco 3640 is getting old (had its ten-years-of-service birthday a little while ago), so I guess I must be prepared to replace it with something new. Preferably something that can do proper NAT port mapping to the inside servers in an RFC1918-addressed DMZ, proper NAT mapping for the client net, incoming VPDN (virtual private dialin network, such as PPTP+MPPE and L2TP+IPSEC tunnelling), sane IDS in the border-gateway, GRE or IPinIP tunnelling with crypto for remote-sites, etc. If somebody has a good starting-point for documentation on these features, I'm more than willing to do a project on it to create a mini-howto/handbook-section on setting up FreeBSD as your border gateway, provided I have someone to ask when the documentation is ... flaky. ;)

Although I feel that you'll have to write a book to cover all the things mentioned above, I'll try to reply to your question... These are just pointers...

Several forms of NAT are supported with the following tools: ipfw, pf, ipf, ng_nat. I doubt there is some form of NAT you will miss.

The net/mpd5 port can do PPTP; the MPPE part is blurry to me. L2TP is supported for LNS/LAC scenarios. I don't know if you can/how difficult it is to combine IPSEC with L2TP.

The most famous open source IDS is snort; you'll find it in the ports.

For GRE and IPIP read the gre and gif manual pages. Again, IPSEC is not integrated with these, yet there is IKE support via the ipsec-tools port.

You'll have to check the documentation for yourself. Though I can say that all the FreeBSD stuff mentioned above is well documented as usual and there is always this list if you have questions.

Good luck replacing the aging Cisco...

Nikos
FreeBSD router - large scale
Hello everyone.

We're in the very early stages of considering [Free|Open]BSD on commodity hardware to handle NAT *and* firewall duties for (what I consider to be) a sizable deployment. Overall bandwidth is low, only a gigabit connection, but we handle approximately fifteen thousand devices. DHCP and DNS would be passed through to other servers, this hardware would only be responsible for address translation and pf.

I've done this on a very, very small scale (small/home office, small business) but I'm curious how many other folks are doing it on this scale, the hardware they are running on and any gotchas they may have faced. Does pf on FreeBSD take advantage of multiple cores/SMP? Is it preferable, as with OpenBSD, to go for a very stout processor without much consideration to cores? Would freebsd-net@ be a better place to ask this?

I'm getting ready to start digging in to memory and other resources needed based on available documentation but real-world usage is much preferred to my academic assessment.

Thanks!

kmw
Re: FreeBSD router - large scale
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 27/05/2010 16:00:12, Kevin Wilcox wrote: Hello everyone. We're in the very early stages of considering [Free|Open]BSD on commodity hardware to handle NAT *and* firewall duties for (what I consider to be) a sizable deployment. Overall bandwidth is low, only a gigabit connection, but we handle approximately fifteen thousand devices. DHCP and DNS would be passed through to other servers, this hardware would only be responsible for address translation and pf. I've done this on a very, very small scale (small/home office, small business) but I'm curious how many other folks are doing it on this scale, the hardware they are running on and any gotchas they may have faced. Does pf on FreeBSD take advantage of multiple cores/SMP? Is it preferable, as with OpenBSD, to go for a very stout processor without much consideration to cores? Would freebsd-net@ be a better place to ask this? I'm getting ready to start digging in to memory and other resources needed based on available documentation but real-world usage is much preferred to my academic assessment. I've used OpenBSD/pf + carp for several sites; also + relayd for a reasonably high traffic website, plus various setups using IPSec tunnels. All very successfully. On a reasonably fast modern processor, PF can run pretty much at GB wirespeed for straight packet forwarding or NAT. Doing serious crypto slows things up somewhat. The hardest job I've had an OpenBSD firewall do is actually as a mid-level firewall between a DMZ full of web servers and a back-end database layer. The thing to watch out for is running out of states in PF. It's trivial to change that in the config, and given a machine with 1GB or so RAM dedicated to running PF, you can up the number of states by a factor of a hundred or more without problem. Also if you know all your connections are from directly attached networks and very low latency, you can be a lot more aggressive about dropping old states. 
PF is basically single-threaded -- even on FreeBSD, multiple cores won't help you a great deal. (Unless you've got anything else running on the firewall, when several cores is really useful, of course.) On the other hand, PF is not hugely CPU intensive. Better to spend your money on the best NICs you can afford.

There are some useful enhancements in OpenBSD-4.7/pf which haven't made it into FreeBSD yet -- FreeBSD pf is basically equivalent to about OpenBSD-4.1, I think.

FreeBSD is compatible with more varieties of amd64/i386 based hardware, and it does threading and multi-CPU very much better.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
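As an added example (not from Kevin's or Matthew's posts): a small sh script that writes out a pf.conf along the lines Matthew describes for this box, with the state limit raised well above the 10000 default, state timeouts shortened for directly attached clients, and NAT for the four inside networks onto a public pool, then runs it through pfctl's parser where pfctl exists. The interface names em0/em1, the 203.0.113.32/27 public pool and the 320-byte per-state memory figure used for sizing are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate and syntax-check a pf.conf for
# the large-scale NAT box discussed above, with the state table enlarged and
# state timeouts shortened for directly attached clients. Interface names,
# the public pool and the per-state memory figure are assumptions.

EXT_IF="${EXT_IF:-em0}"                   # assumed outside interface
INT_IF="${INT_IF:-em1}"                   # assumed inside interface
EXT_POOL="${EXT_POOL:-203.0.113.32/27}"   # assumed public NAT pool
STATE_BYTES=320                           # assumed rough kernel memory per pf state

# states_for_ram_mb MB: how many states roughly fit in MB of kernel memory.
# A hundred times the old 10000 default is 1e6 states, about 320 MB at this
# estimate, which is why a 1 GB box dedicated to pf copes comfortably.
states_for_ram_mb() {
    echo $(( $1 * 1024 * 1024 / STATE_BYTES ))
}

# gen_pf_conf STATES: emit the config. Syntax is the OpenBSD 4.1-era dialect
# that FreeBSD 8's pf speaks (nat/rdr as separate rules, "keep state").
gen_pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
table <inside> const { 10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24, 10.10.40.0/24 }

# One NAT'd flow costs one state; the default limit is 10000.
set limit { states $1, src-nodes 50000, frags 20000 }

# Clients sit on a directly attached gigabit LAN, so idle flows can be expired
# much sooner than the conservative defaults. Starting points, not gospel.
set timeout { tcp.first 60, tcp.opening 20, tcp.established 3600, tcp.closing 60, tcp.finwait 30, tcp.closed 15, udp.first 30, udp.single 15, udp.multiple 30 }
set timeout interval 10

set skip on lo0
scrub in all

# round-robin spreads clients over the pool; sticky-address keeps each client
# on one public address so multi-connection protocols keep working.
nat on \$ext_if from <inside> to any -> $EXT_POOL round-robin sticky-address

block in log all
pass out quick keep state
pass in quick on \$int_if from <inside> to any keep state
pass in on \$ext_if inet proto icmp icmp-type echoreq keep state
EOF
}

# check_pf_conf STATES: run pfctl's parser over the generated file on a pf
# host; where pfctl is absent (not a FreeBSD box) the check is skipped.
check_pf_conf() {
    tmp=$(mktemp) || return 1
    gen_pf_conf "$1" > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp"
        rc=$?
    else
        echo "pfctl not found; syntax check skipped" >&2
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: size the table for 256 MB of state memory and print.
if [ "${1:-}" = "print" ]; then
    gen_pf_conf "$(states_for_ram_mb 256)"
fi
```

Run it as `sh pfgen.sh print > /etc/pf.conf.new` and load with `pfctl -nf /etc/pf.conf.new` first; `pfctl -si` afterwards shows the live state count against the limit, which is the number to watch as the 15k devices come on line.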
'Serious' crypto? (was: FreeBSD router - large scale)
Hi,

> [...] NAT. Doing serious crypto slows things up somewhat.

I've been pondering this for a while but thought that crypto engines on modern hardware would make 'extra' hardware accelerators obsolete? Or is it still worthwhile to consider hardware accelerators such as the ones guys like Soekris [1] and others offer? Does anyone have an idea how much such an accelerator may help on older vs. on newer hardware?

Would multiple engines work (and help) at all? From crypto(4), I would not guess so. One consequence would be that there may be certain limitations in using a separate accelerator once the platform comes with its own accelerator device?

Thanks,

Peter.

---
[1] http://www.soekris.com/vpn1401.htm
Re: 'Serious' crypto? (was: FreeBSD router - large scale)
On May 27, 2010, at 1:49 PM, Peter Cornelius wrote:
> Hi,
>
> > [...] NAT. Doing serious crypto slows things up somewhat.
>
> I've been pondering this for a while but thought that crypto engines on modern hardware would make 'extra' hardware accelerators obsolete?

It depends upon usage.

> Or is it still worthwhile to consider hardware accelerators such as the ones guys like Soekris [1] and others offer? Does anyone have an idea how much such an accelerator may help on older vs. on newer hardware?

Something like a 1GHz P3 or equivalent can generally do the symmetric crypto about as fast as a decent PCI crypto card like the HiFN 795x could; bus limitations made faster CPUs better, although a newer PCIe crypto device ought to be more competitive.

What matters more for some common use cases is that crypto H/W tends to do asymmetric crypto like RSA/DSA signing to negotiate a shared session key -- aka SSL session creation for SSL websites, secure email, SSH keys, etc. -- much faster than normal CPUs could.

> Would multiple engines work (and help) at all? From crypto(4), I would not guess so. One consequence would be that there may be certain limitations in using a separate accelerator once the platform comes with its own accelerator device?

Sure, you can set up multiple engines, although this does better if you have separate services using each, since you do want to use an SSL session cache, but you don't want to pollute one for HTTPS with sessions from IMAPS and vice versa. Also, the config interface for Apache/IIS/whatever, or Dovecot/Cyrus/Exchange, etc. might not let you specify more than one SSLEngine. On the other hand, it's not very much coding to adjust things to use multiple engines even within Apache or whatever -- I can recall some custom webserver modules from CryptoSwift for NSAPI / ISAPI / ASAPI which let you use multiple CryptoSwift boxes via ethernet network or local PCI slots, for example.
Regards,

-- 
-Chuck
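An added example, not part of Peter's or Chuck's posts: the quickest way to see Chuck's symmetric-versus-asymmetric split on your own hardware is `openssl speed`, once for the plain CPU and once through an engine such as cryptodev (OpenSSL's bridge to FreeBSD's crypto(4)). The script below runs those benchmarks when openssl is present and parses the two figures that matter, RSA-2048 signatures per second and AES-128-CBC bytes per second. The parsers are exercised on a constructed sample of `openssl speed` output embedded in the script; the numbers in that sample are invented, and the engine name cryptodev is an assumption about what your kernel and OpenSSL build expose.

```shell
#!/bin/sh
# Added example (not from the thread): measure, on the box in question, how
# the CPU fares at symmetric (AES) versus asymmetric (RSA signing) work, the
# split Chuck describes, and optionally repeat through an OpenSSL engine such
# as cryptodev (FreeBSD's crypto(4) bridge). The parsers are exercised on a
# constructed sample of `openssl speed` output; the figures in it are invented.

# rsa_signs_per_sec OUTPUT: the "sign/s" figure for RSA 2048. The column is
# located from the header line, since newer OpenSSL versions add columns.
rsa_signs_per_sec() {
    printf '%s\n' "$1" | awk '
        /sign\/s/ { for (i = 1; i <= NF; i++) if ($i == "sign/s") col = i + 3 }
        /^rsa +2048 bits/ && col { print $col; exit }'
}

# aes_kbytes_per_sec OUTPUT: throughput at the largest block size (last
# column, in thousands of bytes per second) for aes-128-cbc.
aes_kbytes_per_sec() {
    printf '%s\n' "$1" | awk '/^aes-128-cbc/ { sub(/k$/, "", $NF); print $NF; exit }'
}

# Constructed sample output, in the layout openssl prints (numbers invented).
SAMPLE_RSA='                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000583s 0.000017s   1715.0  57741.5'
SAMPLE_AES='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     812345.67k   901234.56k   987654.32k  1012345.67k  1023456.78k  1024567.89k'

# bench [ENGINE]: run both benchmarks (about 20 s) and print a summary line.
# Pass "cryptodev" to route through crypto(4) hardware when the kernel has it.
bench() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; nothing to benchmark" >&2
        return 0
    fi
    eng=""
    [ -n "${1:-}" ] && eng="-engine $1"
    rsa_out=$(openssl speed $eng rsa2048 2>/dev/null)
    aes_out=$(openssl speed $eng -evp aes-128-cbc 2>/dev/null)
    echo "engine=${1:-cpu} rsa2048_sign/s=$(rsa_signs_per_sec "$rsa_out") aes128_kB/s=$(aes_kbytes_per_sec "$aes_out")"
}

if [ "${1:-}" = "run" ]; then
    bench
    bench cryptodev
fi
```

`sh cryptobench.sh run` prints one line per engine; if the AES figure barely moves between the two lines but the RSA sign/s figure jumps, the accelerator is buying you exactly what Chuck says it does, session setup rather than bulk throughput, and whether that is worth a card depends on how many SSL or IPSec negotiations per second the box actually sees.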
Re: FreeBSD router and WCCP
Andrew Pantyukhin wrote:
> On Fri, Nov 16, 2007 at 12:48:52PM -0500, Steve Bertrand wrote:
> > Does anyone know of a way to configure WCCP redirect support into a FreeBSD based router without having to install squid?
>
> I've only used FreeBSD as a WCCPv1/v2 sink (receiver), but you can try sending out packets out of gre(4). That should probably work.
>
> If you're trying to redirect traffic to another machine running squid, consider avoiding WCCP, it's not a very bright protocol.

Thanks for the response. We are deploying a commercial appliance as a content filter, so I can only assume that it is running a customized version of Squid, but I don't know.

Do you have any recommendation on what I should use if WCCP is not recommended?

The filter will not be inline, and it will be an opt-in type service, so only certain traffic will need to be redirected.

Tks,

Steve
Re: FreeBSD router and WCCP
On Mon, Nov 19, 2007 at 08:58:34AM -0500, Steve Bertrand wrote:
> Andrew Pantyukhin wrote:
> > On Fri, Nov 16, 2007 at 12:48:52PM -0500, Steve Bertrand wrote:
> > > Does anyone know of a way to configure WCCP redirect support into a FreeBSD based router without having to install squid?
> >
> > I've only used FreeBSD as a WCCPv1/v2 sink (receiver), but you can try sending out packets out of gre(4). That should probably work.
> >
> > If you're trying to redirect traffic to another machine running squid, consider avoiding WCCP, it's not a very bright protocol.
>
> Thanks for the response. We are deploying a commercial appliance as a content filter, so I can only assume that it is running a customized version of Squid, but I don't know.
>
> Do you have any recommendation on what I should use if WCCP is not recommended?

ipfw forwarding is a very easy way to redirect traffic without changing it. PF has similar functionality. It all depends on what the appliance supports. If WCCP is the only way it can eat packets, try playing with gre(4). But maybe it'll consume just plain packets with wrong IP destinations arriving on its MAC address, just the way squid on FreeBSD does.

BTW, if the appliance supports ICAP, you'll be much better off running squid on a FreeBSD box and filtering content through ICAP.

> The filter will not be inline, and it will be an opt-in type service, so only certain traffic will need to be redirected.

You'll be able to use ipfw or pf to tune the policies to a very fine degree.
Re: FreeBSD router and WCCP
> ipfw forwarding is a very easy way to redirect traffic without changing it. PF has similar functionality. It all depends on what the appliance supports. If WCCP is the only way it can eat packets, try playing with gre(4). But maybe it'll consume just plain packets with wrong IP destinations arriving on its MAC address, just the way squid on FreeBSD does.
>
> BTW, if the appliance supports ICAP, you'll be much better off running squid on a FreeBSD box and filtering content through ICAP.

The appliance does indeed have ICAP capabilities, but I have never dabbled with it before. I am familiar with IPFW, but I'd like to know all options in order to choose the best one. I would very much prefer to do this in a way without having to have Squid running on the box, but will if I have to.

> > The filter will not be inline, and it will be an opt-in type service, so only certain traffic will need to be redirected.
>
> You'll be able to use ipfw or pf to tune the policies to a very fine degree.

Thanks for your help!

Steve
Re: FreeBSD router and WCCP
On Mon, Nov 19, 2007 at 10:10:43AM -0500, Steve Bertrand wrote:
> > ipfw forwarding is a very easy way to redirect traffic without changing it. PF has similar functionality. It all depends on what the appliance supports. If WCCP is the only way it can eat packets, try playing with gre(4). But maybe it'll consume just plain packets with wrong IP destinations arriving on its MAC address, just the way squid on FreeBSD does.
> >
> > BTW, if the appliance supports ICAP, you'll be much better off running squid on a FreeBSD box and filtering content through ICAP.
>
> The appliance does indeed have ICAP capabilities, but I have never dabbled with it before. I am familiar with IPFW, but I'd like to know all options in order to choose the best one. I would very much prefer to do this in a way without having to have Squid running on the box, but will if I have to.

If filtering is all you want, you don't have to set up squid as a caching proxy. I.e. it won't need much RAM and disk space. I have yet to set up ICAP (with c-icap) in our workshop, but from discussions on squid mailing lists it seems ICAP is in a pretty usable state, both in squid 2.x and 3.x.
Re: FreeBSD router and WCCP
> > I am familiar with IPFW, but I'd like to know all options in order to choose the best one. I would very much prefer to do this in a way without having to have Squid running on the box, but will if I have to.
>
> If filtering is all you want, you don't have to set up squid as a caching proxy. I.e. it won't need much RAM and disk space. I have yet to set up ICAP (with c-icap) in our workshop, but from discussions on squid mailing lists it seems ICAP is in a pretty usable state, both in squid 2.x and 3.x.

Essentially, I simply need a method to redirect layer 3/4 traffic destined for anything:80 from the router to the appliance. I've got a few options now, so I'll be testing all of them in the coming days.

Thanks for your suggestions.

Steve
Re: FreeBSD router and WCCP
On 10:47:37 Nov 19, Steve Bertrand wrote:
> Essentially, I simply need a method to redirect layer 3/4 traffic destined for anything:80 from the router to the appliance. I've got a few options now, so I'll be testing all of them in the coming days.

Including this one?

    rdr from any to any port 80 -> ${appliance}

Since you are leaving out the proto and tcp/udp fields this redirection will work as expected.

regards,
Girish
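An added example, not from Girish's or the other posts: Steve's requirement (opt-in clients only, anything:80, appliance not inline) written out both ways the thread mentions, as a pf rdr and as ipfw fwd. The script emits either ruleset; it is not code from the thread, and the em1 interface, the 192.0.2.10 appliance address and the /etc/optin-clients list file are assumptions. Beyond Girish's one-liner it narrows the match to TCP and to the opt-in table, and excludes traffic already addressed to the appliance, since otherwise the appliance's own upstream fetches through the router would be redirected straight back at it.

```shell
#!/bin/sh
# Added example (not from the thread): send port-80 traffic from opt-in
# clients only to a filtering appliance, written both ways the thread
# mentions, pf rdr and ipfw fwd. The interface, the appliance address and the
# opt-in list file are assumptions.

INT_IF="${INT_IF:-em1}"                          # assumed LAN-facing interface
APPLIANCE="${APPLIANCE:-192.0.2.10}"             # assumed filter appliance
OPTIN_FILE="${OPTIN_FILE:-/etc/optin-clients}"   # assumed: one host or CIDR per line

# gen_pf_rules: pf (OpenBSD 4.1-era syntax) rdr. Three guards matter: match
# only tcp/80, only opted-in sources, and never traffic already addressed to
# the appliance, or its own upstream fetches would be redirected back to it.
gen_pf_rules() {
    cat <<EOF
int_if = "$INT_IF"
appliance = "$APPLIANCE"
table <optin> persist file "$OPTIN_FILE"

rdr on \$int_if inet proto tcp from <optin> to ! \$appliance port 80 -> \$appliance port 80

# If the appliance sits on the same segment as the clients and answers from
# its own address, also source-NAT so replies come back through this box and
# are un-translated (pf FAQ "redirection and reflection"). Not needed when the
# appliance answers as the original server, as a transparent proxy does.
# nat on \$int_if inet proto tcp from <optin> to \$appliance port 80 -> (\$int_if)

pass in quick on \$int_if inet proto tcp from <optin> to \$appliance port 80 keep state
EOF
}

# gen_ipfw_script: the ipfw equivalent as a shell script. fwd changes only the
# next hop, not the packet, so the appliance must accept packets whose
# destination address is not its own. Needs options IPFIREWALL_FORWARD in
# the kernel. Rule numbers and the table number are arbitrary.
gen_ipfw_script() {
    cat <<EOF
#!/bin/sh
ipfw -q table 1 flush
while read -r host; do
    case "\$host" in ''|'#'*) continue ;; esac
    ipfw -q table 1 add "\$host"
done < "$OPTIN_FILE"
ipfw -q add 1000 allow tcp from "table(1)" to $APPLIANCE 80 in via $INT_IF
ipfw -q add 1010 fwd $APPLIANCE tcp from "table(1)" to any 80 in via $INT_IF
EOF
}

case "${1:-}" in
    pf)   gen_pf_rules ;;
    ipfw) gen_ipfw_script ;;
esac
```

Opting a client in or out is then a table operation (`pfctl -t optin -T add 10.0.5.23` or `ipfw table 1 add 10.0.5.23`) with no rule reload, which is what makes the opt-in model cheap to run; whichever firewall you pick, check that the appliance really does answer as the original server before leaving the nat line commented out, or the clients will see replies from an address they never connected to.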
Re: FreeBSD router and WCCP
On Fri, Nov 16, 2007 at 12:48:52PM -0500, Steve Bertrand wrote:
> Does anyone know of a way to configure WCCP redirect support into a FreeBSD based router without having to install squid?

I've only used FreeBSD as a WCCPv1/v2 sink (receiver), but you can try sending out packets out of gre(4). That should probably work.

If you're trying to redirect traffic to another machine running squid, consider avoiding WCCP, it's not a very bright protocol.
FreeBSD router and WCCP
Does anyone know of a way to configure WCCP redirect support into a FreeBSD based router without having to install squid?

Steve
ipfw vs. ipf on a freebsd router
I'm putting together a FreeBSD router to sit between my LAN and a T1. The current router (still running BSD/OS) uses BSDI's ipfw, but that died when BSDI did.

It's about as simple a routing job as one could ask: a T1 with a static address to a LAN with a static /24. I have a whole bunch of packet filtering rules on the current router to keep out nasty stuff based partly on port numbers but also a couple of hundred IP ranges from the SBL and elsewhere. I have enough IP addresses that I do not need to NAT.

What are the relative merits of FreeBSD's ipf and ipfw? It looks like either can do the filtering I need to do. Any reason to choose one over the other?

While I'm at it, should I turn on netgraph or just use the regular network stuff?

R's,
John
Re: ipfw vs. ipf on a freebsd router
John Levine wrote:
> I'm putting together a FreeBSD router to sit between my LAN and a T1. The current router (still running BSD/OS) uses BSDI's ipfw, but that died when BSDI did.
>
> It's about as simple a routing job as one could ask: a T1 with a static address to a LAN with a static /24. I have a whole bunch of packet filtering rules on the current router to keep out nasty stuff based partly on port numbers but also a couple of hundred IP ranges from the SBL and elsewhere. I have enough IP addresses that I do not need to NAT.
>
> What are the relative merits of FreeBSD's ipf and ipfw? It looks like either can do the filtering I need to do. Any reason to choose one over the other?

Take a look at PF. It was developed by OpenBSD and ported to FreeBSD.
Re: ipfw vs. ipf on a freebsd router
On 2006-10-18 15:10, John Levine [EMAIL PROTECTED] wrote:
> I'm putting together a FreeBSD router to sit between my LAN and a T1. The current router (still running BSD/OS) uses BSDI's ipfw, but that died when BSDI did.
>
> It's about as simple a routing job as one could ask: a T1 with a static address to a LAN with a static /24. I have a whole bunch of packet filtering rules on the current router to keep out nasty stuff based partly on port numbers but also a couple of hundred IP ranges from the SBL and elsewhere. I have enough IP addresses that I do not need to NAT.
>
> What are the relative merits of FreeBSD's ipf and ipfw? It looks like either can do the filtering I need to do. Any reason to choose one over the other?

For what it's worth, IPFW is also available on FreeBSD. I don't know how different the BSDi version of IPFW was, but it may be easier to use FreeBSD's IPFW -- at least at first. If reducing the pain of a transition from BSD/OS to FreeBSD is a worthy goal, I would recommend IPFW :)

> While I'm at it, should I turn on netgraph or just use the regular network stuff?

Not necessarily. Do you really need it?
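An added example, not from John's post or the replies: whichever firewall he picks, the couple of hundred SBL ranges are best kept out of the ruleset and loaded into a table, and the part that bites in practice is a bad download, a truncated file or a line that is not a CIDR, taking the whole ruleset down or quietly loading a much shorter list. The script below validates every entry, refuses a list that is malformed or has shrunk below a floor, and only then swaps it into a pf table with `pfctl -T replace`. The /etc/pf/sbl.txt path, the table name sbl and the 100-entry floor are assumptions; the matching pf rule would be `table <sbl> persist` plus `block in quick on $ext_if from <sbl>`.

```shell
#!/bin/sh
# Added example (not from the thread): validate a downloaded list of IP ranges
# (such as the SBL ranges John mentions, in CIDR form) before loading it into
# a pf table, so a truncated or malformed download cannot take the ruleset
# down or quietly shrink the blocklist. File path, table name and the size
# floor are assumptions.

BLOCKLIST="${BLOCKLIST:-/etc/pf/sbl.txt}"
TABLE="${TABLE:-sbl}"
MIN_ENTRIES="${MIN_ENTRIES:-100}"   # refuse a list that shrank suspiciously

# valid_cidr ENTRY: succeeds only for a dotted-quad IPv4 address with an
# optional /0-32 prefix; octets above 255 and leading zeros are rejected.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i ~ /^0[0-9]/ || $i + 0 > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 + 0 > 32)) exit 1
            exit 0
        }'
}

# count_valid FILE: print "VALID INVALID"; blank lines and # comments skipped.
count_valid() {
    ok=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if valid_cidr "$entry"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
    done < "$1"
    echo "$ok $bad"
}

# load_blocklist FILE: validate, then swap the table contents in one step.
# Fails (loading nothing) on any malformed entry or a list below the floor.
load_blocklist() {
    counts=$(count_valid "$1")
    ok=${counts% *}; bad=${counts#* }
    if [ "$bad" -ne 0 ]; then
        echo "refusing to load $1: $bad malformed entries" >&2
        return 1
    fi
    if [ "$ok" -lt "$MIN_ENTRIES" ]; then
        echo "refusing to load $1: only $ok entries (floor $MIN_ENTRIES)" >&2
        return 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        # -T replace swaps the whole table atomically; rules that reference
        # <$TABLE> keep matching throughout, unlike a flush followed by add.
        pfctl -t "$TABLE" -T replace -f "$1"
    else
        echo "pfctl not found; $ok entries validated, nothing loaded" >&2
    fi
}

if [ "${1:-}" = "load" ]; then
    load_blocklist "$BLOCKLIST"
fi
```

Run it from cron after the fetch (`sh sbl-load.sh load`); a non-zero exit with the reason on stderr is the signal to keep the previous table rather than an empty one. The same validation front-ends an ipfw deployment just as well, with `ipfw table 1 add` per line in place of the pfctl call.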
FreeBSD router
Dear all,

I want to know, between a Cisco Router and a compiled FreeBSD Router, which one is better? Is it possible to build a Router Appliance on FreeBSD instead of using IOS of Cisco?

Richard Ben, CIO
Re: FreeBSD router
On 8/30/06, rithy4u- CEO [EMAIL PROTECTED] wrote:
> Dear all,
>
> I want to know, between a Cisco Router and a compiled FreeBSD Router, which one is better? Is it possible to build a Router Appliance on FreeBSD instead of using IOS of Cisco?
>
> Richard Ben, CIO

I think to best answer your question one needs to know what that router needs to do and how much you want to spend on it.

-- 
Joao Barros
Re: FreeBSD router
Depends on what throughput you need, whether you are good at compiling custom kernels with the extra stuff removed, how good you are at *IOS*, whether you need a firewall with that router or just straight routing, and whether the router needs RIP, BGP etc.

Perfectly possible, but depending on your requirements/time/expertise/money it may be practical or not.

-- 
Martin
Re: FreeBSD router
The answer is yes, it can be done. Which one is better depends on which Cisco model you compare with and what hardware you are going to use to run FreeBSD with what features, as well as your knowledge of FreeBSD admin/network config. As mentioned before, you may be expected to compile a custom kernel to best handle your setup.

Consider:
- Are you building this for internal use or as a resale product?
- What is your FreeBSD/network knowledge level?
- Do you feel a little overwhelmed at the prospect of installing/configuring/supporting the router yourself?
- How much downtime is tolerable as you learn/find the solution to problems along the way?

An example: I am located in Adelaide, Australia, and there is a company here that has been around for several years mainly providing network related support. They sell their own network appliances built from FreeBSD and some custom software that features router, firewall, DMZ, VPN, proxy cache, spam filter, network monitoring, CF boot disks. (They can configure/support Cisco equipment that you may have installed and I think will sell it to you if you want it, but push their products instead of Cisco gear.) Products range depending on needs, but generally the head office may have a P4 rackmount case with a few network cards (offering load sharing across multiple ADSL connections) and a small home/branch office may get a mini-ATX 700MHz VIA chip unit with 1 or 2 network interfaces. Individual PCs (as well as handheld devices) can also connect straight to the VPN if that is sufficient for the needs. Most offices would connect with ADSL these days, with an option of a direct ISDN connection to HO as backup when ADSL is unavailable, set up as automatic failover when needed. Australia-wide support is provided from the local office, with remote offices being set up with modem dialup to allow console access by directly dialling into the appliances in case internet or VPN functionality is not working.

Those sorts of options would account for a high-priced Cisco setup that could allow a decent profit margin/cost saving between hardware cost and complete product. With simpler needs the cost difference would be a lot closer. To set up and maintain this setup would need a good knowledge base to ensure sufficient support/maintenance.

There are a few options available for pre-built FreeBSD firewall setups which could make it worthwhile for you - I would have said http://netboz.org but the site doesn't seem to be running at the moment (maybe temporary); another is http://m0n0.ch/wall/ . I have come across a few other projects over time but haven't really looked at any in great detail and can't seem to find any other bookmarks.
RE: FreeBSD router
Hello Richard,

I have been using FreeBSD since 1998 and never had to use Cisco. FreeBSD has great built-in features. I'm using FreeBSD for a hotspot login, with no external servers of any kind: it's my RADIUS, router, ipfw, internet spot login, NAT and port redirections. Also I have 2 additional servers in two different locations, each has its own business, running DNS, email services, hosting, and hundreds of other services. Since I knew FreeBSD I never had to touch any Cisco or any other creatures in general, except a hub and some cables. :)

However, I don't know if you still need a Cisco router or any other machines; maybe, as some gurus here wrote, it depends on your needs.

Best of luck, and take a look at the FreeBSD handbook on www.freebsd.org; maybe you will find the part you are looking for on routing, or what FreeBSD will do in place of Cisco.

Best of luck,
Marwan Sultan
Re: FreeBSD router
Hello Sultan:

I have been with FreeBSD about 1 year and I have configured and run many services such as NAT/Router/Firewall/IPFilter, mail server, DNS server, DHCP server, cache proxy server. But soon I will have to handle a VPN project from Cambodia to Singapore which has existing Cisco infrastructure. I think my customer will not choose FreeBSD for their VPN tunnel. But anyway, I want to know whether some Internet backbone or ISP uses FreeBSD as their Internet facilities as we do or not.

I hope we can be good friends in FreeBSD, but I just started into it around 1 year ago.

Rgds,
Richard Ben, CIO

- Original Message -
From: Marwan Sultan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Sent: Saturday, September 02, 2006 6:09 AM
Subject: RE: FreeBSD router
Re: FreeBSD router two DSL connections
Yance Kowara wrote:
> Hi all,
>
> I am trying to figure out if *BSD can achieve this: I have two DSL connections to play with, and I would like to configure a *BSD router that can combine the two DSLs together.
>
> There is a howto at http://stevenfettig.com/mythoughts/archives/000173.php
>
> But it concerns OpenBSD and it was for a T1 connection using a dual T1 card. I would like to configure one on 2 DSLs connected to two individual NICs.
>
> Is this feasible at all, or should I just invest in dual WAN hardware?

Yes, it's possible; I have done such a setup. It's actually one ADSL user PPP connection; the other connection is direct Ethernet to a small ISP that happens to be in the same building. The aim isn't anything that serves data and doesn't use anything complex such as routing protocols like the other guys are talking about. It's just using NAT via PF to its users behind the box; all they need is 24-hour Internet access and they don't have to serve anything, which I assume is your same situation.

All I have done to make use of the multiple Internet connections was: if one connection goes down they can just choose the other ISP via a simple menu I created for them which just deletes and changes the route. It just uses something like

    route flush
    route add default isp_gateway_ip

Or for the PPP link that uses the ISP1 profile

    /usr/sbin/ppp -quiet -ddial isp1

and a /etc/rc.d/pf resync afterwards.

It's just as easy to hack your own self-monitoring link changer script, but I felt it was better to leave it in the hands of the people with a menu. The core of the problem is just scripting something to change routes / connection.

Because you appear to be using two DSL and probably PPPoE links, you would need to put something like this with two profiles in your /etc/ppp/ppp.conf file:

    default:
     # set log CBCP CCP Chat Connect Command IPCP tun Phase Warning Debug LCP sync
     set device PPPoE:dc0:isp1
     set speed sync
     disable ipv6cp
     set cd 5
     set dial
     set login
     set redial 0 0
     add default HISADDR
     set timeout 0
     enable dns

    isp1:
     set authname [EMAIL PROTECTED]
     set authkey yancepassword

    isp2:
     # a second DSL on its own NIC would also override "set device" here
     set authname [EMAIL PROTECTED]
     set authkey yancepassword

and script something to run either

    /usr/sbin/ppp -quiet -ddial isp1

or

    /usr/sbin/ppp -quiet -ddial isp2

Mike
Re: FreeBSD router two DSL connections
On Wed, Dec 21, 2005 at 09:55:37AM -0800, Danial Thom wrote:
> --- Loren M. Lang [EMAIL PROTECTED] wrote:
> > On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
> > > If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also.
> > >
> > > If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.
> >
> > I strongly disagree. There are many reasons for this, two of which are increased throughput and redundancy. The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection. If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to set up. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP or some kind of static route set up by the two ISPs. For an internet cafe, most connections will probably be outgoing so it won't be a problem.
>
> That's not right at all, although in *some* cases it may be desirable. All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going. For efficiency's sake, you may argue that sending to the ISP that sent you the traffic will be a better path, but if one of your pipes is saturated and the other running at 20% then it's likely more efficient to keep your pipes filled and send to either ISP. You can achieve this with per-packet load-balancing with Ciscos, or bit-balancing with a product like ETs for FreeBSD.
>
> Unless your 2 ISPs are connected substantially differently (say if one is in Europe and one in the US), you'll do better keeping your pipes balanced, as YOU are the bottleneck, not the upstream, assuming you have quality upstream providers.

You are correct in the case of a normal router, but this is not a normal router; this is a NAT router with two different incoming pipes with two unique IP addresses. As far as each ISP is concerned, they are providing bandwidth to a single computer that is not the same as the other ISP. There is no information that connects the two together. With NAT, the network behind is hidden and normal routing can't take place. Only outgoing connections can take place, and the from address is modified to be the same as the IP address on the pipeline it is leaving from. Internet routers won't know that the other IP address is the same computer, and even if they did know, the NAT software on the router might discard the packets because the data is arriving on the wrong interface. Incoming connections work only if the router is set up to do port forwarding. The problem here with sharing the bandwidth is that each pipeline has its own address and there is no way to specify an address of a computer behind the router because each ISP has only allocated one address to their customer and there are no entries in the routing tables for computers behind them. Bandwidth sharing is possible with a NAT router, but not connection sharing.

> Danial
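An added example, not Mike's menu script and not anything posted in the Loren/Danial/Ted exchange: a failover script built from Mike's recipe (change the default route, resync pf) with the link test and the decision kept separate, plus the pf rules that address the point Loren makes, that a NAT box with two upstreams must answer a connection on the link it arrived on or the reply leaves with the wrong source address via the default route. The tun0/fxp1 interfaces, the gateway addresses, the LAN prefix and the state file path are assumptions. DRY_RUN=1 (the default here) prints the privileged route and pf commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): a link-monitoring failover script for a
# NAT box with two upstreams, built from Mike's recipe (swap the default
# route, resync pf) plus pf rules for the point Loren makes: a connection that
# arrives on one link must be answered out that same link. Interface names,
# gateways and the LAN prefix are assumptions.

WAN1_IF="${WAN1_IF:-tun0}"; WAN1_GW="${WAN1_GW:-198.51.100.1}"   # assumed PPPoE DSL
WAN2_IF="${WAN2_IF:-fxp1}"; WAN2_GW="${WAN2_GW:-203.0.113.1}"    # assumed Ethernet ISP
LAN="${LAN:-192.168.1.0/24}"
STATE_FILE="${STATE_FILE:-/var/run/wan-active}"
DRY_RUN="${DRY_RUN:-1}"      # 1 = print privileged commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# link_up GW: the link counts as up if its own gateway answers. The gateway is
# directly attached, so no route juggling is needed to probe it. On FreeBSD
# ping -t is the overall timeout in seconds.
link_up() {
    ping -c 2 -t 3 "$1" >/dev/null 2>&1
}

# choose_link WAN1_UP WAN2_UP CURRENT: the decision, kept free of side effects
# so it can be tested. Prefer wan1; use wan2 only while wan1 is down; if both
# look down keep the current choice rather than thrash the routing table.
choose_link() {
    if [ "$1" = 1 ]; then echo wan1
    elif [ "$2" = 1 ]; then echo wan2
    else echo "${3:-wan1}"
    fi
}

# activate LINK: repoint the default route and resync pf so NAT follows the
# interface now carrying outbound traffic (Mike's menu, automated).
activate() {
    case "$1" in
        wan1) gw="$WAN1_GW" ;;
        wan2) gw="$WAN2_GW" ;;
        *) return 1 ;;
    esac
    run route -q delete default
    run route -q add default "$gw"
    run /etc/rc.d/pf resync
    echo "$1" > "$STATE_FILE"
}

# monitor_once: one pass, suitable for cron every minute; prints the active link.
monitor_once() {
    u1=0; u2=0
    link_up "$WAN1_GW" && u1=1
    link_up "$WAN2_GW" && u2=1
    current=$(cat "$STATE_FILE" 2>/dev/null || true)
    want=$(choose_link "$u1" "$u2" "$current")
    [ "$want" = "$current" ] || activate "$want"
    echo "$want"
}

# gen_pf_multiwan: pf rules that keep NAT correct on both links at once.
# Outbound flows follow whichever link is the default route. Inbound
# connections on either link are answered out that link with reply-to, and
# locally sourced traffic that lands on the other interface is steered back
# with route-to; without these, replies leave via the default route carrying
# the other link's source address and the upstream drops or misroutes them.
gen_pf_multiwan() {
    cat <<EOF
wan1_if = "$WAN1_IF"
wan2_if = "$WAN2_IF"
wan1_gw = "$WAN1_GW"
wan2_gw = "$WAN2_GW"
lan = "$LAN"

nat on \$wan1_if from \$lan to any -> (\$wan1_if)
nat on \$wan2_if from \$lan to any -> (\$wan2_if)

pass in on \$wan1_if reply-to (\$wan1_if \$wan1_gw) inet proto tcp to (\$wan1_if) port ssh keep state
pass in on \$wan2_if reply-to (\$wan2_if \$wan2_gw) inet proto tcp to (\$wan2_if) port ssh keep state

pass out on \$wan1_if route-to (\$wan2_if \$wan2_gw) from (\$wan2_if) keep state
pass out on \$wan2_if route-to (\$wan1_if \$wan1_gw) from (\$wan1_if) keep state
EOF
}

case "${1:-}" in
    monitor) monitor_once ;;
    pf)      gen_pf_multiwan ;;
esac
```

`sh wan-failover.sh monitor` from cron gives Mike's menu without the human; `sh wan-failover.sh pf` prints the rules to merge into pf.conf. Note what this does and does not do: outbound flows are not split across both links (that needs route-to on the inbound LAN rule with a round-robin pool, and then the per-flow, not per-packet, stickiness that pf states give you), but every reply, inbound or outbound, goes back out the link it belongs to, which is the part that breaks first when two NAT'd upstreams are simply given one default route.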
Re: FreeBSD router two DSL connections
On Fri, Dec 23, 2005 at 03:46:50PM -0800, Danial Thom wrote: Ted the incompetent, wrong on all counts once again: --- Ted Mittelstaedt [EMAIL PROTECTED] wrote: -Original Message- From: Danial Thom [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 21, 2005 9:56 AM To: Loren M. Lang; Ted Mittelstaedt Cc: Yance Kowara; freebsd-questions@freebsd.org Subject: Re: FreeBSD router two DSL connections All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network. They both can forward your traffic to wherever its going. They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISP's run by idiots that don't know any better might still permit this, their feeds certainly will not. Yes they will. Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider? You are beyond clueless, Ted. Why do you keep opening your mouth? You understand the issues little yourself. I'd recommend getting a good book on NAT and IP routing. With a normal router and either static routes or a good routing protocol setup, this would work fine, but with NAT in the mix, it's much more difficult. The problem is that neither ISP knows about the network behind the NAT router, that's the basic reason for NAT in the first place. There are no official addresses allocated for the computers behind so there can be no routes to the computer behind. NAT causes the entire network behind the router to look like it came from the router itself. And since the router has a different address for each ISP, it looks like two independent computers on the internet. 
For efficiency's sake, you may argue that sending to the ISP that sent you the traffic will be a better path, but if one of your pipes is saturated and the other running at 20%

Let's see now, these are full duplex 'pipes', can we have some direction this saturation is taking place in? I mean, since you are at least trying to make a senseless explanation sound right, you might as well try a bit harder.

It's not senseless, you just don't understand how the internet works, apparently. I do this for a living, and you just yap. You could use a good book too.

If you were able to send back the data on the pipe it arrived on then you would have uneven use of the pipes. So one could be saturated, the other highly unused. Balancing the outgoing data would reduce the latency that occurs when a pipe is saturated.

It's hard to explain calculus to someone who can't add or subtract, Ted, so you should figure out how routing works before you try something this complicated.

then it's likely more efficient to keep your pipes filled and send to either ISP. You can achieve this with per-packet load-balancing with ciscos,

per packet load balancing is for parallel links between 2 endpoints. Not three, as in you, your first ISP, and your second ISP.

Wrong again, Ted. Usually that's how it is used to gain extra throughput, but that's not the only thing that it can be used for. Since the internet is connectionless (back to school for you Ted), per packet balancing can utilize 2 outgoing pipes to different ISPs as well. Obviously since failover on dual-homed network works, you can send your packets to any ISP you want. Routers route based on destination address, as anyone who knows how routers work knows. You can even use per packet load balancing on 2 lines to the same ISP when the other end doesn't support it; using 2 pipes in one direction and only one in the other. You can be innovative when you actually understand how things work, Ted.
Surprising you would drag up a Ciscoism as you're such a big fan of BSD-based routers.

or bit-balancing with a product like ETs for FreeBSD. Unless your 2 ISPs are connected substantially differently (say if one is in Europe and one in the US), you'll do better keeping your pipes balanced, as YOU are the bottleneck, not the upstream, assuming you have quality upstream providers.

Sometimes you run into someone who is so ignorant of the subject of which he is trying to speak - routing in this case - that you can't even argue with the person. Kind of like trying to explain the concept of the fossil record to a creationist. This is one of these times.

Yes Ted. People run into you, the ultimate ignoramus. I have 3000 ISP customers. This is not just theory; it's being done. You are wrong about every single thing you
RE: FreeBSD router two DSL connections
-Original Message-
From: Loren M. Lang [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 31, 2005 6:31 PM
To: Danial Thom
Cc: Loren M. Lang; Ted Mittelstaedt; Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

On Wed, Dec 21, 2005 at 09:55:37AM -0800, Danial Thom wrote:

--- Loren M. Lang [EMAIL PROTECTED] wrote:

On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:

If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also. If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.

I strongly disagree. There are many reasons for this. Two of which are increased throughput and redundancy. The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection. If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to set up. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP or some kind of static route setup by the two ISPs. For an internet cafe, most connections will probably be outgoing so it won't be a problem.

That's not right at all, although in *some* cases it may be desirable. All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.
For efficiency's sake, you may argue that sending to the ISP that sent you the traffic will be a better path, but if one of your pipes is saturated and the other running at 20% then it's likely more efficient to keep your pipes filled and send to either ISP. You can achieve this with per-packet load-balancing with ciscos, or bit-balancing with a product like ETs for FreeBSD. Unless your 2 ISPs are connected substantially differently (say if one is in Europe and one in the US), you'll do better keeping your pipes balanced, as YOU are the bottleneck, not the upstream, assuming you have quality upstream providers.

You are correct in the case of a normal router, but this is not a normal router, this is a NAT router with two different incoming pipes with two unique IP addresses. As far as each ISP is concerned, they are providing bandwidth to a single computer that is not the same as the other ISP. There is no information that connects the two together. With NAT, the network behind is hidden and normal routing can't take place. Only outgoing connections can take place, and the from address is modified to be the same as the IP address on the pipeline it is leaving from.

On a NORMAL NAT device this is correct, what Danial was recommending is a modified NAT that basically favors one of the 2 outside addresses that it has, as the source address for all connections, and sends traffic sourced with this address out both pipes, depending on what pipe might be available at the time. He was arguing more on a theoretical level, I personally don't know of any NAT devices that can do that, but perhaps there are some. Certainly, something like that could be written if it doesn't exist.

Internet routers won't know that the other IP address is the same computer

it doesn't matter if they know or not.

and even if they did know, the NAT software on the router might discard the packets because the data is arriving on the wrong interface.
Yes, that is one of the things the NAT would have to keep track of. It could certainly be done. I maintain that the upstream ISPs would not allow something like this to work, due to antispoof filters. Danial maintained that upstream ISPs don't run antispoof filters, and thus it would work.

Incoming connections work only if the router is set up to do port forwarding. The problem here with sharing the bandwidth is that each pipeline has its own address and there is no way to specify an address of a computer behind the router because each ISP has only allocated one address to their customer and there are no entries in the routing tables for computers behind them.

None of that is applicable to the scenario that Danial described.

Bandwidth sharing is possible with a NAT router, but not connection sharing.

If you're going to restrict each connection to the max bandwidth of the fastest pipe, you are really not bandwidth sharing. The general public is going to expect that anything labeled a bandwidth sharer that is designed to work with multiple
RE: FreeBSD router two DSL connections
Does it meet the test I already outlined? Download the FreeBSD iso then upload it to a remote server, with both lines connected. Time it. Disconnect 1 line, then repeat the test. If the time to download and upload when both DSL lines are connected is half the time it takes when 1 DSL line is connected, then you're load-balancing. If not, then you are not - although if it makes you feel like you haven't wasted your money claim your per session load balancing then I suppose it would be uncharitable to make you feel bad by pointing out that this is purely a marketing term with no networking significance. Oops.

Ted

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Winelfred G. Pasamba
Sent: Monday, December 26, 2005 8:27 PM
To: [EMAIL PROTECTED]
Cc: Loren M. Lang; Yance Kowara; Ted Mittelstaedt; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

ted, danial, and the rest, i'm learning a lot in this thread. i have a pfsense (freebsd) router that has two connections to the same ISP and one connection to a linux squid (another server). i use the ported openbsd packet filter in freebsd for (whatever) load balancing. i can paste the freebsd-/etc/pf.conf and give you a sample of 'pfctl -s state' which looks like a firewall state table (i'm not sure though). i can also capture traffic graphs on all three interfaces of the pfsense router. just want to know what's happening in the (freebsd) pfsense router. is it route balancing, packet round-robin'ing, connection-round-robining, or what? one thing is that both these isp lines don't have any CIR. one is up to 128kbps and the other is up to 256 kbps. and i don't know which is which, hehe.
here are the graphs and dump: http://geocities.com/winelfredpasamba/is_this_load_balancing_or_what/

On 12/26/05, Danial Thom [EMAIL PROTECTED] wrote:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 23, 2005 3:47 PM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

Ted the incompetent, wrong on all counts once again:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 21, 2005 9:56 AM
To: Loren M. Lang; Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.

They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.

Yes they will.

I assure you they will not.

Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider?

ISPs that are dual-homed have to register their subnets with both providers. For example, suppose I'm a small ISP and I go get a Sprint connection and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0. These are Sprint-owned IP addresses of course. As I source traffic from 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass Sprint's ingress filter to me.
Now I get a bit bigger and decide I need a redundant connection. So I contact ARIN and buy an AS number, then contact ATT and get a connection to them, then set up BGP between myself and ATT Sprint. When ATT and I are setting up BGP, ATT's techs will ask me what subnets I'm advertising, I tell them 192.168.1.0 - 192.168.10.0. ATT then checks with ARIN's whois server to make sure Sprint has entered a record for that list of subnets that says I'm authorized to use them. If all that checks out OK then ATT adjusts their ingress filters so I can source traffic to them from those subnets. Now I get even bigger and need more IPs than what Sprint will provide, so I go to ARIN and buy them. Then all my feeds have to adjust their ingress filters to the new subnet. Now I get even bigger and I start trying to set up peering relationships with other networks, so I don't have to pay them directly. Well now guess what, those networks are now monitoring
RE: FreeBSD router two DSL connections
--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:50 AM
To: Ted Mittelstaedt; Winelfred G. Pasamba
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

As stated, even by Ted, you have to register ALL of your addresses with ALL of your ISPs, so you can send your packets to ANYONE you want, even if they are filtering.

No, what I said is that any ISP that is an end-node AS and gets a feed from a network must tell that network what IP blocks they are using to send traffic from.

You're a very sick person, Ted. If you use BGP, both of your providers have to know about all of your address blocks. So if they know about your address blocks, then you can load balance instead of using BGP. It's the same damn thing, you incompetent blob :) There's little point in being multi-homed if you can't send all of your traffic up EITHER pipe. If you couldn't, you'd be out of business if one of your pipes was down, which simply isn't the case. I really don't know what's wrong with you, except that you seem obsessed with being on the opposite side of whatever argument I'm on. You're making a goddamned fool of yourself.

DT

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: FreeBSD router two DSL connections
--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

Does it meet the test I already outlined? Download the FreeBSD iso then upload it to a remote server, with both lines connected. Time it. Disconnect 1 line, then repeat the test. If the time to download and upload when both DSL lines are connected is half the time it takes when 1 DSL line is connected, then you're load-balancing. If not, then you are not - although if it makes you feel like you haven't wasted your money claim your per session load balancing then I suppose it would be uncharitable to make you feel bad by pointing out that this is purely a marketing term with no networking significance. Oops.

Ted

Ted seems incapable of grasping how things work, so I don't recommend wasting your time on anything he says. As I stated, you cannot control how traffic comes into your network, so Ted's little download test is sure not to work. Traffic is routed to whichever ISP has the best route. You can only control how traffic goes OUT of your network. So load-balancing can only increase your upload speeds, not your download speeds. If you are hosting this is useful. If you have mostly download traffic, then it's probably not worth it. I don't know if Ted is trying to boondoggle you into thinking his view is correct, or he just doesn't understand it. I suspect it's a bit of both. You should really try the freebsd-isp list, as there are at least some people on there that have a clue. Although even Ted's resume looks good on paper, so you really can't tell. Incompetence is widespread.

DT
RE: FreeBSD router two DSL connections
--- Danial Thom [EMAIL PROTECTED] wrote:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

Does it meet the test I already outlined? Download the FreeBSD iso then upload it to a remote server, with both lines connected. Time it. Disconnect 1 line, then repeat the test. If the time to download and upload when both DSL lines are connected is half the time it takes when 1 DSL line is connected, then you're load-balancing. If not, then you are not - although if it makes you feel like you haven't wasted your money claim your per session load balancing then I suppose it would be uncharitable to make you feel bad by pointing out that this is purely a marketing term with no networking significance. Oops.

Ted

Ted seems incapable of grasping how things work, so I don't recommend wasting your time on anything he says. As I stated, you cannot control how traffic comes into your network, so Ted's little download test is sure not to work. Traffic is routed to whichever ISP has the best route. You can only control how traffic goes OUT of your network. So load-balancing can only increase your upload speeds, not your download speeds. If you are hosting this is useful. If you have mostly download traffic, then it's probably not worth it. I don't know if Ted is trying to boondoggle you into thinking his view is correct, or he just doesn't understand it. I suspect it's a bit of both. You should really try the freebsd-isp list, as there are at least some people on there that have a clue. Although even Ted's resume looks good on paper, so you really can't tell. Incompetence is widespread.

DT

To soothe the nerves of the OP, the truth about this is that it might work and it might not. Ted's assertion that all ISPs do ingress address filtering is simply wrong. Not even close. My assumption that none do isn't right either. IF when one of your lines goes down you are still online then you can load-balance outbound.
IF you are multi-homed or have a working backup scenario, then you can load balance outbound.

There is much discussion on the trade-offs of ingress address filtering, and many believe it's the old cut off your nose to spite your face. It reduces the cpu power of your router by causing it to test every packet coming in, it makes multi-homing not work, and it makes changing addresses on a large network extremely more difficult, in order to thwart an unlikely event. I recommend that my customers isolate co-location customers so when worms hit they can find the problem easier. Few do because it's easier to have everyone on the same wire. My cable company, for example, changes their networking scheme every few months, and if they had to change ingress filters on 100s of routers manually it would be ridiculously difficult to do. So they don't address filter.

Ted is somehow in denial that 100s of people load balance to different destinations. Since he doesn't know the terms (such as round-robin, etc) you can be sure he's never done any of it.

The simple truth is that you have to try things. You never know what your upstream is doing. DSL is a strange animal that requires muxes in often very complicated meshes. If you can move your default router to your other router then you are likely not filtered. There are many issues more important than address-spoofing, such as stability and performance. I have customers that are so disorganized that they can't isolate any known address group to any specific router, and others that require that you register your MAC address with them or nothing will work at all. You can't postulate what your situation is. You have to do testing and figure out what you can and can't do. The more you know about how things REALLY work, the more innovative you can be in your implementation.

DT
RE: FreeBSD router two DSL connections
Quoting Danial Thom [EMAIL PROTECTED]:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:50 AM
To: Ted Mittelstaedt; Winelfred G. Pasamba
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

As stated, even by Ted, you have to register ALL of your addresses with ALL of your ISPs, so you can send your packets to ANYONE you want, even if they are filtering.

No, what I said is that any ISP that is an end-node AS and gets a feed from a network must tell that network what IP blocks they are using to send traffic from.

You're a very sick person, Ted. If you use BGP, both of your providers have to know about all of your address blocks.

My VERY FIRST response to the original poster was that their scheme would not work UNLESS they were running BGP.

So if they know about your address blocks, then you can load balance instead of using BGP. It's the same damn thing, you incompetent blob :) There's little point in being multi-homed if you can't send all of your traffic up EITHER pipe. If you couldn't, you'd be out of business if one of your pipes was down, which simply isn't the case. I really don't know what's wrong with you, except that you seem obsessed with being on the opposite side of whatever argument I'm on. You're making a goddamned fool of yourself.

I think you are arguing with a series of straw men. Perhaps you might try READING THE RESPONSES for a change?

Ted
RE: FreeBSD router two DSL connections
Quoting Danial Thom [EMAIL PROTECTED]:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

Does it meet the test I already outlined? Download the FreeBSD iso then upload it to a remote server, with both lines connected. Time it. Disconnect 1 line, then repeat the test. If the time to download and upload when both DSL lines are connected is half the time it takes when 1 DSL line is connected, then you're load-balancing. If not, then you are not - although if it makes you feel like you haven't wasted your money claim your per session load balancing then I suppose it would be uncharitable to make you feel bad by pointing out that this is purely a marketing term with no networking significance. Oops.

Ted

Ted seems incapable of grasping how things work, so I don't recommend wasting your time on anything he says. As I stated, you cannot control how traffic comes into your network, so Ted's little download test is sure not to work.

Danial, once again you're having trouble reading. That little test was for BOTH a download AND an upload test. So, are you sure that the upload component of my little test WILL work? Perhaps we might have the poster I responded to actually RUN the test and report the results?

Traffic is routed to whichever ISP has the best route. You can only control how traffic goes OUT of your network. So load-balancing can only increase your upload speeds, not your download speeds. If you are hosting this is useful. If you have mostly download traffic, then it's probably not worth it.

Once again Danial you flee to arguing from theory and not reality. Until the second poster tries the test I proposed and reports the results, you are really wasting time. As I said before, try the test. If your download speed is doubled with both DSL lines turned on, you're load balancing. If your upload speed is doubled with both DSL lines turned on then you're load balancing.
If your download speed is NOT doubled YET your upload speed IS doubled with both DSL lines connected, then you are also load balancing - after a fashion - although the reason this works is that one of the ISPs is not properly ingress filtering. (assuming the DSL lines are connected to different ISPs, presumably if they are connected to the same ISP you would have already got multilink PPP or some other kind of real load balancing setup with that ISP) And if that is the case, then the ISP that isn't ingress filtering has a network full of spoofed traffic from DDoS trojans and such, and it is unlikely you would find their bandwidth that usable in the first place. Additionally, since you're making use of the failure of one of the ISPs to properly ingress filter, this sort of 'load balance' could disappear without warning. It is not something you would depend on for production use and few ISPs are like this anymore.

In any case, I think chances that the second poster would observe doubled upload speed with both lines connected, on the file test I illustrated, are virtually zero.

Ted
RE: FreeBSD router two DSL connections
Quoting Danial Thom [EMAIL PROTECTED]:

--- Danial Thom [EMAIL PROTECTED] wrote:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

Does it meet the test I already outlined? Download the FreeBSD iso then upload it to a remote server, with both lines connected. Time it. Disconnect 1 line, then repeat the test. If the time to download and upload when both DSL lines are connected is half the time it takes when 1 DSL line is connected, then you're load-balancing. If not, then you are not - although if it makes you feel like you haven't wasted your money claim your per session load balancing then I suppose it would be uncharitable to make you feel bad by pointing out that this is purely a marketing term with no networking significance. Oops.

Ted

Ted seems incapable of grasping how things work, so I don't recommend wasting your time on anything he says. As I stated, you cannot control how traffic comes into your network, so Ted's little download test is sure not to work. Traffic is routed to whichever ISP has the best route. You can only control how traffic goes OUT of your network. So load-balancing can only increase your upload speeds, not your download speeds. If you are hosting this is useful. If you have mostly download traffic, then it's probably not worth it. I don't know if Ted is trying to boondoggle you into thinking his view is correct, or he just doesn't understand it. I suspect it's a bit of both. You should really try the freebsd-isp list, as there are at least some people on there that have a clue. Although even Ted's resume looks good on paper, so you really can't tell. Incompetence is widespread.

DT

To soothe the nerves of the OP, the truth about this is that it might work and it might not. Ted's assertion that all ISPs do ingress address filtering is simply wrong.
I will concede this because of all the ISPs in the world, chances are that there is at least 1 that is run so incompetently, connected to a backbone network that is also unbelievably incompetent, that they are not filtering.

Not even close. My assumption that none do isn't right either.

Finally you are admitting that antispoofing filtering is a reality. I am glad to see that. However, you are wrong when you IMPLY that antispoofing access lists are not widespread. Anti spoof lists have a long history. Why even as far back as 1997 Cisco was unofficially offering to assist ISPs to put them in, this was in response to land.c, see here:

http://www.apnic.net/mailing-lists/apnic-talk/archive/1997/11/msg2.html

Then in 2000, the IETF decided to codify the requirements for this in the following RFCs:

ftp://ftp.ietf.org/rfc/rfc2827.txt
ftp://ftp.ietf.org/rfc/rfc3013.txt

We also saw then a pledge from the 9 founders of the Internet Security Alliance (http://www.isalliance.org/) to institute antispoofing on their networks, that article is here:

http://news.zdnet.com/2100-9595_22-518743.html

We also saw calls for this from SANS:

http://www.sans.org/dosstep/index.php

and that gadfly, Steve Gibson:

http://grc.com/dos/grcdos.htm

This was 5 years ago. Today, the practice is firmly established, Cisco provides instructions for it:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

and the US Department of Homeland Security has recommended it:

http://www.dhs.gov/interweb/assetlibrary/NIAC_HardeningInternetPaper_Jan05.pdf

and yes, these are the same people that have installed the black boxes that the NSA has used to electronically eavesdrop on the Internet without a search warrant, as was just reported a week or so ago in the NYT, and caused Congress to kill the extension of the Patriot Act. So don't think that those large networks aren't listening to the Feds - by contrast they are actively helping the Feds to spy on us!!!
To assert as Danial is doing that they aren't following the Feds when the Feds tell them to anti-spoof is absurd.

IF when one of your lines goes down you are still online then you can load-balance outbound. IF you are multi-homed or have a working backup scenario, then you can load balance outbound.

I am afraid though that none of that is useful to the OP who wanted to know if he could shoestring load balance to 2 different ISPs for an Internet Cafe. Unless I am quite mistaken, Internet Cafes are mainly inbound bandwidth consumers.

There is much discussion on the trade-offs of ingress address filtering, and many believe it's the old cut off your nose to spite your face.

There WAS much discussion about 5 years ago when the Land worm hit, as I recall. There is very little today. Anyone authoritative strongly recommends it, and I know that some networks are even now requiring ISP customers to do it. MANY ISPs (such as the one I work for) automatically
RE: FreeBSD router two DSL connections
-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 23, 2005 3:47 PM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

Ted the incompetent, wrong on all counts once again:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 21, 2005 9:56 AM
To: Loren M. Lang; Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.

They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.

Yes they will.

I assure you they will not.

Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider?

ISPs that are dual-homed have to register their subnets with both providers. For example, suppose I'm a small ISP and I go get a Sprint connection and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0. These are Sprint-owned IP addresses of course. As I source traffic from 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass Sprint's ingress filter to me. Now I get a bit bigger and decide I need a redundant connection. So I contact ARIN and buy an AS number, then contact ATT and get a connection to them, then set up BGP between myself and ATT Sprint.
When ATT and I are setting up BGP, ATT's techs will ask me what subnets I'm advertising, I tell them 192.168.1.0 - 192.168.10.0. ATT then checks with ARIN's whois server to make sure Sprint has entered a record for that list of subnets that says I'm authorized to use them. If all that checks out OK then ATT adjusts their ingress filters so I can source traffic to them from those subnets. Now I get even bigger and need more IPs than what Sprint will provide, so I go to ARIN and buy them. Then all my feeds have to adjust their ingress filters to the new subnet. Now I get even bigger and I start trying to set up peering relationships with other networks, so I don't have to pay them directly. Well now guess what, those networks are now monitoring the traffic volume I'm sending them, because they don't want me to use and abuse them and give them little peering in return. So I now have an enormous financial incentive to make sure that any traffic coming from any of my end users is in fact valid traffic, so you better believe I'm going to enforce that with ingress filters to my downstream customers.

Anyway, this is all academic because the wrongly-sourced packet won't even get into my network to be forwarded and blocked by ATT or Sprint, or my peer routers, in the first place. Why? Because every wrongly-sourced packet I allow a customer to send to me, can potentially displace a correct packet from a customer, making their traffic slower and setting up potential for complaints.

The ONLY Internet routers that don't ingress filter today are transit routers run by transit ASs, and no network that is worth anything allows direct connections to those routers to their end-user customers. There is just too much potential for abuse, and even more potential for being blackholed as a rogue network by the rest of the Internet. Everybody today that knows anything about what they are doing, applies ingress filters, or they require their downstreams to ingress filter.
In fact I'd say this is one of the reasons Cisco was disloged as the core router vendor by Juniper, because of the need for enough CPU in routers closer and closer to the core to be able to run access lists. Chances today that a cable line or a DSL line going to an end user could get a packet with a non-network source very far in to the Internet are zilch. One of the largest sources of bogus source IP numbers in fact are those cheap-as-shit DSL/Cable routers, as some of those models will ARP both their legal WAN IP address, and the LAN IP addresses, on their WAN port. All of the ActionTec routers do this in bridged mode, for example, and Qwest has thousands of them deployed. And the second largest source are infected PC's that have DDoS trojans on them, which some mothership has programmed to try to DDoS some poor bugger, with bougs sources. You are beyond clueless, Ted. Why do you keep opening your mouth
RE: FreeBSD router two DSL connections
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Yance Kowara
Sent: Saturday, December 24, 2005 6:09 AM
To: freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

Ted, you have to think outside the box. Life is more than one connection. While you can't increase the throughput of a single connection, you can increase the throughput of your network, which is usually the point. Throughput in this context is capacity. Throughput is not only what you can get on a download; it's the sum total of all of your activities. You can upload at 2Mb/s on one connection if you balance your outbound traffic, but not download, because while you can control where outgoing packets are sent, you can't control over which pipe incoming traffic arrives. Believe me, Ted. It works. It's not theory. It's being done. For example a hosting ISP saturates its pipes outgoing and has very little traffic incoming. They can load balance in the outgoing-only direction and have all of their incoming traffic on a single pipe and double the capacity of their network. Since they never exceed the incoming bandwidth of a single pipe there is no need to balance it.

DT

Ted and Daniel, I am still following this thread and am getting all confused here. Back to my original question: 2 ADSL uplinks - 2 different ISPs, can they be merged? (Load balanced, load shared, whatever it is)

No, as I already said, they can not.

OpenBSD's PF has something that looks promising: http://www.openbsd.org/faq/pf/pools.html#outgoing Is this what I am looking for?

Yance, I said no once, I'll say no again, you still don't believe me, please go set the thing up and see for yourself. As I said, set it up, plug one DSL line in, download the FreeBSD ISO, time it, plug the second DSL line in, download the FreeBSD ISO again, and measure the time it takes; there will be no difference.

Then when you're finished doing that, repeat the test but this time try uploading the ISO file to some remote server, with one line connected, then with both lines connected, and once again you will see no difference.

By that definition, no, they are not merged/load balanced/load shared. If you have something else in mind than load balancing, then maybe the software will do something that you want. But it will not load balance 2 lines to different ISPs.

Ted

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: FreeBSD router two DSL connections
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Danial Thom
Sent: Saturday, December 24, 2005 7:48 AM
To: [EMAIL PROTECTED]; Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

--- Danial Thom [EMAIL PROTECTED] wrote:

--- Yance Kowara [EMAIL PROTECTED] wrote:

Ted, you have to think outside the box. Life is more than one connection. While you can't increase the throughput of a single connection, you can increase the throughput of your network, which is usually the point. Throughput in this context is capacity. Throughput is not only what you can get on a download; it's the sum total of all of your activities. You can upload at 2Mb/s on one connection if you balance your outbound traffic, but not download, because while you can control where outgoing packets are sent, you can't control over which pipe incoming traffic arrives. Believe me, Ted. It works. It's not theory. It's being done. For example a hosting ISP saturates its pipes outgoing and has very little traffic incoming. They can load balance in the outgoing-only direction and have all of their incoming traffic on a single pipe and double the capacity of their network. Since they never exceed the incoming bandwidth of a single pipe there is no need to balance it.

DT

Ted and Daniel, I am still following this thread and am getting all confused here. Back to my original question: 2 ADSL uplinks - 2 different ISPs, can they be merged? (Load balanced, load shared, whatever it is) OpenBSD's PF has something that looks promising: http://www.openbsd.org/faq/pf/pools.html#outgoing Is this what I am looking for?

Kind regards, Yance Kowara

"Merged" is not the correct word. You cannot change how your traffic comes in (i.e. from which ISP it arrives). You can use various techniques (source routing, static routing tables, load balancing) to increase your outgoing capacity. What you should be discussing is how you can use each of these techniques within a FreeBSD environment. Unfortunately we have to teach Ted how routing works in the meantime, which muddles the issue.

DT

As an example, I had a customer that had a T1 and a T3 connection to different ISPs (they kept the T1 because of the IPs they didn't want to relinquish, and as a backup), and BGP worked on hops at the time so clearly that doesn't work when you have unbalanced pipes, because arguably the T3 is always the better route.

More baloney. The better route with BGP is the route with fewer AS hops, not the one that goes out the biggest pipe. It is quite possible to have a T1 to a backbone that is very well connected (i.e. UUNET) and a DS3 to a backbone that is poorly connected (i.e. Wiltel) and have all the inbound and outbound traffic favor the T1.

Ted
RE: FreeBSD router two DSL connections
-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 24, 2005 7:59 AM
To: Ted Mittelstaedt; Winelfred G. Pasamba
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

http://www.edimax.com/html/english/products/PRI582.htm
...Performs Outbound load balancing by session, weight round robin or traffic...

Note that they say by SESSION not by PACKET. It's marketingspeak. They are simply using the term load balancing for a device that doesn't actually load balance. Apparently they figure that if they say session load balancing, even though there is no such accepted definition, that then they are somehow not lying. It's akin to someone saying that FreeBSD is a kind of Linux in a sentence that uses Linux to indicate open source operating systems. Apparently you never heard the old saying "A grain of truth is buried in all great lies".

I'm not sure what your primary language is, but round robin IS packet balancing.

In an engineer's treatise, perhaps. But this is a marketing document and you're just assuming that they mean per packet; they could have easily meant that the sessions were round-robined.

Suppose you have 2 pipes:

Round robin:
1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe2

Weighted round robin, weighted 2 to 1:
1 packet to pipe1
1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe1
1 packet to pipe2

Per session balancing may be useful when you have paths that are not very equal. If you load balance to different ISPs packets could arrive out of order (in fact they are likely to).

You cannot load balance to 2 different ISPs unless you're running BGP. I already went over this. Does this product speak BGP?

Ted
RE: FreeBSD router two DSL connections
--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 23, 2005 3:47 PM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

Ted the incompetent, wrong on all counts once again:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 21, 2005 9:56 AM
To: Loren M. Lang; Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.

They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.

Yes they will.

I assure you they will not.

Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider?

ISPs that are dual-homed have to register their subnets with both providers. For example, suppose I'm a small ISP and I go get a Sprint connection and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0. These are Sprint-owned IP addresses of course. As I source traffic from 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass Sprint's ingress filter to me. Now I get a bit bigger and decide I need a redundant connection. So I contact ARIN and buy an AS number, then contact ATT and get a connection to them, then set up BGP between myself and ATT and Sprint. When ATT and I are setting up BGP, ATT's techs will ask me what subnets I'm advertising. I tell them 192.168.1.0 - 192.168.10.0. ATT then checks with ARIN's whois server to make sure Sprint has entered a record for that list of subnets that says I'm authorized to use them. If all that checks out OK then ATT adjusts their ingress filters so I can source traffic to them from those subnets.

So if you have 2 ISPs, then both of them know about both of your address groups, so you can load balance any way you want, right? Which is why the scenario I've suggested will work in all cases.

I also know tons of secondary peering ISPs that don't do any filtering at all on incoming traffic. If you're peering with multiple networks the combinations of source addresses that are possible to go through your network are too mind-boggling to load your server with. Most T3 routers deployed can barely handle their loads without filtering every incoming packet through ingress filters. You may think they do it, but most don't.

For example, in my office I have a cable modem and a 100Mb/s link to an ISP that happens to be in my building. I can set my default router to either router and it works fine. The cable modem company will accept ANY source address and so will the ISP. I assure you that the cable company doesn't know of my other addresses.

DT
RE: FreeBSD router two DSL connections
--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 24, 2005 7:59 AM
To: Ted Mittelstaedt; Winelfred G. Pasamba
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

http://www.edimax.com/html/english/products/PRI582.htm
...Performs Outbound load balancing by session, weight round robin or traffic...

Note that they say by SESSION not by PACKET. It's marketingspeak. They are simply using the term load balancing for a device that doesn't actually load balance. Apparently they figure that if they say session load balancing, even though there is no such accepted definition, that then they are somehow not lying. It's akin to someone saying that FreeBSD is a kind of Linux in a sentence that uses Linux to indicate open source operating systems. Apparently you never heard the old saying "A grain of truth is buried in all great lies".

I'm not sure what your primary language is, but round robin IS packet balancing.

In an engineer's treatise, perhaps. But this is a marketing document and you're just assuming that they mean per packet; they could have easily meant that the sessions were round-robined.

Suppose you have 2 pipes:

Round robin:
1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe2

Weighted round robin, weighted 2 to 1:
1 packet to pipe1
1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe1
1 packet to pipe2

Per session balancing may be useful when you have paths that are not very equal. If you load balance to different ISPs packets could arrive out of order (in fact they are likely to).

You cannot load balance to 2 different ISPs unless you're running BGP. I already went over this. Does this product speak BGP?

Ted

I've seen your resume, Ted. How do you get jobs? Are people hiring so incompetent?

As stated, even by Ted, you have to register ALL of your addresses with ALL of your ISPs, so you can send your packets to ANYONE you want, even if they are filtering. Please stop listening to Ted. He doesn't understand this.

DT
Re: FreeBSD router two DSL connections
Ted, Danial, and the rest, I'm learning a lot in this thread. I have a pfsense (FreeBSD) router that has two connections to the same ISP and one connection to a Linux squid (another server). I use the ported OpenBSD packet filter in FreeBSD for (whatever) load balancing. I can paste the FreeBSD /etc/pf.conf and give you a sample of 'pfctl -s state' which looks like a firewall state table (I'm not sure though). I can also capture traffic graphs on all three interfaces of the pfsense router. Just want to know what's happening in the (FreeBSD) pfsense router. Is it route balancing, packet round-robining, connection round-robining, or what? One thing is that both these ISP lines don't have any CIR. One is up to 128kbps and the other is up to 256 kbps. And I don't know which is which, hehe. Here are the graphs and dump: http://geocities.com/winelfredpasamba/is_this_load_balancing_or_what/

On 12/26/05, Danial Thom [EMAIL PROTECTED] wrote:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 23, 2005 3:47 PM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

Ted the incompetent, wrong on all counts once again:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 21, 2005 9:56 AM
To: Loren M. Lang; Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.

They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.

Yes they will.

I assure you they will not.

Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider?

ISPs that are dual-homed have to register their subnets with both providers. For example, suppose I'm a small ISP and I go get a Sprint connection and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0. These are Sprint-owned IP addresses of course. As I source traffic from 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass Sprint's ingress filter to me. Now I get a bit bigger and decide I need a redundant connection. So I contact ARIN and buy an AS number, then contact ATT and get a connection to them, then set up BGP between myself and ATT and Sprint. When ATT and I are setting up BGP, ATT's techs will ask me what subnets I'm advertising. I tell them 192.168.1.0 - 192.168.10.0. ATT then checks with ARIN's whois server to make sure Sprint has entered a record for that list of subnets that says I'm authorized to use them. If all that checks out OK then ATT adjusts their ingress filters so I can source traffic to them from those subnets.

Now I get even bigger and need more IPs than what Sprint will provide, so I go to ARIN and buy them. Then all my feeds have to adjust their ingress filters to the new subnet.

Now I get bigger still and I start trying to set up peering relationships with other networks, so I don't have to pay them directly. Well now guess what, those networks are now monitoring the traffic volume I'm sending them, because they don't want me to use and abuse them and give them little peering in return. So I now have an enormous financial incentive to make sure that any traffic coming from any of my end users is in fact valid traffic, so you better believe I'm going to enforce that with ingress filters to my downstream customers.

Anyway, this is all academic because the wrongly-sourced packet won't even get into my network to be forwarded and blocked by ATT or Sprint, or my peer routers, in the first place. Why? Because every wrongly-sourced packet I allow a customer to send to me can potentially displace a correct packet from a customer, making their traffic slower and setting up potential for complaints.

The ONLY Internet routers that don't ingress filter today are transit routers run by transit ASes, and no network
RE: FreeBSD router two DSL connections
-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:48 AM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 23, 2005 3:47 PM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

Ted the incompetent, wrong on all counts once again:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 21, 2005 9:56 AM
To: Loren M. Lang; Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.

They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.

Yes they will.

I assure you they will not.

Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider?

ISPs that are dual-homed have to register their subnets with both providers. For example, suppose I'm a small ISP and I go get a Sprint connection and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0. These are Sprint-owned IP addresses of course. As I source traffic from 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass Sprint's ingress filter to me. Now I get a bit bigger and decide I need a redundant connection. So I contact ARIN and buy an AS number, then contact ATT and get a connection to them, then set up BGP between myself and ATT and Sprint. When ATT and I are setting up BGP, ATT's techs will ask me what subnets I'm advertising. I tell them 192.168.1.0 - 192.168.10.0. ATT then checks with ARIN's whois server to make sure Sprint has entered a record for that list of subnets that says I'm authorized to use them. If all that checks out OK then ATT adjusts their ingress filters so I can source traffic to them from those subnets.

So if you have 2 ISPs, then both of them know about both of your address groups, so you can load balance any way you want, right?

No, they don't know about those groups, as I have just finished explaining.

Which is why the scenario I've suggested will work in all cases.

Which is why it won't work in all cases.

I also know tons of secondary peering ISPs that don't do any filtering at all on incoming traffic.

Bullcrap. Prove it. Start naming names and I'll post them on NANOG and ask others' opinions. I'm sure the script kiddies looking for DDoS hosts will appreciate knowing who to concentrate their attacks on.

If you're peering with multiple networks the combinations of source addresses that are possible to go through your network are too mind-boggling to load your server with. Most T3 routers deployed can barely handle their loads without filtering every incoming packet through ingress filters. You may think they do it, but most don't.

As I already said, core routers don't filter. However, networks that do multiple peering have edge routers that they use to connect to end-node ASes, and those filter.

For example, in my office I have a cable modem and a 100Mb/s link to an ISP that happens to be in my building. I can set my default router to either router and it works fine. The cable modem company will accept ANY source address and so will the ISP. I assure you that the cable company doesn't know of my other addresses.

Bullcrap. Once again, prove it. If you think this scenario really exists, post who is involved instead of hiding.

Ted
RE: FreeBSD router two DSL connections
-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:50 AM
To: Ted Mittelstaedt; Winelfred G. Pasamba
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

As stated, even by Ted, you have to register ALL of your addresses with ALL of your ISPs, so you can send your packets to ANYONE you want, even if they are filtering.

No, what I said is that any ISP that is an end-node AS and gets a feed from a network must tell that network what IP blocks they are using to send traffic from. Network to network peering is a different story, but you won't find DSL or cable providers running DSL lines from their peering routers to end users. All that has to happen is for the end user to start pumping a ton of traffic into the peering router with the source IP number of, say, www.fbi.gov and a destination IP of, say, www.whitehouse.gov, and all kinds of interesting and unpleasant things will start happening to the operators of that cable or DSL provider once the feds finish tracking them down. Think about it.

Ted
RE: FreeBSD router two DSL connections
-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:58 AM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections

You're not using illegal addresses when you load balance, Ted. You're using real addresses that all of your upstream ISPs need to know about. Why can't you grasp this concept?

So you finally figured it out, Danial. These "get one DSL line from one ISP and a cable line from another ISP" schemes will not work precisely because, while the upstream ISPs need to know about your real addresses, they don't.

ISP A that you have a DSL line to and assigns you 10.0.0.1 as an IP number is expecting traffic to come from you with a destination IP number of anywhere on the Internet, and a source IP number of 10.0.0.1.

ISP B that you have a cable line to and assigns you 192.168.0.1 as an IP number is expecting traffic to come from you with a destination IP number of anywhere on the Internet, and a source IP number of 192.168.0.1.

If you use 10.0.0.1 as a source IP for a packet that you send to ISP B, then ISP B's ingress filters will not see this packet with a source IP of 192.168.0.1, and assume it's bogus, and drop it.

If you use 192.168.0.1 as a source IP for a packet that you send to ISP A, then ISP A's ingress filters will not see this packet with a source IP of 10.0.0.1, and assume it's bogus, and drop it.

Very simple concept for anyone to grasp.

Ted
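The source-address constraint Ted lays out above (an upstream only accepts packets sourced from the block it assigned you), together with the round-robin and weighted round-robin schedules quoted earlier in the thread, can be checked in a small simulation. This is an added example, not code from the thread or from any poster; the ISP names, address blocks, weights and packet counts are all constructed (RFC 5737 documentation ranges). It contrasts per-packet spraying with one fixed source address against per-session pinning with the source rewritten to the chosen uplink's own address, which is the shape of the PF "outgoing load balancing" setup Yance linked to (route-to with a NAT rule per external interface).

```python
"""Simulation of upstream ingress (source-address) filtering, run against two
outbound load-balancing policies on a dual-ISP router.  Added example, not
code from the thread; ISP names, prefixes, hosts and packet counts are
constructed (RFC 5737 documentation ranges)."""
import ipaddress
from itertools import cycle

# Constructed topology: each upstream filters customer traffic on the block it
# assigned us; our router holds one address out of each block.
ISPS = {
    "isp_a": {"assigned": ipaddress.ip_network("203.0.113.0/29"), "our_addr": "203.0.113.2"},
    "isp_b": {"assigned": ipaddress.ip_network("198.51.100.0/29"), "our_addr": "198.51.100.2"},
}


def ingress_filter_accepts(isp, src):
    """BCP 38 style check an upstream applies on a customer link: the source
    address must fall inside the block that upstream assigned to the customer."""
    return ipaddress.ip_address(src) in ISPS[isp]["assigned"]


def weighted_round_robin(weights):
    """Endless weighted round-robin schedule over egress names.
    {"isp_a": 2, "isp_b": 1} yields a, a, b, a, a, b, ... (dict order is kept)."""
    return cycle([isp for isp, w in weights.items() for _ in range(w)])


def _new_tally():
    return {"accepted": 0, "dropped": 0, "by_isp": {isp: 0 for isp in ISPS}}


def per_packet_balancing(n_packets, fixed_src, weights):
    """Spray the packets of one flow across both pipes while keeping the single
    source address the flow started with.  Every packet scheduled onto the ISP
    that did not assign that address fails its ingress filter."""
    sched = weighted_round_robin(weights)
    tally = _new_tally()
    for _ in range(n_packets):
        isp = next(sched)
        tally["by_isp"][isp] += 1
        key = "accepted" if ingress_filter_accepts(isp, fixed_src) else "dropped"
        tally[key] += 1
    return tally


def per_session_balancing(flows, weights):
    """Pin each new flow to one egress and rewrite its source to that egress's
    own address (what a NAT-per-uplink setup does), so every packet carries a
    source the receiving ISP expects.  Replies for a flow still come back only
    through the ISP whose address it used: aggregate capacity grows, a single
    flow's does not."""
    sched = weighted_round_robin(weights)
    tally = _new_tally()
    tally["pinned"] = {}
    for flow_id, n_packets in flows:
        isp = next(sched)
        tally["pinned"][flow_id] = isp
        src = ISPS[isp]["our_addr"]
        for _ in range(n_packets):
            tally["by_isp"][isp] += 1
            key = "accepted" if ingress_filter_accepts(isp, src) else "dropped"
            tally[key] += 1
    return tally


if __name__ == "__main__":
    # Constructed runs: 6 packets of one flow, then three flows of 4, 3 and 5 packets.
    print(per_packet_balancing(6, "203.0.113.2", {"isp_a": 1, "isp_b": 1}))
    print(per_packet_balancing(6, "203.0.113.2", {"isp_a": 2, "isp_b": 1}))
    print(per_session_balancing([("ssh", 4), ("http", 3), ("smtp", 5)], {"isp_a": 1, "isp_b": 1}))
```

With equal weights the per-packet run loses every packet that lands on isp_b, and the 2:1 weighting only changes the ratio, not the failure. The per-session run loses nothing, but note what it does not do: each flow still rides one pipe, so a single download is no faster than before, which is the measurement Ted proposes, while the total across flows does use both uplinks, which is the capacity Danial describes. The simulation is silent on inbound traffic, which both posters agree arrives only via the ISP that owns the address used.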
RE: FreeBSD router two DSL connections
http://www.edimax.com/html/english/products/PRI582.htm

"...Performs Outbound load balancing by session, weight round robin or traffic..."

Note that they say by SESSION, not by PACKET.

It's marketingspeak. They are simply using the term "load balancing" for a device that doesn't actually load balance. Apparently they figure that if they say "session load balancing", even though there is no such accepted definition, then they are somehow not lying.

It's akin to someone saying that FreeBSD is a kind of Linux, in a sentence that uses "Linux" to indicate open source operating systems.

Apparently you never heard the old saying "A grain of truth is buried in all great lies".

Ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Winelfred G. Pasamba
Sent: Thursday, December 22, 2005 11:30 PM
To: Ted Mittelstaedt
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

> I wonder if these routers are using freebsd
> http://www.edimax.com/html/english/products/list-router.htm
> 2 WAN, 4 WAN, etc... and i also wonder what happens if one WAN goes down? or if the WANs are of different speeds?
>
> On 12/23/05, Ted Mittelstaedt [EMAIL PROTECTED] wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of [EMAIL PROTECTED]
> > Sent: Thursday, December 22, 2005 3:09 AM
> > To: freebsd-questions@freebsd.org
> > Subject: RE: FreeBSD router two DSL connections
> >
> > > > Which is not redundant. Considering the OP asked for specifics on how to do this and your response has been a bunch of theoretical gobbledygook that is flat out wrong network theory, you haven't done anything to help the poor bastard.
> > >
> > > Hi,
> > >
> > > This is a pretty fiery debate. I have a question along the lines of this thread.
> > >
> > > I currently have a 1.5Mbit ADSL tail at the school that I work for. This tail connects to the Education Office, which hosts a variety of websites; we then get internet access through the education office.
> > >
> > > We currently also have 230 PCs, and the connection is slowing down significantly.
> > >
> > > What I planned on doing was purchasing a 20Mbit ADSL 2+ connection and setting up a FreeBSD router which forwards all internet traffic through the ADSL2+ connection, and the Education Office traffic would be forwarded through the existing connection. Is this feasible?
> >
> > The easiest way would be to purchase a DSL modem/router for use with the ADSL2 connection (or an ADSL2 modem coupled to an ethernet-to-ethernet DSL router). Set this up as a network address translator, plug it into your school network. (You can use FreeBSD for this if you want.)
> >
> > You will need to do a bit of exploring to find out the subnets that the ED office is using.
> >
> > For example, suppose ED office has assigned IP subnet 10.0.10.0/24 to your school. Their existing DSL tail has an IP number of 10.0.10.1 on it. You have your PC's setup to use IP addresses 10.0.10.10 - 10.0.10.240 with a subnet mask of 255.255.255.0 and a gateway of 10.0.10.1.
> >
> > You do some queries with nslookup to find out all the IP addresses of the Ed servers, and you find they are on subnets 10.0.12.x, 10.0.15.x, 192.168.4.x, etc.
> >
> > So, first thing you do is you setup your BSD system/DSL router/DSL modem as a translator, and set its internal interface IP address to 10.0.10.2.
> >
> > Then you add in a bunch of static routes into it for the ED subnets you discovered, pointing those subnets to 10.0.10.1.
> >
> > Last you set your PC's to use 10.0.10.2 as their default gateway.
> >
> > When the PC's send traffic to the Internet the router sends that out the ADSL2 line.
> >
> > When the PC's send traffic to ED, the router issues an ICMP redirect that installs an ICMP route in the PC's that points to 10.0.10.1 for that host.
> >
> > Ted
>
> --
> Seek ye first the kingdom of God and all these things shall be added unto you.
>
> Winelfred G. Pasamba
> Adventist University of the Philippines
> Computer Science Department, AUP Online Information System
RE: FreeBSD router two DSL connections
> Ted, you have to think outside the box. Life is more than one connection. While you can't increase the throughput of a single connection, you can increase the throughput of your network, which is usually the point. Throughput in this context is capacity. Throughput is not only what you can get on a download; it's the sum total of all of your activities. You can upload at 2Mb/s on one connection if you balance your outbound traffic, but not download, because while you can control where outgoing packets are sent, you can't control over which pipe incoming traffic arrives.
>
> Believe me, Ted. It works. It's not theory. It's being done. For example a hosting ISP saturates its pipes outgoing and has very little traffic incoming. They can load balance in the outgoing-only direction and have all of their incoming traffic on a single pipe and double the capacity of their network. Since they never exceed the incoming bandwidth of a single pipe there is no need to balance it.
>
> DT

Ted and Danial,

I am still following this thread and am getting all confused here. Back to my original question: 2 ADSL uplinks - 2 different ISPs, can they be merged? (Load balanced, load shared, whatever it is.)

OpenBSD's PF has something that looks promising: http://www.openbsd.org/faq/pf/pools.html#outgoing

Is this what I am looking for?

Kind regards,

Yance Kowara

__
Yahoo! for Good - Make a difference this year.
http://brand.yahoo.com/cybergivingweek2005/
RE: FreeBSD router two DSL connections
--- Yance Kowara [EMAIL PROTECTED] wrote:

> > Ted, you have to think outside the box. Life is more than one connection. While you can't increase the throughput of a single connection, you can increase the throughput of your network, which is usually the point. Throughput in this context is capacity. Throughput is not only what you can get on a download; it's the sum total of all of your activities. You can upload at 2Mb/s on one connection if you balance your outbound traffic, but not download, because while you can control where outgoing packets are sent, you can't control over which pipe incoming traffic arrives.
> >
> > Believe me, Ted. It works. It's not theory. It's being done. For example a hosting ISP saturates its pipes outgoing and has very little traffic incoming. They can load balance in the outgoing-only direction and have all of their incoming traffic on a single pipe and double the capacity of their network. Since they never exceed the incoming bandwidth of a single pipe there is no need to balance it.
> >
> > DT
>
> Ted and Danial,
>
> I am still following this thread and am getting all confused here. Back to my original question: 2 ADSL uplinks - 2 different ISPs, can they be merged? (Load balanced, load shared, whatever it is.)
>
> OpenBSD's PF has something that looks promising: http://www.openbsd.org/faq/pf/pools.html#outgoing
>
> Is this what I am looking for?
>
> Kind regards,
>
> Yance Kowara

"Merged" is not the correct word. You cannot change how your traffic comes in (i.e. from which ISP it arrives). You can use various techniques (source routing, static routing tables, load balancing) to increase your outgoing capacity. What you should be discussing is how you can use each of these techniques within a FreeBSD environment. Unfortunately we have to teach Ted how routing works in the meantime, which muddles the issue.

DT
RE: FreeBSD router two DSL connections
--- Danial Thom [EMAIL PROTECTED] wrote:

> --- Yance Kowara [EMAIL PROTECTED] wrote:
>
> > > Ted, you have to think outside the box. Life is more than one connection. While you can't increase the throughput of a single connection, you can increase the throughput of your network, which is usually the point. Throughput in this context is capacity. Throughput is not only what you can get on a download; it's the sum total of all of your activities. You can upload at 2Mb/s on one connection if you balance your outbound traffic, but not download, because while you can control where outgoing packets are sent, you can't control over which pipe incoming traffic arrives.
> > >
> > > Believe me, Ted. It works. It's not theory. It's being done. For example a hosting ISP saturates its pipes outgoing and has very little traffic incoming. They can load balance in the outgoing-only direction and have all of their incoming traffic on a single pipe and double the capacity of their network. Since they never exceed the incoming bandwidth of a single pipe there is no need to balance it.
> > >
> > > DT
> >
> > Ted and Danial,
> >
> > I am still following this thread and am getting all confused here. Back to my original question: 2 ADSL uplinks - 2 different ISPs, can they be merged? (Load balanced, load shared, whatever it is.)
> >
> > OpenBSD's PF has something that looks promising: http://www.openbsd.org/faq/pf/pools.html#outgoing
> >
> > Is this what I am looking for?
> >
> > Kind regards,
> >
> > Yance Kowara
>
> "Merged" is not the correct word. You cannot change how your traffic comes in (i.e. from which ISP it arrives). You can use various techniques (source routing, static routing tables, load balancing) to increase your outgoing capacity. What you should be discussing is how you can use each of these techniques within a FreeBSD environment. Unfortunately we have to teach Ted how routing works in the meantime, which muddles the issue.
>
> DT

As an example, I had a customer that had a T1 and a T3 connection to different ISPs (they kept the T1 because of the IPs they didn't want to relinquish, and as a backup), and BGP worked on hops at the time, so clearly that doesn't work when you have unbalanced pipes, because arguably the T3 is always the better route. So they source routed all of their dial-up traffic via the T1 and their more profitable hosting traffic to the T3. You're not going to be able to advertise 2Mb/s downloads if that's what you're trying to do.

DT
RE: FreeBSD router two DSL connections
--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

> http://www.edimax.com/html/english/products/PRI582.htm
>
> "...Performs Outbound load balancing by session, weight round robin or traffic..."
>
> Note that they say by SESSION, not by PACKET.
>
> It's marketingspeak. They are simply using the term "load balancing" for a device that doesn't actually load balance. Apparently they figure that if they say "session load balancing", even though there is no such accepted definition, then they are somehow not lying.
>
> It's akin to someone saying that FreeBSD is a kind of Linux, in a sentence that uses "Linux" to indicate open source operating systems.
>
> Apparently you never heard the old saying "A grain of truth is buried in all great lies".

I'm not sure what your primary language is, but round robin IS packet balancing. Suppose you have 2 pipes:

Round Robin:
  1 packet to pipe1
  1 packet to pipe2
  1 packet to pipe1
  1 packet to pipe2

Weighted round robin, weighted 2 to 1:
  1 packet to pipe1
  1 packet to pipe1
  1 packet to pipe2
  1 packet to pipe1
  1 packet to pipe1
  1 packet to pipe2

Per session balancing may be useful when you have paths that are not very equal. If you load balance to different ISPs, packets could arrive out of order (in fact they are likely to). This is not really a problem for modern TCP stacks. Session balancing, if done properly, should guarantee that the ACKs for a download go out the same pipe as the data is arriving. It's not clear from the datasheet if that's the case, but that's the correct way to do it.

It seems like a quite comprehensive product to me, from the docs. Ted's analysis is backwards. "Load balancing" is a vague term. "Weighted Round Robin" is a more specific term for how they have implemented the load balancing.

Danial

__
Yahoo! DSL - Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com
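The three policies Danial lists above (per-packet round robin, weighted round robin 2:1, and per-session balancing) differ in one property that matters for the ACK point he makes: whether all packets of one session leave by the same pipe. The following is an added simulation, not code from the thread or from the Edimax product; the pipe names, the 2:1 weights and the two sample TCP flows are constructed for the illustration.

```python
"""Per-packet, weighted, and per-session egress selection over two pipes.

Added example, not code from the thread: a simulation of the three
balancing policies described in the post above. The pipe names, the
weights and the sample flows are constructed for the illustration.
"""
import hashlib
import itertools
from collections import Counter

PIPES = ("pipe1", "pipe2")  # constructed names for the two uplinks


def make_packets():
    """Constructed sample traffic: two TCP flows of four packets each,
    sent back to back (flow A first, then flow B)."""
    flow_a = {"src": "10.0.0.10", "sport": 40001,
              "dst": "203.0.113.5", "dport": 80, "proto": "tcp"}
    flow_b = {"src": "10.0.0.11", "sport": 40002,
              "dst": "198.51.100.7", "dport": 443, "proto": "tcp"}
    return ([dict(flow_a, seq=i) for i in range(4)]
            + [dict(flow_b, seq=i) for i in range(4)])


def flow_key(pkt):
    """The 5-tuple that identifies a session."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def round_robin(packets, pipes=PIPES):
    """Per-packet round robin: the i-th packet goes out pipe i mod N,
    regardless of which session it belongs to."""
    return [pipes[i % len(pipes)] for i in range(len(packets))]


def weighted_round_robin(packets, weights=(2, 1), pipes=PIPES):
    """Weighted round robin: pipes[k] receives weights[k] consecutive
    packets before the scheduler moves to the next pipe (2:1 by default)."""
    schedule = [p for p, w in zip(pipes, weights) for _ in range(w)]
    cycle = itertools.cycle(schedule)
    return [next(cycle) for _ in packets]


def per_session(packets, pipes=PIPES):
    """Per-session balancing: hash the 5-tuple, so every packet of one
    session (data and ACKs alike) leaves by the same pipe. SHA-256 is
    used only because it is deterministic across runs, unlike hash()."""
    out = []
    for pkt in packets:
        key = "|".join(map(str, flow_key(pkt))).encode()
        digest = hashlib.sha256(key).digest()
        out.append(pipes[int.from_bytes(digest[:4], "big") % len(pipes)])
    return out


def split_sessions(packets, assignment):
    """Return the sessions whose packets were spread over more than one pipe."""
    seen = {}
    for pkt, pipe in zip(packets, assignment):
        seen.setdefault(flow_key(pkt), set()).add(pipe)
    return {k for k, pipes in seen.items() if len(pipes) > 1}


def summarize(policy, packets=None):
    """Run a policy; return per-pipe packet counts and how many sessions
    were split across pipes."""
    packets = make_packets() if packets is None else packets
    assignment = policy(packets)
    return dict(Counter(assignment)), len(split_sessions(packets, assignment))


if __name__ == "__main__":
    for policy in (round_robin, weighted_round_robin, per_session):
        counts, split = summarize(policy)
        print(f"{policy.__name__:22s} counts={counts} sessions split={split}")
```

Both round-robin variants spread every session over both pipes (the reordering Danial mentions), while the hash-based policy keeps each session on one pipe at the cost of a less even byte split. The hash decides only which pipe a session uses; it says nothing about whether the source address on that pipe is one the upstream will accept, which is the separate point argued elsewhere in the thread.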
RE: FreeBSD router two DSL connections
Ted the incompetent, wrong on all counts once again:

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

> -----Original Message-----
> From: Danial Thom [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 21, 2005 9:56 AM
> To: Loren M. Lang; Ted Mittelstaedt
> Cc: Yance Kowara; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> > All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.
>
> They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.

Yes they will. Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider? You are beyond clueless, Ted. Why do you keep opening your mouth?

> > For efficiency's sake, you may argue that sending to the ISP that sent you the traffic will be a better path, but if one of your pipes is saturated and the other running at 20%
>
> Let's see now, these are full duplex 'pipes', can we have some direction this saturation is taking place in? I mean, since you are at least trying to make a senseless explanation sound right, you might as well try a bit harder.

It's not senseless, you just don't understand how the internet works, apparently. I do this for a living, and you just yap. If you were able to send back the data on the pipe it arrived on then you would have uneven use of the pipes. So one could be saturated and the other highly unused. Balancing the outgoing data would reduce the latency that occurs when a pipe is saturated. It's hard to explain calculus to someone who can't add or subtract, Ted, so you should figure out how routing works before you try something this complicated.

> > then it's likely more efficient to keep your pipes filled and send to either ISP. You can achieve this with per-packet load-balancing with Ciscos,
>
> Per-packet load balancing is for parallel links between 2 endpoints. Not three, as in you, your first ISP, and your second ISP.

Wrong again, Ted. Usually that's how it is used to gain extra throughput, but that's not the only thing that it can be used for. Since the internet is connectionless (back to school for you, Ted), per-packet balancing can utilize 2 outgoing pipes to different ISPs as well. Obviously since failover on a dual-homed network works, you can send your packets to any ISP you want. Routers route based on destination address, as anyone who knows how routers work knows. You can even use per-packet load balancing on 2 lines to the same ISP when the other end doesn't support it; using 2 pipes in one direction and only one in the other. You can be innovative when you actually understand how things work, Ted.

> Surprising you would drag up a Ciscoism as you're such a big fan of BSD-based routers.
>
> > or bit-balancing with a product like ETs for FreeBSD. Unless your 2 ISPs are connected substantially differently (say if one is in Europe and one in the US), you'll do better keeping your pipes balanced, as YOU are the bottleneck, not the upstream, assuming you have quality upstream providers.
>
> Sometimes you run into someone who is so ignorant of the subject of which he is trying to speak - routing in this case - that you can't even argue with the person. Kind of like trying to explain the concept of the fossil record to a creationist. This is one of these times.

Yes Ted. People run into you, the ultimate ignoramus. I have 3000 ISP customers. This is not just theory; it's being done. You are wrong about every single thing you said in this thread.

DT
RE: FreeBSD router two DSL connections
--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

> -----Original Message-----
> From: Loren M. Lang [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 21, 2005 9:47 AM
> To: Ted Mittelstaedt
> Cc: Yance Kowara; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> > On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
> > > If both DSL lines go to the same ISP it is easy, run PPP on them and setup multilink PPP. The ISP has to do so also. If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.
> >
> > I strongly disagree. There are many reasons for this. Two of which are increased throughput and redundancy.
>
> If you have read this thread you will have already seen that you cannot get increased throughput this way. As I asked before, explain how a DSL line to SpiritOne running at 1MBit/sec and a Comcast cable connection running at 1MBit/sec will allow you to download the FreeBSD release iso file at 2MBit/sec. This will be interesting. If you can't do it, which I will tell you that you can't, you have not increased throughput.
>
> And as for redundancy, I already explained that while this setup increases redundancy, the redundancy must be manually done - monitored by a human, and switched over when needed - or it will not react to the most common redundancy problems.
>
> > The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection.
>
> No, not at all. The primary problem is that the incoming data that is in response to the outgoing connection will come in on the same line that the outgoing connection used.
>
> > If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to setup. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP
>
> Explain how to run BGP with a DSL line to Spirit One and a cable line to Comcast.
>
> > or some kind of static route setup by the two ISPs.
>
> Rubbish. Explain how this would work. It won't.
>
> > I have done this with a Linux router and using Comcast Cable and SpiritOne DSL. We had all incoming connections use DSL and outgoing connections use either line.
>
> You used the dual-NAT package that was detailed earlier which is the only one that can do that - is specific to Linux - and as I explained before, also will not permit you to take a 1MB DSL line from one provider and a 1MB cable line from the cable company and download a freebsd iso at 2MB. Thus it is not load-balancing because it does not actually use both lines for a connection.

Ted, you have to think outside the box. Life is more than one connection. While you can't increase the throughput of a single connection, you can increase the throughput of your network, which is usually the point. Throughput in this context is capacity. Throughput is not only what you can get on a download; it's the sum total of all of your activities. You can upload at 2Mb/s on one connection if you balance your outbound traffic, but not download, because while you can control where outgoing packets are sent, you can't control over which pipe incoming traffic arrives.

Believe me, Ted. It works. It's not theory. It's being done. For example a hosting ISP saturates its pipes outgoing and has very little traffic incoming. They can load balance in the outgoing-only direction and have all of their incoming traffic on a single pipe and double the capacity of their network. Since they never exceed the incoming bandwidth of a single pipe there is no need to balance it.

DT
RE: FreeBSD router two DSL connections
-----Original Message-----
From: Danial Thom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 21, 2005 9:56 AM
To: Loren M. Lang; Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections

> All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going.

They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.

> For efficiency's sake, you may argue that sending to the ISP that sent you the traffic will be a better path, but if one of your pipes is saturated and the other running at 20%

Let's see now, these are full duplex 'pipes', can we have some direction this saturation is taking place in? I mean, since you are at least trying to make a senseless explanation sound right, you might as well try a bit harder.

> then it's likely more efficient to keep your pipes filled and send to either ISP. You can achieve this with per-packet load-balancing with Ciscos,

Per-packet load balancing is for parallel links between 2 endpoints. Not three, as in you, your first ISP, and your second ISP.

Surprising you would drag up a Ciscoism as you're such a big fan of BSD-based routers.

> or bit-balancing with a product like ETs for FreeBSD. Unless your 2 ISPs are connected substantially differently (say if one is in Europe and one in the US), you'll do better keeping your pipes balanced, as YOU are the bottleneck, not the upstream, assuming you have quality upstream providers.

Sometimes you run into someone who is so ignorant of the subject of which he is trying to speak - routing in this case - that you can't even argue with the person. Kind of like trying to explain the concept of the fossil record to a creationist. This is one of these times.

Ted
RE: FreeBSD router two DSL connections
> Which is not redundant. Considering the OP asked for specifics on how to do this and your response has been a bunch of theoretical gobbledygook that is flat out wrong network theory, you haven't done anything to help the poor bastard.

Hi,

This is a pretty fiery debate. I have a question along the lines of this thread.

I currently have a 1.5Mbit ADSL tail at the school that I work for. This tail connects to the Education Office, which hosts a variety of websites; we then get internet access through the education office.

We currently also have 230 PCs, and the connection is slowing down significantly.

What I planned on doing was purchasing a 20Mbit ADSL 2+ connection and setting up a FreeBSD router which forwards all internet traffic through the ADSL2+ connection, and the Education Office traffic would be forwarded through the existing connection. Is this feasible?

I would assume that it would be a simple matter of letting the router know what ranges need to be forwarded to the existing connection, and defaulting the rest to the new connection.

Note there is NO load balancing in this scenario, so don't flame my head off.

Sorry if this is not making sense, I've had a long day.

Cheers,
Matt
Re: FreeBSD router two DSL connections
[EMAIL PROTECTED] wrote:

> > Which is not redundant. Considering the OP asked for specifics on how to do this and your response has been a bunch of theoretical gobbledygook that is flat out wrong network theory, you haven't done anything to help the poor bastard.
>
> Hi,
>
> This is a pretty fiery debate. I have a question along the lines of this thread.
>
> I currently have a 1.5Mbit ADSL tail at the school that I work for. This tail connects to the Education Office, which hosts a variety of websites; we then get internet access through the education office.
>
> We currently also have 230 PCs, and the connection is slowing down significantly.
>
> What I planned on doing was purchasing a 20Mbit ADSL 2+ connection and setting up a FreeBSD router which forwards all internet traffic through the ADSL2+ connection, and the Education Office traffic would be forwarded through the existing connection. Is this feasible?
>
> I would assume that it would be a simple matter of letting the router know what ranges need to be forwarded to the existing connection, and defaulting the rest to the new connection.
>
> Note there is NO load balancing in this scenario, so don't flame my head off.
>
> Sorry if this is not making sense, I've had a long day.
>
> Cheers,
> Matt

First off, you might have posted this under a new subject/thread to avoid getting into the debate and to potentially get replies from those not interested in arguing this one anymore. That said - there's all the flame you'll get from me.

You should be able to connect both of your 'tails' (interesting term btw - never heard a pipe/connection called a 'tail') - and yes, specify which are to go out the pipe to your education office, set the default route to the other connection and you should be off to the races, ie:

  Con1 (education office)  xxx.xxx.xxx.xxx
  Con2 (Large ADSL pipe)   yyy.yyy.yyy.yyy

  route add 0.0.0.0 yyy.yyy.yyy.yyy
  route add some.ip.net.work/24 xxx.xxx.xxx.xxx
  route add some.other.ip.range/26 xxx.xxx.xxx.xxx
  etc...

Of course, depending on your configuration, you may have to use your upstream provided default route instead of the interface IP as indicated in the above example (PPPoE uses your own IP as the default gateway, which is the case in -most- DSL setups).

Anyhow, should be relatively straight-forward, just add the static routes to a script called when the connection is made (for ppp, use ppp.links).

--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate Tool Ltd.
http://www.wmptl.com/
RE: FreeBSD router two DSL connections
> If you have read this thread you will have already seen that you cannot get increased throughput this way. As I asked before, explain how a DSL line to SpiritOne running at 1MBit/sec and a Comcast cable connection running at 1MBit/sec will allow you to download the FreeBSD release iso file at 2MBit/sec. This will be interesting. If you can't do it, which I will tell you that you can't, you have not increased throughput.

I agree with this whole-heartedly.

> And as for redundancy, I already explained that while this setup increases redundancy, the redundancy must be manually done - monitored by a human, and switched over when needed - or it will not react to the most common redundancy problems.

Well, technically, it could be scripted:

- load balancer pings primary upstream gateway
- primary upstream gateway does not respond
- run script that reconfigures routing tables, NAT etc accordingly

Which I wouldn't trust in a critical uptime environment. Plus, this would NOT have the effect of increasing throughput.

> > The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection.
>
> No, not at all. The primary problem is that the incoming data that is in response to the outgoing connection will come in on the same line that the outgoing connection used.

Yes indeed. Unless you mask or 'spoof' your IP in the packet header as it's going out, the traffic will always come back via the same pipe. Unless of course your upstream allows this, which I doubt very much.

> > If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to setup. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP
>
> Explain how to run BGP with a DSL line to Spirit One and a cable line to Comcast.

BGP with two separate Internet providers such as those you speak of is nearly impossible. Realistically, to run BGP, you have to have utmost co-ordination between yourself and BOTH providers. As soon as either one disagrees (which they will), this will not work.

BGP is typically used in point-to-point connections. Generally, it's used by ISPs to THEIR upstream providers. For instance, at the ISP at which I work, part of the feed consists of three T-1's. Two of the T-1's are bound together as a single channel (effectively doubling the throughput), and the third is for load-balancing and redundancy. BGP is used for this, but if I want to make a change, I have to get on the phone with my upstream provider, and do the BGP changes together at both ends.

Trying to do BGP with a single $40 to $80 DSL customer would not only be financially wasteful because of wasted time and resources; most networks are not set up to do this easily. As a matter of fact, just thinking about it makes my head hurt.

If you really want this type of redundancy, and reliable throughput, especially for a business, go the proper way and get your connection(s) from an ISP's upstream provider (Allstream, MCI, Sprint etc).

> > or some kind of static route setup by the two ISPs.

We are a small ISP (10,000 clients), and I wouldn't even do this. This is easily something that could be forgotten it was done, slip through the cracks, and cause all sorts of havoc down the road once the client has up and left. Especially if the second provider mucks up their end.

Again, personally, the way I look at it is if you want to pay $40-$80 for your Internet connection, you technically get what you pay for. If you REALLY wanted this done, you would have to personally know someone inside the ISP who actually has direct and full access to the infrastructure. I assure you, calling the Comcast support desk and asking them to 'please apply this routing structure for me' will get you nowhere. You would have lost them at 'apply' :)

> > I have done this with a Linux router and using Comcast Cable and SpiritOne DSL. We had all incoming connections use DSL and outgoing connections use either line.
>
> You used the dual-NAT package that was detailed earlier which is the only one that can do that - is specific to Linux - and as I explained before, also will not permit you to take a 1MB DSL line from one provider and a 1MB cable line from the cable company and download a freebsd iso at 2MB. Thus it is not load-balancing because it does not actually use both lines for a connection.
>
> > We balanced them by internal IP addresses,
>
> You did not balance them, you had some of the inside IP numbers use one line, and others use the other line. This isn't load balancing.

Which, AFAICT, if the device sent data out one of the lines, it would have come back in the same. Essentially, you are 'preserving' throughput simply by dividing your network in half. This is not balancing. Balancing is 'least-used'. In this configuration, you could have one pipe maxed out, while the other at 2%.
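The scripted failover sketched in the post above (ping the primary upstream gateway, switch routing and NAT when it stops answering) is easy to get wrong in the direction the author distrusts: a single lost ping must not flip the default route back and forth. The following is an added example, not code from the thread: a probe-driven state machine with hysteresis that only fails over after a run of misses and only fails back after a run of successes. The gateway names, thresholds and the probe history are constructed; in a real deployment the probe would be an ICMP echo to each upstream gateway and the two events would run the route and NAT reconfiguration script.

```python
"""Gateway probe with hysteresis for scripted failover between two uplinks.

Added example, not code from the thread: the scripted failover sketched
in the post above, modelled as a state machine fed with probe results.
The gateway names, thresholds and probe history are constructed; in a
real deployment the probe would be an ICMP echo to each gateway and the
switch events would rewrite the default route and NAT rules.
"""


class FailoverMonitor:
    """Tracks consecutive probe results and switches only after a run of
    failures (fail_threshold) or a run of successes (recover_threshold),
    so one lost ping does not flap the routing table."""

    def __init__(self, primary="isp_a_gw", secondary="isp_b_gw",
                 fail_threshold=3, recover_threshold=5):
        self.primary = primary          # constructed gateway names
        self.secondary = secondary
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.active = primary
        self.consecutive_failures = 0
        self.consecutive_successes = 0
        self.events = []                # switch actions a real script would run

    def observe(self, primary_reachable):
        """Feed one probe result for the primary gateway; return the gateway
        that should hold the default route after this probe."""
        if primary_reachable:
            self.consecutive_successes += 1
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0

        if (self.active == self.primary
                and self.consecutive_failures >= self.fail_threshold):
            self.active = self.secondary
            self.events.append(f"failover -> {self.secondary}")
        elif (self.active == self.secondary
                and self.consecutive_successes >= self.recover_threshold):
            self.active = self.primary
            self.events.append(f"failback -> {self.primary}")
        return self.active


def replay(probe_results, **kwargs):
    """Replay a probe history; return the active gateway after each probe
    and the list of switch events that were triggered."""
    monitor = FailoverMonitor(**kwargs)
    return [monitor.observe(r) for r in probe_results], monitor.events


# Constructed probe history: a short blip (two misses), then a real
# outage (three misses), then the primary link comes back for good.
SAMPLE_PROBES = [True, False, False, True,
                 False, False, False,
                 True, True, True, True, True, True]

if __name__ == "__main__":
    states, events = replay(SAMPLE_PROBES)
    print(states)
    print(events)
```

The two-miss blip produces no event; the three-miss outage triggers the failover, and the route only moves back after five consecutive good probes. As the post itself notes, none of this recovers the inbound half: connections that arrived over the failed line are gone regardless of how quickly the default route moves.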
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, December 22, 2005 3:09 AM
> To: freebsd-questions@freebsd.org
> Subject: RE: FreeBSD router two DSL connections
>
>> Which is not redundant. Considering the OP asked for specifics on how to do this and your response has been a bunch of theoretical gobbledygook that is flat out wrong network theory, you haven't done anything to help the poor bastard.
>
> Hi,
>
> This is a pretty fiery debate. I have a question along the lines of this thread.
>
> I currently have a 1.5Mbit ADSL tail at the school that I work for. This tail connects to the Education Office, which hosts a variety of websites; we then get internet access through the Education Office. We currently also have 230 PCs, and the connection is slowing down significantly.
>
> What I planned on doing was purchasing a 20Mbit ADSL 2+ connection and setting up a FreeBSD router which forwards all internet traffic through the ADSL2+ connection, and the Education Office traffic would be forwarded through the existing connection.
>
> Is this feasible?

The easiest way would be to purchase a DSL modem/router for use with the ADSL2 connection (or an ADSL2 modem coupled to an ethernet-to-ethernet DSL router). Set this up as a network address translator and plug it into your school network. (You can use FreeBSD for this if you want.)

You will need to do a bit of exploring to find out the subnets that the ED office is using. For example, suppose the ED office has assigned IP subnet 10.0.10.0/24 to your school. Their existing DSL tail has an IP number of 10.0.10.1 on it. You have your PCs set up to use IP addresses 10.0.10.10 - 10.0.10.240 with a subnet mask of 255.255.255.0 and a gateway of 10.0.10.1.

You do some queries with nslookup to find out all the IP addresses of the ED servers, and you find they are on subnets 10.0.12.x, 10.0.15.x, 192.168.4.x, etc.

So, first thing you do is you set up your BSD system/DSL router/DSL modem as a translator, and set its internal interface IP address to 10.0.10.2. Then you add a bunch of static routes into it for the ED subnets you discovered, pointing those subnets to 10.0.10.1. Last, you set your PCs to use 10.0.10.2 as their default gateway.

When the PCs send traffic to the Internet, the router sends that out the ADSL2 line. When the PCs send traffic to ED, the router issues an ICMP redirect that installs an ICMP route in the PCs that points to 10.0.10.1 for that host.

Ted

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
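Ted's recipe above, laid out as FreeBSD rc.conf and pf.conf fragments. This is an added example, not Ted's own configuration: the interface names em0/em1, the DHCP-addressed modem side and the firewall policy are assumptions; the addresses and ED subnets are the ones from the post. NAT is applied only on the ADSL2+ side, so the ED servers keep seeing the 10.0.10.x addresses they assigned to the school, and ED-bound traffic simply hairpins back out the LAN interface toward 10.0.10.1.

```conf
# ---- /etc/rc.conf additions (constructed example) ----
# em0 faces the school LAN, em1 faces the ADSL2+ modem: assumed names.
gateway_enable="YES"          # forward packets between interfaces
ifconfig_em0="inet 10.0.10.2 netmask 255.255.255.0"
ifconfig_em1="DHCP"           # assumed: whatever the ADSL2+ modem hands out
pf_enable="YES"
pf_rules="/etc/pf.conf"

# Static routes for the Education Office subnets found with nslookup,
# each pointing back at the existing DSL tail at 10.0.10.1.
static_routes="ed12 ed15 ed4"
route_ed12="-net 10.0.12.0/24 10.0.10.1"
route_ed15="-net 10.0.15.0/24 10.0.10.1"
route_ed4="-net 192.168.4.0/24 10.0.10.1"

# ---- /etc/pf.conf (constructed example, FreeBSD 6-era pf syntax) ----
lan_if  = "em0"
adsl_if = "em1"
lan_net = "10.0.10.0/24"

# Translate only what leaves via the ADSL2+ line. Packets routed back out
# em0 toward 10.0.10.1 never match this rule, so ED sees the school's own
# 10.0.10.x source addresses and its replies go straight to the PCs.
nat on $adsl_if from $lan_net to any -> ($adsl_if)

# Default deny inbound; the router itself may originate traffic.
block in all
pass out keep state

# LAN hosts may use the router as their default gateway. State is created
# here, so the forwarded packet (out em1, or hairpinned out em0) matches it.
pass in on $lan_if from $lan_net to any keep state

# Note on the ICMP redirect step: FreeBSD sends redirects for packets it
# forwards back out the interface they arrived on (net.inet.ip.redirect=1,
# the default). Hosts that are hardened to ignore redirects still work,
# they just keep hairpinning every ED-bound packet through this box.
```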
Re: FreeBSD router two DSL connections
I wonder if these routers are using FreeBSD: http://www.edimax.com/html/english/products/list-router.htm (2 WAN, 4 WAN, etc.). And I also wonder what happens if one WAN goes down, or if the WANs are of different speeds?

On 12/23/05, Ted Mittelstaedt [EMAIL PROTECTED] wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
>> Sent: Thursday, December 22, 2005 3:09 AM
>> To: freebsd-questions@freebsd.org
>> Subject: RE: FreeBSD router two DSL connections
>>
>>> Which is not redundant. Considering the OP asked for specifics on how to do this and your response has been a bunch of theoretical gobbledygook that is flat out wrong network theory, you haven't done anything to help the poor bastard.
>>
>> Hi,
>>
>> This is a pretty fiery debate. I have a question along the lines of this thread.
>>
>> I currently have a 1.5Mbit ADSL tail at the school that I work for. This tail connects to the Education Office, which hosts a variety of websites; we then get internet access through the Education Office. We currently also have 230 PCs, and the connection is slowing down significantly.
>>
>> What I planned on doing was purchasing a 20Mbit ADSL 2+ connection and setting up a FreeBSD router which forwards all internet traffic through the ADSL2+ connection, and the Education Office traffic would be forwarded through the existing connection.
>>
>> Is this feasible?
>
> The easiest way would be to purchase a DSL modem/router for use with the ADSL2 connection (or an ADSL2 modem coupled to an ethernet-to-ethernet DSL router). Set this up as a network address translator and plug it into your school network. (You can use FreeBSD for this if you want.)
>
> You will need to do a bit of exploring to find out the subnets that the ED office is using. For example, suppose the ED office has assigned IP subnet 10.0.10.0/24 to your school. Their existing DSL tail has an IP number of 10.0.10.1 on it. You have your PCs set up to use IP addresses 10.0.10.10 - 10.0.10.240 with a subnet mask of 255.255.255.0 and a gateway of 10.0.10.1.
>
> You do some queries with nslookup to find out all the IP addresses of the ED servers, and you find they are on subnets 10.0.12.x, 10.0.15.x, 192.168.4.x, etc.
>
> So, first thing you do is you set up your BSD system/DSL router/DSL modem as a translator, and set its internal interface IP address to 10.0.10.2. Then you add a bunch of static routes into it for the ED subnets you discovered, pointing those subnets to 10.0.10.1. Last, you set your PCs to use 10.0.10.2 as their default gateway.
>
> When the PCs send traffic to the Internet, the router sends that out the ADSL2 line. When the PCs send traffic to ED, the router issues an ICMP redirect that installs an ICMP route in the PCs that points to 10.0.10.1 for that host.
>
> Ted

--
Seek ye first the kingdom of God and all these things shall be added unto you.
Winelfred G. Pasamba
Adventist University of the Philippines
Computer Science Department, AUP Online Information System
Re: FreeBSD router two DSL connections
On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
> If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also. If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.

I strongly disagree. There are many reasons for this. Two of which are increased throughput and redundancy. The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection. If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to set up. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP or some kind of static route setup by the two ISPs. For an internet cafe, most connections will probably be outgoing so it won't be a problem.

I have done this with a Linux router and using Comcast Cable and SpiritOne DSL. We had all incoming connections use DSL and outgoing connections use either line. We balanced them by internal IP addresses, but there might be more sophisticated methods. I do not know what support FreeBSD has for this kind of routing though. At the very minimum, you could get redundancy for outgoing connections by switching the route to use the other line when the first one fails.

> Note that Steven's scenario below is for 2 circuits that both start at a single entity, and both end at a single entity.
>
> Ted
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yance Kowara
>> Sent: Sunday, December 11, 2005 7:03 PM
>> To: freebsd-questions@freebsd.org
>> Subject: FreeBSD router two DSL connections
>>
>> Hi all,
>>
>> I am trying to figure out if *BSD can achieve this: I have two DSL connections to play with, and I would like to configure a *BSD router that can combine the two DSLs together.
>>
>> There is a howto at http://stevenfettig.com/mythoughts/archives/000173.php but it concerns OpenBSD and it was for a T1 connection using a dual T1 card. I would like to configure one on 2 DSLs connected to two individual NICs.
>>
>> Is this feasible at all, or should I just invest in dual WAN hardware?
>>
>> Kind regards,
>> Yance

--
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to downtime. Downtime leads to suffering. NT is the path to the darkside. Powerful Unix is.
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA C415 6D35 E847 0118 A3D2
Re: FreeBSD router two DSL connections
--- Loren M. Lang [EMAIL PROTECTED] wrote:
> On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
>> If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also. If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.
>
> I strongly disagree. There are many reasons for this. Two of which are increased throughput and redundancy. The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection. If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to set up. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP or some kind of static route setup by the two ISPs. For an internet cafe, most connections will probably be outgoing so it won't be a problem.

That's not right at all, although in *some* cases it may be desirable. All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going. For efficiency's sake, you may argue that sending to the ISP that sent you the traffic will be a better path, but if one of your pipes is saturated and the other is running at 20% then it's likely more efficient to keep your pipes filled and send to either ISP. You can achieve this with per-packet load-balancing with Ciscos, or bit-balancing with a product like ETs for FreeBSD.

Unless your 2 ISPs are connected substantially differently (say if one is in Europe and one in the US), you'll do better keeping your pipes balanced, as YOU are the bottleneck, not the upstream, assuming you have quality upstream providers.

Danial
Re: FreeBSD router two DSL connections
--- Danial Thom [EMAIL PROTECTED] wrote:
> --- Loren M. Lang [EMAIL PROTECTED] wrote:
>> On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
>>> If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also. If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.
>>
>> I strongly disagree. There are many reasons for this. Two of which are increased throughput and redundancy. The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection. If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to set up. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP or some kind of static route setup by the two ISPs. For an internet cafe, most connections will probably be outgoing so it won't be a problem.
>
> That's not right at all, although in *some* cases it may be desirable. All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a connectionless network). They both can forward your traffic to wherever it's going. For efficiency's sake, you may argue that sending to the ISP that sent you the traffic will be a better path, but if one of your pipes is saturated and the other is running at 20% then it's likely more efficient to keep your pipes filled and send to either ISP. You can achieve this with per-packet load-balancing with Ciscos, or bit-balancing with a product like ETs for FreeBSD.
>
> Unless your 2 ISPs are connected substantially differently (say if one is in Europe and one in the US), you'll do better keeping your pipes balanced, as YOU are the bottleneck, not the upstream, assuming you have quality upstream providers.
>
> Danial

Another thought: if you are just an internet cafe, just send all of your requests on one pipe (whichever has the best peering), since the vast majority of your bandwidth is incoming. You don't need 2 pipes going out; you're only sending small packets, SYNs and ACKs for the most part. It greatly simplifies your situation.

DT
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: Loren M. Lang [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 21, 2005 9:47 AM
> To: Ted Mittelstaedt
> Cc: Yance Kowara; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
>> If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also. If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.
>
> I strongly disagree. There are many reasons for this. Two of which are increased throughput and redundancy.

If you have read this thread you will have already seen that you cannot get increased throughput this way. As I asked before, explain how a DSL line to SpiritOne running at 1MBit/sec and a Comcast cable connection running at 1MBit/sec will allow you to download the FreeBSD release ISO file at 2MBit/sec. This will be interesting. If you can't do it, which I will tell you that you can't, you have not increased throughput.

And as for redundancy, I already explained that while this setup increases redundancy, the redundancy must be manually done - monitored by a human, and switched over when needed - or it will not react to the most common redundancy problems.

> The primary problem is that you need to make sure outgoing data for a connection is using the same line as the incoming connection.

No, not at all. The primary problem is that the incoming data that is in response to the outgoing connection will come in on the same line that the outgoing connection used.

> If the majority to all connections are outgoing and both lines use NAT and have unique IP addresses, it's simpler to set up. If you have incoming connections as well, either only one of the two lines will be used or you'll need BGP

Explain how to run BGP with a DSL line to Spirit One and a cable line to Comcast.

> or some kind of static route setup by the two ISPs.

Rubbish. Explain how this would work. It won't.

> I have done this with a Linux router and using Comcast Cable and SpiritOne DSL. We had all incoming connections use DSL and outgoing connections use either line.

You used the dual-NAT package that was detailed earlier, which is the only one that can do that, is specific to Linux, and, as I explained before, also will not permit you to take a 1MB DSL line from one provider and a 1MB cable line from the cable company and download a FreeBSD ISO at 2MB. Thus it is not load-balancing because it does not actually use both lines for a connection.

> We balanced them by internal IP addresses,

You did not balance them, you had some of the inside IP numbers use one line, and others use the other line. This isn't load balancing.

> but there might be more sophisticated methods. I do not know what support FreeBSD has for this kind of routing though. At the very minimum, you could get redundancy for outgoing connections by switching the route to use the other line when the first one fails.

Which is not redundant.

Considering the OP asked for specifics on how to do this and your response has been a bunch of theoretical gobbledygook that is flat out wrong network theory, you haven't done anything to help the poor bastard.

Ted
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yance Kowara
> Sent: Monday, December 12, 2005 6:47 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> Hmm, what about putting zebra into the picture ... a solution or chaos?

What feature in Zebra exactly do you think will help in this scenario?

Ted

> I am just crawling in the dark here...

Please, this is like trying to learn how to do open heart surgery via e-mail. It is somewhat insulting that you think that network administrators have such boneheaded jobs that you could actually learn networking fundamentals from posts on a mailing list. Please, do yourself a favor and spend the next 3-6 months immersed in a number of networking and routing fundamentals books.

> If the upstream packets can be sent through a supposedly working load-balancing FreeBSD router,

You can't load balance in this way, there is no such thing as a working FreeBSD router in this kind of configuration.

> it will only handle upstream packets.., i.e. the router may be able to balance the upstream packets...

No, it cannot - because it is still sourcing them from two different IP addresses.

> Now, who's going to handle the routing and balancing the downstream packet? Would Zebra have such a feature?

Are both ISPs running Zebra?

> I am sorry if it makes not much sense.

You need to learn about networking fundamentals, your understanding of how networking operates is simply incorrect, that is why it's not making sense. Actually the funny thing is that I understand what you're asking, probably better than you do. And I keep telling you that it's impossible and why, and you are not grokking the answers I'm giving you. I just cannot make it any more basic as to why this will not work.

> I am just trying to figure out what I can do to optimise two ADSL uplinks.

Internet cafes are not known for generating large amounts of upstream traffic. I doubt that upstream traffic is bottlenecked.

> If there are other things I can do to optimise it, please give me some pointers.

Read some books on networking before trying to play network administrator, please.

Ted
Re: FreeBSD router two DSL connections
Ted,

Thanks for checking on me. I've been only two days with pfSense, about 5 days with FreeBSD, and about 1.5 weeks with OpenBSD. However, I would like to point out that I did not use, or did not know how to use, or have not found the load balancing feature in the pfSense web interface. I also don't know if the load balancing mentioned in the docs is the same that I used. I was happy with pfSense because of the Packet Filter port to FreeBSD. I've been using Packet Filter on OpenBSD to load balance traffic to the same ISP with two lines. So far it looks like OpenBSD's Packet Filter's packet round-robin'ing is working nicely with FreeBSD.

On 12/13/05, Ted Mittelstaedt [EMAIL PROTECTED] wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Winelfred G. Pasamba
>> Sent: Monday, December 12, 2005 8:26 AM
>> To: Yance Kowara
>> Cc: freebsd-questions@freebsd.org
>> Subject: Re: FreeBSD router two DSL connections
>>
>> I use pfSense (www.pfsense.com). pfSense is an open source firewall derived from the m0n0wall operating system platform with radically different goals such as using Packet Filter, FreeBSD 6.X (or DragonFly BSD when ALTQ and CARP is finished), ALTQ for excellent packet queueing and finally an integrated package management system for extending the environment with new features.
>>
>> Then I edit /etc/pf.conf and paste the OpenBSD pf tutorial for load balancing outgoing traffic (http://www.openbsd.org/faq/pf/pools.html#outexample), then I pfctl -f /etc/pf.conf and watch the traffic on both WAN interfaces.
>
> Sigh. THIS IS NOT LOAD BALANCING. PLEASE QUIT BEING SLOPPY WITH YOUR NETWORKING TERMS.
>
> I refer you to the pfsense website itself: http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en
>
> "Load balancing is on per connection basis, not a bandwidth basis. All packets in a given flow will go over only one link."
>
> In other words, they are redefining the term load balancing into something that is not understood by any previously accepted definition of load balancing, so that people like you can think you're getting something for nothing.
>
> Once more - FTP to a remote site with your dual DSL links. Copy a FreeBSD ISO file to there. Watch as the upload speed IS NO FASTER THAN ONE OF THE LINKS.
>
> Load balancing is accomplished with multilink PPP and that is in FreeBSD, I have run it before over dual modem links and it works great. But the links must terminate at the same ISP.
>
> Ted

--
Seek ye first the kingdom of God and all these things shall be added unto you.
Winelfred G. Pasamba
Adventist University of the Philippines
Computer Science Department, AUP Online Information System
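The per-connection distribution Winelfred pasted from the OpenBSD pools FAQ, written out as an added pf.conf example (FreeBSD 6-era pf syntax, not Winelfred's or pfSense's configuration). Interface names, LAN prefix and the two gateway addresses are assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges. The comments mark the two points the thread argues over: a flow is pinned to one line once its state exists, and each line needs its own NAT plus a rule forcing its address back out its own interface so replies stay symmetric.

```conf
# /etc/pf.conf -- constructed example, two WAN lines to two different ISPs
lan_if  = "dc0"
lan_net = "192.168.0.0/24"
wan1_if = "fxp0"
wan1_gw = "203.0.113.1"     # assumed: first ISP's gateway
wan2_if = "fxp1"
wan2_gw = "198.51.100.1"    # assumed: second ISP's gateway

# One NAT per line. A flow leaves with the source address of whichever
# line it was sent out on, so the remote end's replies can only come back
# on that same line; there is nothing here that merges the two lines.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

block in all
block out all

pass out on $lan_if from any to $lan_net keep state
pass in quick on $lan_if from $lan_net to $lan_if keep state

# New TCP connections from the LAN are handed to the two lines in turn.
# The choice is made once, when the state is created on the SYN; every
# later packet of that flow follows the same line. Many flows spread over
# both lines, but a single download never exceeds one line's rate.
pass in on $lan_if route-to \
    { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# UDP and ICMP get the same treatment per state entry.
pass in on $lan_if route-to \
    { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

pass out on $wan1_if from any to any keep state
pass out on $wan2_if from any to any keep state

# The kernel's default route points at only one of the lines. Without these
# two rules, packets carrying the other line's address would leave through
# the wrong interface and be dropped upstream (or answered on the wrong
# line). Send each line's own address back out its own interface.
pass out on $wan1_if route-to ($wan2_if $wan2_gw) from $wan2_if to any
pass out on $wan2_if route-to ($wan1_if $wan1_gw) from $wan1_if to any
```

Reload with pfctl -f /etc/pf.conf as in the post; pfctl -ss then shows each state bound to one of the two WAN addresses, which is the visible form of the per-connection pinning Ted describes.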
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ted Mittelstaedt
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Winelfred G. Pasamba
>> Sent: Monday, December 12, 2005 8:26 AM
>> To: Yance Kowara
>> Cc: freebsd-questions@freebsd.org
>> Subject: Re: FreeBSD router two DSL connections
>>
>> I use pfSense (www.pfsense.com)
>
> Sigh. THIS IS NOT LOAD BALANCING. PLEASE QUIT BEING SLOPPY WITH YOUR NETWORKING TERMS.
>
> I refer you to the pfsense website itself: http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en
>
> "Load balancing is on per connection basis, not a bandwidth basis. All packets in a given flow will go over only one link."
>
> In other words, they are redefining the term load balancing into something that is not understood by any previously accepted definition of load balancing, so that people like you can think you're getting something for nothing.
>
> Once more - FTP to a remote site with your dual DSL links. Copy a FreeBSD ISO file to there. Watch as the upload speed IS NO FASTER THAN ONE OF THE LINKS.
>
> Ted

I just looked at the pfsense site, and for an Internet Café, it looks promising. Two DSL lines to different ISPs does give a small amount of redundancy. Whether you use two routers or pfsense, you get some sort of load sharing but not load balancing.

A more appropriate performance test for an Internet Café would be: Take a dozen PCs, each to transfer a FreeBSD 6.0R ISO file from a dozen different mirror sites. Start them at the same time and see how long all of the transfers take. You can test one DSL connection at N kbps and two DSL connections both at N kbps. You'll undoubtedly see the effect of load sharing if the dozen PCs are more or less evenly divided over the two DSL lines.

The redundancy isn't great, and you will pay for it. Namely, two N kbps connections will cost you more than one 2N connection. If you ran my benchmark on a 2N connection you might actually see an improvement over two N kbps connections due to its inherent load balancing. In any case, with a single (or a small number) of users (Ted's benchmark test) you would definitely see an improvement over two N kbps connections.

Now the question: is a faster AND cheaper 2N connection a better setup than two N kbps connections for our fabled Internet Café? I'd personally go with the 2N connection. Almost all the time it would be better. Most large ISPs, for a little more money of course, will give you a faster response time on repairs. The ISP might even provide a bank of modems and you could implement multilink PPP as your backup.

Regarding a combination of DSL and cable, that would be where pfsense may shine. This combo would definitely give a little better redundancy than two DSL connections to two ISPs because the cable comes into your building differently than the DSL/phone lines. A backhoe would have less chance of taking both out. Honestly, I still think a 2N connection would be better.

-gayn
Bristol Systems Inc.
714/532-6776
www.bristolsystems.com
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gayn Winters
> Sent: Tuesday, December 13, 2005 7:49 AM
> To: 'Ted Mittelstaedt'; 'Winelfred G. Pasamba'; 'Yance Kowara'
> Cc: freebsd-questions@freebsd.org
> Subject: RE: FreeBSD router two DSL connections
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ted Mittelstaedt
>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Winelfred G. Pasamba
>>> Sent: Monday, December 12, 2005 8:26 AM
>>> To: Yance Kowara
>>> Cc: freebsd-questions@freebsd.org
>>> Subject: Re: FreeBSD router two DSL connections
>>>
>>> I use pfSense (www.pfsense.com)
>>
>> Sigh. THIS IS NOT LOAD BALANCING. PLEASE QUIT BEING SLOPPY WITH YOUR NETWORKING TERMS.
>>
>> I refer you to the pfsense website itself: http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en
>>
>> "Load balancing is on per connection basis, not a bandwidth basis. All packets in a given flow will go over only one link."
>>
>> In other words, they are redefining the term load balancing into something that is not understood by any previously accepted definition of load balancing, so that people like you can think you're getting something for nothing.
>>
>> Once more - FTP to a remote site with your dual DSL links. Copy a FreeBSD ISO file to there. Watch as the upload speed IS NO FASTER THAN ONE OF THE LINKS.
>>
>> Ted
>
> I just looked at the pfsense site, and for an Internet Café, it looks promising. Two DSL lines to different ISPs does give a small amount of redundancy. Whether you use two routers or pfsense, you get some sort of load sharing but not load balancing.
>
> A more appropriate performance test for an Internet Café would be: Take a dozen PCs, each to transfer a FreeBSD 6.0R ISO file from a dozen different mirror sites. Start them at the same time and see how long all of the transfers take. You can test one DSL connection at N kbps and two DSL connections both at N kbps. You'll undoubtedly see the effect of load sharing if the dozen PCs are more or less evenly divided over the two DSL lines.
>
> The redundancy isn't great, and you will pay for it. Namely, two N kbps connections will cost you more than one 2N connection. If you ran my benchmark on a 2N connection you might actually see an improvement over two N kbps connections due to its inherent load balancing. In any case, with a single (or a small number) of users (Ted's benchmark test) you would definitely see an improvement over two N kbps connections.
>
> Now the question: is a faster AND cheaper 2N connection a better setup than two N kbps connections for our fabled Internet Café?

NO. As I pointed out, the MOST COMMON failure mode on DSL is SLOWNESS not DISCONNECTS. If you have a 2N connection and one of the DSL modems starts going gunnysack, you are really going to have to know your stuff to be able to detect this and fix it. If the modem picks 9:35pm at night to do this, or some other inconvenient time, like seems to be the normal time for failures to happen, I guarantee you're not going to get anyone at the ISP who knows shit from shinola to help you, and you're going to be spinning your wheels.

For the fabled Internet Cafe, really and truly and honestly, the crude solution that the previous owner worked out is the best - it is easy for relatively unsophisticated people (such as the minimum wage high school student you hired to watch the place after school) to troubleshoot, it is easy to get assistance from the ISP on the failed leg, since the configuration is very basic and standard, and it is dirt cheap.

I realize the temptation to mess with a running setup is strong, and the temptation to change around something you buy so as to put your own stamp on it is even stronger. But it is a great way to have terrible monsters come storming out of the closet that the existing config was developed to work around.

> I'd personally go with the 2N connection. Almost all the time it would be better. Most large ISPs, for a little more money of course, will give you a faster response time on repairs. The ISP might even provide a bank of modems and you could implement multilink PPP as your backup.

2N is great if you need to ship large data items around and your site is way far away from the DSLAM. But it is more complex and so you need to be using it when the big guns both at the ISP and the organization are not in bed - meaning 9-5 - so that if problems happen they are available to get them solved. Think office environments for this.

Ted
RE: FreeBSD router two DSL connections
Ted,

Thanks for the advice. A friend of mine has just acquired an Internet Cafe. The previous owner connected the LAN to 2 different ADSL lines (two different ISPs); one is a backup, he said. So, two ADSL routers with half the LAN connected to one router and the other half to the other router. I am just thinking of a way to optimise the connection and came across Steven's article. I thought I could do something similar with *BSD + pf.

There is such a thing as a Dual WAN ADSL router: http://www.infosmart.com.tw/p-ndr3024.htm However, they are quite pricey compared to setting up a *BSD box (using old readily available hardware).

So, if this load balancing idea does not work, is there any other thing I can do to optimise two DSLs? I also came across this (Linux way): http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html Is this worth trying?

Kind regards,
Yance Kowara

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:
> If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also. If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.
>
> Note that Steven's scenario below is for 2 circuits that both start at a single entity, and both end at a single entity.
>
> Ted
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yance Kowara
>> Sent: Sunday, December 11, 2005 7:03 PM
>> To: freebsd-questions@freebsd.org
>> Subject: FreeBSD router two DSL connections
>>
>> Hi all,
>>
>> I am trying to figure out if *BSD can achieve this: I have two DSL connections to play with, and I would like to configure a *BSD router that can combine the two DSLs together.
>>
>> There is a howto at http://stevenfettig.com/mythoughts/archives/000173.php but it concerns OpenBSD and it was for a T1 connection using a dual T1 card. I would like to configure one on 2 DSLs connected to two individual NICs.
>>
>> Is this feasible at all, or should I just invest in dual WAN hardware?
>>
>> Kind regards,
>> Yance
Re: FreeBSD router two DSL connections
On Dec 12, 2005, at 2:05 AM, Yance Kowara wrote:

> Ted,
>
> Thanks for the advice. A friend of mine has just acquired an Internet Cafe. The previous owner connected the LAN to 2 different ADSL (two different ISPs); one is a backup, he said. So, two ADSL routers with half the LAN connected to one router and the other half to the other router.
>
> I am just thinking of a way to optimise the connection and came across Steven's article. I thought I could do something similar with *BSD + pf.
>
> There is such a thing as a Dual WAN ADSL router: http://www.infosmart.com.tw/p-ndr3024.htm
> However, they are quite pricey compared to setting up a *BSD box (using old, readily available hardware).
>
> So, if this load balancing idea does not work, is there any other thing I can do to optimise two DSLs?
>
> I also came across this (Linux way): http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
> Is this worth trying?
>
> Kind regards,

Yance,

The reason, without a pretty heavily involved configuration, this won't work is packet routing. Unless you're using BGP, Border Gateway Protocol, you're not going to reliably route return packets to any interface other than the interface it was transmitted from. I'm guessing that the dual-WAN device you speak of handles some things differently. Something like a large file download is going to fail to utilize the full bandwidth, however, because of the nature of the traffic.

If you really need to boost network bandwidth, you're going to be forced into either working directly with an ISP to link multiple DSL channels, or, more likely, obtain business-class service over a T1/T3 setup.

HTH
-
Eric F Crist
Secure Computing Networks
http://www.secure-computing.net
Re: FreeBSD router two DSL connections
--- Eric F Crist [EMAIL PROTECTED] wrote:

> On Dec 12, 2005, at 2:05 AM, Yance Kowara wrote:
>
> > Ted,
> >
> > Thanks for the advice. A friend of mine has just acquired an Internet Cafe. The previous owner connected the LAN to 2 different ADSL (two different ISPs); one is a backup, he said. So, two ADSL routers with half the LAN connected to one router and the other half to the other router.
> >
> > I am just thinking of a way to optimise the connection and came across Steven's article. I thought I could do something similar with *BSD + pf.
> >
> > There is such a thing as a Dual WAN ADSL router: http://www.infosmart.com.tw/p-ndr3024.htm
> > However, they are quite pricey compared to setting up a *BSD box (using old, readily available hardware).
> >
> > So, if this load balancing idea does not work, is there any other thing I can do to optimise two DSLs?
> >
> > I also came across this (Linux way): http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
> > Is this worth trying?
> >
> > Kind regards,
>
> Yance,
>
> The reason, without a pretty heavily involved configuration, this won't work is packet routing. Unless you're using BGP, Border Gateway Protocol, you're not going to reliably route return packets to any interface other than the interface it was transmitted from. I'm guessing that the dual-WAN device you speak of handles some things differently. Something like a large file download is going to fail to utilize the full bandwidth, however, because of the nature of the traffic.
>
> If you really need to boost network bandwidth, you're going to be forced into either working directly with an ISP to link multiple DSL channels, or, more likely, obtain business-class service over a T1/T3 setup.
>
> HTH
> -
> Eric F Crist
> Secure Computing Networks
> http://www.secure-computing.net

Hmm, what about putting zebra into the picture ... a solution or chaos?

Regards,
Yance
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: Yance Kowara [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 11, 2005 11:57 PM
> To: Ted Mittelstaedt
> Subject: RE: FreeBSD router two DSL connections
>
> Ted,
>
> Thanks for the advice. A friend of mine has just acquired an Internet Cafe. The previous owner connected the LAN to 2 different ADSL (two different ISPs); one is a backup, he said. So, two ADSL routers with half the LAN connected to one router and the other half to the other router.

Most likely the trick used was to set up 2 independent routers, one on each DSL line, and set half of the machines to use one router as their default gateway, and half of the systems to use the other. If they really did use separate physical networks that is a dumb idea, because you now have problems copying update files and such in between systems in the Cafe.

It is a very crude form of redundancy but this is NOT a load-sharing scenario. Keep in mind the real need of an Internet Cafe is redundancy, not bandwidth, so although crude, this solution is one of the few solutions that is available on a shoestring that is really effective.

> I am just thinking of a way to optimise the connection and came across Steven's article. I thought I could do something similar with *BSD + pf.
>
> There is such a thing as a Dual WAN ADSL router: http://www.infosmart.com.tw/p-ndr3024.htm

And they do NOT work to combine bandwidth. What these devices do is they split the NAT translation table and whichever DSL line is unused gets the next translation slot allocated. However the restriction is each translation slot still only gets the bandwidth available for that DSL line. Thus if you're web-surfing and 1 DSL line is busy, you get shunted to the next, but you cannot get the bandwidth available from both lines at the same time, on the same PC.

Now, if you happened to open 2 separate FTP sessions on your PC, and if the load-sharer was sophisticated enough, it might be able to put 1 session on 1 DSL line, and the other on the other. But each session is still limited to the top speed of the DSL line. To the uninitiated, however, that might APPEAR to work as a bandwidth load balancer. The challenge I have always posed to the proponents of this trick was to post results of downloading the latest FreeBSD iso file that show they got the iso file in half the time. Never been met, of course.

These devices also have a lot of trouble detecting when one of the DSL lines is having a problem. For example you could have 1 DSL line going very, very slow; the router thinks that circuit is still up because all it can do is decide if a DSL line is up or not - but traffic going through this is dog-slow. If for example one of those Internet Cafe PCs got infected with a mass-mailing virus, it would cause exactly that scenario. Would you rather have 1/2 of the PCs in the Internet cafe that are using the slow DSL line as their default gateway just get dog-slow, and the other 1/2 continue to work normally, or would you rather have every single PC in the Cafe become intermittently slow when one of the DSL lines gets slow?

> However, they are quite pricey compared to setting up a *BSD box (using old, readily available hardware).

The NAT software in FreeBSD (and indeed, in any UNIX OS) does not have the notion of separate route tables and cannot do this. In fact, just about all Cisco or other high-end routers cannot deal with multiple, independent route tables in the same box.

> So, if this load balancing idea does not work, is there any other thing I can do to optimise two DSLs?
>
> I also came across this (Linux way): http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
> Is this worth trying?

It is the same issue - would you rather have half the PCs in the Cafe get slow if there's a problem, or all of them become intermittently slow?

I know about that Linux howto. It came about a few years or so ago when the bozo that wrote it, who had no understanding of networking, posted exactly the same question you posted on one of the major networking mailing lists, and when he was told it wasn't possible, he got so pissed off he was going to show those uppity mucks that he knew better than they did. The result is a scheme that appeared to work enough to satisfy this guy's ego; he never of course has posted any followup as to how well it works when presented with the kinds of failure scenarios (fiber-seeking backhoe, etc.) that are common in real life.

It's easier for the proctor of the Internet Cafe to simply tell the customer if one PC is acting up to go to another one that isn't.

Also keep in mind that unless both DSL lines are coming in on completely separate wiring plants, you really don't have true redundancy. If you're going to do this on the cheap, it would be more effective to use 1 DSL line for some of the machines, and a cable modem for the other.

Like the other guy said, if your friend wants more bandwidth, buy a business-class DSL line for more money
Re: FreeBSD router two DSL connections
I use pfSense (www.pfsense.com)

pfSense is an open source firewall derived from the m0n0wall operating system platform with radically different goals such as using Packet Filter, FreeBSD 6.X (or DragonFly BSD when ALTQ and CARP is finished), ALTQ for excellent packet queueing and finally an integrated package management system for extending the environment with new features.

then I edit /etc/pf.conf and paste the openbsd pf tutorial for load balancing outgoing traffic (http://www.openbsd.org/faq/pf/pools.html#outexample)

then I pfctl -f /etc/pf.conf and watch the traffic on both WAN interfaces

On 12/12/05, Yance Kowara [EMAIL PROTECTED] wrote:

> Hi all,
>
> I am trying to figure out if *BSD can achieve this: I have two DSL connections to play with, and I would like to configure a *BSD router that can combine the two DSLs together.
>
> There is a howto at http://stevenfettig.com/mythoughts/archives/000173.php
> But it concerns OpenBSD and it was for a T1 connection using a dual T1 card.
>
> I would like to configure one on 2 DSLs connected to two individual NICs. Is this feasible at all, or should I just invest in dual WAN hardware?
>
> Kind regards,
> Yance

--
Seek ye first the kingdom of God and all these things shall be added unto you.

Winelfred G. Pasamba
Adventist University of the Philippines
Computer Science Department, AUP Online Information System
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yance Kowara
> Sent: Monday, December 12, 2005 4:33 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> --- Eric F Crist [EMAIL PROTECTED] wrote:
>
> > On Dec 12, 2005, at 2:05 AM, Yance Kowara wrote:
> >
> > > Ted,
> > >
> > > Thanks for the advice. A friend of mine has just acquired an Internet Cafe. The previous owner connected the LAN to 2 different ADSL (two different ISPs); one is a backup, he said. So, two ADSL routers with half the LAN connected to one router and the other half to the other router.
> > >
> > > I am just thinking of a way to optimise the connection and came across Steven's article. I thought I could do something similar with *BSD + pf.
> > >
> > > There is such a thing as a Dual WAN ADSL router: http://www.infosmart.com.tw/p-ndr3024.htm
> > > However, they are quite pricey compared to setting up a *BSD box (using old, readily available hardware).
> > >
> > > So, if this load balancing idea does not work, is there any other thing I can do to optimise two DSLs?
> > >
> > > I also came across this (Linux way): http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
> > > Is this worth trying?
> > >
> > > Kind regards,
> >
> > Yance,
> >
> > The reason, without a pretty heavily involved configuration, this won't work is packet routing. Unless you're using BGP, Border Gateway Protocol, you're not going to reliably route return packets to any interface other than the interface it was transmitted from. I'm guessing that the dual-WAN device you speak of handles some things differently. Something like a large file download is going to fail to utilize the full bandwidth, however, because of the nature of the traffic.
> >
> > If you really need to boost network bandwidth, you're going to be forced into either working directly with an ISP to link multiple DSL channels, or, more likely, obtain business-class service over a T1/T3 setup.
> >
> > HTH
> > -
> > Eric F Crist
> > Secure Computing Networks
> > http://www.secure-computing.net
>
> Hmm, what about putting zebra into the picture ... a solution or chaos?

What feature in Zebra exactly do you think will help in this scenario?

Ted
Re: FreeBSD router two DSL connections
Ted Mittelstaedt wrote:

> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yance Kowara
> > Sent: Monday, December 12, 2005 4:33 AM
> > To: freebsd-questions@freebsd.org
> > Subject: Re: FreeBSD router two DSL connections
> >
> > --- Eric F Crist [EMAIL PROTECTED] wrote:
> >
> > > On Dec 12, 2005, at 2:05 AM, Yance Kowara wrote:
> > >
> > > > Ted,
> > > >
> > > > Thanks for the advice. A friend of mine has just acquired an Internet Cafe. The previous owner connected the LAN to 2 different ADSL (two different ISPs); one is a backup, he said. So, two ADSL routers with half the LAN connected to one router and the other half to the other router.
> > > >
> > > > I am just thinking of a way to optimise the connection and came across Steven's article. I thought I could do something similar with *BSD + pf.
> > > >
> > > > There is such a thing as a Dual WAN ADSL router: http://www.infosmart.com.tw/p-ndr3024.htm
> > > > However, they are quite pricey compared to setting up a *BSD box (using old, readily available hardware).
> > > >
> > > > So, if this load balancing idea does not work, is there any other thing I can do to optimise two DSLs?
> > > >
> > > > I also came across this (Linux way): http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
> > > > Is this worth trying?
> > > >
> > > > Kind regards,
> > >
> > > Yance,
> > >
> > > The reason, without a pretty heavily involved configuration, this won't work is packet routing. Unless you're using BGP, Border Gateway Protocol, you're not going to reliably route return packets to any interface other than the interface it was transmitted from. I'm guessing that the dual-WAN device you speak of handles some things differently. Something like a large file download is going to fail to utilize the full bandwidth, however, because of the nature of the traffic.
> > >
> > > If you really need to boost network bandwidth, you're going to be forced into either working directly with an ISP to link multiple DSL channels, or, more likely, obtain business-class service over a T1/T3 setup.
> > >
> > > HTH
> > > -
> > > Eric F Crist
> > > Secure Computing Networks
> > > http://www.secure-computing.net
> >
> > Hmm, what about putting zebra into the picture ... a solution or chaos?
>
> What feature in Zebra exactly do you think will help in this scenario?
>
> Ted

You could, if the purpose is to combine bandwidth across multiple DSL links, use multi-link PPP, afaik - the only way to do so is through mpd (/usr/ports/net/mpd) ... not catch the whole thread, so feel free to correct me if wrong, mpd should work for you.

--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate Tool Ltd.
http://www.wmptl.com/
Re: FreeBSD router two DSL connections
> > Hmm, what about putting zebra into the picture ... a solution or chaos?
>
> What feature in Zebra exactly do you think will help in this scenario?
>
> Ted

I am just crawling in the dark here... If the upstream packets can be sent through a supposedly working load-balancing FreeBSD router, it will only handle upstream packets..., i.e. the router may be able to balance the upstream packets... Now, who's going to handle the routing and balancing of the downstream packets? Would Zebra have such a feature?

I am sorry if it makes not much sense. I am just trying to figure out what I can do to optimise two ADSL uplinks. If there are other things I can do to optimise it, please give me some pointers.

Regards,
Yance
Re: FreeBSD router two DSL connections
This is for an internet cafe, right? Not a mission-critical system? Yes, I realize your mission is providing internet, but...

Buy two DSL feeds, and two WAPs. Put one WAP on each feed. Set them to different SSIDs and different RF channels. Then the wi-fi clients will associate with one or the other, hopefully on a 50/50 basis, or perhaps geographically distributed in proportion to how far (or how line-of-sight) they are from either WAP. If one WAP fails, odds are good that clients will still be in radio range of the other.

So there you go, redundant fail-over in case one feed goes down. For a $1.75 cup of Americano, that's about the most your customers will have reason to expect.
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Winelfred G. Pasamba
> Sent: Monday, December 12, 2005 8:26 AM
> To: Yance Kowara
> Cc: freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> I use pfSense (www.pfsense.com)
>
> pfSense is an open source firewall derived from the m0n0wall operating system platform with radically different goals such as using Packet Filter, FreeBSD 6.X (or DragonFly BSD when ALTQ and CARP is finished), ALTQ for excellent packet queueing and finally an integrated package management system for extending the environment with new features.
>
> then I edit /etc/pf.conf and paste the openbsd pf tutorial for load balancing outgoing traffic (http://www.openbsd.org/faq/pf/pools.html#outexample)
>
> then I pfctl -f /etc/pf.conf and watch the traffic on both WAN interfaces

Sigh.

THIS IS NOT LOAD BALANCING

PLEASE QUIT BEING SLOPPY WITH YOUR NETWORKING TERMS

I refer you to the pfsense website itself:

http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en

Load balancing is on per connection basis, not a bandwidth basis. All packets in a given flow will go over only one link.

In other words, they are redefining the term load balancing into something that is not understood by any previously accepted definition of load balancing, so that people like you can think you're getting something for nothing.

Once more - FTP to a remote site with your dual DSL links. Copy a FreeBSD ISO file to there. Watch as the upload speed IS NO FASTER THAN ONE OF THE LINKS.

Load balancing is accomplished with multilink PPP and that is in FreeBSD, I have run it before over dual modem links and it works great. But the links must terminate at the same ISP.

Ted
RE: FreeBSD router two DSL connections
> -----Original Message-----
> From: Nathan Vidican [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 12, 2005 11:08 AM
> To: Ted Mittelstaedt
> Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> You could, if the purpose is to combine bandwidth across multiple DSL links, use multi-link PPP, afaik - the only way to do so is through mpd (/usr/ports/net/mpd) ... not catch the whole thread, so feel free to correct me if wrong, mpd should work for you.

It works great when both links go to the same ISP, which in this case they are not. Undoubtedly the OP wants to avoid spending money for better circuits, and undoubtedly any ISP willing to run multiple DSL links to the customer would charge more money. (The ISP I work at would be one such willing ISP, and we definitely would charge more)

Ted
FreeBSD router two DSL connections
Hi all,

I am trying to figure out if *BSD can achieve this: I have two DSL connections to play with, and I would like to configure a *BSD router that can combine the two DSLs together.

There is a howto at http://stevenfettig.com/mythoughts/archives/000173.php
But it concerns OpenBSD and it was for a T1 connection using a dual T1 card.

I would like to configure one on 2 DSLs connected to two individual NICs. Is this feasible at all, or should I just invest in dual WAN hardware?

Kind regards,
Yance
RE: FreeBSD router two DSL connections
If both DSL lines go to the same ISP it is easy, run PPP on them and set up multilink PPP. The ISP has to do so also.

If they are going to different ISPs then you cannot do it with any operating system or device save BGP - the idea is completely -stupid- to put it simply. If you think different, then explain why and I'll shoot every networking scenario you present so full of holes you will think it's swiss cheese. And if you think you're going to run BGP I'll shoot that full of holes also.

Note that Steven's scenario below is for 2 circuits that both start at a single entity, and both end at a single entity.

Ted

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yance Kowara
> Sent: Sunday, December 11, 2005 7:03 PM
> To: freebsd-questions@freebsd.org
> Subject: FreeBSD router two DSL connections
>
> Hi all,
>
> I am trying to figure out if *BSD can achieve this: I have two DSL connections to play with, and I would like to configure a *BSD router that can combine the two DSLs together.
>
> There is a howto at http://stevenfettig.com/mythoughts/archives/000173.php
> But it concerns OpenBSD and it was for a T1 connection using a dual T1 card.
>
> I would like to configure one on 2 DSLs connected to two individual NICs. Is this feasible at all, or should I just invest in dual WAN hardware?
>
> Kind regards,
> Yance
RE: freebsd router
> -----Original Message-----
> From: ann kok [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 05, 2004 9:29 PM
> To: [EMAIL PROTECTED]
> Subject: freebsd router
>
> Hello
>
> I am running zebra in freebsd 5.2 as a router.
>
> Can you teach me how to optimize the box to be a designated router only? I don't need to run any applications.
>
> And which command can I use to monitor the box performance and the network also?

the top command will give you performance information. For real time network monitoring try iftop and trafshow in ports

Michael Clark
Nemschoff Chairs Inc
mclark at nemschoff dot com
CompTIA A+, Network+, Server+, MCP
Voice: (920) 457 7726 x294
Fax: (920) 453 6594
freebsd router
Hello

I am running zebra in freebsd 5.2 as a router.

Can you teach me how to optimize the box to be a designated router only? I don't need to run any applications.

And which command can I use to monitor the box performance and the network also?

Thank you for your help
2 ISP on one FreeBSD router
Hi.

Right now we have one ISP; our servers that use IPs from this ISP are running several services (dns, www, databases, mta etc). We want to increase the stability of our network access by obtaining a backup internet connection from another ISP.

My question is: Is there a way to configure FreeBSD so the NATed workstations will use two ISPs at once and, in case of one ISP failure, the whole traffic will be put on one connection?
Re: 2 ISP on one FreeBSD router
Piotr Gnyp wrote:

> My question is: Is there a way to configure FreeBSD so the NATed workstations will use two ISPs at once and, in case of one ISP failure, the whole traffic will be put on one connection?

Sure, that's a standard multihoming scenario. Get an AS number (www.arin.net) and set up BGP peering with your ISPs.

--
-Chuck
Re: 2 ISP on one FreeBSD router
On Tue, May 25, 2004 at 12:44:04PM -0400, Chuck Swiger wrote:

> Piotr Gnyp wrote:
>
> > My question is: Is there a way to configure FreeBSD so the NATed workstations will use two ISPs at once and, in case of one ISP failure, the whole traffic will be put on one connection?
>
> Sure, that's a standard multihoming scenario. Get an AS number (www.arin.net) and set up BGP peering with your ISPs.

That's a good answer, but not for this particular question.

Piotr, if your FreeBSD router has an Ethernet interface bound to the IP assigned by each ISP, then the easiest way to transfer your NAT from one ISP to the other is probably simply to kill the existing natd and re-run it with a different -n option. This *will* have the effect of taking down your NAT for the transition period -- this is unavoidable.

You could achieve the transition with a simple shell script that would ping the active connection, and if it fails, `killall natd`, wait for the process to die, and re-launch with the different command line opts. The exact mechanics are left as an exercise for the reader. Or the consultant he hires. ;)

p

--
Paul Chvostek [EMAIL PROTECTED]
Operations / Abuse / Whatever
it.canada, hosting and development http://www.it.ca/
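The probe-and-relaunch loop Paul sketches, written out as an added example (it is not code from the thread or from FreeBSD). Interface names, gateways and probe hosts are placeholder assumptions, natd and its ipfw divert rule are assumed to be configured already as in rc.conf, and the script also moves the default route and pins each probe to its own uplink, two details the post leaves implicit.

```shell
#!/bin/sh
# Added example: natd failover between two ISPs, as sketched in the post above.
# Not code from the thread or from FreeBSD. The values below are assumptions
# for illustration (RFC 5737 documentation addresses):
#   ISP A: interface rl0, gateway 192.0.2.1,    probe host 203.0.113.10
#   ISP B: interface rl1, gateway 198.51.100.1, probe host 203.0.113.20
# natd_enable and the ipfw divert rule are assumed to be set up in rc.conf;
# this script only decides which uplink natd aliases to and moves it. It is
# failover, not bandwidth combining: one link carries everything at a time.

ISP_A_IF="rl0"; ISP_A_GW="192.0.2.1";    ISP_A_PROBE="203.0.113.10"
ISP_B_IF="rl1"; ISP_B_GW="198.51.100.1"; ISP_B_PROBE="203.0.113.20"
INTERVAL="${INTERVAL:-10}"                # seconds between health checks
PROBE_CMD="${PROBE_CMD:-ping -c 1 -t 2}"  # FreeBSD ping(8): -t is the timeout

# Pin each probe host to its own uplink, so a probe really tests that ISP
# rather than whichever link currently holds the default route.
setup_probe_routes() {
    route add -host "$ISP_A_PROBE" "$ISP_A_GW" >/dev/null 2>&1 || true
    route add -host "$ISP_B_PROBE" "$ISP_B_GW" >/dev/null 2>&1 || true
}

# probe_ok HOST: exit 0 if one echo request is answered.
probe_ok() {
    $PROBE_CMD "$1" >/dev/null 2>&1
}

# choose_isp CURRENT_IF A_UP B_UP: print the interface natd should be on.
# Pure decision logic: stay on the current link while it is healthy (so a
# blip on the other link never causes a needless NAT restart), move only
# when the current link fails and the other answers, and stay put when both
# are down since there is nothing better to switch to.
choose_isp() {
    cur="$1"; a_up="$2"; b_up="$3"
    if [ "$cur" = "$ISP_A_IF" ] && [ "$a_up" = 1 ]; then
        echo "$ISP_A_IF"
    elif [ "$cur" = "$ISP_B_IF" ] && [ "$b_up" = 1 ]; then
        echo "$ISP_B_IF"
    elif [ "$a_up" = 1 ]; then
        echo "$ISP_A_IF"
    elif [ "$b_up" = 1 ]; then
        echo "$ISP_B_IF"
    else
        echo "$cur"
    fi
}

# gateway_for IF: print the gateway that belongs to an uplink interface.
gateway_for() {
    if [ "$1" = "$ISP_A_IF" ]; then echo "$ISP_A_GW"; else echo "$ISP_B_GW"; fi
}

# switch_natd NEW_IF: the transition Paul describes. natd keeps its
# translation table in memory, so every NATed connection breaks here. The
# default route has to move as well, or traffic would still leave via the
# old ISP carrying a source address the new ISP will not accept.
switch_natd() {
    new_if="$1"; new_gw=$(gateway_for "$new_if")
    killall natd 2>/dev/null || true
    while pgrep -x natd >/dev/null 2>&1; do sleep 1; done
    route change default "$new_gw" >/dev/null 2>&1 || route add default "$new_gw"
    /sbin/natd -n "$new_if"
    logger -t natd-failover "NAT moved to $new_if via $new_gw"
}

# main: health-check loop. Starts on ISP A, assumed to be the link natd was
# launched on at boot.
main() {
    setup_probe_routes
    cur="$ISP_A_IF"
    while :; do
        a=0; b=0
        probe_ok "$ISP_A_PROBE" && a=1
        probe_ok "$ISP_B_PROBE" && b=1
        want=$(choose_isp "$cur" "$a" "$b")
        if [ "$want" != "$cur" ]; then
            switch_natd "$want"
            cur="$want"
        fi
        sleep "$INTERVAL"
    done
}

# Only an explicit "run" argument starts the loop, so the functions can be
# sourced or exercised without touching natd or the routing table.
case "${1:-}" in run) main ;; esac
```

Start it as `sh natd-failover.sh run` (from rc.local or a supervisor); every switch empties the NAT table, which is exactly the outage Paul warns about, so the hysteresis in choose_isp matters more than a short check interval.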
Re: FreeBSD router: Can my internet provider detect my home network?
Rob wrote:

> I plan to have a FreeBSD (4.9 stable) system serving as a router between my provider and a set of my home computers connected via a home network. My provider does not really like this, but I don't care so much, as long as s/he cannot detect (too easily) my home network.
> [...]
> Is it correct, that the combination of firewall and natd divert all requests and thus hide the home network for my provider? Are requests from all other networked home PC's done on behalf of the router, so that my provider will only see requests from my router?

If they want to, they can detect that there's more than one computer using that link. They just need to look at the TCP sequence numbers. This way they can associate TCP packets with their individual originating hosts. If they see more than one group of sequentially increasing TCP sequence numbers they know that you're cheating. Whether they really care about it as long as you're not causing excessive network traffic or other trouble is a different matter.

The only way to really hide your computers is to block direct Internet connections and instead use proxy software on a gateway server for each and every service. IMHO, quite an effort for probably just a couple of bucks saved. Larger companies do this, but for security reasons and also to control what their employees do on the Internet.

Uwe

--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
[EMAIL PROTECTED] | http://www.escapebox.net
FreeBSD router: Can my internet provider detect my home network?
Hi,

I plan to have a FreeBSD (4.9 stable) system serving as a router between my provider and a set of my home computers connected via a home network. My provider does not really like this, but I don't care so much, as long as s/he cannot detect (too easily) my home network.

My plan is to use the following setup in my rc.conf:

    gateway_enable=YES
    natd_enable=YES
    natd_interface=rl0
    firewall_enable=YES
    firewall_type=open

(with, of course, the proper options compiled into the kernel).

Is it correct, that the combination of firewall and natd divert all requests and thus hide the home network for my provider? Are requests from all other networked home PC's done on behalf of the router, so that my provider will only see requests from my router? Or do I need some better (firewall?) configuration for this?

Thanks,
Rob.
Re: FreeBSD router: Can my internet provider detect my home network?
On Fri, 9 Apr 2004, Rob wrote:

> Is it correct, that the combination of firewall and natd divert all requests and thus hide the home network for my provider? Are requests from all other networked home PC's done on behalf of the router, so that my provider will only see requests from my router?

Your firewall and natd ensure that anyone outside of your network, including your ISP, will only be aware of your external, routable IP address. What will be visible to the world are the ports accessible on that IP that are being redirected to the RFC 1918 addresses on your local network. The only way to conceal those is to lock them down when you don't need to allow a connection through them, or to reassign them to non-standard ports, as most ISPs are only bothered about ports 25 and 80.

I'm not aware of any ISPs that have done any major crackdown on customers merely for having those ports open; generally they monitor traffic and check on ones generating a lot of throughput on the assumption they are hosting porn, warez or a commercial site.

Cheers,
Viktor