Two ISPs, a bridge and iptables

Two ISPs, a bridge and iptables

[Lukasz Hejnak]

Hi
I've been thinking about connecting two ISP's to a linux box and
then firewalling/masqrading that to a local net.
The solution I'm thinking of is:
- connect the ISP's to two different interfaces (say eth0/1)
- connect the local net via a third interface (eth3)
- bridge the two network interfaces into one (eth2)
- doing the rest of the iptables stuff using 
    eth2 as the internet and eth3 as the local net
some ascii art:

   ISP#1      ISP#2
     |          |
===============================
     |          |
   eth0       eth1
     |          |
     ---bridge---
         eth2
	  |   
       iptables   (linux box)
         masq
          |
	 eth3
	  |
===============================
	  |
     local network
    
Now since I still have no playground for this to test, I've got these questions:
Would this solve the problem? 
(local net have access at ISP1+ISP2 bandwidth to the internet)
Would the total load of connections outside be balanced
by iptables/bridge mechanism between the ISP's?
Is this the best/worst/fastest/slowest way to do this?
How will the things change when one of the ISP's fail?

-- 
with regards
Lukasz Hejnak
szift@wp.pl

Re: Two ISPs, a bridge and iptables

[Jason Opperisano]

On Mon, 2004-12-13 at 12:11, Lukasz Hejnak wrote:
> Hi
> I've been thinking about connecting two ISP's to a linux box and
> then firewalling/masqrading that to a local net.
> The solution I'm thinking of is:
> - connect the ISP's to two different interfaces (say eth0/1)
> - connect the local net via a third interface (eth3)
> - bridge the two network interfaces into one (eth2)

no.  first--the bridge interface would be "br0" not "eth2"
second--do not bridge your two internet connections together.  bridging
two interfaces together says, "any packet received on one bridge member
interface is sent out all other bridge member interfaces."  and that is
certainly not what you appear to be after...

> - doing the rest of the iptables stuff using 
>     eth2 as the internet and eth3 as the local net

again, no--for bridging you could filter at the ebtables level (layer 2)
or use the "physdev" match to filter on specific bridge ports (the eth+
devices)

> some ascii art:
> 
>    ISP#1      ISP#2
>      |          |
> ===============================
>      |          |
>    eth0       eth1
>      |          |
>      ---bridge---
>          eth2
> 	  |   
>        iptables   (linux box)
>          masq
>           |
> 	 eth3
> 	  |
> ===============================
> 	  |
>      local network
>     
> Now since I still have no playground for this to test, I've got these questions:
> Would this solve the problem? 

no.

> (local net have access at ISP1+ISP2 bandwidth to the internet)
> Would the total load of connections outside be balanced
> by iptables/bridge mechanism between the ISP's?

to accomplish these two goals--read:

  http://lartc.org/howto/lartc.rpdb.multiple-links.html

and also take a look at the nth patch from POM (the help file describes
load-balancing outbound connections over multiple ISP links).

> Is this the best/worst/fastest/slowest way to do this?

bridging has virtually nothing to do with solving your problem.

> How will the things change when one of the ISP's fail?

you'll write a script that pings over each upstream link and take
actions in that script when one of the links fail.

-j

--
"I saw weird stuff in that place last night. Weird, strange, sick,
 twisted, eerie, godless, evil stuff. And I want in."
	--The Simpsons