Re: Two Isp Fault Tollerance Help

2005-10-09 Thread nikns
I have the same issue. Resolved it with ifstated.
In OpenBSD 3.8 it comes in the base system.
With pf it switches route-to.

my setup:
ifstated.conf:
# $OpenBSD: ifstated.conf,v 1.6 2005/02/07 06:08:10 david Exp $

init-state primary

# connectivity test: true while at least one of the three hosts answers
net = '( "ping -t 128 -q -c 1 -w 1 159.148.60.20 > /dev/null" every 10 || \
    "ping -t 128 -q -c 1 -w 1 159.148.95.16 > /dev/null" every 10 || \
    "ping -t 128 -q -c 1 -w 1 195.2.123.94 > /dev/null" every 10)'

state primary {
    init {
        # log the transition (the archived copy lost the redirection
        # operator; append is assumed), then flush both failover anchors
        run "echo `date` up >> /var/log/ifstated.log"
        run "/sbin/pfctl -a nattelia -Fn"
        run "/sbin/pfctl -a telia -Fr"
    }
    if ! $net
        set-state demoted
}

state demoted {
    init {
        run "echo `date` down >> /var/log/ifstated.log"
        # load the NAT and route-to rules for rl0 into the anchors
        run "echo nat on rl0 from 192.168.0.0/16 to any -\> \(rl0\) | /sbin/pfctl -a nattelia -f -"
        run "echo pass in quick on \{ rl1 rl2 \} route-to \(rl0 `cat /etc/mygate.dhcp`\) \
            from 192.168.0.0/16 to any modulate state | /sbin/pfctl -a telia -f -"
    }
    if $net
        set-state primary
}



Re: Two Isp Fault Tollerance Help

2005-10-09 Thread Rod.. Whitworth
On Sun, 9 Oct 2005 15:04:42 +0300, nikns wrote:

> I have the same issue. Resolved it with ifstated.
> In OpenBSD 3.8 it comes in the base system.
> With pf it switches route-to.
>
> my setup:
> ifstated.conf:
> # $OpenBSD: ifstated.conf,v 1.6 2005/02/07 06:08:10 david Exp $
>
> init-state primary
>
> net = '( "ping -t 128 -q -c 1 -w 1 159.148.60.20 > /dev/null" every 10 || \
>     "ping -t 128 -q -c 1 -w 1 159.148.95.16 > /dev/null" every 10 || \
>     "ping -t 128 -q -c 1 -w 1 195.2.123.94 > /dev/null" every 10)'
>
> state primary {
>     init {
>         run "echo `date` up >> /var/log/ifstated.log"
>         run "/sbin/pfctl -a nattelia -Fn"
>         run "/sbin/pfctl -a telia -Fr"
>     }
>     if ! $net
>         set-state demoted
> }
>
> state demoted {
>     init {
>         run "echo `date` down >> /var/log/ifstated.log"
>         run "echo nat on rl0 from 192.168.0.0/16 to any -\> \(rl0\) | /sbin/pfctl -a nattelia -f -"
>         run "echo pass in quick on \{ rl1 rl2 \} route-to \(rl0 `cat /etc/mygate.dhcp`\) \
>             from 192.168.0.0/16 to any modulate state | /sbin/pfctl -a telia -f -"
>     }
>     if $net
>         set-state primary
> }



It would be instructive to see an example pf.conf which your ifstated
modifies. It is easy to see what the latter does when you know the
pf.conf as only its author does.

I've done quite a few but I'm still guessing at how yours looks for
sure and I think it might assist those who are just starting too.

Thanks,

Rod.


From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Two Isp Fault Tollerance Help

2005-10-08 Thread tony sarendal
On 07/10/05, Roberto Pereyra [EMAIL PROTECTED] wrote:
> Hi
>
> Where can I find BGP usage examples (simple ones, for newbies)?
>
> Thanks
>
> roberto


Unless you know what you are doing here you will not improve on the situation.
If you have a bad connection, replace it.

With bgp routing you will participate more actively on the internet,
it also means that more of the responsibility falls on you, and you will see
problems of a different nature, and problems at any of your providers may
affect you.

Bad connectivity, which provider do you contact? Those providers will
get back to you with an entirely new set of questions for you to
answer. And in the worst case the providers themselves completely lack a clue.

BGP routing and multiple upstreams may be a good thing if you have the
knowledge and resources to handle it, otherwise it isn't.

I recommend the book Internet Routing Architectures from Cisco Press.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Johan M:son Lindman
On Thursday 06 October 2005 10.24, you wrote:
> Hi to all.
>
> One of my clients has got an Internet connection with a not very reliable
> provider. He reports continual disconnection and so on. I would like to do
> a second connection with another provider to obtain a sort of redundancy, a
> fault tolerance. What do I have to do to obtain the automatic connection with
> both of the providers and to shift to the one that is connected when the
> other is in trouble? (without problems for the client).

Border Gateway Protocol.
See bgpd(8).


Regards
Johan M:son



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Olivier Mehani
On Fri, 7 Oct 2005 14:29:08 +0200
Johan M:son Lindman [EMAIL PROTECTED] wrote:


> > One of my clients has got an Internet connection with a not very
> > reliable provider. He reports continual disconnection and so on. I
> > would like to do a second connection with another provider to
> > obtain a sort of redundancy, a fault tolerance. What do I have to do
> > to obtain the automatic connection with both of the providers and
> > to shift to the one that is connected when the other is in trouble?
> > (without problems for the client).
> Border Gateway Protocol.

Doesn't it imply that said client has its own IP addresses range  and
not NATing behind one single ISP-provided address ?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Léo Goehrs
Absolutely, you need an AS

The address space can be given by one of the providers.

Léo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Olivier Mehani
Sent: Friday, 7 October 2005 15:34
To: misc@openbsd.org
Subject: Re: Two Isp Fault Tollerance Help

On Fri, 7 Oct 2005 14:29:08 +0200
Johan M:son Lindman [EMAIL PROTECTED] wrote:


> > One of my clients has got an Internet connection with a not very
> > reliable provider. He reports continual disconnection and so on. I
> > would like to do a second connection with another provider to
> > obtain a sort of redundancy, a fault tolerance. What do I have to do
> > to obtain the automatic connection with both of the providers and
> > to shift to the one that is connected when the other is in trouble?
> > (without problems for the client).
> Border Gateway Protocol.

Doesn't it imply that said client has its own IP addresses range  and
not NATing behind one single ISP-provided address ?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Abraham Al-Saleh
On 10/7/05, Olivier Mehani [EMAIL PROTECTED] wrote:

> On Fri, 7 Oct 2005 14:29:08 +0200
> Johan M:son Lindman [EMAIL PROTECTED] wrote:
>
> > > One of my clients has got an Internet connection with a not very
> > > reliable provider. He reports continual disconnection and so on. I
> > > would like to do a second connection with another provider to
> > > obtain a sort of redundancy, a fault tolerance. What do I have to do
> > > to obtain the automatic connection with both of the providers and
> > > to shift to the one that is connected when the other is in trouble?
> > > (without problems for the client).
> > Border Gateway Protocol.
>
> Doesn't it imply that said client has its own IP addresses range and
> not NATing behind one single ISP-provided address ?

yes.

Alternatively, look at route-to in pf.conf

> --
> Olivier Mehani [EMAIL PROTECTED]
> PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1




--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that
bad, everyone got the day off and there were barbeques
all around.



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Johan M:son Lindman
On Friday 07 October 2005 15.33, you wrote:
> On Fri, 7 Oct 2005 14:29:08 +0200
>
> Johan M:son Lindman [EMAIL PROTECTED] wrote:
> > > One of my clients has got an Internet connection with a not very
> > > reliable provider. He reports continual disconnection and so on. I
> > > would like to do a second connection with another provider to
> > > obtain a sort of redundancy, a fault tolerance. What do I have to do
> > > to obtain the automatic connection with both of the providers and
> > > to shift to the one that is connected when the other is in trouble?
> > > (without problems for the client).
> >
> > Border Gateway Protocol.
>
> Doesn't it imply that said client has its own IP addresses range and
> not NATing behind one single ISP-provided address ?

Well the original post doesn't tell us jack about the type of connections this
client of his has, really. It merely states that there's a problem with
connectivity at customer site. I'm not going to make assumptions either way,
but for proper fault tolerant internet connectivity BGP is one (the?) way to
go and is very well supported by OBSD.


Regards
Johan M:son



BGP (was Re: Two Isp Fault Tollerance Help)

2005-10-07 Thread Olivier Mehani
On Fri, 7 Oct 2005 16:09:28 +0200
Léo Goehrs [EMAIL PROTECTED] wrote:

> The address space can be given by one of the providers.

But then, I understand that the route to these addresses will go
through the address-providing ISP. Correct ?

Or is the very role of bgpd to tell the _other_ provider that the
addresses are also reachable through his routers, which will then
propagate the information to the whole internet ?

(I absolutely don't know about BGP, thought it was time I started
getting information ;))

Moreover, I guess not every provider accepts BGP information from its
clients. And what prevents me from sending crafted BGP packets saying
that I can route to a specific address space I actually don't own ?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Roberto Pereyra
Hi

Where can I find BGP usage examples (simple ones, for newbies)?

Thanks

roberto

2005/10/7, Abraham Al-Saleh [EMAIL PROTECTED]:
> On 10/7/05, Olivier Mehani [EMAIL PROTECTED] wrote:
> >
> > On Fri, 7 Oct 2005 14:29:08 +0200
> > Johan M:son Lindman [EMAIL PROTECTED] wrote:
> >
> > > > One of my clients has got an Internet connection with a not very
> > > > reliable provider. He reports continual disconnection and so on. I
> > > > would like to do a second connection with another provider to
> > > > obtain a sort of redundancy, a fault tolerance. What do I have to do
> > > > to obtain the automatic connection with both of the providers and
> > > > to shift to the one that is connected when the other is in trouble?
> > > > (without problems for the client).
> > > Border Gateway Protocol.
> >
> > Doesn't it imply that said client has its own IP addresses range and
> > not NATing behind one single ISP-provided address ?
>
> yes.
>
> Alternatively, look at route-to in pf.conf
>
> > --
> > Olivier Mehani [EMAIL PROTECTED]
> > PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
>
> --
> Abe Al-Saleh
> And then came the Apocalypse. It actually wasn't that
> bad, everyone got the day off and there were barbeques
> all around.



Re: BGP (was Re: Two Isp Fault Tollerance Help)

2005-10-07 Thread Claudio Jeker
On Fri, Oct 07, 2005 at 04:35:51PM +0200, Olivier Mehani wrote:
> On Fri, 7 Oct 2005 16:09:28 +0200
> Léo Goehrs [EMAIL PROTECTED] wrote:
>
> > The address space can be given by one of the providers.
>
> But then, I understand that the route to these addresses will go
> through the address-providing ISP. Correct ?

No. You need provider independent address space for such setups plus an AS
number. At least for IPv4 it goes this way. In IPv6 land it is no longer
possible to get provider independent address space and so multihoming is
broken and this makes IPv6 unusable in the real life.

> Or is the very role of bgpd to tell the _other_ provider that the
> addresses are also reachable through his routers, which will then
> propagate the information to the whole internet ?

The role of bgp is just to exchange routing information and selecting the
best path. So yes that's the role of bgpd.

> (I absolutely don't know about BGP, thought it was time I started
> getting information ;))
>
> Moreover, I guess not every provider accepts BGP information from its
> clients. And what prevents me from sending crafted BGP packets saying
> that I can route to a specific address space I actually don't own ?

Getting a bgp session from a provider is normally the smallest problem. OK
most will refuse to do that for a private customer but for business
customers with fat pipes this is mostly no problem.

Address spoofing is a known problem and that's why the upstream providers
should filter what you send to them. It is possible to hijack address room
at least for part of the internet. As an example it happened once through
misconfiguration that a small customer started to announce a /8 as
individual /24 networks. This resulted in a major internet outage because
some backbone cisco routers started to reload because of memory shortage.

-- 
:wq Claudio
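
Added example, not part of Claudio's message and not bgpd code: a small Python model of the upstream-side filtering he describes, which rejects prefixes the customer is not registered for or that are too specific, and drops the session when a misconfigured customer floods it with routes. The registered prefixes (documentation ranges), both limits and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed policy for one customer session (RFC 5737 documentation nets).
REGISTERED = [ipaddress.IPv4Network("203.0.113.0/24"),
              ipaddress.IPv4Network("198.51.100.0/24")]
MAX_PREFIXLEN = 24  # assumed: nothing more specific than /24 is accepted
MAX_PREFIXES = 10   # assumed: more announcements than this drop the session


def check_prefix(prefix):
    """Return (accepted, reason) for one announced IPv4 prefix."""
    try:
        net = ipaddress.IPv4Network(prefix)  # strict: host bits must be zero
    except ValueError:
        return False, "malformed"
    if net.prefixlen > MAX_PREFIXLEN:
        return False, "too specific"
    if not any(net.subnet_of(reg) for reg in REGISTERED):
        return False, "not registered to customer"
    return True, "ok"


def filter_session(announcements):
    """Return (state, accepted, rejected) for everything one session sent.

    The max-prefix limit is checked first and counts every received prefix,
    so a flood of routes is refused before any of it reaches the table.
    """
    if len(announcements) > MAX_PREFIXES:
        return "shutdown", [], [(p, "max-prefix exceeded") for p in announcements]
    accepted, rejected = [], []
    for prefix in announcements:
        ok, reason = check_prefix(prefix)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return "established", accepted, rejected


def deaggregate(block, new_len=24):
    """Constructed input: one block announced as individual /24 networks."""
    return [str(n) for n in ipaddress.IPv4Network(block).subnets(new_prefix=new_len)]


if __name__ == "__main__":
    print(filter_session(["203.0.113.0/24", "192.0.2.0/24", "203.0.113.128/25"]))
    leak = deaggregate("10.0.0.0/8")  # a /8 announced as individual /24s
    print(len(leak), filter_session(leak)[0])
```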



Re: BGP (was Re: Two Isp Fault Tollerance Help)

2005-10-07 Thread Karl Austin

Claudio Jeker wrote:

> On Fri, Oct 07, 2005 at 04:35:51PM +0200, Olivier Mehani wrote:
>
> > On Fri, 7 Oct 2005 16:09:28 +0200
> > Léo Goehrs [EMAIL PROTECTED] wrote:
> >
> > > The address space can be given by one of the providers.
> >
> > But then, I understand that the route to these addresses will go
> > through the address-providing ISP. Correct ?
>
> No. You need provider independent address space for such setups plus an AS
> number. At least for IPv4 it goes this way. In IPv6 land it is no longer
> possible to get provider independent address space and so multihoming is
> broken and this makes IPv6 unusable in the real life.

You don't have to have PI space at all, many providers will let you
punch a hole in their PA allocation if you do not have your own PA
allocation (Not technically a great practice, but it adds the same extra
NLRI to the routing table as PI space would). However I am guessing in
this situation that BGP is going to be overkill and the providers
wouldn't configure it unless we're talking about leased lines/E1, T1
etc. etc.


Thanks,

Karl Austin



Two Isp Fault Tollerance Help

2005-10-06 Thread Alessandro Coppelli

Hi to all.

One of my clients has got an Internet connection with a not very reliable
provider. He reports continual disconnection and so on. I would like to do
a second connection with another provider to obtain a sort of redundancy, a
fault tolerance. What do I have to do to obtain the automatic connection with
both of the providers and to shift to the one that is connected when the
other is in trouble? (without problems for the client).


Ale