I've been trying over and over to figure this one out, but I'm just hitting the end of my wits. We have a remote office that can only get 768Kbps DSL, which they've not totally maxed out. So management's solution now is to buy a second DSL line, but they won't let me buy a dual WAN router (in case they add a 3rd DSL line).

I've found some great articles on how to get the interfaces working with 2 default gateways (I used this: http://www.linuxquestions.org/linux/answers/Networking/Spanning_Multiple_DSLs) and that is all running fine. It alternates every few minutes which WAN port is used when I traceroute yahoo.com (which is fine) and everything is connecting fine from the router. However, I can't figure out how to get NAT running on the server for the 2 WAN ports for clients inside the LAN. I can NAT to 1 DSL, but that is useless.

What I am looking for is a tutorial in how to do this or a pointer to someone who can help. Anyone know of a resource for this?

Joe Johnson
joe@sendjoeanemail.com
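Added example (not from the thread or any of its posters): the Linux side of what Joe is asking for, with per-link SNAT plus iproute2 policy routing and iptables CONNMARK so each connection stays on the link it started on. The interface names, the 10.0.1.0/24 and 10.0.2.0/24 modem subnets, the router addresses and the LAN 192.168.1.0/24 are constructed for the example, not taken from Joe's network. It also generalizes to more than two links (the nth-based share rule is written for n links). By default it only prints the commands; APPLY=1 as root executes them.

```shell
#!/bin/sh
# Added example (not from the thread): per-connection NAT over two or more DSL
# links on a Linux router, using iproute2 policy routing plus iptables CONNMARK.
# Assumed layout, constructed for the example (not the poster's real addressing):
#   eth0 -> DSL modem 1  (router 10.0.1.2, gateway 10.0.1.1)
#   eth1 -> DSL modem 2  (router 10.0.2.2, gateway 10.0.2.1)
#   eth2 -> office LAN 192.168.1.0/24
# By default the script only prints the commands; APPLY=1 (as root) runs them.

LAN_IF=eth2
LAN_NET=192.168.1.0/24
WANS="eth0:10.0.1.2:10.0.1.1 eth1:10.0.2.2:10.0.2.1"   # iface:address:gateway
MODEM_NETS="10.0.1.0/24 10.0.2.0/24"                     # reached directly, never via NAT

# run: execute the command when APPLY=1, otherwise print it.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# dual_wan_rules LAN_IF LAN_NET "iface:addr:gw ..." "directly connected nets"
dual_wan_rules() {
  lan_if=$1; lan_net=$2; wans=$3; local_nets=$4
  n=0; for w in $wans; do n=$((n + 1)); done
  table=100; i=0; nexthops=""

  run sysctl -w net.ipv4.ip_forward=1
  # 1. Every packet from the LAN first inherits the mark saved on its connection.
  run iptables -t mangle -A PREROUTING -i "$lan_if" -j CONNMARK --restore-mark
  # 2. Traffic to the LAN or to the modems themselves is never pinned to a link,
  #    otherwise a LAN host talking to modem 2's web UI could be sent out link 1.
  for net in $lan_net $local_nets; do
    run iptables -t mangle -A PREROUTING -i "$lan_if" -d "$net" -j RETURN
  done

  for w in $wans; do
    ifc=${w%%:*}; rest=${w#*:}; addr=${rest%%:*}; gw=${rest#*:}
    # 3. One routing table per link, selected by source address or by fwmark.
    run ip route add default via "$gw" dev "$ifc" table "$table"
    run ip rule add from "$addr" table "$table"
    run ip rule add fwmark "$table" table "$table"
    # Replies may legitimately arrive on either link: loose reverse-path check.
    run sysctl -w "net.ipv4.conf.$ifc.rp_filter=2"
    # 4. Source NAT to this link's own address for whatever leaves through it.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$ifc" -j SNAT --to-source "$addr"
    # 5. Connections that come in on this link are pinned to it, so the reply
    #    from the LAN host goes back out the same modem.
    run iptables -t mangle -A PREROUTING -i "$ifc" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$table"
    # 6. New LAN connections: link i takes 1/(n-i) of the still-unmarked ones and
    #    the last link takes whatever is left, which gives every link an equal share.
    left=$((n - i))
    if [ "$left" -gt 1 ]; then
      run iptables -t mangle -A PREROUTING -i "$lan_if" -m mark --mark 0 \
          -m conntrack --ctstate NEW -m statistic --mode nth --every "$left" --packet 0 \
          -j MARK --set-mark "$table"
    else
      run iptables -t mangle -A PREROUTING -i "$lan_if" -m mark --mark 0 \
          -m conntrack --ctstate NEW -j MARK --set-mark "$table"
    fi
    nexthops="$nexthops nexthop via $gw dev $ifc weight 1"
    table=$((table + 1)); i=$((i + 1))
  done

  # 7. Remember the chosen link for the rest of the connection.
  run iptables -t mangle -A PREROUTING -i "$lan_if" -j CONNMARK --save-mark
  # 8. The router's own, unmarked traffic still balances over a multipath default.
  run ip route replace default scope global $nexthops
}

dual_wan_rules "$LAN_IF" "$LAN_NET" "$WANS" "$MODEM_NETS"
```

The point a single MASQUERADE rule misses is that the routing decision for a forwarded packet happens before NAT: without the fwmark tables, a connection whose first packet went out eth0 can have a later packet routed via eth1 and leave with the wrong source address, which is exactly the mid-session breakage the Xincom discussion below describes. Step 2 is the caveat worth keeping: any directly connected destination must be excluded from marking, or the per-link tables (which hold only a default route) send it the wrong way. Link failure is not handled here; a dead gateway still receives its share until its table is removed.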
Joe Johnson wrote:
> I've been trying over and over to figure this one out, but I'm just hitting the end of my wits. We have a remote office that can only get 768Kbps DSL, which they've not totally maxed out. So management's solution now is to buy a second DSL line, but they won't let me buy a dual WAN router (in case they add a 3rd DSL line).
>
> I've found some great articles on how to get the interfaces working with 2 default gateways (I used this: http://www.linuxquestions.org/linux/answers/Networking/Spanning_Multiple_DSLs) and that is all running fine. It alternates every few minutes which WAN port is used when I traceroute yahoo.com (which is fine) and everything is connecting fine from the router. However, I can't figure out how to get NAT running on the server for the 2 WAN ports for clients inside the LAN. I can NAT to 1 DSL, but that is useless.
>
> What I am looking for is a tutorial in how to do this or a pointer to someone who can help. Anyone know of a resource for this?
>
> Joe Johnson
> joe@sendjoeanemail.com
I don't see how the router can NAT to more than one IP address. So you need one NAT router per DSL line. Now use your Linux, without NAT, to distribute the traffic. Make a guess where most of your traffic goes. Get some vague IP address ranges and divide them. E.g. send all traffic to Microsoft via router-1 and all traffic to CNN via router-2. Both your clients and your Linux router don't know about the NAT. The routers, up to 500 of them :) don't know anything except NAT.

If your clients are in 192.168.xxx.xxx then it might be a good idea to put the NAT routers in 10.xxx.xxx.1. No need for the routers to talk to each other. Your Linux router needs a virtual interface on, say, 10.xxx.xxx.2 to talk to each router. It would be good to have a real interface for each router to the Linux and to have a separate one for your clients. But the Linux is intelligent enough and those 1 MBit DSL lines are slow enough that you can put everything together on one switch. No need to bother which line is which... 10 MBit is fast enough to the outside.

Another approach: Can you split your customers into separate networks that don't talk to each other? Then give each group its own NAT router and give your servers two or more interfaces to make them part of both networks. You must put the routers in different networks of course, say 192.168.1.xxx and 192.168.2.xxx.

Use an http://www-03.ibm.com/servers/eserver/bladecenter/ Then you run one Linux for each DSL line. Those Linuxes know how to route internally too. Now you simply distribute the clients between the Linuxes. Don't ask the price. Your management will be delighted :) This solution will allow you some 8 DSL lines. If you need more, buy another BladeCenter and connect them.

Cheers
Peter and Karin Dambier

--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr
[ This is not a plug for a vendor, just operational experience ]

On Thu, 2005-12-15 at 10:49:51 +0100, Peter Dambier proclaimed...

> I don't see how the router can NAT to more than one IP address. So you need one NAT router per DSL line.

I have some experience with the Xincom Twin WAN router. Basically, all it does is NAT RFC1918 address space (by default) and load balance stateless TCP traffic (i.e. web traffic) over two outbound links. Established TCP sessions will not fail over, unfortunately, but the device is fairly reliable and does NAT-T fairly easily.

Sure, there are cheaper ways to do this solution without paying for a blackbox, but there are no moving parts in the device and thus is good for small offices that have no clue built-in.

- Eric
On Thu, Dec 15, 2005 at 08:33:55AM -0600, eric wrote:
> [ This is not a plug for a vendor, just operational experience ]
>
> On Thu, 2005-12-15 at 10:49:51 +0100, Peter Dambier proclaimed...
>
> > I don't see how the router can NAT to more than one IP address. So you need one NAT router per DSL line.
>
> I have some experience with the Xincom Twin WAN router. Basically, all it does is NAT RFC1918 address space (by default) and load balance stateless TCP traffic (i.e. web traffic) over two outbound links. Established TCP sessions will not fail over, unfortunately, but the device is fairly reliable and does NAT-T fairly easily.

Interesting in that I was talking with a customer about something similar to that today. How can you do NAT and failover but keep the existing TCP sessions alive? Given the two upstreams were doing uRPF, we couldn't come up with a solution.

Rodney

> Sure, there are cheaper ways to do this solution without paying for a blackbox, but there are no moving parts in the device and thus is good for small offices that have no clue built-in.
>
> - Eric
Rodney Dunn wrote:
> On Thu, Dec 15, 2005 at 08:33:55AM -0600, eric wrote:
>
> > [ This is not a plug for a vendor, just operational experience ]
> >
> > On Thu, 2005-12-15 at 10:49:51 +0100, Peter Dambier proclaimed...
> >
> > > I don't see how the router can NAT to more than one IP address. So you need one NAT router per DSL line.
> >
> > I have some experience with the Xincom Twin WAN router. Basically, all it does is NAT RFC1918 address space (by default) and load balance stateless TCP traffic (i.e. web traffic) over two outbound links. Established TCP sessions will not fail over, unfortunately, but the device is fairly reliable and does NAT-T fairly easily.
>
> Interesting in that I was talking with a customer about something similar to that today. How can you do NAT and failover but keep the existing TCP sessions alive? Given the two upstreams were doing uRPF, we couldn't come up with a solution.

<troll> Shim6 will fix all of this. </troll>

<duck, run>

--
Crist J. Clark
crist.clark@globalstar.com
Globalstar Communications
(408) 933-4387
On 12/14/05, Joe Johnson <nanog@sendjoeanemail.com> wrote:
> I've been trying over and over to figure this one out, but I'm just hitting the end of my wits. We have a remote office that can only get 768Kbps DSL, which they've not totally maxed out. So management's solution now is to buy a second DSL line, but they won't let me buy a dual WAN router (in case they add a 3rd DSL line).

This works flawlessly with cheap hardware running openbsd+pf. I've done this in several instances when load balancing "users" over two connections was required. I've attached a pf.conf that does just this. The other solution (if you want to call it that) was a Symantec dual-wan router/vpn appliance which was horribly broken and met a timely death once the openbsd box replaced it.

-Brian
Assuming your providers give you a new modem which is already NAT'ing the LAN side of the modem and you are plugging that into multiple NICs on your linux router like:

- modem-pub -> modem-priv -> linux-eth0
- modem-pub -> modem-priv -> linux-eth1
- linux-eth3 -> LAN switch

1) Configure VRRP (http://sourceforge.net/projects/vrrpd/) on eth0 and eth1 WAN side on the linux router. You should be able to configure the weighting on each interface equally so that they 'load share' (I've done this in FreeBSD).

2) Set the default gateway on the linux router to the VRRP interface (IP that is shared between eth0 and eth1).

This would be a very scalable and reliable solution for this type of network. I've never tried it, but let me know if it works!

On 12/14/05, Joe Johnson <nanog@sendjoeanemail.com> wrote:

> I've been trying over and over to figure this one out, but I'm just hitting the end of my wits. We have a remote office that can only get 768Kbps DSL, which they've not totally maxed out. So management's solution now is to buy a second DSL line, but they won't let me buy a dual WAN router (in case they add a 3rd DSL line).
>
> I've found some great articles on how to get the interfaces working with 2 default gateways (I used this: http://www.linuxquestions.org/linux/answers/Networking/Spanning_Multiple_DSLs) and that is all running fine. It alternates every few minutes which WAN port is used when I traceroute yahoo.com (which is fine) and everything is connecting fine from the router. However, I can't figure out how to get NAT running on the server for the 2 WAN ports for clients inside the LAN. I can NAT to 1 DSL, but that is useless.
>
> What I am looking for is a tutorial in how to do this or a pointer to someone who can help. Anyone know of a resource for this?
>
> Joe Johnson
> joe@sendjoeanemail.com