Rubin, If you could package the installation or provide scripts or documentation on what you did, you could probably start whoring yourself out as "The Solution" for solving this kind of problem. You could start your own Sourceforge project or something ... my point is that now that you've figured it out, and that it appears that existing projects to work this problem out are infantile, you could take some sort of lead in helping others across the net solve this problem.
Of course there is the pesky 'not enough time to manage a FOSS project' issue, but who needs a life? Either way - awesome job. Pat yourself on the back from me. I had started down your road and gave up from lack of time to deal with it, and lack of experience in advanced IPTables configuration. That said, I feel like I have a strong appreciation of what you've accomplished.

-Nick

---
Nicholas Floersch (pr. Floor-sh)
Stone Environmental, Inc.

> -----Original Message-----
> From: Vermont Area Group of Unix Enthusiasts
> [mailto:[email protected]] On Behalf Of Rubin Bennett
> Sent: Thursday, March 26, 2009 4:36 PM
> To: [email protected]
> Subject: Re: Routers and Internet load balancing, oh, my!
>
> On Thu, 2009-03-26 at 16:22 -0400, Rion D'Luz wrote:
> > Congrats pard! Nothing beats the sound of happy packets! Sounds
> > like.... victory
> >
> > More ?'s below:
> >
> > On Thursday 26 March 2009, Rubin Bennett wrote:
> > > So in a follow up to the thread of last week about dual Internet
> > > connections, I managed to do that which I thought impossible over the
> > > weekend for a client.
> > >
> > > The layout:
> > >
> > >   |---------------|       |---------------|              /-----\
> > >   |192.168.1.0/24 |       |               |----ISP1----|       |
> > >   |      LAN      |-------|   Firewall    |             |  0/0  |
> > >   |               |       |               |----ISP2----|       |
> > >   |---------------|       |---------------|              \-----/
> > >
> > > The outbound side is reasonably easy to deal with using iproute2 and
> > > weighting/ equalizing the routes.
> >
> > Is there a switch somewhere; is fw also THE router?
>
> The firewall is the router, there's a switch internal. This is an
> extremely simplified diagram of the network: the real deal has a 48
> port switch, with 6 servers behind it.
>
> The Firewall has 3 network cards: one LAN, one to ISP1 and another to
> ISP2.
>
> The firewall is configured with 2 subnets:
> LAN: 192.168.1.0/24
> ISP1: 1.2.3.4/28
> ISP2: 5.6.7.8/28
>
> I have a stupid long set of IPTables that does NAT and PAT for both
> inbound connections and the outbound Masquerading. I generate those
> using FWBuilder because when you have a complicated network, it's
> really, really nice to have a graphical representation of it somewhere.
> I also like it because it looks and feels a LOT like SecureRemote from
> CheckPoint, which I used in a past life, and because it can manage BSD
> (pf), ipfwadm, iptables, Cisco ACLs, etc. all from the same XML file.
>
> > > However, the difficult (and therefore rewarding part) was getting the
> > > firewall to track and properly forward connections to an internal system
> > > *regardless of which connection it came in on*. The goal was to have 2
> > > MX records in public DNS, one weighted higher than the other, so that if
> > > the connection to ISP1 goes down, inbound e-mail will simply come in
> > > over the other line.
> >
> > So, the LAN (or an analog DMZ) is hosting an smtp server and the fw
> > greenlights port traffic on either IF?
> > Cool so far.
>
> Greenlights and more importantly tracks which interface the traffic came
> in on so that return traffic is sent out the appropriate interface.
>
> > > In my looking around for systems or appliances that perform this magic,
> > > I came up basically empty (short of $10k NetScreen/ Barracuda/ Cisco
> > > gear) and was under the impression that it's simply not possible under
> > > Linux
> >
> > Did you perchance, look into a Vyatta router?
>
> For about 10 seconds, but then I got distracted... what was I just
> doing?
> Seriously they look interesting and I should find out more.
>
> > > without employing some sort of source routing, which would then
> > > require either separate IP addresses and routing tables on the internal
> > > server, or dual NICs on the server.
> >
> > So the fw is just a linux box acting as a hub/router?
> > And has two NICS not one 2-port NIC? Correct?
> > Is it capable of port-bonding, does it need that?
>
> It can but unless we do BGP (not realistic or feasible for a small
> network) bonding would effectively make both connections not work at
> all.
>
> > > Then connections to the server from
> > > ISP1 could be forwarded to NIC1 on the server, and connections via ISP2
> > > would be forwarded to NIC2.
> >
> > So, what you wanted to do was possible under Linux using two NICS, though
> > I don't understand why you couldn't have done that w/IP aliasing; not
> > that you'd want to.
>
> 3 NICs. And unless I put a switch in front of the router (thereby
> losing the physical separation of the 2 incoming connections) it's again
> messier than I like. And you would still have the issue of tracking
> which IP address traffic came from and then sending it back out stamped
> with the correct source IP.
>
> > > However, that's messy and inelegant, and flies in the face of how I like
> > > to do things :)
> > >
> > > Enter my OCD, and a couple days worth of Googling, and I stumbled across
> > > fwmark and --ctorigdst in the iptables stack [1]
> > >
> > > An afternoon of pfutzing with iproute2 and iptables, and voila!!! It
> > > Works!
> >
> > Care to share your source code, scripts, params, etc..?
>
> I would be happy to once I get it into a sanitized form :)
>
> Rubin
>
> --
> Rubin Bennett
> rbTechnologies, LLC
> 80 Carleton Boulevard
> East Montpelier, VT 05651
>
> (802)223-4448
> http://thatitguy.com
>
> "Think for yourselves and let others enjoy the privilege to do so too."
> Voltaire, Essay on Tolerance
> French author, humanist, rationalist, & satirist (1694 - 1778)
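The fwmark + --ctorigdst technique Rubin describes, written out as an added example (this is not his script, which was never posted to the list). It reuses the thread's public addresses; the interface names, ISP gateways and the mail server's LAN address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Rubin's (unreleased) script: inbound dual-ISP
# forwarding with fwmark + conntrack --ctorigdst and iproute2 policy routing.
# Assumed: interface names, ISP gateways and the mail server's LAN address
# are placeholders; the public addresses are the ones quoted in the thread.
LAN_IF=eth0;  LAN_NET=192.168.1.0/24; MAIL_SRV=192.168.1.10
ISP1_IF=eth1; ISP1_IP=1.2.3.4; ISP1_GW=1.2.3.1
ISP2_IF=eth2; ISP2_IP=5.6.7.8; ISP2_GW=5.6.7.1
DRY_RUN=${DRY_RUN:-1}   # default prints the commands; DRY_RUN=0 applies them as root

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

dualwan_rules() {
  # One routing table per uplink (numeric ids, so rt_tables needs no edit)
  run ip route replace default via "$ISP1_GW" dev "$ISP1_IF" table 100
  run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" table 200
  # Packets carrying mark 1 leave via ISP1, mark 2 via ISP2 (run once;
  # re-running appends duplicate rules)
  run ip rule add fwmark 1 table 100
  run ip rule add fwmark 2 table 200
  # New outbound flows: equal-cost multipath across both uplinks
  run ip route replace default scope global \
      nexthop via "$ISP1_GW" dev "$ISP1_IF" weight 1 \
      nexthop via "$ISP2_GW" dev "$ISP2_IF" weight 1
  # Strict reverse-path filtering drops inbound packets on whichever uplink
  # the main table does not prefer; loose mode (2) keeps a sanity check
  run sysctl -q -w net.ipv4.conf."$ISP1_IF".rp_filter=2
  run sysctl -q -w net.ipv4.conf."$ISP2_IF".rp_filter=2
  # Port-forward SMTP arriving on either public address to the mail server
  run iptables -t nat -A PREROUTING -i "$ISP1_IF" -d "$ISP1_IP" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_SRV"
  run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_IP" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_SRV"
  # Replies from the LAN: conntrack still knows the *original* destination
  # (the public IP before DNAT), so mark by it and the fwmark rules above
  # send the reply out the uplink the connection arrived on
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctorigdst "$ISP1_IP" -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctorigdst "$ISP2_IP" -j MARK --set-mark 2
  # Only established flows and new SMTP to the mail server may be forwarded
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -d "$MAIL_SRV" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  # Outbound LAN traffic is masqueraded with the address of the uplink it leaves on
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP1_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP2_IF" -j MASQUERADE
}

# Dry-run sanity check: how many reply-marking rules would be generated
count_mark_rules() { DRY_RUN=1 dualwan_rules | grep -c -- '--ctorigdst'; }

dualwan_rules
```

Run it as-is to review the generated commands; only with DRY_RUN=0 and root does it change routing tables and firewall rules.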
