Re: [Vyatta-users] WAN Load Balancing

2008-02-07 Thread abhilash s
Hi,

   This makes sense. We will try the multi WAN load balancing.

Thanks,

Abhilash S
Ascella Technologies, Inc.
www.ascellatech.com


On Feb 5, 2008 11:59 AM, Dave Roberts [EMAIL PROTECTED] wrote:

  Thanks for your quick reply. I agree that we can test the
  multiple WAN load balancing feature before it is released to
  help with your testing. But one thing I forgot to mention
  about the broadband connection is that it has a maximum data
  transfer of 20GB per month.
  That is why we were using the below plan:
 
  * The leased line connection is all traffic till 11 AM  (it
  is set to the default gateway)
  * After 11:00AM, we switch the default gateway to the
  broadband connection for all internet traffic, and add a
  static route so that VPN traffic remains on the leased line.
  * After 5:00PM, we reset this back to the original configuration
 
  We don't want to exceed the maximum limit of 20GB on the
  broadband connection.
 
  Is it possible to limit the bandwidth usage of the broadband
  connection using the multiple WAN load balancing?  That is
  why we were thinking of using OSPF, so that we could increase
  the cost of the 2Mb connection as we approach the maximum.
  With this new requirement, does OSPF still make sense for us?
  If not, could you explain why OSPF may not be the choice for us?

 OSPF would allow you to assign a cost to a given route, but it's a hard
 cost. Paths with the lowest cost will receive all the traffic until a
 lower-cost path becomes available. If that's exactly what you want, then
 that's one way to achieve it, but it feels like overkill because OSPF is a
 hugely complex protocol and you really aren't using it for doing what it
 was intended.

 One thing you could do is use the WAN load balancing feature and change
 the weight factors between the links as you approach the maximum. There is
 currently no way to do this automatically, though coupled with QoS you
 might be able to work something out. Personally, I would go this route
 with WAN LB weight adjustment rather than OSPF.

 -- Dave


___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
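
The weight-shifting approach Dave recommends above, as an added example (Python 3, not code from the thread or from the Vyatta project): a small cron-style planner that accumulates the broadband link's monthly transfer from its interface counters and decides how much WAN load-balancing weight the link should still carry as it approaches the 20GB cap. Everything beyond the thread is an assumption: eth0 as the leased line and eth1 as the broadband link, counters read from /proc/net/dev, running totals persisted as JSON, the billing month equal to the calendar month, and the `load-balancing wan rule ... interface ... weight` command form, which is illustrative and must be checked against the installed release. The two counter readings embedded below are constructed, not real measurements.

```python
"""Quota-aware WAN load-balancing weight planner (added example, not Vyatta code)."""
import json
import os
import time

GIB = 1024 ** 3
CAP_BYTES = 20 * GIB                 # the 20GB monthly cap from the thread
LEASED, BROADBAND = "eth0", "eth1"   # assumed interface roles
STATE_FILE = "/var/lib/wan-quota.json"

# Constructed sample readings in /proc/net/dev layout, taken an hour apart.
SAMPLE_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1000000000  800000    0    0    0     0          0         0  400000000  600000    0    0    0     0       0          0
  eth1: 15000000000 9000000   0    0    0     0          0         0 2000000000 3000000    0    0    0     0       0          0
"""
SAMPLE_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1020000000  810000    0    0    0     0          0         0  405000000  605000    0    0    0     0       0          0
  eth1: 15500000000 9300000   0    0    0     0          0         0 2100000000 3100000    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from text in /proc/net/dev layout."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines carry no colon
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def update_usage(state, month, counters, iface=BROADBAND):
    """Fold a fresh counter reading into the running total for `month`.

    Returns bytes used so far this month. The total restarts when the month
    changes, and a counter that went backwards (reboot or 32-bit wrap) is
    treated as a reset, so a reboot never yields a negative delta.
    """
    if state.get("month") != month:
        state.clear()
        state.update(month=month, used=0, last={})
    rx, tx = counters[iface]
    prev = state["last"].get(iface)
    if prev is not None:
        d_rx, d_tx = rx - prev[0], tx - prev[1]
        if d_rx < 0 or d_tx < 0:
            d_rx, d_tx = rx, tx           # count only what accrued since the reset
        state["used"] += d_rx + d_tx
    state["last"][iface] = [rx, tx]
    return state["used"]


def plan_weights(used_bytes, cap_bytes=CAP_BYTES):
    """Map month-to-date usage to per-interface weights.

    Below half the cap the faster broadband link takes most new sessions;
    from 50% to 90% the ratio is inverted; at 90% the broadband interface is
    dropped from the rule (None) and only the leased line carries traffic.
    """
    share = used_bytes / cap_bytes
    if share < 0.5:
        return {LEASED: 1, BROADBAND: 3}
    if share < 0.9:
        return {LEASED: 3, BROADBAND: 1}
    return {LEASED: 1, BROADBAND: None}


def render_commands(weights, rule=1):
    """Turn a weight plan into configuration commands (assumed, illustrative syntax)."""
    cmds = []
    for iface, weight in weights.items():
        if weight is None:
            cmds.append(f"delete load-balancing wan rule {rule} interface {iface}")
        else:
            cmds.append(f"set load-balancing wan rule {rule} interface {iface} weight {weight}")
    return cmds


def main():
    """Run from cron; prints the commands to apply rather than applying them."""
    state = {}
    if os.path.exists(STATE_FILE):
        with open(STATE_FILE) as fh:
            state = json.load(fh)
    with open("/proc/net/dev") as fh:
        counters = parse_proc_net_dev(fh.read())
    used = update_usage(state, time.strftime("%Y-%m"), counters)
    with open(STATE_FILE, "w") as fh:
        json.dump(state, fh)
    print(f"# {BROADBAND}: {used / GIB:.2f} GiB of {CAP_BYTES / GIB:.0f} GiB used this month")
    for cmd in render_commands(plan_weights(used)):
        print(cmd)


if __name__ == "__main__":
    main()
```

The thresholds are policy, not protocol: the point is that weight changes are reversible and additive, whereas an OSPF cost change moves every flow at once. The static route that pins the VPN peer to the leased line, as described in the thread, is still needed alongside this so that the VPN never lands on the capped link.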


[Vyatta-users] Vyatta network architecture / OSPF

2008-02-04 Thread abhilash s
Hi All,

We are planning to do some upgrades in our network. The present network
has one Vyatta router and two internet connections (one is a 1Mb leased
line and the other is 2Mb broadband). Since the broadband connection
is limited, we are manually changing the default gateway:

* The leased line connection is all traffic till 11 AM  (it is set to
the default gateway)
* After 11:00AM, we switch the default gateway to the broadband
connection for all internet traffic, and add a static route so that
VPN traffic remains on the leased line.
* After 5:00PM, we reset this back to the original configuration

Here are the drawbacks of the system we currently use:

* Requires manual shifting of routes (twice a day)
* If the leased line connection goes down then we have to remove the
static route and restart the VPN process so that it utilizes the
broadband connection
* If the broadband connection goes down between 11-5, then we have to
switch the default gateway to the leased line.

In an attempt to fix these issues we were thinking about something
like the below diagram (3 Router setup) and utilize dynamic routing
protocols.

    Router A (ISP1-Leased Line)        Router B (ISP2-Broadband)
              |                                  |
              |                                  |
              |                                  |
              +-------------- Router C ----------+
                       (Connected to LAN)

The first idea we had was to configure Router A and B so that both
servers have the VPN process started (so both can reach the server).
This way there are two paths to reach the same destination.  We were
then planning on setting the cost of the VPN route through Router A as
the lowest cost so that is used by default. If Router A goes down,
then Router C knows to automatically route VPN traffic from the LAN to
Router B.  Can we use OSPF to perform this?

The second idea that we would like to try is to modify route cost
based on time of day.  For example, between 11-5, we want Router C to
shift Internet traffic from Router A to Router B with the exception of
VPN.  Can this be done by utilizing OSPF?  What is the best way to
update the cost dynamically?  Is there a way to do it within Vyatta
OFR or do we need to utilize a bash/perl script?  Has anyone created
rules like this that take into account bandwidth or latency?

Any suggestions that can be offered about this architecture would be
great before we start testing this.

Thanks

Abhilash S
Ascella Technologies, Inc
www.ascellatech.com
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] WAN Load Balancing

2008-02-04 Thread abhilash s
Hi,

Thanks for your quick reply. I agree that we can test the multiple
WAN load balancing feature before it is released to help with your
testing. But one thing I forgot to mention about the broadband
connection is that it has a maximum data transfer of 20GB per month.
That is why we were using the below plan:

* The leased line connection is all traffic till 11 AM  (it is set to
the default gateway)
* After 11:00AM, we switch the default gateway to the broadband
connection for all internet traffic, and add a static route so that
VPN traffic remains on the leased line.
* After 5:00PM, we reset this back to the original configuration

We don't want to exceed the maximum limit of 20GB on the broadband connection.

Is it possible to limit the bandwidth usage of the broadband
connection using the multiple WAN load balancing?  That is why we were
thinking of using OSPF, so that we could increase the cost of the
2Mb connection as we approach the maximum.  With this new requirement,
does OSPF still make sense for us?  If not, could you explain why OSPF
may not be the choice for us?

Thanks,

Abhilash S
Ascella Technologies, Inc.
www.ascellatech.com
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


[Vyatta-users] VC3 firewall problem

2008-01-10 Thread abhilash s
Hi All,

I have upgraded VC2 to VC3. But when I tried to implement the
firewall, all traffic to the internet stops. Here are my old and new
firewall configurations:


OLD FIREWALL CONFIGURATION:


firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name inbound {
        rule 1 {
            protocol: all
            state {
                established: enable
                related: enable
            }
            action: accept
            log: disable
        }
        rule 2 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name: ssh
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name: ssh
            }
        }
        rule 4 {
            protocol: icmp
            icmp {
                type: 8
            }
            action: accept
            log: disable
        }
        rule 5 {
            protocol: icmp
            icmp {
                type: 11
            }
            action: accept
            log: disable
        }
        rule 6 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number: xxx
            }
        }
        rule 7 {
            protocol: all
            action: drop
            log: disable
            source {
                network: 0.0.0.0/0
            }
        }
    }
}

NEW FIREWALL CONFIGURATION:

firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name inbound {
        description: inbound firewall
        rule 1 {
            protocol: tcp
            state {
                established: enable
                related: enable
            }
            action: accept
            log: disable
        }
        rule 2 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name ssh
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name ssh
            }
        }
        rule 4 {
            protocol: icmp
            icmp {
                type: 8
            }
            action: accept
            log: disable
        }
        rule 5 {
            protocol: icmp
            icmp {
                type: 11
            }
            action: accept
            log: disable
        }
        rule 6 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number xxx
            }
        }
        rule 7 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number xxx
            }
        }
        rule 8 {
            protocol: all
            action: drop
            log: disable
            source {
                network: 0.0.0.0/0
            }
        }
    }
}

I have applied this setting to my interface's firewall as in and local.
When I try to enable this firewall setting, I can't even ping my ISP
gateway (modem IP).
Please tell me what I need to change to implement it on VC3.

Thanks in Advance,

Regards,

Abhilash S
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] VC3 firewall problem

2008-01-10 Thread abhilash s
Hi Robyn,

 This works for me. Thank you very much.

Thanks and Regards,

Abhilash.S

On Jan 10, 2008 10:11 AM, Robyn Orosz [EMAIL PROTECTED] wrote:
 Hi Abhilash,

 There is an issue in VC3 that restricts the related/ established rule
 (your rule number 1) to TCP only.  Most likely, the reason your VC2
 firewall was working is because return traffic of any type (ICMP, UDP,
 TCP, etc.) was allowed back in via rule number 1.  Your new rule number
 1 on VC3 only allows return traffic on TCP.

 For more information on the bug and to fix this issue on your system,
 see the following post to the users' list:

 http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html

 This bug has been fixed and will no longer be an issue in the next release.

 Thank you,

 Robyn
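
The failure Robyn describes, as an added example (Python 3, not code from the thread or from Vyatta): the two `inbound` rule sets posted earlier are modelled with a minimal connection tracker, and the same reply traffic is run through both so the effect of rule 1 being `protocol: all` (VC2) versus `protocol: tcp` (VC3) is visible per packet. All addresses are constructed, the admin host stands in for the x.x.x.x of rules 2 and 3, UDP port 1194 stands in for the xxx of rule 6, and the first-match evaluation is a simplification of what the Vyatta firewall does with iptables underneath.

```python
"""Stateful rule-set comparison: established/related limited to TCP vs. all protocols
(added example, not Vyatta code)."""
from dataclasses import dataclass
from typing import Optional

ROUTER = "192.0.2.1"        # the Vyatta box (constructed address)
ISP_GW = "192.0.2.254"      # ISP gateway / modem (constructed)
DNS = "198.51.100.53"       # constructed resolver
WEB = "198.51.100.80"       # constructed web server
ADMIN = "203.0.113.10"      # stands in for x.x.x.x in rules 2/3
VPN_PORT = 1194             # stands in for port-number xxx in rule 6 (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                      # for ICMP echo: identifier, same in both fields
    dport: int = 0
    icmp_type: int = 0
    inner: Optional["Packet"] = None    # datagram quoted inside an ICMP error


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


class Conntrack:
    """Remembers flows the router opened so that replies (established) and
    ICMP errors quoting them (related) can be recognised on the way back in."""

    def __init__(self):
        self.flows = set()

    def note_outbound(self, p):
        self.flows.add(flow_key(p))

    def state_of(self, p):
        if p.inner is not None and flow_key(p.inner) in self.flows:
            return "related"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "established"
        return "new"


def inbound_rules(established_proto):
    """The posted `inbound` rule set, with rule 1's protocol as a parameter.
    Rules 2 and 3 of the post are identical and appear once; the duplicated
    UDP rule of the VC3 config is collapsed the same way."""
    return [
        {"proto": established_proto, "states": {"established", "related"}, "action": "accept"},  # rule 1
        {"proto": "tcp", "src": ADMIN, "dport": 22, "action": "accept"},    # rules 2/3: ssh from x.x.x.x
        {"proto": "icmp", "icmp_type": 8, "action": "accept"},              # rule 4: echo request
        {"proto": "icmp", "icmp_type": 11, "action": "accept"},             # rule 5: time exceeded
        {"proto": "udp", "dport": VPN_PORT, "action": "accept"},            # rule 6: port-number xxx
        {"proto": "all", "action": "drop"},                                 # rule 7/8: drop the rest
    ]


def evaluate(rules, pkt, ct):
    """First-match evaluation; anything that matches no rule is dropped."""
    state = ct.state_of(pkt)
    for r in rules:
        if r["proto"] != "all" and r["proto"] != pkt.proto:
            continue
        if "states" in r and state not in r["states"]:
            continue
        if "src" in r and r["src"] != pkt.src:
            continue
        if "dport" in r and r["dport"] != pkt.dport:
            continue
        if "icmp_type" in r and r["icmp_type"] != pkt.icmp_type:
            continue
        return r["action"]
    return "drop"


def simulate(established_proto):
    """Open four flows from the router, then push constructed inbound packets
    through the rule set whose rule 1 uses `established_proto`. Returns
    {description: verdict}."""
    ct = Conntrack()
    rules = inbound_rules(established_proto)
    ping = Packet("icmp", ROUTER, ISP_GW, 7, 7, icmp_type=8)   # ping to the modem
    dns_q = Packet("udp", ROUTER, DNS, 40000, 53)
    http = Packet("tcp", ROUTER, WEB, 50000, 80)
    probe = Packet("udp", ROUTER, WEB, 40001, 33434)           # traceroute-style probe
    for p in (ping, dns_q, http, probe):
        ct.note_outbound(p)
    inbound = {
        "echo reply from ISP gateway": Packet("icmp", ISP_GW, ROUTER, 7, 7, icmp_type=0),
        "DNS answer": Packet("udp", DNS, ROUTER, 53, 40000),
        "HTTP reply": Packet("tcp", WEB, ROUTER, 80, 50000),
        "port unreachable for probe": Packet("icmp", WEB, ROUTER, icmp_type=3, inner=probe),
        "ssh from admin host": Packet("tcp", ADMIN, ROUTER, 51000, 22),
        "ssh from elsewhere": Packet("tcp", "198.51.100.99", ROUTER, 51000, 22),
    }
    return {name: evaluate(rules, p, ct) for name, p in inbound.items()}


if __name__ == "__main__":
    vc2, vc3 = simulate("all"), simulate("tcp")
    for name in vc2:
        print(f"{name:30s} VC2(all)={vc2[name]:6s} VC3(tcp)={vc3[name]}")
```

Only the TCP reply survives the VC3 variant: the echo reply and the DNS answer reach rule 1 in the established state but fail its protocol test, and nothing later in the chain accepts them, which is exactly why the ISP gateway stopped answering pings once the firewall was applied to the `local` direction.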


