Re: FreeBSD router two DSL connections

2006-01-01 Thread Michael Vince

Yance Kowara wrote:


Hi all,

I am trying to figure out if *BSD can achieve this:

I have two DSL connections to play with, and I would
like to configure a *BSD router that can combine the
two DSLs together.

There is a howto at
http://stevenfettig.com/mythoughts/archives/000173.php

But it concerns OpenBSD and it was for a T1 connection
using a dual T1 card. I would like to configure one on
2 DSLs connected to two individual NICs.

Is this feasible at all, or should I just invest in a
dual Wan hardware?

 

Yes, it's possible; I have done such a setup. It's actually one ADSL 
user PPP connection; the other connection is direct Ethernet to a small 
ISP that happens to be in the same building.


The aim isn't anything that serves data, and it doesn't use anything complex 
such as the routing protocols the other guys are talking about. 
It's just using NAT via PF for the users behind the box; all they need is 
24-hour Internet access and they don't have to serve anything, which I assume 
is the same as your situation.


All I have done to make use of the multiple Internet connections is that, if 
one connection goes down, they can just choose the other ISP via a simple 
menu I created for them, which just deletes and changes the route.


It just uses something like

    route flush
    route add default isp_gateway_ip

or, for the PPP link that uses the ISP1 profile,

    /usr/sbin/ppp -quiet -ddial isp1

and a /etc/rc.d/pf resync afterwards.


It's just as easy to hack your own self-monitoring link changer script, 
but I felt it was better to leave it in the hands of the people with a menu.
The core of the problem is just scripting something to change routes / 
connection.


Because you appear to be using two DSL and probably PPPoE links, you would 
need to put something like this, with two profiles, in your 
/etc/ppp/ppp.conf file:


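# Labels start in column 0; the commands under a label must be indented.
default:
# set log CBCP CCP Chat Connect Command IPCP tun Phase Warning Debug LCP sync
 set device PPPoE:dc0:isp1
 set speed sync
 disable ipv6cp
 set cd 5
 set dial
 set login
 set redial 0 0
 add default HISADDR
 set timeout 0
 enable dns

isp1:
 set authname [EMAIL PROTECTED]
 set authkey yancepassword

# default: is loaded for every profile, so isp2 inherits the dc0 device
# above; a line on a second NIC needs its own "set device" under isp2.
isp2:
 set authname [EMAIL PROTECTED]
 set authkey yancepassword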

and script something to run either /usr/sbin/ppp -quiet -ddial isp1 or 
/usr/sbin/ppp -quiet -ddial isp2


Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
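
The self-monitoring link changer mentioned in the message above, as an added example (not Michael's script and not part of the original thread). It reuses the post's route, ppp and pf commands; the link names, the 192.0.2.1 gateway and the probe target are constructed placeholders. Because such a script runs as root, the requested link is matched against a fixed list and the gateway is validated before it reaches route(8).

```shell
#!/bin/sh
# Added example: failover between the two uplinks described in the post.
# Constructed assumptions: link names, ETH_GATEWAY, the probe target.

LINKS="eth_isp ppp_isp1"                 # fixed list of hypothetical names
ETH_GATEWAY="${ETH_GATEWAY:-192.0.2.1}"  # placeholder for isp_gateway_ip
PPP_PROFILE="isp1"                       # label in /etc/ppp/ppp.conf
PROBE="${PROBE:-ping -c 1 -t 2 198.51.100.1}"  # FreeBSD ping: -t is a timeout
TRIES="${TRIES:-3}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 prints the commands, 0 runs them

# Print the command in dry-run mode, execute it otherwise (no eval involved).
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed if the probe answers at least once in $TRIES attempts, so a single
# lost packet does not trigger a switch.
link_healthy() {
    attempt=0
    while [ "$attempt" -lt "$TRIES" ]; do
        $PROBE >/dev/null 2>&1 && return 0
        attempt=$((attempt + 1))
    done
    return 1
}

# Print the name of the link that is not $1.
other_link() {
    for l in $LINKS; do
        [ "$l" != "$1" ] && { echo "$l"; return 0; }
    done
    return 1
}

# Move the default route to link $1 with the commands from the post.
# Anything that is not one of the fixed names is refused (status 1).
apply_link() {
    case "$1" in
        eth_isp)
            valid_ipv4 "$ETH_GATEWAY" || return 2
            run route flush && run route add default "$ETH_GATEWAY"
            ;;
        ppp_isp1)
            # ppp.conf has "add default HISADDR", so ppp installs the route.
            run route flush && run /usr/sbin/ppp -quiet -ddial "$PPP_PROFILE"
            ;;
        *)
            return 1
            ;;
    esac || return 3
    run /etc/rc.d/pf resync
}

# One monitoring pass: prints the link that is active afterwards.
# Commands (or their dry-run text) go to stderr, the link name to stdout.
failover_step() {
    current=$1
    if link_healthy; then
        echo "$current"
        return 0
    fi
    target=$(other_link "$current") || return 1
    apply_link "$target" >&2 || return 1
    echo "$target"
}

# "monitor [link]" loops forever; without arguments only functions are defined.
# Not covered by the post and left out here: stopping a running ppp when
# moving back to the Ethernet link.
if [ "${1:-}" = "monitor" ]; then
    active=${2:-eth_isp}
    while :; do
        active=$(failover_step "$active") || exit 1
        sleep "${INTERVAL:-30}"
    done
fi
```

With the default DRY_RUN=1 the script only prints what it would run; set DRY_RUN=0 once the printed commands match the local setup.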


Re: FreeBSD router two DSL connections

2005-12-31 Thread Loren M. Lang
On Wed, Dec 21, 2005 at 09:55:37AM -0800, Danial Thom wrote:
 
 
 --- Loren M. Lang [EMAIL PROTECTED] wrote:
 
  On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
   
   If both DSL lines go to the same ISP it is easy, run
   PPP on them and set up multilink PPP.  The ISP has to
   do so also.
   
   If they are going to different ISPs then you cannot
   do it with any operating system or device save BGP - the idea is
   completely -stupid- to put it simply.  If you think different,
   then explain why and I'll shoot every networking scenario
   you present so full of holes you will think it's swiss cheese.
   And if you think you're going to run BGP I'll shoot that full
   of holes also.
  
  I strongly disagree.  There are many reasons for this.  Two of which are
  increased throughput and redundancy.  The primary problem is that you
  need to make sure outgoing data for a connection is using the same line
  as the incoming connection.  If the majority to all connections are
  outgoing and both lines use NAT and have unique IP addresses, it's
  simpler to set up.  If you have incoming connections as well, either only
  one of the two lines will be used or you'll need BGP or some kind of
  static route setup by the two ISPs.  For an internet cafe, most
  connections will probably be outgoing so it won't be a problem.
 
 That's not right at all, although in *some* cases
 it may be desirable. All upstream ISPs are
 connected to everyone on the internet, so it
 doesn't matter which you send your packets to
 (the entire point of a connectionless network).
 They both can forward your traffic to wherever
 it's going. For efficiency's sake, you may argue
 that sending to the ISP that sent you the traffic
 will be a better path, but if one of your pipes
 is saturated and the other running at 20% then
 it's likely more efficient to keep your pipes
 filled and send to either isp. You can achieve
 this with per-packet load-balancing with ciscos,
 or bit-balancing with a product like ETs for
 FreeBSD. Unless your 2 isps are connected
 substantially differently (say if one is in
 Europe and one in the US),  you'll do better
 keeping your pipes balanced, as YOU are the
 bottleneck, not the upstream, assuming you have
 quality upstream providers.

You are correct in the case of a normal router, but
this is not a normal router, this is an NAT router
with two different incoming pipes with two unique ip
addresses.  As far as each ISP is concerned, they are
providing bandwidth to a single computer that is not
the same as the other ISP.  There is no information
that connects the two together.  With NAT, the
network behind is hidden and normal routing can't
take place.  Only outgoing connections can take place,
and the from address is modified to be the same as the
IP address on the pipeline it is leaving from.
Internet routers won't know that the other ip address
is the same computer and even if they did know, the
NAT software on the router might discard the packets
because the data is arriving on the wrong interface.
Incoming connections work only if the router is set up
to do port forwarding.  The problem here with sharing
the bandwidth is that each pipeline has its own
address and there is no way to specify an address of a
computer behind the router because each ISP has only
allocated one address to their customer and there are
no entries in the routing tables for computers behind
them.  Bandwidth sharing is possible with an NAT router,
but not connection sharing.


 
 Danial
 
 

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA  C415 6D35 E847 0118 A3D2
 




Re: FreeBSD router two DSL connections

2005-12-31 Thread Loren M. Lang
On Fri, Dec 23, 2005 at 03:46:50PM -0800, Danial Thom wrote:
 Ted the incompetent, wrong on all counts once
 again:
 
 
 --- Ted Mittelstaedt [EMAIL PROTECTED]
 wrote:
 
  
  
  -Original Message-
  From: Danial Thom
  [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 21, 2005 9:56 AM
  To: Loren M. Lang; Ted Mittelstaedt
  Cc: Yance Kowara;
  freebsd-questions@freebsd.org
  Subject: Re: FreeBSD router two DSL
  connections
  
  
  All upstream ISPs are connected to everyone on the internet, so it
  doesn't matter which you send your packets to (the entire point of a
  connectionless network). They both can forward your traffic to wherever
  it's going.
  
  They aren't going to forward your traffic unless
  it's sourced by an IP number they assign.  To
  do otherwise means they would permit you to spoof IP
  numbers.  And while it's possible some very small
  ISPs run by idiots that don't know any better might
  still permit this, their feeds certainly will not.
 
 Yes they will. Routers route based on dest
 address only. Are you somehow suggesting that an
 ISP can't be dual homed and use only one link if
 one goes down, since some of the addresses sent
 up the remaining pipe wouldn't have source
 addresses assigned by that upstream provider? You
 are beyond clueless, Ted. Why do you keep opening
 your mouth?

You understand the issues little yourself.  I'd recommend
getting a good book on NAT and IP routing.  With a normal
router and either static routes or a good routing protocol
setup, this would work fine, but with NAT in the mix, it's
much more difficult.  The problem is that neither ISP knows
about the network behind the NAT router, that's the basic
reason for NAT in the first place.  There are no official
addresses allocated for the computers behind so there can
be no routes to the computer behind.  NAT causes the entire
network behind the router to look like it came from the
router itself.  And since the router has a different address
for each ISP, it looks like two independent computers on the
internet.

 
  
  For efficiency's sake, you may argue
  that sending to the ISP that sent you the traffic
  will be a better path, but if one of your pipes
  is saturated and the other running at 20% 
  
  letsseenow, these are full duplex 'pipes', can
  we have some direction this saturation is taking
  place in?  I mean, since you are at least trying to
  make a senseless explanation sound right, you might
  as well try a bit harder.
 
 It's not senseless, you just don't understand how
 the internet works, apparently. I do this for a
 living, and you just yap.

You could use a good book too.

 
 If you were able to send back the data on the
 pipe it arrived on then you would have uneven
 use of the pipes. So one could be saturated and
 the other highly unused. Balancing the
 outgoing data would reduce the latency that
 occurs when a pipe is saturated. It's hard to
 explain calculus to someone who can't add or
 subtract, Ted, so you should figure out how
 routing works before you try something this
 complicated.
 
  
  then
  it's likely more efficient to keep your pipes
  filled and send to either isp. You can achieve
  this with per-packet load-balancing with ciscos,
  
  per packet load balancing is for parallel links
  between 2 endpoints.  Not three, as in you,
  your first ISP, and your second ISP.
 
 Wrong again, Ted. Usually that's how it is used to
 gain extra throughput, but that's not the only
 thing that it can be used for. Since the internet
 is connectionless (back to school for you Ted),
 per packet balancing can utilize 2 outgoing pipes
 to different ISPs as well. Obviously since
 failover on dual-homed network works, you can
 send your packets to any ISP you want. Routers
 route based on destination address, as anyone who
 knows how routers work knows. You can even use
 per packet load balancing on 2 lines to the same
 ISP when the other end doesn't support it; using
 2 pipes in one direction and only one in the
 other. You can be innovative when you actually
 understand how things work, Ted.
 
  
  Surprising you would drag up a Ciscoism as
  you're such a big fan of BSD-based routers.
  
  or bit-balancing with a product like ETs for
  FreeBSD. Unless your 2 isps are connected
  substantially differently (say if one is in
  Europe and one in the US),  you'll do better
  keeping your pipes balanced, as YOU are the
  bottleneck, not the upstream, assuming you have
  quality upstream providers.
  
  
  Sometimes you run into someone who is so ignorant
  of the subject of which he is trying to speak,
   - routing in this case - that you can't even
  argue with the person.  Kind of like trying to
  explain the concept of the fossil record to a
  creationist.  This is one of these times.
 
 Yes Ted. People run into you, the ultimate
 ignoramus. I have 3000 ISP customers. This is
 not just theory; it's being done. You are wrong
 about every single thing you

RE: FreeBSD router two DSL connections

2005-12-31 Thread Ted Mittelstaedt


-Original Message-
From: Loren M. Lang [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 31, 2005 6:31 PM
To: Danial Thom
Cc: Loren M. Lang; Ted Mittelstaedt; Yance Kowara; 
freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections


On Wed, Dec 21, 2005 at 09:55:37AM -0800, Danial Thom wrote:
 
 
 --- Loren M. Lang [EMAIL PROTECTED] wrote:
 
  On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
   
   If both DSL lines go to the same ISP it is easy, run
   PPP on them and set up multilink PPP.  The ISP has to
   do so also.
   
   If they are going to different ISPs then you cannot
   do it with any operating system or device save BGP - the idea is
   completely -stupid- to put it simply.  If you think different,
   then explain why and I'll shoot every networking scenario
   you present so full of holes you will think it's swiss cheese.
   And if you think you're going to run BGP I'll shoot that full
   of holes also.
  
  I strongly disagree.  There are many reasons for this.  Two of which are
  increased throughput and redundancy.  The primary problem is that you
  need to make sure outgoing data for a connection is using the same line
  as the incoming connection.  If the majority to all connections are
  outgoing and both lines use NAT and have unique IP addresses, it's
  simpler to set up.  If you have incoming connections as well, either only
  one of the two lines will be used or you'll need BGP or some kind of
  static route setup by the two ISPs.  For an internet cafe, most
  connections will probably be outgoing so it won't be a problem.
 
 That's not right at all, although in *some* cases
 it may be desirable. All upstream ISPs are
 connected to everyone on the internet, so it
 doesn't matter which you send your packets to
 (the entire point of a connectionless network).
 They both can forward your traffic to wherever
 it's going. For efficiency's sake, you may argue
 that sending to the ISP that sent you the traffic
 will be a better path, but if one of your pipes
 is saturated and the other running at 20% then
 it's likely more efficient to keep your pipes
 filled and send to either isp. You can achieve
 this with per-packet load-balancing with ciscos,
 or bit-balancing with a product like ETs for
 FreeBSD. Unless your 2 isps are connected
 substantially differently (say if one is in
 Europe and one in the US),  you'll do better
 keeping your pipes balanced, as YOU are the
 bottleneck, not the upstream, assuming you have
 quality upstream providers.

You are correct in the case of a normal router, but
this is not a normal router, this is an NAT router
with two different incoming pipes with two unique ip
addresses.  As far as each ISP is concerned, they are
providing bandwidth to a single computer that is not
the same as the other ISP.  There is no information
that connects the two together.  With NAT, the
network behind is hidden and normal routing can't
take place.  Only outgoing connections can take place,
and the from address is modified to be the same as the
IP address on the pipeline it is leaving from.

On a NORMAL nat device this is correct, what Danial
was recommending is a modified NAT that basically
favors one of the 2 outside addresses that
it has, as the source address for all connections, and
sends traffic sourced with this address out both pipes,
depending on what pipe might be available at the time.

He was arguing more on a theoretical level, I personally
don't know of any NAT devices that can do that, but perhaps
there are some.  Certainly, something like that could be
written if it doesn't exist.

Internet routers won't know that the other ip address
is the same computer

It doesn't matter if they know or not.

and even if they did know, the
NAT software on the router might discard the packets
because the data is arriving on the wrong interface.

Yes, that is one of the things the NAT would have to
keep track of.  It could certainly be done.

I maintain that the upstream ISPs would not allow something
like this to work, due to antispoof filters.  Danial maintained
that upstream ISPs don't run antispoof filters, and thus
it would work.

Incoming connections work only if the router is set up
to do port forwarding.  The problem here with sharing
the bandwidth is that each pipeline has its own
address and there is no way to specify an address of a
computer behind the router because each ISP has only
allocated one address to their customer and there are
no entries in the routing tables for computers behind
them. 

None of that is applicable to the scenario that Danial
described.

Bandwidth sharing is possible with an NAT router,
but not connection sharing.


If you're going to restrict each connection to the max bandwidth
of the fastest pipe, you are really not bandwidth sharing.

The general public is going to expect that anything labeled
a bandwidth sharer that is designed to work with multiple

RE: FreeBSD router two DSL connections

2005-12-27 Thread Ted Mittelstaedt

Does it meet the test I already outlined?

Download the FreeBSD iso then upload it to a remote server,
with both lines connected.  Time it.

Disconnect 1 line, then repeat the test.  If the time to
download and upload when both DSL lines are connected is
half the time it takes when 1 DSL line is connected, then
you're load-balancing.

If not, then you are not - although if it makes you feel
like you haven't wasted your money claim your
per session load balancing then I suppose it would be
uncharitable to make you feel bad by pointing out that
this is purely a marketing term with no networking
significance.

Oops.

Ted

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Winelfred G.
Pasamba
Sent: Monday, December 26, 2005 8:27 PM
To: [EMAIL PROTECTED]
Cc: Loren M. Lang; Yance Kowara; Ted Mittelstaedt;
freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections


ted, danial, and the rest,

i'm learning a lot in this thread.

i have a pfsense (freebsd) router that has two connections to the same ISP
and one connection to a linux squid (another server).  i use the ported
openbsd packet filter in freebsd for (whatever) load balancing.  i can paste
the freebsd-/etc/pf.conf and give you a sample of 'pfctl -s state' which
looks like a firewall state table (i'm not sure though).  i can also capture
traffic graphs on all three interfaces of the pfsense router.

just want to know what's happening in the (freebsd) pfsense router.  is it
route balancing, packet round-robin'ing, connection-round-robining, or what?

one thing is that both these isp lines don't have any CIR. one is up to
128kbps and the other is up to 256 kbps. and i don't know which is which,
hehe.

here are the graphs and dump:
http://geocities.com/winelfredpasamba/is_this_load_balancing_or_what/

On 12/26/05, Danial Thom [EMAIL PROTECTED] wrote:



 --- Ted Mittelstaedt [EMAIL PROTECTED]
 wrote:

 
 
  -Original Message-
  From: Danial Thom
  [mailto:[EMAIL PROTECTED]
  Sent: Friday, December 23, 2005 3:47 PM
  To: Ted Mittelstaedt; Loren M. Lang
  Cc: Yance Kowara;
  freebsd-questions@freebsd.org
  Subject: RE: FreeBSD router two DSL
  connections
  
  
  Ted the incompetent, wrong on all counts once
  again:
  
  
  --- Ted Mittelstaedt [EMAIL PROTECTED]
  wrote:
  
  
  
   -Original Message-
   From: Danial Thom
   [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, December 21, 2005 9:56 AM
   To: Loren M. Lang; Ted Mittelstaedt
   Cc: Yance Kowara;
   freebsd-questions@freebsd.org
   Subject: Re: FreeBSD router two DSL
   connections
   
   
   All upstream ISPs are connected to everyone on the internet, so it
   doesn't matter which you send your packets to (the entire point of a
   connectionless network). They both can forward your traffic to wherever
   it's going.
  
   They aren't going to forward your traffic unless
   it's sourced by an IP number they assign.  To
   do otherwise means they would permit you to spoof IP
   numbers.  And while it's possible some very small
   ISPs run by idiots that don't know any better might
   still permit this, their feeds certainly will not.
  
  Yes they will.
 
  I assure you they will not.
 
  Routers route based on dest
  address only. Are you somehow suggesting that an
  ISP can't be dual homed and use only one link if
  one goes down, since some of the addresses sent
  up the remaining pipe wouldn't have source
  addresses assigned by that upstream provider?
 
  ISPs that are dual-homed have to register their
  subnets with both providers.
 
  For example, suppose I'm a small ISP and I go get a
  Sprint connection and get assigned a range of
  11 IP subnets, 192.168.1.0 - 192.168.10.0
 
  These are Sprint-owned IP addresses of course.  As
  I source traffic from 192.168.1.x, Sprint recognizes
  it as valid traffic and allows it to pass Sprint's
  ingress filter to me.
 
  Now I get a bit bigger and decide I need a redundant
  connection.  So I contact ARIN and buy an AS number,
  then contact ATT and get a connection to them, then
  set up BGP between myself and ATT & Sprint.
 
  When ATT and I are setting up BGP, ATT's techs will
  ask me what subnets I'm advertising, I tell them
  192.168.1.0 - 192.168.10.0  ATT then checks with
  ARIN's whois server to make sure Sprint has entered
  a record for that list of subnets that says I'm
  authorized to use them.  If all that checks out OK
  then ATT adjusts their ingress filters so I can
  source traffic to them from those subnets.
 
  Now I get even bigger and need more IPs than what
  Sprint will provide, so I go to ARIN and buy them.
  Then all my feeds have to adjust their ingress filters
  to the new subnet.
 
  Now I get even more bigger and I start trying to set up
  peering relationships with other networks, so I
  don't have to pay them directly.  Well now guess what,
  those networks are now monitoring
RE: FreeBSD router two DSL connections

2005-12-27 Thread Danial Thom


--- Ted Mittelstaedt [EMAIL PROTECTED]
wrote:

 
 
 -Original Message-
 From: Danial Thom
 [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 26, 2005 7:50 AM
 To: Ted Mittelstaedt; Winelfred G. Pasamba
 Cc: [EMAIL PROTECTED];
 freebsd-questions@freebsd.org
 Subject: RE: FreeBSD router two DSL
 connections
 
 
 
 As stated, even by Ted, you have to register ALL
 of your addresses with ALL of your ISPs, so you
 can send your packets to ANYONE you want, even if
 they are filtering.
 
 
 No, what I said is that any ISP that is an end-node AS
 and gets a feed from a network must tell that network
 what IP blocks they are using to send traffic from.
 

You're a very sick person, Ted. If you use BGP,
both of your providers have to know about all
of your address blocks. So if they know about
your address blocks, then you can load balance
instead of using BGP. It's the same damn thing,
you incompetent blob :) 

There's little point in being multi-homed if you
can't send all of your traffic up EITHER pipe. If
you couldn't, you'd be out of business if one of
your pipes was down, which simply isn't the case.

I really don't know what's wrong with you, except
that you seem obsessed with being on the opposite
side of whatever argument I'm on. You're making
a goddamned fool of yourself.

DT





RE: FreeBSD router two DSL connections

2005-12-27 Thread Danial Thom


--- Ted Mittelstaedt [EMAIL PROTECTED]
wrote:

 
 Does it meet the test I already outlined?
 
 Download the FreeBSD iso then upload it to a remote server,
 with both lines connected.  Time it.
 
 Disconnect 1 line, then repeat the test.  If the time to
 download and upload when both DSL lines are connected is
 half the time it takes when 1 DSL line is connected, then
 you're load-balancing.
 
 If not, then you are not - although if it makes you feel
 like you haven't wasted your money claim your
 per session load balancing then I suppose it would be
 uncharitable to make you feel bad by pointing out that
 this is purely a marketing term with no networking
 significance.
 
 Oops.
 
 Ted


Ted seems incapable of grasping how things work,
so I don't recommend wasting your time on
anything he says.

As I stated, you cannot control how traffic comes
into your network, so Ted's little download test
is sure not to work. Traffic is routed to
whichever ISP has the best route. You can only
control how traffic goes OUT of your network. So
load-balancing can only increase your upload
speeds, not your download speeds. If you are
hosting this is useful. If you have mostly
download traffic, then it's probably not worth it.

I don't know if Ted is trying to boondoggle you
into thinking his view is correct, or he just
doesn't understand it. I suspect it's a bit of
both.

You should really try the freebsd-isp list, as
there are at least some people on there that have
a clue. Although even Ted's resume looks good on
paper, so you really can't tell. Incompetence is
widespread.

DT






RE: FreeBSD router two DSL connections

2005-12-27 Thread Danial Thom


--- Danial Thom [EMAIL PROTECTED] wrote:

 
 
 --- Ted Mittelstaedt [EMAIL PROTECTED]
 wrote:
 
  
  Does it meet the test I already outlined?
  
  Download the FreeBSD iso then upload it to a remote server,
  with both lines connected.  Time it.
  
  Disconnect 1 line, then repeat the test.  If the time to
  download and upload when both DSL lines are connected is
  half the time it takes when 1 DSL line is connected, then
  you're load-balancing.
  
  If not, then you are not - although if it makes you feel
  like you haven't wasted your money claim your
  per session load balancing then I suppose it would be
  uncharitable to make you feel bad by pointing out that
  this is purely a marketing term with no networking
  significance.
  
  Oops.
  
  Ted
 
 
 Ted seems incapable of grasping how things work,
 so I don't recommend wasting your time on
 anything he says.
 
 As I stated, you cannot control how traffic comes
 into your network, so Ted's little download test
 is sure not to work. Traffic is routed to
 whichever ISP has the best route. You can only
 control how traffic goes OUT of your network. So
 load-balancing can only increase your upload
 speeds, not your download speeds. If you are
 hosting this is useful. If you have mostly
 download traffic, then it's probably not worth it.
 
 I don't know if Ted is trying to boondoggle you
 into thinking his view is correct, or he just
 doesn't understand it. I suspect it's a bit of
 both.
 
 You should really try the freebsd-isp list, as
 there are at least some people on there that have
 a clue. Although even Ted's resume looks good on
 paper, so you really can't tell. Incompetence is
 widespread.
 
 DT

To soothe the nerves of the OP, the truth about
this is that it might work and it might not.
Ted's assertion that all ISPs do ingress address
filtering is simply wrong. Not even close. My
assumption that none do isn't right either. IF
when one of your lines goes down you are still
online then you can load-balance outbound. IF you
are multi-homed or have a working backup
scenario, then you can load balance outbound.

There is much discussion on the trade-offs of
ingress address filtering, and many believe it's
the old cut off your nose to spite your face.
It reduces the cpu power of your router by
causing it to test every packet coming in, it
makes multi-homing not work, and it makes
changing addresses on a large network extremely
more difficult, in order to thwart an unlikely
event. I recommend that my customers isolate
co-location customers so when worms hit they can
find the problem easier. Few do because it's
easier to have everyone on the same wire. My
cable company, for example, changes their
networking scheme every few months, and if they
had to change ingress filters on 100s of routers
manually it would be ridiculously difficult to
do. So they don't address filter.

Ted is somehow in denial that 100s of people load
balance to different destinations. Since he
doesn't know the terms (such as round-robin, etc)
you can be sure he's never done any of it. The
simple truth is that you have to try things. You
never know what your upstream is doing. DSL is a
strange animal that requires muxes in often very
complicated meshes. If you can move your default
router to your other router then you are likely
not filtered.

There are many issues more important than
address-spoofing, such as stability and
performance. I have customers that are so
disorganized that they can't isolate any known
address group to any specific router, and others
that require that you register your MAC address
with them or nothing will work at all. You can't
postulate what your situation is. You have to do
testing and figure out what you can and can't do.
The more you know about how things REALLY work,
the more innovative you can be in your
implementation.

DT





RE: FreeBSD router two DSL connections

2005-12-27 Thread Ted Mittelstaedt
Quoting Danial Thom [EMAIL PROTECTED]:

 
 
 --- Ted Mittelstaedt [EMAIL PROTECTED]
 wrote:
 
  
  
  -Original Message-
  From: Danial Thom
  [mailto:[EMAIL PROTECTED]
  Sent: Monday, December 26, 2005 7:50 AM
  To: Ted Mittelstaedt; Winelfred G. Pasamba
  Cc: [EMAIL PROTECTED];
  freebsd-questions@freebsd.org
  Subject: RE: FreeBSD router two DSL
  connections
  
  
  
  As stated, even by Ted, you have to register ALL
  of your addresses with ALL of your ISPs, so you
  can send your packets to ANYONE you want, even if
  they are filtering.
  
  
  No, what I said is that any ISP that is an end-node AS
  and gets a feed from a network must tell that network
  what IP blocks they are using to send traffic from.
  
 
 You're a very sick person, Ted. If you use BGP,
 both of your providers have to know about all
 of your address blocks. 

My VERY FIRST response to the original poster was
that their scheme would not work UNLESS they were
running BGP.

 So if they know about
 your address blocks, then you can load balance
 instead of using BGP. It's the same damn thing,
 you incompetent blob :) 
 
 There's little point in being multi-homed if you
 can't send all of your traffic up EITHER pipe. If
 you couldn't, you'd be out of business if one of
 your pipes was down, which simply isn't the case.
 
 I really don't know what's wrong with you, except
 that you seem obsessed with being on the opposite
 side of whatever argument I'm on. You're making
 a goddamned fool of yourself.
 

I think you are arguing with a series of straw men.
Perhaps you might try READING THE RESPONSES for a change?

Ted



RE: FreeBSD router two DSL connections

2005-12-27 Thread Ted Mittelstaedt
Quoting Danial Thom [EMAIL PROTECTED]:

 
 
 --- Ted Mittelstaedt [EMAIL PROTECTED]
 wrote:
 
  
  Does it meet the test I already outlined?
  
  Download the FreeBSD iso then upload it to a remote server,
  with both lines connected.  Time it.
  
  Disconnect 1 line, then repeat the test.  If the time to
  download and upload when both DSL lines are connected is
  half the time it takes when 1 DSL line is connected, then
  you're load-balancing.
  
  If not, then you are not - although if it makes you feel
  like you haven't wasted your money claim your
  per session load balancing then I suppose it would be
  uncharitable to make you feel bad by pointing out that
  this is purely a marketing term with no networking
  significance.
  
  Oops.
  
  Ted
 
 
 Ted seems incapable of grasping how things work,
 so I don't recommend wasting your time on
 anything he says.
 
 As I stated, you cannot control how traffic comes
 into your network, so Ted's little download test
 is sure not to work.

Danial, once again you're having trouble reading.  That
little test was for BOTH a download AND an upload test.

So, are you sure that the upload component of my little
test WILL work?  Perhaps we might have the poster I
responded to actually RUN the test and report the results?

 Traffic is routed to
 whichever ISP has the best route. You can only
 control how traffic goes OUT of your network. So
 load-balancing can only increase your upload
 speeds, not your download speeds. If you are
 hosting this is useful. If you have mostly
 download traffic, then it's probably not worth it.
 

Once again Danial you flee to arguing from theory and
not reality.  Until the second poster tries the test I
proposed and reports the results, you are really wasting
time.

As I said before, try the test.  If your download speed is
doubled with both DSL lines turned on, you're load balancing.
If your upload speed is doubled with both DSL lines turned
on then you're load balancing.

If your download speed is NOT doubled YET your upload speed
IS doubled with both DSL lines connected, then you are
also load balancing - after a fashion - although the reason
this works is that one of the ISP's is not properly ingress
filtering.  (assuming the DSL lines are connected to different
ISPs, presumably if they are connected to the same ISP you would
have already got multilink PPP or some other kind of real load
balancing setup with that ISP)  And if that is the case,
then the ISP that isn't ingress filtering, has a network full
of spoofed traffic from DDoS trojans and such, and it is unlikely
you would find their bandwidth that useable in the first place.
Additionally, since you're making
use of the failure of one of the ISP's to properly ingress
filter, this sort of 'load balance' could disappear without
warning.  It is not something you would depend on for production
use and few ISP's are like this anymore.

In any case, I think chances that the second poster would
observe doubled upload speed with both lines connected, on
the file test I illustrated, are virtually zero.

Ted


RE: FreeBSD router two DSL connections

2005-12-27 Thread Ted Mittelstaedt
Quoting Danial Thom [EMAIL PROTECTED]:

 
 
 --- Danial Thom [EMAIL PROTECTED] wrote:
 
  
  
  --- Ted Mittelstaedt [EMAIL PROTECTED] wrote:
  
   Does it meet the test I already outlined?
   
   Download the FreeBSD iso then upload it to a remote server,
   with both lines connected.  Time it.
   
   Disconnect 1 line, then repeat the test.  If the time to
   download and upload when both DSL lines are connected is
   half the time it takes when 1 DSL line is connected, then
   you're load-balancing.
   
   If not, then you are not - although if it makes you feel
   like you haven't wasted your money claim your
   per session load balancing then I suppose it would be
   uncharitable to make you feel bad by pointing out that
   this is purely a marketing term with no networking
   significance.
   
   Oops.
   
   Ted
  
  Ted seems incapable of grasping how things work,
  so I don't recommend wasting your time on
  anything he says.
  
  As I stated, you cannot control how traffic comes
  into your network, so Ted's little download test
  is sure not to work. Traffic is routed to
  whichever ISP has the best route. You can only
  control how traffic goes OUT of your network. So
  load-balancing can only increase your upload
  speeds, not your download speeds. If you are
  hosting this is useful. If you have mostly
  download traffic, then it's probably not worth it.
  
  I don't know if Ted is trying to boondoggle you
  into thinking his view is correct, or he just
  doesn't understand it. I suspect it's a bit of both.
  
  You should really try the freebsd-isp list, as
  there are at least some people on there that have
  a clue. Although even Ted's resume looks good on
  paper, so you really can't tell. Incompetence is
  widespread.
  
  DT
 
 To soothe the nerves of the OP, the truth about
 this is that it might work and it might not.
 Ted's assertion that all ISPs do ingress address
 filtering is simply wrong. 

I will concede this because of all the ISP's in the world,
chances are that there is at least 1 that is run so
incompetently, connected to a backbone network that is
also unbelievably incompetent, that they are not
filtering.

 Not even close. My
 assumption that none do isn't right either.

Finally you are admitting that antispoofing filtering is
a reality.  I am glad to see that.

However, you are wrong when you IMPLY that antispoofing
access lists are not widespread.

Anti spoof lists have a long history.  Why even as far back
as 1997 Cisco was unofficially offering to assist ISP's to
put them in, this was in response to land.c, see here:

http://www.apnic.net/mailing-lists/apnic-talk/archive/1997/11/msg2.html

Then in 2000, the IETF decided to codify the requirements for
this in the following RFC's:

ftp://ftp.ietf.org/rfc/rfc2827.txt

ftp://ftp.ietf.org/rfc/rfc3013.txt

We also saw then a pledge from the 9 founders of the Internet Security
Alliance (http://www.isalliance.org/) to institute antispoofing
on their networks, that article is here:

http://news.zdnet.com/2100-9595_22-518743.html

We also saw calls for this from SANS:

http://www.sans.org/dosstep/index.php

and that gadfly, Steve Gibson:

http://grc.com/dos/grcdos.htm

This was 5 years ago.  Today, the practice is firmly established,
Cisco provides instructions for it:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

and the US Department of Homeland Security has recommended it:

http://www.dhs.gov/interweb/assetlibrary/NIAC_HardeningInternetPaper_Jan05.pdf

and yes, these are the same people that have installed the black
boxes that the NSA has used to electronically eavesdrop on the
Internet without a search warrant, as was just reported a week or
so ago in the NYT, and caused Congress to kill the extension of the
Patriot Act.  So don't think that those large networks aren't listening
to the Feds - by contrast they are actively helping the Feds to spy on
us!!!   To assert as Danial is doing that they aren't following the
Feds when the Feds tell them to anti-spoof is absurd.

 IF
 when one of your lines goes down you are still
 online then you can load-balance outbound. IF you
 are multi-homed or have a working backup
 scenario, then you can load balance outbound.


I am afraid though that none of that is useful to the
OP who wanted to know if he could shoestring load
balance to 2 different ISP's for an Internet Cafe.
Unless I am quite mistaken, Internet Cafe's are mainly
inbound bandwidth consumers.
 
 There is much discussion on the trade-offs of
 ingress address filtering, and many believe it's
 the old cut off your nose to spite your face.

There WAS much discussion about 5 years ago when
the Land worm hit, as I recall.  There is very little
today.  Anyone authoritative strongly recommends it,
and I know that some networks are even now requiring
ISP customers to do it.  MANY isp's (such as the one
I work for) automatically 

RE: FreeBSD router two DSL connections

2005-12-26 Thread Ted Mittelstaedt


-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 23, 2005 3:47 PM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections


Ted the incompetent, wrong on all counts once
again:


--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

 -Original Message-
 From: Danial Thom [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 21, 2005 9:56 AM
 To: Loren M. Lang; Ted Mittelstaedt
 Cc: Yance Kowara; freebsd-questions@freebsd.org
 Subject: Re: FreeBSD router two DSL connections
 
 All upstream ISPs are
 connected to everyone on the internet, so it
 doesn't matter which you send your packets to
 (the entire point of a connectionless network.
 They both can forward your traffic to wherever
 its going.
 
 They aren't going to forward your traffic unless
 it's sourced by an IP number they assign.  To
 do otherwise means they would permit you to spoof IP
 numbers.  And while it's possible some very small
 ISP's run by idiots that don't know any better might
 still permit this, their feeds certainly will not.

Yes they will.

I assure you they will not.

Routers route based on dest
address only. Are you somehow suggesting that an
ISP can't be dual homed and use only one link if
one goes down, since some of the addresses sent
up the remaining pipe wouldn't have source
addresses assigned by that upstream provider?

ISP's that are dual-homed have to register their
subnets with both providers.

For example, suppose I'm a small ISP and I go get a
Sprint connection and get assigned a range of
11 IP subnets, 192.168.1.0 - 192.168.10.0

These are Sprint-owned IP addresses of course.  As
I source traffic from 192.168.1.x, Sprint recognizes
it as valid traffic and allows it to pass Sprint's 
ingress filter to me.

Now I get a bit bigger and decide I need a redundant
connection.  So I contact ARIN and buy an AS number,
then contact ATT and get a connection to them, then
setup BGP between myself and ATT & Sprint.

When ATT and I are setting up BGP, ATT's techs will
ask me what subnets I'm advertising, I tell them
192.168.1.0 - 192.168.10.0  ATT then checks with
ARIN's whois server to make sure Sprint has entered
a record for that list of subnets that says I'm
authorized to use them.  If all that checks out OK
then ATT adjusts their ingress filters so I can
source traffic to them from those subnets. 

Now I get even bigger and need more IP's than what
Sprint will provide, so I go to ARIN and buy them.
Then all my feeds have to adjust their ingress filters
to the new subnet.

Now I get even more bigger and I start trying to setup
peering relationships with other networks, so I
don't have to pay them directly.  Well now guess what,
those networks are now monitoring the traffic volume
I'm sending them, because they don't want me to use
and abuse them and give them little peering in return.
So I now have an enormous financial incentive to make
sure that any traffic coming from any of my end users
is in fact valid traffic, so you better believe I'm
going to enforce that with ingress filters to my
downstream customers.

Anyway, this is all academic because the wrongly-sourced
packet won't even get into my network to be forwarded
and blocked by ATT or Sprint, or my peer routers, in the
first place.  Why? Because every wrongly-sourced packet
I allow a customer to send to me, can potentially displace
a correct packet from a customer, making their traffic slower
and setting up potential for complaints.

The ONLY Internet routers that don't ingress filter today are
transit routers run by transit ASs, and no network that
is worth anything allows direct connections to those
routers to their end-user customers.  There is just too much
potential for abuse, and even more potential for being
blackholed as a rogue network by the rest of the Internet.

Everybody today that knows anything
about what they are doing, applies ingress filters, or
they require their downstreams to ingress filter.  In fact I'd
say this is one of the reasons Cisco was dislodged
as the core router vendor by Juniper, because of the need
for enough CPU in routers closer and closer to the core
to be able to run access lists.

Chances today that a cable line or a DSL line going to an
end user could get a packet with a non-network source
very far in to the Internet are zilch.

One of the largest sources of bogus source IP numbers in
fact are those cheap-as-shit DSL/Cable routers, as some
of those models will ARP both their legal WAN IP address,
and the LAN IP addresses, on their WAN port.  All of the
ActionTec routers do this in bridged mode, for example,
and Qwest has thousands of them deployed.  And the second
largest source are infected PC's
that have DDoS trojans on them, which some mothership
has programmed to try to DDoS some poor bugger, with
bogus sources.

 You
are beyond clueless, Ted. Why do you keep opening
your mouth

RE: FreeBSD router two DSL connections

2005-12-26 Thread Ted Mittelstaedt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Yance Kowara
Sent: Saturday, December 24, 2005 6:09 AM
To: freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections


 Ted, you have to think outside the box. Life is
 more than one connection. While you can't
 increase the throughput of a single connection,
 you can increase the throughput of your network,
 which is usually the point. Throughput in this
 context is capacity. Throughput is not only
 what you can get on a download; it's the sum
 total of all of your activities.
 
 You can upload at 2Mb/s on one connection if
 you balance your outbound traffic, but not
 download, because while you can control where
 outgoing packets are sent,  you can't control
 over which pipe incoming traffic arrives.
 
 Believe me, ted. It works. It's not theory. It's
 being done. For example a hosting ISP saturates
 its pipes outgoing and has very little traffic
 incoming. They can load balance in the outgoing
 only direction and have all of their incoming
 traffic on a single pipe and double the capacity
 of their network. Since they never exceed the
 incoming bandwidth of a single pipe there is no
 need to balance it.
 
 DT
 

Ted and Daniel,

I am still following this thread and am getting all
confused here. 

Back to my original question: 2 ADSL uplinks - 2
different ISPs can they be merged? (Load balanced,
load shared, whatever it is)


No, as I already said, they can not.

OpenBSD's PF has something that looks promising:
http://www.openbsd.org/faq/pf/pools.html#outgoing
Is this what I am looking for?


Yance, I said no once, I'll say no again, you still don't
believe me, please go set the thing up and see for yourself.

As I said, set it up, plug one DSL line in, download the
FreeBSD ISO, time it, plug the second DSL line in, download
the FreeBSD ISO again, and measure the time it takes, there
will be no difference.

Then when you're finished doing that, repeat the test but this
time try uploading the ISO file to some remote server, with
one line connected, then with both lines connected, and
once again, you will see no difference.

By that definition, no they are not merged/Load balanced/
load shared.  If you have something else in mind, than
load balancing, then maybe the software will do something that
you want.

But it will not load balance 2 lines to different ISP's.

Ted


RE: FreeBSD router two DSL connections

2005-12-26 Thread Ted Mittelstaedt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Danial Thom
Sent: Saturday, December 24, 2005 7:48 AM
To: [EMAIL PROTECTED]; Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections




--- Danial Thom [EMAIL PROTECTED] wrote:

 
 
 --- Yance Kowara [EMAIL PROTECTED] wrote:
 
   Ted, you have to think outside the box. Life is
   more than one connection. While you can't
   increase the throughput of a single connection,
   you can increase the throughput of your network,
   which is usually the point. Throughput in this
   context is capacity. Throughput is not only
   what you can get on a download; it's the sum
   total of all of your activities.
   
   You can upload at 2Mb/s on one connection if
   you balance your outbound traffic, but not
   download, because while you can control where
   outgoing packets are sent,  you can't control
   over which pipe incoming traffic arrives.
   
   Believe me, ted. It works. It's not theory. It's
   being done. For example a hosting ISP saturates
   its pipes outgoing and has very little traffic
   incoming. They can load balance in the outgoing
   only direction and have all of their incoming
   traffic on a single pipe and double the capacity
   of their network. Since they never exceed the
   incoming bandwidth of a single pipe there is no
   need to balance it.
   
   DT
   
  Ted and Daniel,
  
  I am still following this thread and am getting all
  confused here.
  
  Back to my original question: 2 ADSL uplinks - 2
  different ISPs can they be merged? (Load balanced,
  load shared, whatever it is)
  
  OpenBSD's PF has something that looks promising:
  http://www.openbsd.org/faq/pf/pools.html#outgoing
  Is this what I am looking for?
  
  Kind regards,
  
  Yance Kowara
 
 merged is not the correct word. You cannot
 change how your traffic comes in (ie from which
 ISP it arrives). You can use various techniques
 (source routing, static routing tables, load
 balancing) to increase your outgoing capacity.
 
 What you should be discussing is how you can use
 each of these techniques within a FreeBSD
 environment. Unfortunately we have to teach Ted
 how routing works in the meantime, which muddles
 the issue.
 
 DT

As an example, I had a customer that had a T1 and
a T3 connection to different ISPs (they kept the
T1 because of the IPs they didn't want to
relinquish, and as a backup), and BGP worked on
hops at the time so clearly that doesn't work when
you have unbalanced pipes, because arguably the
T3 is always the better route).

More baloney.  The better route with BGP is the route
with fewer AS hops not the one that goes out the
biggest pipe.

It is quite possible to have a T1 to a backbone that
is very well connected (ie: uunet) and a DS3 to a
backbone that is poorly connected (ie: Wiltel) and have
all the inbound and outbound traffic favor the T1

Ted


RE: FreeBSD router two DSL connections

2005-12-26 Thread Ted Mittelstaedt


-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 24, 2005 7:59 AM
To: Ted Mittelstaedt; Winelfred G. Pasamba
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections




--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

 http://www.edimax.com/html/english/products/PRI582.htm
 
 ...Performs Outbound load balancing by session, weight round robin or
 traffic...
 
 Note that they say by SESSION not by PACKET.
 
 It's marketingspeak.  They are simply using the term load balancing
 for a device that doesn't actually load balance.  Apparently
 they figure that if they say session load balancing even though
 there is no such accepted definition, that then they are somehow not
 lying.
 
 It's akin to someone saying that FreeBSD is a kind of Linux in a
 sentence that uses Linux to indicate open source operating systems
 
 Apparently you never heard the old saying  A grain of truth is
 buried in all great lies

I'm not sure what your primary language is, but
round robin IS packet balancing. 


In an engineer's treatise, perhaps.

but this is a marketing document and you're just assuming
that they mean per packet they could have easily meant
that the sessions were round-robined.

Suppose you have 2 pipes:

Round Robin:

1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe2

Weighted round Robin, weighted 2 to 1:

1 packet to pipe1
1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe1
1 packet to pipe2

Per session balancing may be useful when you
have paths that are not very equal. If you load
balance to different ISPs packets could arrive
out of order (in fact they are likely to).

You cannot load balance to 2 different ISPs unless
you're running BGP I already went over this.

Does this product speak BGP?

Ted
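
Added example (not part of any poster's message, and not code from the product or from PF): a small Python model of the round robin, weighted round robin and per-session schedules listed above, sent through two ISPs that each apply the RFC 2827 source-address ingress filter cited earlier in the thread. The prefixes, WAN addresses and packet stream are constructed, and the model assumes a NATed session keeps the source address of the pipe its first packet left on.

```python
import ipaddress
from itertools import cycle, islice

# Constructed topology (RFC 5737 documentation prefixes, not addresses from the thread).
NET1 = ipaddress.ip_network("192.0.2.0/24")      # assigned by the ISP behind pipe1
NET2 = ipaddress.ip_network("198.51.100.0/24")   # assigned by the ISP behind pipe2
WAN_ADDR = {"pipe1": ipaddress.ip_address("192.0.2.10"),
            "pipe2": ipaddress.ip_address("198.51.100.10")}

# Two DSL lines to unrelated ISPs: each edge accepts only the prefix it assigned.
ASSIGNED = {"pipe1": [NET1], "pipe2": [NET2]}
# Multihomed case from the thread: both prefixes registered with both providers.
REGISTERED = {"pipe1": [NET1, NET2], "pipe2": [NET1, NET2]}

ROUND_ROBIN = {"pipe1": 1, "pipe2": 1}
WEIGHTED_2_TO_1 = {"pipe1": 2, "pipe2": 1}

# Constructed outbound stream: each entry names the session a packet belongs to.
PACKETS = ["a", "a", "b", "a", "b", "b", "c", "c"]


def schedule(weights, n):
    """First n pipe choices of a (weighted) round robin over the pipes."""
    order = [pipe for pipe, weight in weights.items() for _ in range(weight)]
    return list(islice(cycle(order), n))


def ingress_ok(acl, pipe, src):
    """RFC 2827 style edge check: is src inside a prefix allowed on this link?"""
    return any(src in net for net in acl[pipe])


def per_packet(packets, weights, acl):
    """Every packet takes the next pipe in the schedule.

    Assumption: a session's source address is fixed by NAT when its first
    packet leaves, so later packets can exit the other pipe with that address.
    """
    session_src, out = {}, []
    for session, pipe in zip(packets, schedule(weights, len(packets))):
        src = session_src.setdefault(session, WAN_ADDR[pipe])
        out.append((session, pipe, str(src), ingress_ok(acl, pipe, src)))
    return out


def per_session(packets, weights, acl):
    """Only new sessions consult the schedule; a session stays on its pipe."""
    pipes = cycle(schedule(weights, sum(weights.values())))
    session_pipe, out = {}, []
    for session in packets:
        if session not in session_pipe:
            session_pipe[session] = next(pipes)
        pipe = session_pipe[session]
        src = WAN_ADDR[pipe]  # NATed to the address of the pipe in use
        out.append((session, pipe, str(src), ingress_ok(acl, pipe, src)))
    return out


def tally(result):
    """(forwarded, dropped) counts for a list of per-packet results."""
    forwarded = sum(1 for *_, ok in result if ok)
    return forwarded, len(result) - forwarded


if __name__ == "__main__":
    print("1:1 schedule:", schedule(ROUND_ROBIN, 4))
    print("2:1 schedule:", schedule(WEIGHTED_2_TO_1, 6))
    cases = [
        ("per-packet 1:1, own prefix only", per_packet, ROUND_ROBIN, ASSIGNED),
        ("per-packet 2:1, own prefix only", per_packet, WEIGHTED_2_TO_1, ASSIGNED),
        ("per-packet 1:1, both registered", per_packet, ROUND_ROBIN, REGISTERED),
        ("per-session 1:1, own prefix only", per_session, ROUND_ROBIN, ASSIGNED),
    ]
    for name, fn, weights, acl in cases:
        print(f"{name:34s} forwarded/dropped = {tally(fn(PACKETS, weights, acl))}")
```

In this model, per-packet alternation across two unregistered prefixes loses every packet that leaves on the pipe whose ISP did not assign its source address, while per-session balancing passes the filter on both pipes but never spreads a single session over both lines.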


RE: FreeBSD router two DSL connections

2005-12-26 Thread Danial Thom


--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

 -Original Message-
 From: Danial Thom [mailto:[EMAIL PROTECTED]
 Sent: Friday, December 23, 2005 3:47 PM
 To: Ted Mittelstaedt; Loren M. Lang
 Cc: Yance Kowara; freebsd-questions@freebsd.org
 Subject: RE: FreeBSD router two DSL connections
 
 Ted the incompetent, wrong on all counts once
 again:
 
 --- Ted Mittelstaedt [EMAIL PROTECTED] wrote:
 
  -Original Message-
  From: Danial Thom [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 21, 2005 9:56 AM
  To: Loren M. Lang; Ted Mittelstaedt
  Cc: Yance Kowara; freebsd-questions@freebsd.org
  Subject: Re: FreeBSD router two DSL connections
  
  All upstream ISPs are
  connected to everyone on the internet, so it
  doesn't matter which you send your packets to
  (the entire point of a connectionless network.
  They both can forward your traffic to wherever
  its going.
  
  They aren't going to forward your traffic unless
  it's sourced by an IP number they assign.  To
  do otherwise means they would permit you to spoof IP
  numbers.  And while it's possible some very small
  ISP's run by idiots that don't know any better might
  still permit this, their feeds certainly will not.
 
 Yes they will.
 
 I assure you they will not.
 
 Routers route based on dest
 address only. Are you somehow suggesting that an
 ISP can't be dual homed and use only one link if
 one goes down, since some of the addresses sent
 up the remaining pipe wouldn't have source
 addresses assigned by that upstream provider?
 
 ISP's that are dual-homed have to register their
 subnets with both providers.
 
 For example, suppose I'm a small ISP and I go get a
 Sprint connection and get assigned a range of
 11 IP subnets, 192.168.1.0 - 192.168.10.0
 
 These are Sprint-owned IP addresses of course.  As
 I source traffic from 192.168.1.x, Sprint recognizes
 it as valid traffic and allows it to pass Sprint's
 ingress filter to me.
 
 Now I get a bit bigger and decide I need a redundant
 connection.  So I contact ARIN and buy an AS number,
 then contact ATT and get a connection to them, then
 setup BGP between myself and ATT & Sprint.
 
 When ATT and I are setting up BGP, ATT's techs will
 ask me what subnets I'm advertising, I tell them
 192.168.1.0 - 192.168.10.0  ATT then checks with
 ARIN's whois server to make sure Sprint has entered
 a record for that list of subnets that says I'm
 authorized to use them.  If all that checks out OK
 then ATT adjusts their ingress filters so I can
 source traffic to them from those subnets.

So if you have 2 ISPs, then both of them know
about both of your address groups, so you can
load balance any way you want, right? Which is
why the scenario I've suggested will work in all
cases.

I also know tons of secondary peering ISPs that
don't do any filtering at all on incoming
traffic. If you're peering with multiple networks
the combinations of source addresses that are
possible to go through your network are too
mind-boggling to load your server with. Most T3
routers deployed can barely handle their loads
without filtering every incoming packet through
ingress filters. You may think they do it, but
most don't 

For example, in my office I have a cable modem
and a 100Mb/s link to an ISP that happens to be
in my building. I can set my default router to
either router and it works fine. The cable modem
company will accept ANY source address and so
will the ISP. I assure you that the cable company
doesn't know of my other addresses.


DT





RE: FreeBSD router two DSL connections

2005-12-26 Thread Danial Thom


--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

 -Original Message-
 From: Danial Thom [mailto:[EMAIL PROTECTED]
 Sent: Saturday, December 24, 2005 7:59 AM
 To: Ted Mittelstaedt; Winelfred G. Pasamba
 Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
 Subject: RE: FreeBSD router two DSL connections
 
 --- Ted Mittelstaedt [EMAIL PROTECTED] wrote:
 
  http://www.edimax.com/html/english/products/PRI582.htm
  
  ...Performs Outbound load balancing by session, weight round robin or
  traffic...
  
  Note that they say by SESSION not by PACKET.
  
  It's marketingspeak.  They are simply using the term load balancing
  for a device that doesn't actually load balance.  Apparently
  they figure that if they say session load balancing even though
  there is no such accepted definition, that then they are somehow not
  lying.
  
  It's akin to someone saying that FreeBSD is a kind of Linux in a
  sentence that uses Linux to indicate open source operating systems
  
  Apparently you never heard the old saying  A grain of truth is
  buried in all great lies
 
 I'm not sure what your primary language is, but
 round robin IS packet balancing.
 
 In an engineer's treatise, perhaps.
 
 but this is a marketing document and you're just assuming
 that they mean per packet they could have easily meant
 that the sessions were round-robined.
 
 Suppose you have 2 pipes:
 
 Round Robin:
 
 1 packet to pipe1
 1 packet to pipe2
 1 packet to pipe1
 1 packet to pipe2
 
 Weighted round Robin, weighted 2 to 1:
 
 1 packet to pipe1
 1 packet to pipe1
 1 packet to pipe2
 1 packet to pipe1
 1 packet to pipe1
 1 packet to pipe2
 
 Per session balancing may be useful when you
 have paths that are not very equal. If you load
 balance to different ISPs packets could arrive
 out of order (in fact they are likely to).
 
 You cannot load balance to 2 different ISPs unless
 you're running BGP I already went over this.
 
 Does this product speak BGP?
 
 Ted

I've seen your resume, Ted how do you get jobs?
Are people hiring so incompetent?

As stated, even by Ted, you have to register ALL
of your addresses with ALL of your ISPs, so you
can send your packets to ANYONE you want, even if
they are filtering.

Please stop listening to Ted. He doesn't
understand this.

DT





RE: FreeBSD router two DSL connections

2005-12-26 Thread Danial Thom


--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

 -Original Message-
 From: Danial Thom [mailto:[EMAIL PROTECTED]
 Sent: Friday, December 23, 2005 3:47 PM
 To: Ted Mittelstaedt; Loren M. Lang
 Cc: Yance Kowara; freebsd-questions@freebsd.org
 Subject: RE: FreeBSD router two DSL connections
 
 Ted the incompetent, wrong on all counts once
 again:
 
 --- Ted Mittelstaedt [EMAIL PROTECTED] wrote:
 
  -Original Message-
  From: Danial Thom [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 21, 2005 9:56 AM
  To: Loren M. Lang; Ted Mittelstaedt
  Cc: Yance Kowara; freebsd-questions@freebsd.org
  Subject: Re: FreeBSD router two DSL connections
  
  All upstream ISPs are
  connected to everyone on the internet, so it
  doesn't matter which you send your packets to
  (the entire point of a connectionless network.
  They both can forward your traffic to wherever
  its going.
  
  They aren't going to forward your traffic unless
  it's sourced by an IP number they assign.  To
  do otherwise means they would permit you to spoof IP
  numbers.  And while it's possible some very small
  ISP's run by idiots that don't know any better might
  still permit this, their feeds certainly will not.
 
 Yes they will.
 
 I assure you they will not.
 
 Routers route based on dest
 address only. Are you somehow suggesting that an
 ISP can't be dual homed and use only one link if
 one goes down, since some of the addresses sent
 up the remaining pipe wouldn't have source
 addresses assigned by that upstream provider?
 
 ISP's that are dual-homed have to register their
 subnets with both providers.
 
 For example, suppose I'm a small ISP and I go get a
 Sprint connection and get assigned a range of
 11 IP subnets, 192.168.1.0 - 192.168.10.0
 
 These are Sprint-owned IP addresses of course.  As
 I source traffic from 192.168.1.x, Sprint recognizes
 it as valid traffic and allows it to pass Sprint's
 ingress filter to me.
 
 Now I get a bit bigger and decide I need a redundant
 connection.  So I contact ARIN and buy an AS number,
 then contact ATT and get a connection to them, then
 setup BGP between myself and ATT & Sprint.
 
 When ATT and I are setting up BGP, ATT's techs will
 ask me what subnets I'm advertising, I tell them
 192.168.1.0 - 192.168.10.0  ATT then checks with
 ARIN's whois server to make sure Sprint has entered
 a record for that list of subnets that says I'm
 authorized to use them.  If all that checks out OK
 then ATT adjusts their ingress filters so I can
 source traffic to them from those subnets.
 
 Now I get even bigger and need more IP's than what
 Sprint will provide, so I go to ARIN and buy them.
 Then all my feeds have to adjust their ingress filters
 to the new subnet.
 
 Now I get even more bigger and I start trying to setup
 peering relationships with other networks, so I
 don't have to pay them directly.  Well now guess what,
 those networks are now monitoring the traffic volume
 I'm sending them, because they don't want me to use
 and abuse them and give them little peering in return.
 So I now have an enormous financial incentive to make
 sure that any traffic coming from any of my end users
 is in fact valid traffic, so you better believe I'm
 going to enforce that with ingress filters to my
 downstream customers.
 
 Anyway, this is all academic because the wrongly-sourced
 packet won't even get into my network to be forwarded
 and blocked by ATT or Sprint, or my peer routers, in the
 first place.  Why? Because every wrongly-sourced packet
 I allow a customer to send to me, can potentially displace
 a correct packet from a customer, making their traffic slower
 and setting up potential for complaints.
 
 The ONLY Internet routers that don't ingress filter today are
 transit routers run by transit ASs, and no network that
 is worth anything allows direct connections to those
 routers to their end-user customers.  There is just too much
 potential for abuse, and even more potential for being
 blackholed as a rogue network by the rest of the Internet.
 
 Everybody today that knows anything
 about what they are doing, applies ingress filters, or
 they require their downstreams to ingress filter.  In fact I'd
 say this is one of the reasons Cisco was dislodged
 as the core router vendor by Juniper, because of the need
 for enough CPU in routers closer and closer to the core
 to be able to run access lists.
 
 Chances today that a cable line or a DSL line going to an
 end user could get a packet with a non-network source
 very far in to the Internet are zilch.
 
 One of the largest sources of bogus source IP numbers in
 fact are those cheap-as-shit DSL/Cable routers, as some
 of those models will ARP both their legal WAN IP address,
 and the LAN IP addresses, on their WAN port.  All of the
 ActionTec routers do this in bridged mode, for example,
 and Qwest has thousands of them deployed

Re: FreeBSD router two DSL connections

2005-12-26 Thread Winelfred G. Pasamba
ted, danial, and the rest,

i'm learning a lot in this thread.

i have a pfsense (freebsd) router that has two connections to the same ISP
and one connection to a linux squid (another server).  i use the ported
openbsd packet filter in freebsd for (whatever) load balancing.  i can paste
the freebsd-/etc/pf.conf and give you a sample of 'pfctl -s state' which
looks like a firewall state table (i'm not sure though).  i can also capture
traffic graphs on all three interfaces of the pfsense router.

just want to know what's happening in the (freebsd) pfsense router.  is it
route balancing, packet round-robin'ing, connection-round-robining, or what?

one thing is that both these isp lines don't have any CIR. one is up to
128kbps and the other is up to 256 kbps. and i don't know which is which,
hehe.

here are the graphs and dump:
http://geocities.com/winelfredpasamba/is_this_load_balancing_or_what/

On 12/26/05, Danial Thom [EMAIL PROTECTED] wrote:



 --- Ted Mittelstaedt [EMAIL PROTECTED]
 wrote:

 
 
  -Original Message-
  From: Danial Thom
  [mailto:[EMAIL PROTECTED]
  Sent: Friday, December 23, 2005 3:47 PM
  To: Ted Mittelstaedt; Loren M. Lang
  Cc: Yance Kowara;
  freebsd-questions@freebsd.org
  Subject: RE: FreeBSD router two DSL
  connections
  
  
  Ted the incompetent, wrong on all counts once
  again:
  
  
  --- Ted Mittelstaedt [EMAIL PROTECTED]
  wrote:
  
  
  
   -Original Message-
   From: Danial Thom
   [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, December 21, 2005 9:56 AM
   To: Loren M. Lang; Ted Mittelstaedt
   Cc: Yance Kowara;
   freebsd-questions@freebsd.org
   Subject: Re: FreeBSD router two DSL
   connections
   
   
   All upstream ISPs are
   connected to everyone on the internet, so
  it
   doesn't matter which you send your packets
  to
   (the entire point of a connectionless
   network.
   They both can forward your traffic to
  wherever
   its going.
  
   They aren't going to forward your traffic
   unless
   it's sourced by an IP number they assign.
  To
   do otherwise means they would permit you to
   spoof IP
   numbers.  And while it's possible some very
   small
   ISP's run by idiots that don't know any
  better
   might
   still permit this, their feeds certainly
  will
   not.
  
  Yes they will.
 
  I assure you they will not.
 
  Routers route based on dest
  address only. Are you somehow suggesting that
  an
  ISP can't be dual homed and use only one link
  if
  one goes down, since some of the addresses
  sent
  up the remaining pipe wouldn't have source
  addresses assigned by that upstream provider?
 
  ISP's that are dual-homed have to register
  their
  subnets with both providers.
 
  For example, suppose I'm a small ISP and I go
  get a
  Sprint connection and get assigned a range of
  11 IP subnets, 192.168.1.0 - 192.168.10.0
 
  These are Sprint-owned IP addresses of course.
  As
  I source traffic from 192.168.1.x, Sprint
  recognizes
  it as valid traffic and allows it to pass
  Sprint's
  ingress filter to me.
 
  Now I get a bit bigger and decide I need a
  redundant
  connection.  So I contact ARIN and buy an AS
  number,
  then contact ATT and get a connection to them,
  then
  setup BGP between myself and ATT & Sprint.
 
  When ATT and I are setting up BGP, ATT's techs
  will
  ask me what subnets I'm advertising, I tell
  them
  192.168.1.0 - 192.168.10.0  ATT then checks
  with
  ARIN's whois server to make sure Sprint has
  entered
  a record for that list of subnets that says I'm
  authorized to use them.  If all that checks out
  OK
  then ATT adjusts their ingress filters so I can
  source traffic to them from those subnets.
 
  Now I get even bigger and need more IP's than
  what
  Sprint will provide, so I go to ARIN and buy
  them.
  Then all my feeds have to adjust their ingress
  filters
  to the new subnet.
 
  Now I get even more bigger and I start trying
  to setup
  peering relationships with other networks, so I
  don't have to pay them directly.  Well now
  guess what,
  those networks are now monitoring the traffic
  volume
  I'm sending them, because they don't want me to
  use
  and abuse them and give them little peering in
  return.
  So I now have an enormous financial incentive
  to make
  sure that any traffic coming from any of my end
  users
  is in fact valid traffic, so you better believe
  I'm
  going to enforce that with ingress filters to
  my
  downstream customers.
 
  Anyway, this is all academic because the
  wrongly-sourced
  packet won't even get into my network to be
  forwarded
  and blocked by ATT or Sprint, or my peer
  routers, in the
  first place.  Why? Because every
  wrongly-sourced packet
  I allow a customer to send to me, can
  potentially displace
  a correct packet from a customer, making their
  traffic slower
  and setting up potential for complaints.
 
  The ONLY Internet routers that don't ingress
  filter today are
  transit routers run by transit ASs, and no
  network

RE: FreeBSD router two DSL connections

2005-12-26 Thread Ted Mittelstaedt


-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:48 AM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections




--- Ted Mittelstaedt [EMAIL PROTECTED]
wrote:

 
 
 -Original Message-
 From: Danial Thom
 [mailto:[EMAIL PROTECTED]
 Sent: Friday, December 23, 2005 3:47 PM
 To: Ted Mittelstaedt; Loren M. Lang
 Cc: Yance Kowara;
 freebsd-questions@freebsd.org
 Subject: RE: FreeBSD router two DSL
 connections
 
 
 Ted the incompetent, wrong on all counts once
 again:
 
 
 --- Ted Mittelstaedt [EMAIL PROTECTED]
 wrote:
 
  
  
  -Original Message-
  From: Danial Thom
  [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 21, 2005 9:56 AM
  To: Loren M. Lang; Ted Mittelstaedt
  Cc: Yance Kowara;
  freebsd-questions@freebsd.org
  Subject: Re: FreeBSD router two DSL
  connections
  
  
  All upstream ISPs are
  connected to everyone on the internet, so
 it
  doesn't matter which you send your packets
 to
  (the entire point of a connectionless
  network.
  They both can forward your traffic to
 wherever
  its going.
  
  They aren't going to forward your traffic
  unless
  it's sourced by an IP number they assign. 
 To
  do otherwise means they would permit you to
  spoof IP
  numbers.  And while it's possible some very
  small
  ISP's run by idiots that don't know any
 better
  might
  still permit this, their feeds certainly
 will
  not.
 
 Yes they will.
 
 I assure you they will not.
 
 Routers route based on dest
 address only. Are you somehow suggesting that
 an
 ISP can't be dual homed and use only one link
 if
 one goes down, since some of the addresses
 sent
 up the remaining pipe wouldn't have source
 addresses assigned by that upstream provider?
 
 ISP's that are dual-homed have to register
 their
 subnets with both providers.
 
 For example, suppose I'm a small ISP and I go
 get a
 Sprint connection and get assigned a range of
 11 IP subnets, 192.168.1.0 - 192.168.10.0
 
 These are Sprint-owned IP addresses of course. 
 As
 I source traffic from 192.168.1.x, Sprint
 recognizes
 it as valid traffic and allows it to pass
 Sprint's 
 ingress filter to me.
 
 Now I get a bit bigger and decide I need a
 redundant
 connection.  So I contact ARIN and buy an AS
 number,
 then contact ATT and get a connection to them,
 then
 setup BGP between myself and ATT & Sprint.
 
 When ATT and I are setting up BGP, ATT's techs
 will
 ask me what subnets I'm advertising, I tell
 them
 192.168.1.0 - 192.168.10.0  ATT then checks
 with
 ARIN's whois server to make sure Sprint has
 entered
 a record for that list of subnets that says I'm
 authorized to use them.  If all that checks out
 OK
 then ATT adjusts their ingress filters so I can
 source traffic to them from those subnets. 

So if you have 2 ISPs, then both of them know
about both of your address groups, so you can
load balance any way you want, right?

No, they don't know about those groups as I have just
finished explaining.

Which is
why the scenario I've suggested will work in all
cases.


Which is why it won't work in all cases.

I also know tons of secondary peering ISPs that
don't do any filtering at all on incoming
traffic.

Bullcrap.  Prove it.  Start naming names and I'll
post them on NANOG and ask others opinions.  I'm 
sure the script kiddies looking for DDoS hosts
will appreciate knowing who to concentrate their
attacks on.

If you're peering with multiple networks
the combinations of source addresses that are
possible to go through your network are too
mind-boggling to load your server with. Most T3
routers deployed can barely handle their loads
without filtering every incoming packet through
ingress filters. You may think they do it, but
most don't 


As I already said core routers don't
filter.  However, networks that do multiple peering 
have edge routers that they use to connect to end-node ASs
and those filter.

For example, in my office I have a cable modem
and a 100Mb/s link to an ISP that happens to be
in my building. I can set my default router to
either router and it works fine. The cable modem
company will accept ANY source address and so
will the ISP. I assure you that the cable company
doesn't know of my other addresses.


Bullcrap.  Once again, prove it.  If you think this
scenario really exists, post who is involved instead
of hiding.

Ted


RE: FreeBSD router two DSL connections

2005-12-26 Thread Ted Mittelstaedt


-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:50 AM
To: Ted Mittelstaedt; Winelfred G. Pasamba
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections



As stated, even by Ted, you have to register ALL
of your addresses with ALL of your ISPs, so you
can send your packets to ANYONE you want, even if
they are filtering.


No, what I said is that any ISP that is an end-node AS
and gets a feed from a network must tell that network
what IP blocks they are using to send traffic from.

Network to network peering is a different story - but
you won't find DSL or cable providers running DSL lines
from their peering routers to end users.  All that has
to happen is for the end user to start pumping a ton of
traffic into the peering router with the source IP number
of, say, www.fbi.gov and a destination IP of, say www.whitehouse.gov
and all kinds of interesting and unpleasant things will
start happening to the operators of that cable or DSL
provider once the feds finish tracking them down.

Think about it.

Ted


RE: FreeBSD router two DSL connections

2005-12-26 Thread Ted Mittelstaedt


-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 26, 2005 7:58 AM
To: Ted Mittelstaedt; Loren M. Lang
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections



You're not using illegal addresses when you load
balance, Ted. You're using real address that all
of your upstream ISPs need to know about. Why
can't you grasp this concept?


So you finally figured it out, Danial.

These get one DSL line from one ISP and a cable
line from another ISP schemes will not work precisely
because while the upstream ISP's need to know about your
real addresses, they don't.

ISP A that you have a DSL line to and assigns you
10.0.0.1 as an IP number is expecting traffic to come
from you with a destination IP number of anywhere on the
Internet, and a source IP number of 10.0.0.1

ISP B that you have a cable line to and assigns you
192.168.0.1 as an IP number is expecting traffic to come
from you with a destination IP number of anywhere on the
Internet, and a source IP number of 192.168.0.1

If you use 10.0.0.1 as a source IP for a packet that you
send to ISP B, then ISP B's ingress filters will not
see this packet with a source IP of 192.168.0.1, and assume
it's bogus, and drop it.

If you use 192.168.0.1 as a source IP for a packet that you
send to ISP A, then ISP A's ingress filters will not
see this packet with a source IP of 10.0.0.1, and assume
it's bogus, and drop it.

Very simple concept for anyone to grasp.

Ted


RE: FreeBSD router two DSL connections

2005-12-24 Thread Ted Mittelstaedt

http://www.edimax.com/html/english/products/PRI582.htm

...Performs Outbound load balancing by session, weight round robin or
traffic...

Note that they say by SESSION not by PACKET.

It's marketingspeak.  They are simply using the term load balancing
for a device that doesn't actually load balance.  Apparently
they figure that if they say session load balancing even though
there is no such accepted definition, that then they are somehow not
lying.

It's akin to someone saying that FreeBSD is a kind of Linux in a
sentence that uses Linux to indicate open source operating systems

Apparently you never heard the old saying  A grain of truth is
buried in all great lies


Ted

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Winelfred G.
Pasamba
Sent: Thursday, December 22, 2005 11:30 PM
To: Ted Mittelstaedt
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections


I wonder if these routers are using freebsd

http://www.edimax.com/html/english/products/list-router.htm

2 WAN, 4 WAN, etc...

and i also wonder what happens if one WAN goes down? or if the
WANs are of
different speeds?

On 12/23/05, Ted Mittelstaedt [EMAIL PROTECTED] wrote:



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, December 22, 2005 3:09 AM
 To: freebsd-questions@freebsd.org
 Subject: RE: FreeBSD router two DSL connections
 
 
  Which is not redundant.
 
 
 
  Considering the OP asked for specifics on how to do this and your
 
  response has been a bunch of theoretical gobbledygook that
is flat out
 
  wrong network theory, you haven't done anything to help the
 poor bastard.
 
 
 
 Hi,
 
 
 
 This is a pretty fiery debate.
 
 
 
 I have a question along the lines of this thread. I currently
 have a 1.5Mbit
 ADSL tail at the school that I work for. This tail connects to
 the Education
 Office which hosts a variety of websites, we then get internet access
 through the education office.
 
 
 
 We currently also have 230 PCs, and the connection is slowing down
 significantly. What I planned on doing was purchasing a
20Mbit ADSL 2+
 connection and setting up a FreeBSD router which forwards
all internet
 traffic through the ADSL2+ connection, and the Education
Office traffic
 would be forwarded through the existing connection. Is this feasible?

 The easiest way would be to purchase a DSL modem/router for use
 with the ADSL2 connection (or a ADSL2 modem coupled to a
 ethernet-to-ethernet
 DSL router)  Set this up as a network address translator, plug it
 into your school network. (you can use FreeBSD for this if
you want)  You
 will need
 to do a bit of exploring to find out the subnets that the ED office is
 using.

 For example, suppose ED office has assigned IP subnet 10.0.10.0/24
 to your school.  Their existing DSL tail has an IP number of 10.0.10.1
 on it.  You have your PC's set up to use IP addresses 10.0.10.10 -
 10.0.10.240
 with a subnet mask of 255.255.255.0 and a gateway of 10.0.10.1

 You do some queries with nslookup to find out all the IP
addresses of the
 Ed servers, and you find they are on subnets 10.0.12.x,   10.0.15.x,
 192.168.4.x, etc.

 So, first thing you do is you setup your BSD system/DSL
router/DSL modem
 as a translator, and set its internal interface IP address
to 10.0.10.2

 Then you add in a bunch of static routes into it for the ED
subnets you
 discovered, pointing those subnets to 10.0.10.1

 Last you set your PC's to use 10.0.10.2 as their default gateway.

 When the PC's send traffic to the Internet the router sends
that out the
 ADSL2 line

 When the PC's send traffic to ED, the router issues an ICMP
redirect that
 installs an ICMP route in the PC's that points to 10.0.10.1 for that
 host.

 Ted





--
Seek ye first the kingdom of God and all these things shall be
added unto
you.

Winelfred G. Pasamba
Adventist University of the Philippines
Computer Science Department, AUP Online Information System


RE: FreeBSD router two DSL connections

2005-12-24 Thread Yance Kowara
 Ted, you have to think outside the box. Life is
 more than one connection. While you can't
 increase the throughput of a single connection,
 you can increase the throughput of your network,
 which is usually the point. Throughput in this
 context is capacity. Throughput is not only
 what you can get on a download; its the sum
 total of all of your activities.
 
 You can upload at 2Mb/s on one connection if
 you balance your outbound traffic, but not
 download, because while you can control where
 outgoing packets are sent,  you can't control
 over which pipe incoming traffic arrives.
 
 Believe me, ted. It works. Its not theory. Its
 being done. For example a hosting ISP saturates
 its pipes outgoing and has very little traffic
 incoming. They can load balance in the outgoing
 only direction and have all of their incoming
 traffic on a single pipe and double the capacity
 of their network. Since they never exceed the
 incoming bandwidth of a single pipe there is no
 need to balance it.
 
 DT
 

Ted and Daniel,

I am still following this thread and am getting all
confused here. 

Back to my original question: 2 ADSL uplinks - 2
different ISPs can they be merged? (Load balanced,
load shared, whatever it is)

OpenBSD's PF has something that looks promising:
http://www.openbsd.org/faq/pf/pools.html#outgoing
Is this what I am looking for?

Kind regards,


Yance Kowara






RE: FreeBSD router two DSL connections

2005-12-24 Thread Danial Thom


--- Yance Kowara [EMAIL PROTECTED] wrote:

  Ted, you have to think outside the box. Life
 is
  more than one connection. While you can't
  increase the throughput of a single
 connection,
  you can increase the throughput of your
 network,
  which is usually the point. Throughput in
 this
  context is capacity. Throughput is not only
  what you can get on a download; its the sum
  total of all of your activities.
  
  You can upload at 2Mb/s on one connection
 if
  you balance your outbound traffic, but not
  download, because while you can control where
  outgoing packets are sent,  you can't control
  over which pipe incoming traffic arrives.
  
  Believe me, ted. It works. Its not theory.
 Its
  being done. For example a hosting ISP
 saturates
  its pipes outgoing and has very little
 traffic
  incoming. They can load balance in the
 outgoing
  only direction and have all of their incoming
  traffic on a single pipe and double the
 capacity
  of their network. Since they never exceed the
  incoming bandwidth of a single pipe there is
 no
  need to balance it.
  
  DT
  
 
 Ted and Daniel,
 
 I am still following this thread and am getting
 all
 confused here. 
 
 Back to my original question: 2 ADSL uplinks -
 2
 different ISPs can they be merged? (Load
 balanced,
 load shared, whatever it is)
 
 OpenBSD's PF has something that looks
 promising:

http://www.openbsd.org/faq/pf/pools.html#outgoing
 Is this what I am looking for?
 
 Kind regards,
 
 
 Yance Kowara

merged is not the correct word. You cannot
change how your traffic comes in (ie from which
ISP it arrives). You can use various techniques
(source routing, static routing tables, load
balancing) to increase your outgoing capacity. 

What you should be discussing is how you can use
each of these techniques within a FreeBSD
environment. Unfortunately we have to teach Ted
how routing works in the meantime, which muddles
the issue.

DT






RE: FreeBSD router two DSL connections

2005-12-24 Thread Danial Thom


--- Danial Thom [EMAIL PROTECTED] wrote:

 
 
 --- Yance Kowara [EMAIL PROTECTED]
 wrote:
 
   Ted, you have to think outside the box.
 Life
  is
   more than one connection. While you can't
   increase the throughput of a single
  connection,
   you can increase the throughput of your
  network,
   which is usually the point. Throughput in
  this
   context is capacity. Throughput is not
 only
   what you can get on a download; its the
 sum
   total of all of your activities.
   
   You can upload at 2Mb/s on one connection
  if
   you balance your outbound traffic, but not
   download, because while you can control
 where
   outgoing packets are sent,  you can't
 control
   over which pipe incoming traffic arrives.
   
   Believe me, ted. It works. Its not
 theory.
  Its
   being done. For example a hosting ISP
  saturates
   its pipes outgoing and has very little
  traffic
   incoming. They can load balance in the
  outgoing
   only direction and have all of their
 incoming
   traffic on a single pipe and double the
  capacity
   of their network. Since they never exceed
 the
   incoming bandwidth of a single pipe there
 is
  no
   need to balance it.
   
   DT
   
  
  Ted and Daniel,
  
  I am still following this thread and am
 getting
  all
  confused here. 
  
  Back to my original question: 2 ADSL uplinks
 -
  2
  different ISPs can they be merged? (Load
  balanced,
  load shared, whatever it is)
  
  OpenBSD's PF has something that looks
  promising:
 

http://www.openbsd.org/faq/pf/pools.html#outgoing
  Is this what I am looking for?
  
  Kind regards,
  
  
  Yance Kowara
 
 merged is not the correct word. You cannot
 change how your traffic comes in (ie from which
 ISP it arrives). You can use various techniques
 (source routing, static routing tables, load
 balancing) to increase your outgoing capacity. 
 
 What you should be discussing is how you can
 use
 each of these techniques within a FreeBSD
 environment. Unfortunately we have to teach Ted
 how routing works in the meantime, which
 muddles
 the issue.
 
 DT

As an example, I had a customer that had a T1 and
a T3 connection to different ISPs (they kept the
T1 because of the IPs they didn't want to
relinquish, and as a backup), and BGP worked on
hops at the time so clearly that doesn't work when
you have unbalanced pipes, because arguably the
T3 is always the better route. So they source
routed all of their dial-up traffic via the T1
and their more profitable hosting traffic to the
T3. 

You're not going to be able to advertise 2Mb/s
downloads if that's what you're trying to do.

DT






RE: FreeBSD router two DSL connections

2005-12-24 Thread Danial Thom


--- Ted Mittelstaedt [EMAIL PROTECTED]
wrote:

 

http://www.edimax.com/html/english/products/PRI582.htm
 
 ...Performs Outbound load balancing by
 session, weight round robin or
 traffic...
 
 Note that they say by SESSION not by PACKET.
 
 It's marketingspeak.  They are simply using the
 term load balancing
 for a device that doesn't actually load
 balance.  Apparently
 they figure that if they say session load
 balancing even though
 there is no such accepted definition, that then
 they are somehow not
 lying.
 
 It's akin to someone saying that FreeBSD is a
 kind of Linux in a
 sentence that uses Linux to indicate open
 source operating systems
 
 Apparently you never heard the old saying  A
 grain of truth is
 buried in all great lies

I'm not sure what your primary language is, but
round robin IS packet balancing. 

Suppose you have 2 pipes:

Round Robin:

1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe2

Weighted round Robin, weighted 2 to 1:

1 packet to pipe1
1 packet to pipe1
1 packet to pipe2
1 packet to pipe1
1 packet to pipe1
1 packet to pipe2

Per session balancing may be useful when you
have paths that are not very equal. If you load
balance to different ISPs packets could arrive
out of order (in fact they are likely to). This
is not really a problem for modern TCP stacks.
Session balancing, if done properly, should
guarantee that the ACKs for a download go out the
same pipe as the data is arriving. It's not clear
from the datasheet if that's the case, but that's
the correct way to do it.

It seems like a quite comprehensive product to
me, from the docs. Ted's analysis is backwards.
load balancing is a vague term. Weighted Round
Robin is a more specific term for how they have
implemented the load balancing.

Danial
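
Added example, not part of any post in this thread: a small model of the two mechanisms being argued over, per-packet versus per-session (weighted round-robin) balancing and per-ISP ingress filtering on source address. The WAN addresses are the ones from the ISP A / ISP B illustration earlier in the thread; the flow sizes, function names and the `isp_filters` switch are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from itertools import cycle

# Constructed addressing: the WAN addresses from the ISP A / ISP B illustration
# in the thread. Each ISP's edge accepts only the address it assigned.
LINKS = {
    "ispA": {"wan_ip": "10.0.0.1", "allowed": ipaddress.ip_network("10.0.0.1/32")},
    "ispB": {"wan_ip": "192.168.0.1", "allowed": ipaddress.ip_network("192.168.0.1/32")},
}

MODES = ("per_packet", "per_packet_link_nat", "per_session")


def weighted_round_robin(weights):
    """Yield link names forever; {"ispA": 2, "ispB": 1} gives A, A, B, A, A, B, ..."""
    order = [name for name, weight in weights.items() for _ in range(weight)]
    if not order:
        raise ValueError("at least one link needs a positive weight")
    return cycle(order)


def ingress_accepts(link, src_ip):
    """Provider-edge source check: pass only sources inside the assigned prefix."""
    return ipaddress.ip_address(src_ip) in LINKS[link]["allowed"]


def simulate(flows, mode, weights, isp_filters=True):
    """Send every packet of every flow and report what the upstreams did with it.

    flows: {flow_id: packet_count}; flows are sent one after another (a simplification).
    mode:
      per_packet          - next link for each packet, NAT address fixed for the flow
      per_packet_link_nat - next link for each packet, NAT to that link's address
      per_session         - link chosen once per flow, NAT to that link's address
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    picker = weighted_round_robin(weights)
    stats = {"sent": 0, "dropped": 0, "delivered": defaultdict(int), "split_flows": 0}
    for _flow_id, count in flows.items():
        first_link = None
        sources_seen = set()  # source addresses the remote end sees for this flow
        for _ in range(count):
            if mode == "per_session" and first_link is not None:
                link = first_link
            else:
                link = next(picker)
            if first_link is None:
                first_link = link
            nat_link = link if mode == "per_packet_link_nat" else first_link
            src = LINKS[nat_link]["wan_ip"]
            stats["sent"] += 1
            if isp_filters and not ingress_accepts(link, src):
                stats["dropped"] += 1  # wrong source for this upstream
                continue
            stats["delivered"][link] += 1
            sources_seen.add(src)
        if len(sources_seen) > 1:
            stats["split_flows"] += 1  # one connection, two source addresses
    stats["delivered"] = dict(stats["delivered"])
    return stats


if __name__ == "__main__":
    flows = {"flow1": 6, "flow2": 6, "flow3": 6}  # constructed sample traffic
    weights = {"ispA": 2, "ispB": 1}
    for mode in MODES:
        for filtering in (True, False):
            print(mode, "filters" if filtering else "no-filters",
                  simulate(flows, mode, weights, isp_filters=filtering))
```

In this model, with filtering on, per-packet balancing behind one NAT address loses every packet sent up the other link, and per-link NAT avoids the drops but shows the remote end one connection from two source addresses. Per-session balancing avoids both while keeping the 2-to-1 split across the links.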






RE: FreeBSD router two DSL connections

2005-12-23 Thread Danial Thom
Ted the incompetent, wrong on all counts once
again:


--- Ted Mittelstaedt [EMAIL PROTECTED]
wrote:

 
 
 -Original Message-
 From: Danial Thom
 [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 21, 2005 9:56 AM
 To: Loren M. Lang; Ted Mittelstaedt
 Cc: Yance Kowara;
 freebsd-questions@freebsd.org
 Subject: Re: FreeBSD router two DSL
 connections
 
 
 All upstream ISPs are
 connected to everyone on the internet, so it
 doesn't matter which you send your packets to
 (the entire point of a connectionless
 network.
 They both can forward your traffic to wherever
 its going.
 
 They aren't going to forward your traffic
 unless
 it's sourced by an IP number they assign.  To
 do otherwise means they would permit you to
 spoof IP
 numbers.  And while it's possible some very
 small
 ISP's run by idiots that don't know any better
 might
 still permit this, their feeds certainly will
 not.

Yes they will. Routers route based on dest
address only. Are you somehow suggesting that an
ISP can't be dual homed and use only one link if
one goes down, since some of the addresses sent
up the remaining pipe wouldn't have source
addresses assigned by that upstream provider? You
are beyond clueless, Ted. Why do you keep opening
your mouth?

 
 For efficiencies sake, you may argue
 that sending to the ISP that sent you the
 traffic
 will be a better path, but if one of your
 pipes
 is saturated and the other running at 20% 
 
 letsseenow, these are full duplex 'pipes', can
 we have some direction this saturation is
 taking
 place in?  I mean, since you are at least
 trying to
 make a senseless explanation sound right, you
 might
 as well try a bit harder.

It's not senseless, you just don't understand how
the internet works, apparently. I do this for a
living, and you just yap.

If you were able to send back the data on the
pipe it arrived on then you would have uneven
use of the pipes. So one could be saturated and
the other highly unused. Balancing the
outgoing data would reduce the latency that
occurs when a pipe is saturated. It's hard to
explain calculus to someone who can't add or
subtract ted, so you should figure out how
routing works before you try something this
complicated.

 
 then
 its likely more efficient to keep your pipes
 filled and send to either isp. You can
 achieve
 this with per-packet load-balancing with
 ciscos,
 
 per packet load balancing is for parallel links
 between 2 endpoints.  Not three, as in you,
 your first ISP, and your second ISP.

Wrong again, Ted. Usually that's how it is used to
gain extra throughput, but that's not the only
thing that it can be used for. Since the internet
is connectionless (back to school for you Ted),
per packet balancing can utilize 2 outgoing pipes
to different ISPs as well. Obviously since
failover on dual-homed network works, you can
send your packets to any ISP you want. Routers
route based on destination address, as anyone who
knows how routers work knows. You can even use
per packet load balancing on 2 lines to the same
ISP when the other end doesn't support it; using
2 pipes in one direction and only one in the
other. You can be innovative when you actually
understand how things work, Ted.

 
 Surprising you would drag up a Ciscoism as
 your such a big fan of BSD-based routers.
 
 or bit-balancing with a product like ETs for
 FreeBSD. Unless your 2 isps are connected
 substantially differently (say if one is in
 Europe and one in the US),  you'll do better
 keeping your pipes balanced, as YOU are the
 bottleneck, not the upstream, assuming you
 have
 quality upstream providers.
 
 
 Sometimes you run into someone who is so
 ignorant
 of the subject of which he is trying to speak,
  - routing in this case - that you can't even
 argue with the person.  Kind of like trying to
 explain the concept of the fossil record to a
 creationist.  This is one of these times.

Yes Ted. People run into you, the ultimate
ignoramus. I have 3000 ISP customers. This is
not just theory; it's being done. You are wrong
about every single thing you said in this thread.


DT






RE: FreeBSD router two DSL connections

2005-12-23 Thread Danial Thom


--- Ted Mittelstaedt [EMAIL PROTECTED]
wrote:

 
 
 -Original Message-
 From: Loren M. Lang
 [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 21, 2005 9:47 AM
 To: Ted Mittelstaedt
 Cc: Yance Kowara;
 freebsd-questions@freebsd.org
 Subject: Re: FreeBSD router two DSL
 connections
 
 
 On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted
 Mittelstaedt wrote:
 
  If both DSL lines go to the same ISP it is
 easy, run
  PPP on them and setup multilink PPP.  The
 ISP has to
  do so also.
 
  If they are going to different ISP's then
 you cannot
  do it with any operating system or device
 save BGP - the idea is
  completely -stupid- to put it simply.  If
 you think different,
  then explain why and I'll shoot every
 networking scenario
  you present so full of holes you will think
 it's swiss cheese.
  And if you think your going to run BGP I'll
 shoot that full
  of holes also.
 
 I strongly disagree.  There are many reasons
 for this.  Two of which are
 increased throughoutput and redundancy.
 
 If you have read this thread you will have
 already seen that you cannot
 get increased throughput this way.
 
 As I asked before, explain how a DSL line to
 SpiritOne running at
 1MBit/sec
 and a Comcast cable connection running at
 1MBit/sec will allow you to
 download the FreeBSD release iso file at
 2MBit/sec.  This will be
 interesting.
 
 If you can't do it, which I will tell you that
 you can't, you have not
 increased throughput.
 
 And as for redundancy, I already explained that
 while this setup
 increases redundancy, the redundancy must be
 manually done -
 monitored by a human, and switched over when
 needed - or it will
 not react to the most common redundancy
 problems.
 
  The primary problem is that you
 need to make sure outgoing data for a
 connection is using the same line
 as the incoming connection.
 
 No, not at all.  The primary problem is that
 the incoming data that is
 in response to the outgoing connection will
 come in on the same
 line that the outgoing connection used.
 
 If the majority to all connections are
 outgoing and both lines use NAT and have
 unique IP addresses, it's
 simpler to setup.
 If you have incoming connections as well,
 either only
 one of the two lines will be used or you'll
 need BGP
 
 Explain how to run BGP with a DSL line to
 Spirit One and a cable
 line to Comcast.
 
 or some kind of
 static route setup by the two ISPs.
 
 Rubbish.  Explain how this would work.  It
 won't.
 
 
 I have done this with a Linux router and using
 Comcast Cable and
 SpiritOne DSL.  We had all incoming
 connections use DSL and outgoing
 connections use either line.
 
 You used the dual-NAT package that was detailed
 earlier which is the
 only one that can do that - is specific to
 Linux - and as I explained
 before,
 also will not permit you to take a 1MB DSL line
 from one provider and
 a 1MB cable line from the cable company and
 download a freebsd iso at
 2MB.  Thus it is not load-balancing because it
 does not actually use both
 lines for a connection.

Ted, you have to think outside the box. Life is
more than one connection. While you can't
increase the throughput of a single connection,
you can increase the throughput of your network,
which is usually the point. Throughput in this
context is capacity. Throughput is not only
what you can get on a download; it's the sum
total of all of your activities.

You can upload at 2Mb/s on one connection if
you balance your outbound traffic, but not
download, because while you can control where
outgoing packets are sent,  you can't control
over which pipe incoming traffic arrives.

Believe me, Ted. It works. It's not theory. It's
being done. For example a hosting ISP saturates
its pipes outgoing and has very little traffic
incoming. They can load balance in the outgoing
only direction and have all of their incoming
traffic on a single pipe and double the capacity
of their network. Since they never exceed the
incoming bandwidth of a single pipe there is no
need to balance it.

DT







RE: FreeBSD router two DSL connections

2005-12-22 Thread Ted Mittelstaedt


-Original Message-
From: Danial Thom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 21, 2005 9:56 AM
To: Loren M. Lang; Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections


 All upstream ISPs are
 connected to everyone on the internet, so it
 doesn't matter which you send your packets to
 (the entire point of a connectionless network).
 They both can forward your traffic to wherever
 it's going.

They aren't going to forward your traffic unless
it's sourced by an IP number they assign.  To
do otherwise means they would permit you to spoof IP
numbers.  And while it's possible some very small
ISPs run by idiots that don't know any better might
still permit this, their feeds certainly will not.

 For efficiency's sake, you may argue
 that sending to the ISP that sent you the traffic
 will be a better path, but if one of your pipes
 is saturated and the other running at 20%

letsseenow, these are full duplex 'pipes', can
we have some direction this saturation is taking
place in?  I mean, since you are at least trying to
make a senseless explanation sound right, you might
as well try a bit harder.

 then
 it's likely more efficient to keep your pipes
 filled and send to either ISP. You can achieve
 this with per-packet load-balancing with Ciscos,

per packet load balancing is for parallel links
between 2 endpoints.  Not three, as in you,
your first ISP, and your second ISP.

Surprising you would drag up a Ciscoism as
you're such a big fan of BSD-based routers.

 or bit-balancing with a product like ETs for
 FreeBSD. Unless your 2 ISPs are connected
 substantially differently (say if one is in
 Europe and one in the US),  you'll do better
 keeping your pipes balanced, as YOU are the
 bottleneck, not the upstream, assuming you have
 quality upstream providers.


Sometimes you run into someone who is so ignorant
of the subject of which he is trying to speak,
 - routing in this case - that you can't even
argue with the person.  Kind of like trying to
explain the concept of the fossil record to a
creationist.  This is one of these times.

Ted


RE: FreeBSD router two DSL connections

2005-12-22 Thread pretenda
 Which is not redundant.

 Considering the OP asked for specifics on how to do this and your
 response has been a bunch of theoretical gobbledygook that is flat out
 wrong network theory, you haven't done anything to help the poor bastard.

Hi,

This is a pretty fiery debate.

I have a question along the lines of this thread. I currently have a 1.5Mbit
ADSL tail at the school that I work for. This tail connects to the Education
Office which hosts a variety of websites, we then get internet access
through the education office.

We currently also have 230 PCs, and the connection is slowing down
significantly. What I planned on doing was purchasing a 20Mbit ADSL 2+
connection and setting up a FreeBSD router which forwards all internet
traffic through the ADSL2+ connection, and the Education Office traffic
would be forwarded through the existing connection. Is this feasible? I
would assume that it would be a simple matter of letting the router know
what ranges need to be forwarded to the existing connection, and defaulting
the rest to the new connection.

Note there is NO load balancing in this scenario, so don't flame my head
off.

Sorry if this is not making sense, I've had a long day.

Cheers,

Matt



Re: FreeBSD router two DSL connections

2005-12-22 Thread Nathan Vidican

[EMAIL PROTECTED] wrote:

  Which is not redundant.

  Considering the OP asked for specifics on how to do this and your
  response has been a bunch of theoretical gobbledygook that is flat out
  wrong network theory, you haven't done anything to help the poor bastard.

 Hi,

 This is a pretty fiery debate.

 I have a question along the lines of this thread. I currently have a 1.5Mbit
 ADSL tail at the school that I work for. This tail connects to the Education
 Office which hosts a variety of websites, we then get internet access
 through the education office.

 We currently also have 230 PCs, and the connection is slowing down
 significantly. What I planned on doing was purchasing a 20Mbit ADSL 2+
 connection and setting up a FreeBSD router which forwards all internet
 traffic through the ADSL2+ connection, and the Education Office traffic
 would be forwarded through the existing connection. Is this feasible? I
 would assume that it would be a simple matter of letting the router know
 what ranges need to be forwarded to the existing connection, and defaulting
 the rest to the new connection.

 Note there is NO load balancing in this scenario, so don't flame my head
 off.

 Sorry if this is not making sense, I've had a long day.

 Cheers,

 Matt


First off, you might have posted this under a new subject/thread to avoid 
getting into the debate and to potentially get replies from those not interested 
in arguing this one anymore.


That said - there's all the flame you'll get from me. You should be able to 
connect both of your 'tails' (interesting term btw - never heard a 
pipe/connection called a 'tail') - and yes, specify which are to go out the pipe 
to your education office, set the default route to the other connection and you 
should be off to the races, ie:


Con1 (education office) xxx.xxx.xxx.xxx
Con2 (Large ADSL pipe)  yyy.yyy.yyy.yyy

route add 0.0.0.0 yyy.yyy.yyy.yyy
route add some.ip.net.work/24 xxx.xxx.xxx.xxx
route add some.other.ip.range/26 xxx.xxx.xxx.xxx

etc... Of course, depending on your configuration, you may have to use your 
upstream provided default route instead of the interface IP as indicated in the 
above example, (PPPoE uses your own IP as the default gateway, which is the case 
in -most- DSL setups). Anyhow, should be relatively straight-forward, just add 
the static routes to a script called when the connection is made, (for ppp, use 
ppp.links).


--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate  Tool Ltd.
http://www.wmptl.com/


RE: FreeBSD router two DSL connections

2005-12-22 Thread Steve Bertrand

 If you have read this thread you will have already seen that 
 you cannot get increased throughput this way.
 
 As I asked before, explain how a DSL line to SpiritOne 
 running at 1MBit/sec and a Comcast cable connection running 
 at 1MBit/sec will allow you to download the FreeBSD release 
 iso file at 2MBit/sec.  This will be interesting.
 
 If you can't do it, which I will tell you that you can't, you 
 have not increased throughput.

I agree with this whole-heartedly.

 And as for redundancy, I already explained that while this 
 setup increases redundancy, the redundancy must be manually 
 done - monitored by a human, and switched over when needed - 
 or it will not react to the most common redundancy problems.

Well, technically, it could be scripted:

- load balancer pings primary upstream gateway
- primary upstream gateway does not respond
- run script that reconfigures routing tables, NAT etc accordingly

Which I wouldn't trust in a critical uptime environment. Plus, this
would NOT have the effect of increasing throughput.

 
  The primary problem is that you
 need to make sure outgoing data for a connection is using 
 the same line 
 as the incoming connection.
 
 No, not at all.  The primary problem is that the incoming 
 data that is in response to the outgoing connection will come 
 in on the same line that the outgoing connection used.

Yes indeed. Unless you mask or 'spoof' your IP in the packet header as
it's going out, the traffic will always come back via the same pipe.
Unless of course your upstream allows this, which I doubt very much.

 If the majority to all connections are
 outgoing and both lines use NAT and have unique IP addresses, it's 
 simpler to setup.
 If you have incoming connections as well, either only one of the two 
 lines will be used or you'll need BGP
 
 Explain how to run BGP with a DSL line to Spirit One and a 
 cable line to Comcast.

BGP with two separate Internet providers such as those you speak of is
nearly impossible. Realistically, to run BGP, you have to have utmost
co-ordination between yourself, and BOTH providers. As soon as either
one disagrees (which they will), this will not work.

BGP is typically used in Point-to-Point connections. Generally, it's
used by ISPs to THEIR upstream providers. For instance, at the ISP at
which I work, part of the feed consists of three T-1's. Two of the T-1's
are bound together as a single channel (effectively doubling the
throughput), and the third is for load-balancing and redundancy. BGP is
used for this, but if I want to make a change, I have to get on the
phone with my upstream provider, and do the BGP changes together at both
ends.

Trying to do BGP with a single $40 to $80 DSL customer would not only be
financially wasteful because of wasted time and resources, most networks
are not set up to do this easily. As a matter of fact, just thinking
about it makes my head hurt.

If you really want this type of redundancy, and reliable throughput,
especially for a business, go the proper way and get your connection(s)
from an ISP's upstream provider. (Allstream, MCI, Sprint etc).

 or some kind of
 static route setup by the two ISPs.

We are a small ISP (10,000 clients), and I wouldn't even do this. This
is easily something that could be forgotten it was done, slip through
the cracks, and cause all sorts of havoc down the road once the client
has up and left. Especially if the second provider mucks up their end.

Again, personally, the way I look at it is if you want to pay $40-$80
for your Internet connection, you technically get what you pay for.

If you REALLY wanted this done, you would have to personally know
someone inside the ISP who actually has direct and full access to the
infrastructure. I assure you, calling Comcast support desk and asking
them to 'please apply this routing structure for me' will get you
nowhere. You would have lost them at 'apply' :)

 I have done this with a Linux router and using Comcast Cable and 
 SpiritOne DSL.  We had all incoming connections use DSL and outgoing 
 connections use either line.
 
 You used the dual-NAT package that was detailed earlier which 
 is the only one that can do that - is specific to Linux - and 
 as I explained before, also will not permit you to take a 1MB 
 DSL line from one provider and a 1MB cable line from the 
 cable company and download a freebsd iso at 2MB.  Thus it is 
 not load-balancing because it does not actually use both 
 lines for a connection.
 
  We balanced them by internal IP addresses,
 
 You did not balance them, you had some of the inside IP 
 numbers use one line, and others use the other line.  This 
 isn't load balancing.

Which, AFAICT, if the device sent data out one of the lines, it would
have come back in the same. Essentially, you are 'preserving' throughput
simply by dividing your network in half. This is not balancing.
Balancing is 'least-used'. In this configuration, you could have one
pipe maxed out, while the other at 2%. 
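
The scripted failover listed in the message above (ping the primary upstream gateway, and when it stops answering run a script that changes the routing), written out as an added example that is not code from the thread. The gateway addresses, the thresholds and the `linkwatch` log tag are assumptions; the consecutive-failure counters are an addition so that a single lost ping does not move the default route.

```shell
#!/bin/sh
# Link-failover watcher for a two-uplink FreeBSD router (added example).
# Addresses are constructed placeholders from the RFC 5737 documentation ranges.
PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}"
BACKUP_GW="${BACKUP_GW:-198.51.100.1}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"  # consecutive failed probes before leaving primary
OK_THRESHOLD="${OK_THRESHOLD:-5}"      # consecutive good probes before returning to it
INTERVAL="${INTERVAL:-10}"             # seconds between probes
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print the commands

# next_state STATE FAILS OKS RESULT
# Pure decision step: prints "STATE FAILS OKS ACTION". Only an unbroken run
# of failures (or of successes, on the way back) changes the state.
next_state() {
    ns_state=$1 ns_fails=$2 ns_oks=$3 ns_action=none
    if [ "$4" = ok ]; then
        ns_fails=0
        ns_oks=$((ns_oks + 1))
    else
        ns_oks=0
        ns_fails=$((ns_fails + 1))
    fi
    if [ "$ns_state" = primary ] && [ "$ns_fails" -ge "$FAIL_THRESHOLD" ]; then
        ns_state=backup ns_action=to_backup ns_fails=0 ns_oks=0
    elif [ "$ns_state" = backup ] && [ "$ns_oks" -ge "$OK_THRESHOLD" ]; then
        ns_state=primary ns_action=to_primary ns_fails=0 ns_oks=0
    fi
    echo "$ns_state $ns_fails $ns_oks $ns_action"
}

# switch_commands ACTION: prints the commands for a switch, one per line.
# "route change default" is route(8); the pf resync is the step the thread
# runs after changing the route, so the NAT rules follow the new uplink.
switch_commands() {
    case "$1" in
        to_backup)  sc_gw=$BACKUP_GW ;;
        to_primary) sc_gw=$PRIMARY_GW ;;
        *)          return 0 ;;
    esac
    echo "route change default $sc_gw"
    echo "/etc/rc.d/pf resync"
}

# probe GATEWAY: prints ok or fail. FreeBSD ping(8): -c count, -t timeout (s).
probe() {
    if ping -c 1 -t 2 "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# replay RESULT...: feeds a recorded probe sequence through next_state and
# prints "FINAL_STATE:action,action", so thresholds can be checked offline.
replay() {
    rp_state=primary rp_fails=0 rp_oks=0 rp_log=""
    for rp_result in "$@"; do
        read -r rp_state rp_fails rp_oks rp_action <<EOF
$(next_state "$rp_state" "$rp_fails" "$rp_oks" "$rp_result")
EOF
        [ "$rp_action" = none ] || rp_log="${rp_log:+$rp_log,}$rp_action"
    done
    echo "$rp_state:$rp_log"
}

# watch: the monitoring loop. It probes the primary gateway only, which must
# stay reachable on its own link while the default route points at the backup.
watch() {
    w_state=primary w_fails=0 w_oks=0
    while :; do
        w_result=$(probe "$PRIMARY_GW")
        read -r w_state w_fails w_oks w_action <<EOF
$(next_state "$w_state" "$w_fails" "$w_oks" "$w_result")
EOF
        if [ "$w_action" != none ]; then
            logger -t linkwatch "uplink switch: $w_action"
            switch_commands "$w_action" | while read -r w_cmd; do
                if [ "$DRY_RUN" = 1 ]; then
                    echo "would run: $w_cmd"
                else
                    $w_cmd </dev/null
                fi
            done
        fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = watch ]; then watch; fi
```

A probe of the next hop only shows that the line itself is dead; a failure further upstream, with the gateway still answering, goes unnoticed by this loop.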

RE: FreeBSD router two DSL connections

2005-12-22 Thread Ted Mittelstaedt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, December 22, 2005 3:09 AM
To: freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections


  Which is not redundant.

  Considering the OP asked for specifics on how to do this and your
  response has been a bunch of theoretical gobbledygook that is flat out
  wrong network theory, you haven't done anything to help the
  poor bastard.

 Hi,

 This is a pretty fiery debate.

 I have a question along the lines of this thread. I currently
 have a 1.5Mbit ADSL tail at the school that I work for. This tail
 connects to the Education Office which hosts a variety of websites,
 we then get internet access through the education office.

 We currently also have 230 PCs, and the connection is slowing down
 significantly. What I planned on doing was purchasing a 20Mbit ADSL 2+
 connection and setting up a FreeBSD router which forwards all internet
 traffic through the ADSL2+ connection, and the Education Office traffic
 would be forwarded through the existing connection. Is this feasible?

The easiest way would be to purchase a DSL modem/router for use
with the ADSL2 connection (or an ADSL2 modem coupled to an
ethernet-to-ethernet DSL router).  Set this up as a network address
translator, plug it into your school network. (You can use FreeBSD for
this if you want.)  You will need to do a bit of exploring to find out
the subnets that the ED office is using.

For example, suppose ED office has assigned IP subnet 10.0.10.0/24
to your school.  Their existing DSL tail has an IP number of 10.0.10.1
on it.  You have your PCs set up to use IP addresses 10.0.10.10 -
10.0.10.240 with a subnet mask of 255.255.255.0 and a gateway of
10.0.10.1.

You do some queries with nslookup to find out all the IP addresses of the
Ed servers, and you find they are on subnets 10.0.12.x, 10.0.15.x,
192.168.4.x, etc.

So, first thing you do is you set up your BSD system/DSL router/DSL modem
as a translator, and set its internal interface IP address to 10.0.10.2.

Then you add in a bunch of static routes into it for the ED subnets you
discovered, pointing those subnets to 10.0.10.1.

Last you set your PCs to use 10.0.10.2 as their default gateway.

When the PCs send traffic to the Internet the router sends that out the
ADSL2 line.

When the PCs send traffic to ED, the router issues an ICMP redirect that
installs an ICMP route in the PCs that points to 10.0.10.1 for that
host.

Ted



Re: FreeBSD router two DSL connections

2005-12-22 Thread Winelfred G. Pasamba
I wonder if these routers are using FreeBSD

http://www.edimax.com/html/english/products/list-router.htm

2 WAN, 4 WAN, etc...

And I also wonder what happens if one WAN goes down? Or if the WANs are of
different speeds?

On 12/23/05, Ted Mittelstaedt [EMAIL PROTECTED] wrote:



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, December 22, 2005 3:09 AM
 To: freebsd-questions@freebsd.org
 Subject: RE: FreeBSD router two DSL connections
 
 
   Which is not redundant.

   Considering the OP asked for specifics on how to do this and your
   response has been a bunch of theoretical gobbledygook that is flat out
   wrong network theory, you haven't done anything to help the
   poor bastard.

  Hi,

  This is a pretty fiery debate.

  I have a question along the lines of this thread. I currently
  have a 1.5Mbit ADSL tail at the school that I work for. This tail
  connects to the Education Office which hosts a variety of websites,
  we then get internet access through the education office.

  We currently also have 230 PCs, and the connection is slowing down
  significantly. What I planned on doing was purchasing a 20Mbit ADSL 2+
  connection and setting up a FreeBSD router which forwards all internet
  traffic through the ADSL2+ connection, and the Education Office traffic
  would be forwarded through the existing connection. Is this feasible?

 The easiest way would be to purchase a DSL modem/router for use
 with the ADSL2 connection (or an ADSL2 modem coupled to an
 ethernet-to-ethernet DSL router).  Set this up as a network address
 translator, plug it into your school network. (You can use FreeBSD for
 this if you want.)  You will need to do a bit of exploring to find out
 the subnets that the ED office is using.

 For example, suppose ED office has assigned IP subnet 10.0.10.0/24
 to your school.  Their existing DSL tail has an IP number of 10.0.10.1
 on it.  You have your PCs set up to use IP addresses 10.0.10.10 -
 10.0.10.240 with a subnet mask of 255.255.255.0 and a gateway of
 10.0.10.1.

 You do some queries with nslookup to find out all the IP addresses of the
 Ed servers, and you find they are on subnets 10.0.12.x, 10.0.15.x,
 192.168.4.x, etc.

 So, first thing you do is you set up your BSD system/DSL router/DSL modem
 as a translator, and set its internal interface IP address to 10.0.10.2.

 Then you add in a bunch of static routes into it for the ED subnets you
 discovered, pointing those subnets to 10.0.10.1.

 Last you set your PCs to use 10.0.10.2 as their default gateway.

 When the PCs send traffic to the Internet the router sends that out the
 ADSL2 line.

 When the PCs send traffic to ED, the router issues an ICMP redirect that
 installs an ICMP route in the PCs that points to 10.0.10.1 for that
 host.

 Ted




--
Seek ye first the kingdom of God and all these things shall be added unto
you.

Winelfred G. Pasamba
Adventist University of the Philippines
Computer Science Department, AUP Online Information System


Re: FreeBSD router two DSL connections

2005-12-21 Thread Loren M. Lang
On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:
 
 If both DSL lines go to the same ISP it is easy, run
 PPP on them and set up multilink PPP.  The ISP has to
 do so also.
 
 If they are going to different ISPs then you cannot
 do it with any operating system or device save BGP - the idea is
 completely -stupid- to put it simply.  If you think different,
 then explain why and I'll shoot every networking scenario
 you present so full of holes you will think it's swiss cheese.
 And if you think you're going to run BGP I'll shoot that full
 of holes also.

I strongly disagree.  There are many reasons for this.  Two of which are
increased throughput and redundancy.  The primary problem is that you
need to make sure outgoing data for a connection is using the same line
as the incoming connection.  If the majority to all connections are
outgoing and both lines use NAT and have unique IP addresses, it's
simpler to set up.  If you have incoming connections as well, either only
one of the two lines will be used or you'll need BGP or some kind of
static route setup by the two ISPs.  For an internet cafe, most
connections will probably be outgoing so it won't be a problem.


I have done this with a Linux router and using Comcast Cable and
SpiritOne DSL.  We had all incoming connections use DSL and outgoing
connections use either line.  We balanced them by internal IP addresses,
but there might be more sophisticated methods.  I do not know what
support FreeBSD has for this kind of routing though.  At the very
minimum, you could get redundancy for outgoing connections by switching
the route to use the other line when the first one fails.

 
 Note that Steven's scenario below is for 2 circuits that
 both start at a single entity, and both end at a single entity.
 
 Ted
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Yance Kowara
 Sent: Sunday, December 11, 2005 7:03 PM
 To: freebsd-questions@freebsd.org
 Subject: FreeBSD router two DSL connections
 
 
 Hi all,
 
 I am trying to figure out if *BSD can achieve this:
 
 I have two DSL connections to play with, and I would
 like to configure a *BSD router that can combine the
 two DSLs together.
 
 There is a howto at
 http://stevenfettig.com/mythoughts/archives/000173.php
 
 But it concerns OpenBSD and it was for a T1 connection
 using a dual T1 card. I would like to configure one on
 2 DSLs connected to two individual NICs.
 
 Is this feasible at all, or should I just invest in a
 dual Wan hardware?
 
 Kind regards,
 
 Yance
 
 

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA  C415 6D35 E847 0118 A3D2
 




Re: FreeBSD router two DSL connections

2005-12-21 Thread Danial Thom


--- Loren M. Lang [EMAIL PROTECTED] wrote:

 On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted
 Mittelstaedt wrote:
  
  If both DSL lines go to the same ISP it is
 easy, run
  PPP on them and setup multilink PPP.  The ISP
 has to
  do so also.
  
  If they are going to different ISP's then you
 cannot
  do it with any operating system or device
 save BGP - the idea is
  completely -stupid- to put it simply.  If you
 think different,
  then explain why and I'll shoot every
 networking scenario
  you present so full of holes you will think
 it's swiss cheese.
  And if you think your going to run BGP I'll
 shoot that full
  of holes also.
 
 I strongly disagree.  There are many reasons
 for this.  Two of which are
 increased throughoutput and redundancy.  The
 primary problem is that you
 need to make sure outgoing data for a
 connection is using the same line
 as the incoming connection.  If the majority to
 all connections are
 outgoing and both lines use NAT and have unique
 IP addresses, it's
 simpler to setup.  If you have incoming
 connections as well, either only
 one of the two lines will be used or you'll
 need BGP or some kind of
 static route setup by the two ISPs.  For an
 internet cafe, most
 connections will probably be outgoing so it
 won't be a problem.

That's not right at all, although in *some* cases
it may be desirable. All upstream ISPs are
connected to everyone on the internet, so it
doesn't matter which you send your packets to
(the entire point of a connectionless network).
They both can forward your traffic to wherever
it's going. For efficiency's sake, you may argue
that sending to the ISP that sent you the traffic
will be a better path, but if one of your pipes
is saturated and the other running at 20% then
it's likely more efficient to keep your pipes
filled and send to either ISP. You can achieve
this with per-packet load-balancing with Ciscos,
or bit-balancing with a product like ETs for
FreeBSD. Unless your 2 ISPs are connected
substantially differently (say if one is in
Europe and one in the US),  you'll do better
keeping your pipes balanced, as YOU are the
bottleneck, not the upstream, assuming you have
quality upstream providers.

Danial



Re: FreeBSD router two DSL connections

2005-12-21 Thread Danial Thom


--- Danial Thom [EMAIL PROTECTED] wrote:

 
 
 --- Loren M. Lang [EMAIL PROTECTED] wrote:
 
  On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted
  Mittelstaedt wrote:
   
   If both DSL lines go to the same ISP it is
  easy, run
   PPP on them and setup multilink PPP.  The
 ISP
  has to
   do so also.
   
   If they are going to different ISP's then
 you
  cannot
   do it with any operating system or device
  save BGP - the idea is
   completely -stupid- to put it simply.  If
 you
  think different,
   then explain why and I'll shoot every
  networking scenario
   you present so full of holes you will think
  it's swiss cheese.
   And if you think your going to run BGP I'll
  shoot that full
   of holes also.
  
  I strongly disagree.  There are many reasons
  for this.  Two of which are
  increased throughoutput and redundancy.  The
  primary problem is that you
  need to make sure outgoing data for a
  connection is using the same line
  as the incoming connection.  If the majority
 to
  all connections are
  outgoing and both lines use NAT and have
 unique
  IP addresses, it's
  simpler to setup.  If you have incoming
  connections as well, either only
  one of the two lines will be used or you'll
  need BGP or some kind of
  static route setup by the two ISPs.  For an
  internet cafe, most
  connections will probably be outgoing so it
  won't be a problem.
 
 Thats not right at all, although in *some*
 cases
 it may be desirable. All upstream ISPs are
 connected to everyone on the internet, so it
 doesn't matter which you send your packets to
 (the entire point of a connectionless
 network.
 They both can forward your traffic to wherever
 its going. For efficiencies sake, you may argue
 that sending to the ISP that sent you the
 traffic
 will be a better path, but if one of your
 pipes
 is saturated and the other running at 20% then
 its likely more efficient to keep your pipes
 filled and send to either isp. You can
 achieve
 this with per-packet load-balancing with
 ciscos,
 or bit-balancing with a product like ETs for
 FreeBSD. Unless your 2 isps are connected
 substantially differently (say if one is in
 Europe and one in the US),  you'll do better
 keeping your pipes balanced, as YOU are the
 bottleneck, not the upstream, assuming you have
 quality upstream providers.
 
 Danial



Another thought, if you are just an internet
cafe, just send all of your requests on one pipe
(whichever has the best peering), since the vast
majority of your bandwidth is incoming. You don't
need 2 pipes going out; you're only sending small
packets, syns and acks for the most part. It
greatly simplifies your situation.

DT



RE: FreeBSD router two DSL connections

2005-12-21 Thread Ted Mittelstaedt


-Original Message-
From: Loren M. Lang [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 21, 2005 9:47 AM
To: Ted Mittelstaedt
Cc: Yance Kowara; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections


On Sun, Dec 11, 2005 at 11:28:17PM -0800, Ted Mittelstaedt wrote:

 If both DSL lines go to the same ISP it is easy, run
 PPP on them and setup multilink PPP.  The ISP has to
 do so also.

 If they are going to different ISP's then you cannot
 do it with any operating system or device save BGP - the idea is
 completely -stupid- to put it simply.  If you think different,
 then explain why and I'll shoot every networking scenario
 you present so full of holes you will think it's swiss cheese.
 And if you think your going to run BGP I'll shoot that full
 of holes also.

I strongly disagree.  There are many reasons for this.  Two of which are
increased throughoutput and redundancy.

If you have read this thread you will have already seen that you cannot
get increased throughput this way.

As I asked before, explain how a DSL line to SpiritOne running at 1MBit/sec
and a Comcast cable connection running at 1MBit/sec will allow you to
download the FreeBSD release iso file at 2MBit/sec.  This will be
interesting.

If you can't do it, which I will tell you that you can't, you have not
increased throughput.

And as for redundancy, I already explained that while this setup
increases redundancy, the redundancy must be manually done -
monitored by a human, and switched over when needed - or it will
not react to the most common redundancy problems.

 The primary problem is that you
need to make sure outgoing data for a connection is using the same line
as the incoming connection.

No, not at all.  The primary problem is that the incoming data that is
in response to the outgoing connection will come in on the same
line that the outgoing connection used.

If the majority to all connections are
outgoing and both lines use NAT and have unique IP addresses, it's
simpler to setup.
If you have incoming connections as well, either only
one of the two lines will be used or you'll need BGP

Explain how to run BGP with a DSL line to Spirit One and a cable
line to Comcast.

or some kind of
static route setup by the two ISPs.

Rubbish.  Explain how this would work.  It won't.


I have done this with a Linux router and using Comcast Cable and
SpiritOne DSL.  We had all incoming connections use DSL and outgoing
connections use either line.

You used the dual-NAT package that was detailed earlier which is the
only one that can do that - is specific to Linux - and as I explained before,
also will not permit you to take a 1MB DSL line from one provider and
a 1MB cable line from the cable company and download a freebsd iso at
2MB.  Thus it is not load-balancing because it does not actually use both
lines for a connection.

 We balanced them by internal IP addresses,

You did not balance them, you had some of the inside IP numbers use one
line, and others use the other line.  This isn't load balancing.

but there might be more sophisticated methods.  I do not know what
support FreeBSD has for this kind of routing though.  At the very
minimum, you could get redundancy for outgoing connections by switching
the route to use the other line when the first one fails.


Which is not redundant.

Considering the OP asked for specifics on how to do this and your response
has been a bunch of theoretical gobbledygook that is flat out wrong network
theory, you haven't done anything to help the poor bastard.

Ted



RE: FreeBSD router two DSL connections

2005-12-13 Thread Ted Mittelstaedt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Yance Kowara
Sent: Monday, December 12, 2005 6:47 PM
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections



 Hmm, what about putting zebra into the picture
 ...
 a solution or chaos?
  
  What feature in Zebra exactly do you think will
help in this scenario?
  
  Ted
  ___

I am just crawling in the dark here...


Please, this is like trying to learn how to do open heart
surgery via e-mail.

It is somewhat insulting that you think that network
administrators have such boneheaded jobs that you could
actually learn networking fundamentals from posts on a
mailing list.

Please, do yourself a favor and spend the next 3-6 months
immersed in a number of networking and routing fundamentals
books.

If the upstream packets can be sent through a
supposedly working load-balancing FreeBSD router,

You can't load balance in this way, there is no such thing
as a working freebsd router in this kind of configuration.

it
will only handle upstream packets.., i.e. the router
may be able to balance the upstream packets...


No, it cannot - because it is still sourcing them from
two different IP addresses.

Now, who's going to handle the routing and balancing
the downstream packet? Would Zebra have such a feature


Are both ISP's running Zebra?

I am sorry if it makes not much sense.

You need to learn about networking fundamentals, your
understanding of how networking operates is simply incorrect,
that is why it's not making sense.  Actually the funny thing
is that I understand what you're asking, probably better than
you do.  And I keep telling you that it's impossible and why,
and you are not grokking the answers I'm giving you.

I just cannot make it any more basic as to why this will not
work.

I am just
trying to figure out what I can do to optimise two
ADSL uplinks. 


Internet Cafes are not known for generating large
amounts of upstream traffic.  I doubt that upstream traffic
is bottlenecked.

If there are other things I can do to optimise it,
please give me some pointers.

Read some books on networking before trying to play
network administrator, please.

Ted


Re: FreeBSD router two DSL connections

2005-12-13 Thread Winelfred G. Pasamba
Ted,

Thanks for checking on me.  I've been only two days with pfSense, and
about 5 days with freebsd, and about 1.5 weeks with openbsd.

However i would like to point out that i did not use, or did not know how to
use, or have found the load balancing feature in the pfSense web
interface.  I also don't know if the load balancing mentioned in the docs
is the same that i used.  I was happy with pfSense because of the Packet
Filter port to freebsd.  I've been using Packet Filter of OpenBSD to load
balance traffic to the same ISP with two lines.  So far it looks like
OpenBSD's Packet Filter's packet round-robin'ing is working nicely with
FreeBSD.

On 12/13/05, Ted Mittelstaedt [EMAIL PROTECTED] wrote:



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Winelfred G.
 Pasamba
 Sent: Monday, December 12, 2005 8:26 AM
 To: Yance Kowara
 Cc: freebsd-questions@freebsd.org
 Subject: Re: FreeBSD router two DSL connections
 
 
 i use pfSense (www.pfsense.com)
 
 
 pfSense is an open source firewall derived from the m0n0wall
 operating system
 platform with radically different goals such as using Packet
 Filter, FreeBSD
 6.X (or DragonFly BSD when ALTQ and CARP is finished) ALTQ for excellent
 packet queueing and finally an integrated package management system for
 extending the environment with new features.
 then i edit /etc/pf.conf and paste the openbsd pf tutorial for load
 balancing outgoing traffic (
 http://www.openbsd.org/faq/pf/pools.html#outexample)
 
 then i pfctl -f /etc/pf.conf and watch the traffic on both WAN
 interfaces
 

 Sigh.

 THIS IS NOT LOAD BALANCING PLEASE QUIT BEING SLOPPY WITH YOUR
 NETWORKING TERMS

 I refer you to the pfsense website itself:

 http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en

 Load balancing is on per connection basis, not a bandwidth basis.  All
 packets in a given flow will go over only one link.

 In other words, they are redefining the term load balancing into
 something that is not understood by any previously accepted definition
 of load balancing, so that people like you can think you're getting
 something for nothing.

 Once more - FTP to a remote site with your dual DSL links.  Copy
 a FreeBSD ISO file to there.  Watch as the upload speed IS NO FASTER
 THAN ONE OF THE LINKS.

 Load balancing is accomplished with multilink PPP and that is in
 FreeBSD, I have run it before over dual modem links and it works
 great.  But the links must terminate at the same ISP.

 Ted




--
Seek ye first the kingdom of God and all these things shall be added unto
you.

Winelfred G. Pasamba
Adventist University of the Philippines
Computer Science Department, AUP Online Information System


RE: FreeBSD router two DSL connections

2005-12-13 Thread Gayn Winters
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ted 
 Mittelstaedt
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Winelfred G.
 Pasamba
 Sent: Monday, December 12, 2005 8:26 AM
 To: Yance Kowara
 Cc: freebsd-questions@freebsd.org
 Subject: Re: FreeBSD router two DSL connections
 
 i use pfSense (www.pfsense.com)
 

 Sigh.
 
 THIS IS NOT LOAD BALANCING PLEASE QUIT BEING SLOPPY WITH YOUR
 NETWORKING TERMS
 
 I refer you to the pfsense website itself:

http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en

 Load balancing is on per connection basis, not a bandwidth basis.  All
 packets in a given flow will go over only one link.

 In other words, they are redefining the term load balancing into
 something that is not understood by any previously accepted definition
 of load balancing, so that people like you can think you're getting
 something for nothing.

 Once more - FTP to a remote site with your dual DSL links.  Copy
 a FreeBSD ISO file to there.  Watch as the upload speed IS NO FASTER
 THAN ONE OF THE LINKS.

 Ted

I just looked at the pfsense site, and for an Internet Café, it looks
promising.  Two DSL lines to different ISP's does give a small amount of
redundancy.  Whether you use two routers or pfsense, you get some sort
of load sharing but not load balancing.  A more appropriate
performance test for an Internet Café would be:

Take a dozen PC's each to transfer a FreeBSD 6.0R ISO file from a dozen
different mirror sites.  Start them at the same time and see how long
all of the transfers take.

You can test one DSL connection at N kbps and two DSL connections both
at N kbps.  You'll undoubtedly see the effect of load sharing if the
dozen PC's are more or less evenly divided over the two DSL lines.

The redundancy isn't great, and you will pay for it.  Namely, two N kbps
connections will cost you more than one 2N connection.  If you ran my
benchmark on a 2N connection you might actually see an improvement over
two N kbps connections due to its inherent load balancing.  In any
case, with a single (or a small number) of users (Ted's benchmark test)
you would definitely see an improvement over two N kbps connections.

Now the question:  is a faster AND cheaper 2N connection a better setup
than two N kbps connections for our fabled Internet Café?  

I'd personally go with the 2N connection.  Almost all the time it would
be better.  Most large ISPs, for a little more money of course, will
give you a faster response time on repairs.  The ISP might even provide
a bank of modems and you could implement multilink PPP as your backup.

Regarding a combination of DSL and cable, that would be where pfsense
may shine.  This combo would definitely give a little better redundancy
than two DSL connections to two ISPs because the cable comes in to your
building differently than the DSL/phone lines.  A backhoe would have
less chance of taking both out.  Honestly, I still think a 2N connection
would be better.

-gayn

Bristol Systems Inc.
714/532-6776
www.bristolsystems.com 
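
An added example, not part of any message in the thread: a small model of the two benchmarks argued over above (one large transfer versus a dozen simultaneous ones), comparing one N line, two N lines with per-connection balancing, and one 2N line. The 600 MB ISO size, the equal-share model of a busy link and all function names are assumptions made for the illustration.

```python
"""Per-connection link sharing vs. one faster pipe (constructed numbers)."""
from itertools import cycle

ISO_KBIT = 600 * 8 * 1000   # constructed: a 600 MB ISO, in kilobits
N_KBPS = 1000               # the thread's 1 Mbit/s per line


def finish_times(sizes_kbit, capacity_kbps):
    """Finish time (s) of each flow when all flows share one link equally.

    Assumed model: k active flows each get capacity/k until the smallest
    one completes, then the remaining flows re-divide the link.
    """
    order = sorted(range(len(sizes_kbit)), key=lambda i: sizes_kbit[i])
    times = [0.0] * len(sizes_kbit)
    clock, done_kbit = 0.0, 0.0
    for rank, idx in enumerate(order):
        active = len(order) - rank
        clock += (sizes_kbit[idx] - done_kbit) * active / capacity_kbps
        done_kbit = sizes_kbit[idx]
        times[idx] = clock
    return times


def per_connection(sizes_kbit, link_caps_kbps, assignment=None):
    """Pin every flow to exactly one link (per-connection balancing).

    assignment[i] is the link index of flow i; the default is round-robin.
    A flow never uses more than the capacity of the link it is pinned to.
    """
    if assignment is None:
        rr = cycle(range(len(link_caps_kbps)))
        assignment = [next(rr) for _ in sizes_kbit]
    times = [0.0] * len(sizes_kbit)
    for link, cap in enumerate(link_caps_kbps):
        members = [i for i, a in enumerate(assignment) if a == link]
        shared = finish_times([sizes_kbit[i] for i in members], cap)
        for i, t in zip(members, shared):
            times[i] = t
    return times


def compare(n_flows, assignment=None):
    """Seconds until the last of n_flows ISO transfers completes."""
    sizes = [ISO_KBIT] * n_flows
    two_n = per_connection(sizes, [N_KBPS, N_KBPS], assignment)
    return {
        "one_N": max(finish_times(sizes, N_KBPS)),
        "two_N_per_connection": max(two_n),
        "one_2N": max(finish_times(sizes, 2 * N_KBPS)),
    }


if __name__ == "__main__":
    print("1 transfer          ", compare(1))
    print("12 transfers, 6/6   ", compare(12))
    print("12 transfers, 8/4   ", compare(12, [0] * 8 + [1] * 4))
    # One line degraded to 100 kbps but still "up": half the flows crawl.
    slow = per_connection([ISO_KBIT] * 12, [N_KBPS, 100])
    print("12 transfers, slow B", max(slow))
```

A single transfer finishes no sooner on two per-connection-balanced lines than on one; a dozen transfers finish in half the time only when they split evenly, and an uneven 8/4 split is slower than a single 2N line.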




RE: FreeBSD router two DSL connections

2005-12-13 Thread Ted Mittelstaedt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gayn Winters
Sent: Tuesday, December 13, 2005 7:49 AM
To: 'Ted Mittelstaedt'; 'Winelfred G. Pasamba'; 'Yance Kowara'
Cc: freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ted
 Mittelstaedt

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Winelfred G.
 Pasamba
 Sent: Monday, December 12, 2005 8:26 AM
 To: Yance Kowara
 Cc: freebsd-questions@freebsd.org
 Subject: Re: FreeBSD router two DSL connections
 
 i use pfSense (www.pfsense.com)
 

 Sigh.

 THIS IS NOT LOAD BALANCING PLEASE QUIT BEING SLOPPY WITH YOUR
 NETWORKING TERMS

 I refer you to the pfsense website itself:

http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en

 Load balancing is on per connection basis, not a bandwidth basis.  All
 packets in a given flow will go over only one link.

 In other words, they are redefining the term load balancing into
 something that is not understood by any previously accepted definition
 of load balancing, so that people like you can think you're getting
 something for nothing.

 Once more - FTP to a remote site with your dual DSL links.  Copy
 a FreeBSD ISO file to there.  Watch as the upload speed IS NO FASTER
 THAN ONE OF THE LINKS.

 Ted

I just looked at the pfsense site, and for an Internet Café, it looks
promising.  Two DSL lines to different ISP's does give a small amount of
redundancy.  Whether you use two routers or pfsense, you get some sort
of load sharing but not load balancing.  A more appropriate
performance test for an Internet Café would be:

Take a dozen PC's each to transfer a FreeBSD 6.0R ISO file from a dozen
different mirror sites.  Start them at the same time and see how long
all of the transfers take.

You can test one DSL connection at N kbps and two DSL connections both
at N kbps.  You'll undoubtedly see the effect of load sharing if the
dozen PC's are more or less evenly divided over the two DSL lines.

The redundancy isn't great, and you will pay for it.  Namely, two N kbps
connections will cost you more than one 2N connection.  If you ran my
benchmark on a 2N connection you might actually see an improvement over
two N kbps connections due to its inherent load balancing.  In any
case, with a single (or a small number) of users (Ted's benchmark test)
you would definitely see an improvement over two N kbps connections.

Now the question:  is a faster AND cheaper 2N connection a better setup
than two N kbps connections for our fabled Internet Café?


NO.

As I pointed out the MOST COMMON failure mode on DSL is SLOWNESS
not DISCONNECTS.  If you have a 2N connection and one of the DSL
modems starts going gunnysack, you are really going to have to
know your stuff to be able to detect this and fix it.  If the modem
picks 9:35pm at night to do this, or some other inconvenient time,
like seems to be the normal time for failures to happen, I
guarantee you're not going to get anyone at the ISP who knows
shit from shinola to help you, and you're going to be spinning your
wheels.

For the fabled Internet Cafe, really and truly and honestly, the
crude solution that the previous owner worked out is the best -
it is easy for relatively unsophisticated people (such as the
minimum wage high school student you hired to watch the place
after school) to troubleshoot, it is easy to get assistance from
the ISP on the failed leg, since the configuration is very basic and
standard, and it is dirt cheap.

I realize the temptation to mess with a running setup is strong,
and the temptation to change around something you buy so as to
put your own stamp on it is even stronger.  But it is a great way
to have terrible monsters come storming out of the closet that
the existing config was developed to work around.

I'd personally go with the 2N connection.  Almost all the time it would
be better.  Most large ISPs, for a little more money of course, will
give you a faster response time on repairs.  The ISP might even provide
a bank of modems and you could implement multilink PPP as your backup.


2N is great if you need to ship large data items around and your site
is way far away from the DSLAM.  But it is more complex and so you
need to be using it when the big guns both at the ISP and the organization
are not in bed - meaning 9-5 - so that if problems happen they are
available to get them solved.  Think office environments for this.

Ted



RE: FreeBSD router two DSL connections

2005-12-12 Thread Yance Kowara
Ted,

Thanks for the advice.

A friend of mine has just acquired an Internet Cafe.
The previous owner connected the lan to 2 different
ADSL (two different ISPs) one is a back up he said.

So, two ADSL routers with half the Lan connected to
one router and another half to the other router.

I am just thinking of a way to optimise the
connection and came across Steven's article. I
thought I could do something similar with *BSD + pf.

There is such thing as Dual Wan ADSL router:
http://www.infosmart.com.tw/p-ndr3024.htm

However, they are quite pricey compared to setting up a
*BSD box (using old readily available hardware).


So, if this load balancing idea does not work, any
other thing I can do to optimise two DSLs?

I also came across this (linux way):
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html

Is this worth trying?

Kind regards,


Yance Kowara

--- Ted Mittelstaedt [EMAIL PROTECTED] wrote:

 
 If both DSL lines go to the same ISP it is easy, run
 PPP on them and setup multilink PPP.  The ISP has to
 do so also.
 
 If they are going to different ISP's then you cannot
 do it with any operating system or device save BGP - the idea is
 completely -stupid- to put it simply.  If you think different,
 then explain why and I'll shoot every networking scenario
 you present so full of holes you will think it's swiss cheese.
 And if you think you're going to run BGP I'll shoot that full
 of holes also.
 
 Note that Steven's scenario below is for 2 circuits that
 both start at a single entity, and both end at a single entity.
 
 Ted
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 Behalf Of Yance Kowara
 Sent: Sunday, December 11, 2005 7:03 PM
 To: freebsd-questions@freebsd.org
 Subject: FreeBSD router two DSL connections
 
 
 Hi all,
 
 I am trying to figure out if *BSD can achieve this:
 
 I have two DSL connections to play with, and I would
 like to configure a *BSD router that can combine the
 two DSLs together.
 
 There is a howto at
 http://stevenfettig.com/mythoughts/archives/000173.php
 
 But it concerns OpenBSD and it was for a T1 connection
 using a dual T1 card. I would like to configure one on
 2 DSLs connected to two individual NICs.
 
 Is this feasible at all, or should I just invest in a
 dual Wan hardware?
 
 Kind regards,
 
 Yance
 
 




Re: FreeBSD router two DSL connections

2005-12-12 Thread Eric F Crist

On Dec 12, 2005, at 2:05 AM, Yance Kowara wrote:


Ted,

Thanks for the advice.

A friend of mine has just acquired an Internet Cafe.
The previous owner connected the lan to 2 different
ADSL (two different ISPs) one is a back up he said.

So, two ADSL routers with half the Lan connected to
one router and another half to the other router.

I am just thinking of a way to optimise the
connection and came across Steven's article. I
thought I could do something similar with *BSD + pf.

There is such thing as Dual Wan ADSL router:
http://www.infosmart.com.tw/p-ndr3024.htm

However, they are quite pricey compared to setting up a
*BSD box (using old readily available hardware).


So, if this load balancing idea does not work, any
other thing I can do to optimise two DSLs?

I also came across this (linux way):
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html


Is this worth trying?

Kind regards,


Yance,

The reason, without a pretty heavily involved configuration, this  
won't work is packet routing.  Unless you're using BGP, Border  
Gateway Protocol, you're not going to reliably route return packets  
to any interface other than the interface it was transmitted from.   
I'm guessing that the dual-wan device you speak of handles some  
things differently.  Something like a large file download is going to  
fail to utilize the full bandwidth, however, because of the nature of  
the traffic.  If you really need to boost network bandwidth, you're  
going to be forced into either working directly with an ISP to link  
multiple DSL channels, or, more likely, obtain business-class service  
over a T1/T3 setup.


HTH
-
Eric F Crist
Secure Computing Networks
http://www.secure-computing.net





Re: FreeBSD router two DSL connections

2005-12-12 Thread Yance Kowara


--- Eric F Crist [EMAIL PROTECTED] wrote:

 On Dec 12, 2005, at 2:05 AM, Yance Kowara wrote:
 
  Ted,
 
  Thanks for the advice.
 
  A friend of mine has just acquired an Internet Cafe.
  The previous owner connected the lan to 2 different
  ADSL (two different ISPs) one is a back up he said.
 
  So, two ADSL routers with half the Lan connected to
  one router and another half to the other router.
 
  I am just thinking of a way to optimise the
  connection and came across Steven's article. I
  thought I could do something similar with *BSD + pf.
 
  There is such thing as Dual Wan ADSL router:
  http://www.infosmart.com.tw/p-ndr3024.htm
 
  However, they are quite pricey compared to setting up a
  *BSD box (using old readily available hardware).
 
 
  So, if this load balancing idea does not work, any
  other thing I can do to optimise two DSLs?
 
  I also came across this (linux way):
  http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
 
  Is this worth trying?
 
  Kind regards,
 
 Yance,
 
 The reason, without a pretty heavily involved configuration, this
 won't work is packet routing.  Unless you're using BGP, Border
 Gateway Protocol, you're not going to reliably route return packets
 to any interface other than the interface it was transmitted from.
 I'm guessing that the dual-wan device you speak of handles some
 things differently.  Something like a large file download is going to
 fail to utilize the full bandwidth, however, because of the nature of
 the traffic.  If you really need to boost network bandwidth, you're
 going to be forced into either working directly with an ISP to link
 multiple DSL channels, or, more likely, obtain business-class service
 over a T1/T3 setup.
 
 HTH
 -
 Eric F Crist
 Secure Computing Networks
 http://www.secure-computing.net
 
 
 
 

Hmm, what about putting zebra into the picture ...
a solution or chaos?


Regards,

Yance



RE: FreeBSD router two DSL connections

2005-12-12 Thread Ted Mittelstaedt


-Original Message-
From: Yance Kowara [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 11, 2005 11:57 PM
To: Ted Mittelstaedt
Subject: RE: FreeBSD router two DSL connections


Ted,

Thanks for the advice.

A friend of mine has just acquired an Internet Cafe.
The previous owner connected the lan to 2 different
ADSL (two different ISPs) one is a back up he said.

So, two ADSL routers with half the Lan connected to
one router and another half to the other router.


Most likely the trick used was to setup 2 independent routers,
one on each DSL line, and set half of the machines to use
one router as their default gateway, and half of the systems
to use the other.  If they really did use separate physical networks
that is a dumb idea, because you now have problems copying
update files and such in between systems in the Cafe.

It is a very crude form of redundancy but this is NOT a
load-sharing scenario.  Keep in mind the real need of an
Internet Cafe is redundancy, not bandwidth, so although
crude, this solution is one of the few solutions that is
available on a shoestring that is really effective.

I am just thinking of a way to optimise the
connection and came across Steven's article. I
thought I could do something similar with *BSD + pf.

There is such thing as Dual Wan ADSL router:
http://www.infosmart.com.tw/p-ndr3024.htm


And they do NOT work to combine bandwidth.  What these
devices do is they split the NAT translation table and
whichever DSL line is unused gets the next translation
slot allocated.

However the restriction is each translation slot still only
gets the bandwidth available for that DSL line.

Thus if you're web-surfing and 1 DSL line is busy, you get shunted to
the next, but you cannot get the bandwidth available from both
lines at the same time, on the same PC.  Now, if you happened
to open 2 separate FTP sessions on your PC, and if the load-sharer
was sophisticated enough, it might be able to put 1 session on
1 DSL line, and the other on the other.  But each session
is still limited to the top speed of the DSL line.  To the
uninitiated, however, that might APPEAR to work as a bandwidth
load balancer.

The challenge I have always posed to the proponents of this
trick was to post results of downloading the latest FreeBSD
iso file that show they got the iso file in half the time.
Never been met, of course.

These devices also have a lot of trouble detecting when one
of the DSL lines is having a problem.  For example you could have
1 DSL line going very, very slow, the router thinks that circuit
is still up because all it can do is decide if a DSL line is up
or not - but traffic going through this is dog-slow.  If for example
one of those Internet Cafe PC's got infected with a mass-mailing
virus, it would cause exactly that scenario.

Would you rather have 1/2 of the PC's in the Internet cafe that
are using the slow DSL line as their default gateway just get dog-slow,
and the other 1/2 continue to work normally, or would you rather
have every single PC in the Cafe become intermittently slow when
one of the DSL lines gets slow?

However, they are quite pricey compared to setting up a
*BSD box (using old readily available hardware).


The NAT software in FreeBSD (and indeed, in any UNIX os) does
not have the notion of separate route tables and cannot do this.
In fact, just about all Cisco or other high-end routers cannot
deal with multiple, independent route tables in the same box.


So, if this load balancing idea does not work, any
other thing I can do to optimise two DSLs?

I also came across this (linux way):
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html

Is this worth trying?


It is the same issue - would you rather have half the PCs in
the Cafe get slow if there's a problem, or all of them become
intermittently slow?

I know about that Linux howto.  It came about a few years or so ago
when the bozo that wrote it, who had no understanding of networking,
posted exactly the same question you posted on one of the major
networking mailing lists, and when he was told it wasn't possible,
he got so pissed off he was going to show those uppity mucks that
he knew better than they did.

The result is a scheme that appeared to work enough to satisfy
this guy's ego, he never of course has posted any followup as
to how well it works when presented with the kinds
of failure scenarios (fiber-seeking backhoe, etc.) that are
common in real life.

It's easier for the proctor of the Internet Cafe to simply tell the
customer if one PC is acting up to go to another one that isn't.

Also keep in mind that unless both DSL lines are coming in on
completely separate wiring plants, you really don't have true
redundancy.  If you're going to do this on the cheap, it would be
more effective to use 1 DSL line for some of the machines, and
a cable modem for the other.

Like the other guy said, if your friend wants more bandwidth, buy
a business-class DSL line for more money

Re: FreeBSD router two DSL connections

2005-12-12 Thread Winelfred G. Pasamba
i use pfSense (www.pfsense.com)


pfSense is an open source firewall derived from the m0n0wall operating system
platform with radically different goals such as using Packet Filter, FreeBSD
6.X (or DragonFly BSD when ALTQ and CARP is finished) ALTQ for excellent
packet queueing and finally an integrated package management system for
extending the environment with new features.
then i edit /etc/pf.conf and paste the openbsd pf tutorial for load
balancing outgoing traffic (
http://www.openbsd.org/faq/pf/pools.html#outexample)

then i pfctl -f /etc/pf.conf and watch the traffic on both WAN interfaces

On 12/12/05, Yance Kowara [EMAIL PROTECTED] wrote:

 Hi all,

 I am trying to figure out if *BSD can achieve this:

 I have two DSL connections to play with, and I would
 like to configure a *BSD router that can combine the
 two DSLs together.

 There is a howto at
 http://stevenfettig.com/mythoughts/archives/000173.php

 But it concerns OpenBSD and it was for a T1 connection
 using a dual T1 card. I would like to configure one on
 2 DSLs connected to two individual NICs.

 Is this feasible at all, or should I just invest in a
 dual Wan hardware?

 Kind regards,

 Yance





--
Seek ye first the kingdom of God and all these things shall be added unto
you.

Winelfred G. Pasamba
Adventist University of the Philippines
Computer Science Department, AUP Online Information System


RE: FreeBSD router two DSL connections

2005-12-12 Thread Ted Mittelstaedt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Yance Kowara
Sent: Monday, December 12, 2005 4:33 AM
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections




--- Eric F Crist [EMAIL PROTECTED] wrote:

 On Dec 12, 2005, at 2:05 AM, Yance Kowara wrote:
 
  Ted,
 
  Thanks for the advice.
 
  A friend of mine has just acquired an Internet Cafe.
  The previous owner connected the lan to 2 different
  ADSL (two different ISPs) one is a back up he said.
 
  So, two ADSL routers with half the Lan connected to
  one router and another half to the other router.
 
  I am just thinking of a way to optimise the
  connection and came across Steven's article. I
  thought I could do something similar with *BSD + pf.
 
  There is such thing as Dual Wan ADSL router:
  http://www.infosmart.com.tw/p-ndr3024.htm
 
  However, they are quite pricey compared to setting up a
  *BSD box (using old readily available hardware).
 
 
  So, if this load balancing idea does not work, any
  other thing I can do to optimise two DSLs?
 
  I also came across this (linux way):
  http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
 
  Is this worth trying?
 
  Kind regards,
 
 Yance,
 
 The reason, without a pretty heavily involved
 configuration, this  
 won't work is packet routing.  Unless you're using
 BGP, Border  
 Gateway Protocol, you're not going to reliably route
 return packets  
 to any interface other than the interface it was
 transmitted from.   
 I'm guessing that the dual-wan device you speak of
 handles some  
 things differently.  Something like a large file
 download is going to  
 fail to utilize the full bandwidth, however, because
 of the nature of  
 the traffic.  If you really need to boost network
 bandwidth, you're  
 going to be forced into either working directly with
 an ISP to link  
 multiple DSL channels, or, more likely, obtain
 business-class service  
 over a T1/T3 setup.
 
 HTH
 -
 Eric F Crist
 Secure Computing Networks
 http://www.secure-computing.net
 
 
 
 ___
 freebsd-questions@freebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 [EMAIL PROTECTED]
 

Hmm, what about putting zebra into the picture ...
a solution or chaos?


What feature in Zebra exactly do you think will help in
this scenario?

Ted


Re: FreeBSD router two DSL connections

2005-12-12 Thread Nathan Vidican

Ted Mittelstaedt wrote:






Hmm, what about putting zebra into the picture ...
a solution or chaos?




What feature in Zebra exactly do you think will help in
this scenario?

Ted




You could, if the purpose is to combine bandwidth across multiple DSL links,
use multi-link PPP, afaik - the only way to do so is through mpd
(/usr/ports/net/mpd) ... not catch the whole thread, so feel free to correct me
if wrong, mpd should work for you.


--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate  Tool Ltd.
http://www.wmptl.com/


Re: FreeBSD router two DSL connections

2005-12-12 Thread Yance Kowara

 Hmm, what about putting zebra into the picture ...
 a solution or chaos?

  What feature in Zebra exactly do you think will
  help in this scenario?

  Ted

I am just crawling in the dark here...

If the upstream packets can be sent through a
supposedly working load-balancing FreeBSD router, it
will only handle upstream packets..., i.e. the router
may be able to balance the upstream packets...

Now, who's going to handle the routing and balancing
the downstream packet? Would Zebra have such a feature?

I am sorry if it makes not much sense. I am just
trying to figure out what I can do to optimise two
ADSL uplinks. 

If there are other things I can do to optimise it,
please give me some pointers.
Regards,

Yance



Re: FreeBSD router two DSL connections

2005-12-12 Thread James Long
This is for an internet cafe, right?  Not a mission-critical system?
Yes, I realize your mission is providing internet, but

Buy two DSL feeds, and two WAPs.  Put one WAP on each feed.
Set them to different SSIDs and different RF channels.

Then the wi-fi clients will associate with one or the other, hopefully
on a 50/50 basis, or perhaps geographically distributed in proportion
to how far (or how line-of-sight) they are from either WAP.

If one WAP fails, odds are good that clients will still be in radio 
range of the other.

So there you go, redundant fail-over in case one feed goes down.
For a $1.75 cup of Americano, that's about the most your customers
will have reason to expect.







RE: FreeBSD router two DSL connections

2005-12-12 Thread Ted Mittelstaedt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Winelfred G.
Pasamba
Sent: Monday, December 12, 2005 8:26 AM
To: Yance Kowara
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections


i use pfSense (www.pfsense.com)

pfSense is an open source firewall derived from the m0n0wall operating system
platform with radically different goals such as using Packet Filter, FreeBSD
6.X (or DragonFly BSD when ALTQ and CARP is finished) ALTQ for excellent
packet queueing and finally an integrated package management system for
extending the environment with new features.

then i edit /etc/pf.conf and paste the openbsd pf tutorial for load
balancing outgoing traffic
(http://www.openbsd.org/faq/pf/pools.html#outexample)

then i pfctl -f /etc/pf.conf and watch the traffic on both WAN interfaces


Sigh.

THIS IS NOT LOAD BALANCING PLEASE QUIT BEING SLOPPY WITH YOUR
NETWORKING TERMS

I refer you to the pfsense website itself:

http://faq.pfsense.org/index.php?sid=13525&lang=en&action=artikel&cat=6&id=18&artlang=en

Load balancing is on per connection basis, not a bandwidth basis.  All
packets in a given flow will go over only one link.

In other words, they are redefining the term load balancing into
something that is not understood by any previously accepted definition
of load balancing, so that people like you can think you're getting
something for nothing.

Once more - FTP to a remote site with your dual DSL links.  Copy
a FreeBSD ISO file to there.  Watch as the upload speed IS NO FASTER
THAN ONE OF THE LINKS.

Load balancing is accomplished with multilink PPP and that is in
FreeBSD, I have run it before over dual modem links and it works
great.  But the links must terminate at the same ISP.

Ted
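
The distinction drawn in the message above, as an added example that is not part of the original thread: a small model of two uplinks in which each connection is pinned to one link, compared with an idealised multilink PPP bundle. The link rates, flow names and demands are constructed assumptions, and the fair-share model ignores protocol overhead.

```python
# Added illustration: per-connection balancing vs. one bonded bundle.
# Link rates, flow names and demands are constructed; the thread gives none.
from itertools import cycle

LINKS = {"dsl1": 512, "dsl2": 512}   # assumed uplink rates, kbit/s

def max_min_share(demands, capacity):
    """Split capacity among flows max-min fairly; returns {flow: kbit/s}."""
    result, remaining = {}, dict(demands)
    while remaining:
        share = capacity / len(remaining)
        fits = {f: d for f, d in remaining.items() if d <= share}
        if not fits:                       # every flow wants more than its share
            result.update({f: share for f in remaining})
            break
        for f, d in fits.items():          # small flows get all they asked for
            result[f] = d
            capacity -= d
            del remaining[f]
    return result

def per_connection(flows, links=LINKS):
    """Each new connection is pinned to one link in round-robin order;
    all packets of that flow then use only that link."""
    pinned = dict(zip(flows, cycle(links)))
    rates = {}
    for link, cap in links.items():
        mine = {f: d for f, d in flows.items() if pinned[f] == link}
        rates.update(max_min_share(mine, cap))
    return rates

def bonded(flows, links=LINKS):
    """Idealised multilink PPP: both links terminate at one ISP and act
    as a single pipe (fragmentation overhead ignored)."""
    return max_min_share(flows, sum(links.values()))

if __name__ == "__main__":
    one_upload = {"iso_upload": 10_000}              # a single greedy FTP transfer
    cafe = {f"client{i}": 10_000 for i in range(4)}  # four greedy clients
    print("one flow, per-connection:", per_connection(one_upload))
    print("one flow, bonded        :", bonded(one_upload))
    print("four flows, per-connection total:", sum(per_connection(cafe).values()))
```

A single transfer never exceeds one link's rate under per-connection balancing; only the aggregate across many simultaneous connections approaches the sum of both links.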



RE: FreeBSD router two DSL connections

2005-12-12 Thread Ted Mittelstaedt


-Original Message-
From: Nathan Vidican [mailto:[EMAIL PROTECTED]
Sent: Monday, December 12, 2005 11:08 AM
To: Ted Mittelstaedt
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: Re: FreeBSD router two DSL connections


You could, if the purpose is to combine bandwidth across multiple DSL links,
use multi-link PPP, afaik - the only way to do so is through mpd
(/usr/ports/net/mpd) ... not catch the whole thread, so feel free to correct me
if wrong, mpd should work for you.


It works great when both links go to the same ISP, which in this
case they are not.

Undoubtedly the OP wants to avoid spending money for better circuits,
and undoubtedly any ISP willing to run multiple DSL links to the customer
would charge more money.  (The ISP I work at would be one such willing
ISP, and we definitely would charge more)

Ted



RE: FreeBSD router two DSL connections

2005-12-11 Thread Ted Mittelstaedt

If both DSL lines go to the same ISP it is easy, run
PPP on them and setup multilink PPP.  The ISP has to
do so also.

If they are going to different ISPs then you cannot
do it with any operating system or device save BGP - the idea is
completely -stupid- to put it simply.  If you think different,
then explain why and I'll shoot every networking scenario
you present so full of holes you will think it's swiss cheese.
And if you think you're going to run BGP I'll shoot that full
of holes also.

Note that Steven's scenario below is for 2 circuits that
both start at a single entity, and both end at a single entity.

Ted


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Yance Kowara
Sent: Sunday, December 11, 2005 7:03 PM
To: freebsd-questions@freebsd.org
Subject: FreeBSD router two DSL connections


Hi all,

I am trying to figure out if *BSD can achieve this:

I have two DSL connections to play with, and I would
like to configure a *BSD router that can combine the
two DSLs together.

There is a howto at
http://stevenfettig.com/mythoughts/archives/000173.php

But it concerns OpenBSD and it was for a T1 connection
using a dual T1 card. I would like to configure one on
2 DSLs connected to two individual NICs.

Is this feasible at all, or should I just invest in a
dual Wan hardware?

Kind regards,

Yance
