So in a follow-up to the thread of last week about dual Internet connections, I managed to do that which I thought impossible over the weekend for a client.
The layout:

|---------------|      |---------------|               /-----\
|192.168.1.0/24 |      |               |----ISP1---|   |     |
|      LAN      |------|   Firewall    |           |   | 0/0 |
|               |      |               |----ISP2---|   |     |
|---------------|      |---------------|               \-----/

The outbound side is reasonably easy to deal with using iproute2 and weighting/equalizing the routes. However, the difficult (and therefore rewarding) part was getting the firewall to track and properly forward connections to an internal system *regardless of which connection it came in on*. The goal was to have 2 MX records in public DNS, one weighted higher than the other, so that if the connection to ISP1 goes down, inbound e-mail will simply come in over the other line.

In my looking around for systems or appliances that perform this magic, I came up basically empty (short of $10k NetScreen/Barracuda/Cisco gear) and was under the impression that it's simply not possible under Linux without employing some sort of source routing, which would then require either separate IP addresses and routing tables on the internal server, or dual NICs on the server. Then connections to the server from ISP1 could be forwarded to NIC1 on the server, and connections via ISP2 would be forwarded to NIC2. However, that's messy and inelegant, and flies in the face of how I like to do things :)

Enter my OCD, and a couple days' worth of Googling, and I stumbled across fwmark and --ctorigdst in the iptables stack [1]. An afternoon of pfutzing with iproute2 and iptables, and voila!!! It Works! You can now telnet to port 25 on either interface of the firewall, via either ISP, and connect to the internal server, and there is absolutely no reconfiguration needed on the server itself. *Rubin does a victory lap around the abandoned office*.
Since this thread generated a fair amount of interest last week, I thought I'd share my little victory with y'all :)

When I was working on this, I was tinkering with the load balancing and weighting, and observed that my OpenVPN connection is very tolerant of load balancing and cutting my traffic from ISP to ISP. The VPN stayed running despite several forcible changes in which ISP the data from my laptop was being sent out.

Next steps: Implement a monitoring daemon of some sort that catches when a connection drops immediately and takes the defunct connection out of the routing rules (there are a few shell scripts out there, but they only check once every few seconds or at most once/second, and I'd like it to be instantaneous).

[1] http://blog.taragana.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/

--
Rubin Bennett
rbTechnologies, LLC
80 Carleton Boulevard
East Montpelier, VT 05651
(802)223-4448
http://thatitguy.com

"Think for yourselves and let others enjoy the privilege to do so too."
Voltaire, Essay on Tolerance
French author, humanist, rationalist, & satirist (1694 - 1778)
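The fwmark/--ctorigdst mechanism the post describes, written out as a complete rule set. This is an added example, not Rubin's script and not taken from the linked article; interface names (eth0/eth1/eth2), the TEST-NET public addresses, the internal MTA address 192.168.1.25, and the table and mark numbers are all constructed assumptions. The idea is that after DNAT conntrack still remembers the original destination of each flow (the public address the remote MTA connected to), so replies from the LAN can be marked by that address and policy-routed back out the same ISP, with no change on the server. The script emits the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Dual-WAN inbound forwarding with fwmark + conntrack --ctorigdst.
# Added example; every name and address below is a constructed assumption.
LAN_IF=eth0                                                   # 192.168.1.0/24 side
WAN1_IF=eth1; WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1      # ISP1 (TEST-NET-3)
WAN2_IF=eth2; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1     # ISP2 (TEST-NET-2)
MAIL=192.168.1.25      # internal MTA: single NIC, single default route, untouched
T_ISP1=101; T_ISP2=102 # per-ISP routing table numbers
M_ISP1=1;   M_ISP2=2   # fwmark values tied to those tables

# Emit the rules as text rather than executing them, so they can be read
# (or checked by a test) before touching a live firewall.
build_rules() {
    cat <<EOF
# 1. One routing table per ISP, each with that ISP's gateway as its default.
ip route replace default via $WAN1_GW dev $WAN1_IF table $T_ISP1
ip route replace default via $WAN2_GW dev $WAN2_IF table $T_ISP2
# 2. Packets carrying a mark are looked up in the matching table.
ip rule add fwmark $M_ISP1 table $T_ISP1
ip rule add fwmark $M_ISP2 table $T_ISP2
ip route flush cache
# 3. Publish port 25 on both public addresses; both map to the same MTA.
iptables -t nat -A PREROUTING -i $WAN1_IF -d $WAN1_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL
iptables -t nat -A PREROUTING -i $WAN2_IF -d $WAN2_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL
# 4. Replies from the LAN: conntrack still holds the ORIGINAL destination of
#    the flow (the public IP the client hit) even though DNAT rewrote it, so
#    mark the reply by that address and step 2 sends it out the right ISP.
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark $M_ISP1
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark $M_ISP2
# 5. Only the published service is allowed in; reply traffic rides on state.
iptables -A FORWARD -i $WAN1_IF -o $LAN_IF -d $MAIL -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WAN2_IF -o $LAN_IF -d $MAIL -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 6. Outbound LAN traffic is source-NATed to whichever WAN the main table picks.
iptables -t nat -A POSTROUTING -o $WAN1_IF -j SNAT --to-source $WAN1_IP
iptables -t nat -A POSTROUTING -o $WAN2_IF -j SNAT --to-source $WAN2_IP
# 7. With an equalized multipath default route, strict reverse-path filtering
#    can drop inbound packets on the WAN the kernel would not itself have chosen;
#    loose mode (2) keeps the anti-spoofing check without that side effect.
sysctl -w net.ipv4.conf.$WAN1_IF.rp_filter=2
sysctl -w net.ipv4.conf.$WAN2_IF.rp_filter=2
EOF
}

# Apply for real (root required); comment lines are stripped first.
apply_rules() {
    build_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default: just print the rule set for review
esac
```

Run the script with no argument to read the generated rules, and with `apply` as root to install them. The one check worth doing afterwards is the one the post describes: connect to port 25 on each public address from outside and confirm in `conntrack -L` (or `/proc/net/nf_conntrack`) that the reply direction of each flow carries the mark of the ISP it arrived on.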
