From: "William L. Thomson Jr." <support@obsidian-studios.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Dual T1's and firewalls/Nat, Help?
Date: Fri, 18 Jul 2003 18:44:48 +0000 [thread overview]
Message-ID: <marc-lartc-105855398601899@msgid-missing> (raw)
In-Reply-To: <marc-lartc-105854851828052@msgid-missing>
On Fri, 2003-07-18 at 13:13, Jerry Amundson wrote:
> Hi.
> I'm new to these tools, but well versed in Linux and networking, and I
> just haven't found out some general stuff by going through the HOWTO's!
You have the links to Julian's patches and the nano-howto, right?
If not, I would check out the FAQ @ http://www.docum.org/.
There are links there as well as some command examples from a dual SDSL
config I had out in CA.
> We have two (2) Internet T1's (different providers), each connected to
> individual routers (one a Cisco, the other an Adtran, if it matters),
> which are kept apart from the internal networks by two (2) Cisco PIX
> firewall devices. The latter do NAT/PAT, in addition to normal network
> protection. One (1) firewall/T1 is currently "primary" as it is the
> Default Gateway for everything inside.
>
> My *goal* is to put a Linux router in place as the Default Gateway to
> be redundant and load balance across the T1's.
>
> Q1: I'm in the right place, right? :-)
Yes, however there has been some discussion of using BGP instead of
using a load balancing Linux router. Not sure if you looked into that
first or not.
> Q2: Assuming I am in the right place, the part I don't understand is
> how to fit the Linux router in with the existing firewalls.
You can put it before or after the firewalls. I think your second
diagram will be the way to go. However you will need to do NAT on the
Linux router in order to get the load balancing to work correctly.
So the question then is: do you want to do NAT before or after your
firewalls? More than likely you will be doing more than one round of
NAT/PAT.
> In a picture, we have:
> ----------------------
> - DMZ1
> ISP1 - R1 -ONet1-Firewall1-|
> - INet1 <-> [internal NIC, Default Gateway]
>
>
> ISP2 - R2 -ONet2-Firewall2-- DMZ2
>
> And what we would like:
> -----------------------
> - DMZ1
> ISP1 - R1 -ONet1-Firewall1-|
> - INet1 -| |
> | Linux Router | <-> [new Gateway]
> ISP2 - R2 -ONet2-Firewall2-- DMZ2 ---| |
>
> I can revisit the HOWTO's, and many fine sites referenced in this list,
> but I wanted to make sure I was on the right track...
Yep, just keep in mind packets originating on the LAN destined for the
Internet will use the multipath gateway.
To achieve load balancing from the Internet in to the LAN, you will need
to configure your DNS servers to load balance the IPs with the
corresponding domain name.
This is quick and fairly painless when using BIND.
> Please be gentle - I don't even know what the abbreviations tc, htb, or
> imq mean, yet!!
Those are all for traffic shaping, which you may or may not want to do.
However, it really does not have anything to do with the load
balanced/redundant access.
Just as a thought: depending on what you are doing with the PIXes, if
you can replicate the functionality solely on the Linux router, then do
so. Then you can turn around and sell or get rid of your PIXes. It may
help to simplify things a bit.
--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios, Inc.
3548 Jamestown Ln.
Jacksonville, FL 32223
Phone/Fax 904.260.2445
http://www.obsidian-studios.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
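The second diagram in the thread, a Linux router behind both firewalls holding a multipath default route and doing its own NAT per uplink, is what the reply above describes in words. The script below is an added example, not something from the thread or from the LARTC project: it builds the iproute2 multipath default route, the per-ISP routing tables and rules that keep reply traffic on the uplink it arrived on (the part that breaks when each uplink is NATed), and the SNAT rules for each outbound interface. Interface names, the 198.51.100.0/24 and 203.0.113.0/24 uplink prefixes, the LAN prefix, and routing table numbers 1 and 2 are all assumptions; `DRY_RUN=1` (the default when run with no argument) only prints the commands so the plan can be reviewed before `apply` is run as root.

```shell
#!/bin/sh
# Added example (not the thread's or LARTC's own code): dual-uplink Linux
# gateway with a multipath default route, per-ISP return-path tables and
# per-uplink SNAT. All addresses, interface names and table numbers are
# assumptions; run with "apply" as root to execute, anything else to plan.
set -eu

# --- assumed topology -------------------------------------------------------
LAN_IF=${LAN_IF:-eth0};  LAN_NET=${LAN_NET:-192.168.10.0/24}
WAN1_IF=${WAN1_IF:-eth1}; WAN1_IP=${WAN1_IP:-198.51.100.2}
WAN1_GW=${WAN1_GW:-198.51.100.1}; WAN1_NET=${WAN1_NET:-198.51.100.0/24}
WAN2_IF=${WAN2_IF:-eth2}; WAN2_IP=${WAN2_IP:-203.0.113.2}
WAN2_GW=${WAN2_GW:-203.0.113.1}; WAN2_NET=${WAN2_NET:-203.0.113.0/24}
DRY_RUN=${DRY_RUN:-0}

# Print the command when planning, execute it when applying.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per ISP, selected by source address, so a reply to a
# connection that came in on ISP2 (and was SNATed to WAN2_IP) leaves via
# ISP2 instead of being hashed onto the other uplink by the main table.
configure_return_path() {
    run ip route replace "$WAN1_NET" dev "$WAN1_IF" src "$WAN1_IP" table 1
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table 1
    run ip route replace "$WAN2_NET" dev "$WAN2_IF" src "$WAN2_IP" table 2
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table 2
    run ip rule add from "$WAN1_IP" table 1 priority 100
    run ip rule add from "$WAN2_IP" table 2 priority 101
}

# Equal-weight multipath default route in the main table: LAN-originated
# traffic is spread over both T1s per destination. Dead-gateway failover
# on this route is what Julian's patches add to a stock kernel.
configure_multipath_default() {
    run ip route replace default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1
}

# SNAT to the address of whichever uplink the route chose, and forward only
# LAN-originated flows plus their replies (the router is not a DMZ firewall).
configure_snat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN1_IF" \
        -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN2_IF" \
        -j SNAT --to-source "$WAN2_IP"
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
    run sysctl -w net.ipv4.ip_forward=1
}

# Planning runs in a subshell with DRY_RUN forced on; nothing is changed.
plan() (
    DRY_RUN=1
    configure_return_path
    configure_multipath_default
    configure_snat
)

apply() {
    configure_return_path
    configure_multipath_default
    configure_snat
}

if [ "${1:-plan}" = apply ]; then apply; else plan; fi
```

The order matters: the per-ISP tables and rules go in before the multipath default route so that, at no point, a reply sourced from one uplink's address can be routed out the other. Inbound balancing is a separate problem, handled in DNS as the reply says, and note that the stock 2.4-era kernel balances per destination (the route cache), not per packet, so two long downloads to the same host will share one T1.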
Thread overview:
2003-07-18 17:13 [LARTC] Dual T1's and firewalls/Nat, Help? Jerry Amundson
2003-07-18 18:44 ` William L. Thomson Jr. [this message]
2003-07-19 20:30 ` Stef Coene