Re: [SLUG] Multiple Offices with redundant DSL Connection
Sven Peters <[EMAIL PROTECTED]> writes:

G'day Sven. As an administrative note, I find it much easier to respond to your messages if you edit your comments inline rather than top-posting like this; it can be otherwise impossible to know what, exactly, you mean...

> Yes, you're right.

...by this, since you just cut all the context away from the statement.

> I'm intending to use simple linux hardware without snmp.

SNMP is a network protocol, and Linux has both SNMP clients and servers. I am not sure you quite follow what it would be for.

> Was wondering if heartbeat could be used to see if the hardware breaks

No, because heartbeat doesn't offer hardware monitoring at that level. You /could/ use an OCF agent to monitor the hardware, I guess, but I don't think that does quite what you think it does.

> and do the activation of the inactive interfaces on a second similar
> machine.

Unless you have *extremely* uncommon hardware there will be no inactive interface on the machine; both will be connected, full time, to the modem and -- unless the modem hardware fails -- will always be "active."

(You /could/ be intending to run PPPoE on the server and have been referring to the PPP interface above, but I don't think so?)

> VPNwise I was thinking about OpenVPN but still open to any other
> products which are open source.

I would not advise any other open source product except, perhaps, an IPSec based solution; the others are a security minefield to try and walk.

Personally, I don't like IPSec much, as it is very complex, especially with vendor extensions, but it has the virtue of being at least standard where OpenVPN is a one implementation wonder.

> I already had a look at http://lartc.org/howto/ and got some ideas but
> it'll still be a lot of work to put together all the scripts.

I think you probably need to do a lot more work on your design before you get to writing scripts: work out how everything should hang together logically, then implement it.

Once you know what you are implementing most of the scripting is relatively easy, in my experience. The hard part is the network design.

> As it isn't such an uncommon problem I was wondering if somebody else
> has a similar setup and would like to exchange experiences, ideas and
> pitfalls. You can reach me off list.

Sadly, it is actually a pretty uncommon problem; most people don't have the resources to install multiple redundant links, or the need for availability to maintain them.

Worse, because everyone has /different/ requirements you end up with multiple solutions, each to a slightly different problem.

Regards,
Daniel
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Multiple Offices with redundant DSL Connection
Hi

I have seen similar setups; I ran one with multiple sites, but only base having multiple gateways (cable and adsl). All the firewalls were running on openwrt (linksys wrt52Gs; careful though, they will die under a lot of openvpn encrypted traffic).

http://lartc.org/howto/ is the place to start with multiple ISPs. You have to decide on your networking policy: is it going to be shared, load balance, fail over.

You could also look at setting up a tun device sitting on top of openvpn and try and aggregate the lines - but very complex setup.

I would suggest to keep it simple. If you have 3 offices A, B & C and 2 connections at each site (same spec) 1 & 2, then something like this (forgetting about DMZs, presuming it's all private traffic):

    A2 -> B1
    B2 -> C1
    C2 -> A1

These can be the primary paths - this is simple to do with weight/metric in the routing table - and then the failback (backup routes):

    A1 -> B2
    B1 -> C2
    C1 -> A2

You could have 2 instances of openvpn running at the same time, and again you will need to set up routing with weights/metrics, so on A you would have something like (private LAN):

    ip r a B/24 via metric 5
    ip r a B/24 via metric 10

This way the primary route would be used until it is not available. NOTE: this doesn't do any load balancing, so you don't get the benefit of 2 lines.

As for userids, is this for vpn login, workstation login? What is the predominant OS used in the company? Probably stick with that. I am not sure if you can link AD and/or ldap into openvpn with certs and userid password.

Alex

On Tue, Jul 15, 2008 at 03:11:57PM +1000, Sven Peters wrote:
> Yes, you're right.
>
> I'm intending to use simple linux hardware without snmp. Was wondering
> if heartbeat could be used to see if the hardware breaks and do the
> activation of the inactive interfaces on a second similar machine.
>
> VPNwise I was thinking about OpenVPN but still open to any other
> products which are open source.
>
> I already had a look at http://lartc.org/howto/ and got some ideas but
> it'll still be a lot of work to put together all the scripts.
>
> As it isn't such an uncommon problem I was wondering if somebody else
> has a similar setup and would like to exchange experiences, ideas and
> pitfalls. You can reach me off list.
>
> Sven
>
> Daniel Pittman wrote:
>> Sven Peters <[EMAIL PROTECTED]> writes:
>>
>> G'day Sven.
>>
>>> I'm about to start to set up multiple offices with the normal services
>>> (SMB, IMAP, etc) in different cities. I want all of them connected via
>>> VPN and this needs to be as reliable as possible. VPN Service
>>> for people on the road needs to be available as well (with
>>> Password+Certificates). I'd love to get all user accounts into LDAP as
>>> well later on.
>>>
>>> Therefore I've set up every location with two different DSL lines
>>> which I now want to use to interconnect the locations. I thought of
>>> setting up Linux firewalls with multiple interfaces (one internal, one
>>> DMZ, two for the DSL connections) but not sure what's the best way to
>>> do it.
>>>
>>> Has anybody experience with this setup and can provide some hints, help
>>> or even time to help setting this up in the next weeks?
>>
>> You have chosen to do some relatively difficult networking for someone
>> who needs to ask for basic hints on how to implement it; good luck.
>>
>> The best readily available reference I know of for the sort of thing you
>> are looking at doing is the Linux Advanced Routing and Traffic Control
>> howto, which has not seen much by way of updates in years:
>>
>> http://lartc.org/howto/
>>
>> The content is still good and it should guide you to the appropriate
>> tools for implementing whatever routing and availability policy you want
>> to have based on your multiple links, etc.
>>
>> In terms of more specific advice, it is unlikely anyone can help you
>> yet: you need to tell us an awful lot more, including what (VPN)
>> technologies you intend to use for connecting the sites, what routing
>> policies you want to use, what hardware is in play, etc.
>>
>> After all, recommending that you use SNMP to determine link availability
>> for fail-over purposes is going to be useless if your hardware turns out
>> to be lacking SNMP capabilities, right?
>>
>> Regards,
>> Daniel

--
"The person who runs FEMA is someone who must have the trust of the president. Because the person who runs FEMA is the first voice, often times, of someone whose life has been turned upside down hears from." - George W. Bush 01/04/2001 Austin, TX
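
An added illustration of the tunnel ring described in the message above, not code from the thread: it prints the metric-5 and metric-10 routes each office would need and reports which tunnel carries traffic once a primary is gone. The 10.x.0.0/24 LANs, the tunXnYm device names and routing by `dev` rather than `via` are assumptions, as is the premise that a route disappears together with its tunnel device.

```shell
#!/bin/sh
# Added example: prints routes only, never changes the routing table.
# Tunnel pairs are the ones listed in the thread; LANs and device names are assumed.
PRIMARY="A2-B1 B2-C1 C2-A1"   # metric 5
BACKUP="A1-B2 B1-C2 C1-A2"    # metric 10

# lan_of SITE: constructed sample addressing, one private /24 per office.
lan_of() {
    case "$1" in
        A) echo 10.1.0.0/24 ;;
        B) echo 10.2.0.0/24 ;;
        C) echo 10.3.0.0/24 ;;
        *) return 1 ;;
    esac
}

# routes_for SITE: one "ip route add" line per tunnel that terminates at SITE.
routes_for() {
    site=$1
    for entry in $(printf '%s:5 ' $PRIMARY) $(printf '%s:10 ' $BACKUP); do
        pair=${entry%:*}; metric=${entry#*:}
        left=${pair%-*}; right=${pair#*-}
        case "$site" in
            "${left%?}")  peer=${right%?} ;;   # SITE owns the left end
            "${right%?}") peer=${left%?} ;;    # SITE owns the right end
            *) continue ;;                     # tunnel does not touch SITE
        esac
        echo "ip route add $(lan_of "$peer") dev tun$left$right metric $metric"
    done
}

# active_route SITE PEER [DOWN_DEV...]: device of the lowest-metric route to
# PEER's LAN once routes over the listed (down) tunnel devices are dropped.
active_route() {
    from=$1; dest=$(lan_of "$2"); shift 2
    down=" $* "
    routes_for "$from" | while read -r _1 _2 _3 net _4 dev _5 metric; do
        [ "$net" = "$dest" ] || continue
        case "$down" in *" $dev "*) continue ;; esac
        echo "$metric $dev"
    done | sort -n | head -n 1 | cut -d' ' -f2
}

routes_for A
echo "A->B normally:      $(active_route A B)"
echo "A->B, tunA2B1 down: $(active_route A B tunA2B1)"
```

If a tunnel device stays up while its far end is unreachable, the metric-5 route remains preferred and traffic is dropped, so the design also needs a liveness check that takes the device or its route down.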
Re: [SLUG] Multiple Offices with redundant DSL Connection
Daniel Pittman <[EMAIL PROTECTED]> writes:
> Sven Peters <[EMAIL PROTECTED]> writes:

Following up to myself: bad form, I know, but in the spirit of the stairway:

>> I'm about to start to set up multiple offices with the normal
>> services (SMB, IMAP, etc) in different cities.

Are you trying to offer SMB file sharing across the VPN link? If so, I *strongly* advise you to revisit your plans: SMB is extremely latency sensitive, and performance is appalling across a link with 50ms latency, and much worse on anything higher.

>> I want all of them connected via VPN and this needs to be as
>> reliable as possible. VPN Service for people on the road needs to be
>> available as well (with Password+Certificates).

What clients are you trying to use here?

>> I'd love to get all user accounts into LDAP as well later on.

Why?

>> Therefore I've set up every location with two different DSL lines
>> which I now want to use to interconnect the locations. I thought of
>> setting up Linux firewalls with multiple interfaces (one internal,
>> one DMZ, two for the DSL connections) but not sure what's the best
>> way to do it.

Why two interfaces for the DSL connections? That is unlikely to make a significant difference to performance, and potentially introduces more points of failure into your setup...

Regards,
Daniel
Re: [SLUG] Multiple Offices with redundant DSL Connection
Yes, you're right.

I'm intending to use simple linux hardware without snmp. Was wondering if heartbeat could be used to see if the hardware breaks and do the activation of the inactive interfaces on a second similar machine.

VPNwise I was thinking about OpenVPN but still open to any other products which are open source.

I already had a look at http://lartc.org/howto/ and got some ideas but it'll still be a lot of work to put together all the scripts.

As it isn't such an uncommon problem I was wondering if somebody else has a similar setup and would like to exchange experiences, ideas and pitfalls. You can reach me off list.

Sven

Daniel Pittman wrote:
> Sven Peters <[EMAIL PROTECTED]> writes:
>
> G'day Sven.
>
>> I'm about to start to set up multiple offices with the normal services
>> (SMB, IMAP, etc) in different cities. I want all of them connected via
>> VPN and this needs to be as reliable as possible. VPN Service for
>> people on the road needs to be available as well (with
>> Password+Certificates). I'd love to get all user accounts into LDAP as
>> well later on.
>>
>> Therefore I've set up every location with two different DSL lines
>> which I now want to use to interconnect the locations. I thought of
>> setting up Linux firewalls with multiple interfaces (one internal, one
>> DMZ, two for the DSL connections) but not sure what's the best way to
>> do it.
>>
>> Has anybody experience with this setup and can provide some hints, help
>> or even time to help setting this up in the next weeks?
>
> You have chosen to do some relatively difficult networking for someone
> who needs to ask for basic hints on how to implement it; good luck.
>
> The best readily available reference I know of for the sort of thing you
> are looking at doing is the Linux Advanced Routing and Traffic Control
> howto, which has not seen much by way of updates in years:
>
> http://lartc.org/howto/
>
> The content is still good and it should guide you to the appropriate
> tools for implementing whatever routing and availability policy you want
> to have based on your multiple links, etc.
>
> In terms of more specific advice, it is unlikely anyone can help you
> yet: you need to tell us an awful lot more, including what (VPN)
> technologies you intend to use for connecting the sites, what routing
> policies you want to use, what hardware is in play, etc.
>
> After all, recommending that you use SNMP to determine link availability
> for fail-over purposes is going to be useless if your hardware turns out
> to be lacking SNMP capabilities, right?
>
> Regards,
> Daniel
Re: [SLUG] Multiple Offices with redundant DSL Connection
Sven Peters <[EMAIL PROTECTED]> writes:

G'day Sven.

> I'm about to start to set up multiple offices with the normal services
> (SMB, IMAP, etc) in different cities. I want all of them connected via
> VPN and this needs to be as reliable as possible. VPN Service
> for people on the road needs to be available as well (with
> Password+Certificates). I'd love to get all user accounts into LDAP as
> well later on.
>
> Therefore I've set up every location with two different DSL lines
> which I now want to use to interconnect the locations. I thought of
> setting up Linux firewalls with multiple interfaces (one internal, one
> DMZ, two for the DSL connections) but not sure what's the best way to
> do it.
>
> Has anybody experience with this setup and can provide some hints, help
> or even time to help setting this up in the next weeks?

You have chosen to do some relatively difficult networking for someone who needs to ask for basic hints on how to implement it; good luck.

The best readily available reference I know of for the sort of thing you are looking at doing is the Linux Advanced Routing and Traffic Control howto, which has not seen much by way of updates in years:

http://lartc.org/howto/

The content is still good and it should guide you to the appropriate tools for implementing whatever routing and availability policy you want to have based on your multiple links, etc.

In terms of more specific advice, it is unlikely anyone can help you yet: you need to tell us an awful lot more, including what (VPN) technologies you intend to use for connecting the sites, what routing policies you want to use, what hardware is in play, etc.

After all, recommending that you use SNMP to determine link availability for fail-over purposes is going to be useless if your hardware turns out to be lacking SNMP capabilities, right?

Regards,
Daniel
[SLUG] Multiple Offices with redundant DSL Connection
G'Day,

I'm about to start to set up multiple offices with the normal services (SMB, IMAP, etc) in different cities. I want all of them connected via VPN and this needs to be as reliable as possible. VPN Service for people on the road needs to be available as well (with Password+Certificates). I'd love to get all user accounts into LDAP as well later on.

Therefore I've set up every location with two different DSL lines which I now want to use to interconnect the locations. I thought of setting up Linux firewalls with multiple interfaces (one internal, one DMZ, two for the DSL connections) but not sure what's the best way to do it.

Has anybody experience with this setup and can provide some hints, help or even time to help setting this up in the next weeks?

Thanks for any help
Sven