* [LARTC] Advanced routing question.
@ 2001-01-15 23:50 Daniel
2001-01-16 9:38 ` Arthur
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Daniel @ 2001-01-15 23:50 UTC (permalink / raw)
To: lartc
<PRE>Before I start with the nightmare setup I'd like to say I've read all the
docs I could get my hands on along with looking at commercial products
(Cisco router, checkpoint firewall, and Vicomsoft Internet Gateway) trying
to get this to work with very limited success.
My setup:
Ethernet Internet Connection 207.152.31.185/24 gw 207.152.31.1 (T1
connection)
DSL Ethernet Connection 216.254.12.42/24 gw 216.254.12.42 (256k SDSL)
LAN Ethernet Connection 192.168.181.254/24 (NAT'd)
Behind the "firewall" machine sits a number of boxes:
192.168.181.252 - Internal DNS and squid proxy server.
192.168.181.251 - External DNS server and external webserver
192.168.181.250 - Internet DNS and external webserver
192.168.181.1-10 - DHCP windows clients
Now I have some basic port translation going on to get the webservers
alias'd to the internet connections and such but nothing overly fancy. Keep
in mind that I can _not_ use any routing protocols via either of these
connections. Here is what I need to do:
1> Set up traffic shaping to allow the windows clients behind the NAT to
browse the internet using both internet connections. An important part of
this is that incoming traffic _must_ be answered through the NAT via the
same ip address that it came in on. (NOTE: This is the major problem with
Vicomsoft Internet Gateway software as it will just pick either of the 2
internet connections to reply on, and therefore a number of things - most
importantly games that use UDP packets - stop working correctly or have a
huge amount of packet loss due to packets being answered with a different
source ip than the host connected on).
2> Set up a failover method so that if either internet connection were
to fail it would start routing all outbound traffic over that link.
3> Allow simple port translation so that I can alias 207.152.31.185
port 22 to 192.168.181.251 port 22.
So the question is can Linux using Advanced routing be used to solve these
problems? If so could you please point me to an example setup? If not do
you know of _any_ possible solution to get this setup working? Again, I'm
sorry if I've missed this reading the HOWTO please point me in the right
direction.
-------------------
JayC Daniel
Senior Security Engineer
Security Integration
HCAHealthcare
615-344-6988
<A HREF="mailto:jay.daniel@hcahealthcare.com">jay.daniel@hcahealthcare.com</A>
</PRE>
* [LARTC] Advanced routing question.
2001-01-15 23:50 [LARTC] Advanced routing question Daniel
@ 2001-01-16 9:38 ` Arthur
2001-01-16 10:13 ` Paul
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Arthur @ 2001-01-16 9:38 UTC (permalink / raw)
To: lartc
<PRE>On Mon, 15 Jan 2001, Daniel Jay wrote:
[snip]
> Ethernet Internet Connection 207.152.31.185/24 gw 207.152.31.1 (T1
> connection)
> DSL Ethernet Connection 216.254.12.42/24 gw 216.254.12.42 (256k SDSL)
> LAN Ethernet Connection 192.168.181.254/24 (NAT'd)
[snip]
> Now I have some basic port translation going on to get the webservers
> alias'd to the internet connections and such but nothing overly fancy. Keep
> in mind that I can _not_ use any routing protocols via either of these
> connections. Here is what I need to do:
>
> 1> Set up traffic shaping to allow the windows clients behind the NAT to
> browse the internet using both internet connections. An important part of
> this is that incoming traffic _must_ be answered through the NAT via the
> same ip address that it came in on. (NOTE: This is the major problem with
> Vicomsoft Internet Gateway software as it will just pick either of the 2
> internet connections to reply on, and therefore a number of things - most
> importantly games that use UDP packets - stop working correctly or have a
> huge amount of packet loss due to packets being answered with a different
> source ip than the host connected on).
>
> 2> Set up a failover method so that if either internet connection were
> to fail it would start routing all outbound traffic over that link.
>
> 3> Allow simple port translation so that I can alias 207.152.31.185
> port 22 to 192.168.181.251 port 22.
>
> So the question is can Linux using Advanced routing be used to solve these
> problems? If so could you please point me to an example setup? If not do
> you know of _any_ possible solution to get this setup working? Again, I'm
> sorry if I've missed this reading the HOWTO please point me in the right
> direction.
Yes. Linux using Advanced Routing can be used to solve these problems, but
for problem 2: at the IP level there is no way to figure out whether or not a
link is down. Of course, you can approximate problem 2, but you have no
guarantees that the problem lies with the link and not with the servers you
test your connectivity against, or the infrastructure to those servers
beyond your direct link.
There have been some postings on the mailing list on exactly the kind of
setup you want. Look into the threads 'Can't use two links on a linux box'
and 'Can't use two links on a linux box - correction/addition' in the
archives at <A HREF="http://mailman.ds9a.nl/pipermail/lartc/2000q4/thread.html">http://mailman.ds9a.nl/pipermail/lartc/2000q4/thread.html</A>
Doei, Arthur. (Maybe I should 'steal' some of my boss' time to write this
stuff up for the HOWTO...)
--
/\ / | <A HREF="mailto:arthurvl@sci.kun.nl">arthurvl@sci.kun.nl</A> | Work like you don't need the money
/__\ / | A friend is someone with whom | Love like you have never been hurt
/ \/__ | you can dare to be yourself | Dance like there's nobody watching
</PRE>
* [LARTC] Advanced routing question.
2001-01-15 23:50 [LARTC] Advanced routing question Daniel
2001-01-16 9:38 ` Arthur
@ 2001-01-16 10:13 ` Paul
2001-01-16 10:17 ` Arthur
2001-01-16 14:56 ` Daniel
3 siblings, 0 replies; 5+ messages in thread
From: Paul @ 2001-01-16 10:13 UTC (permalink / raw)
To: lartc
<PRE>On Tue, 16 Jan 2001, Arthur van Leeuwen wrote:
> > 2> Set up a failover method so that if either internet connection were
> > to fail it would start routing all outbound traffic over that link.

> Yes. Linux using Advanced Routing can be used to solve these problems, but
> for problem 2: at the IP level there is no way to figure out whether or not a
> link is down. Of course, you can approximate problem 2, but you have no
> guarantees that the problem lies with the link and not with the servers you
> test your connectivity against, or the infrastructure to those servers
> beyond your direct link.
What happens if you use the bonding driver and one of the two parts of the
link goes down? Is that transparent?
(Of course this is not a solution you want if your fallback is some expensive
slow line, but if the lines are equal in cost (or it doesn't cost more at all
to have the fallback 'online' all the time) this might be a solution.)
Paul
</PRE>
* [LARTC] Advanced routing question.
2001-01-15 23:50 [LARTC] Advanced routing question Daniel
2001-01-16 9:38 ` Arthur
2001-01-16 10:13 ` Paul
@ 2001-01-16 10:17 ` Arthur
2001-01-16 14:56 ` Daniel
3 siblings, 0 replies; 5+ messages in thread
From: Arthur @ 2001-01-16 10:17 UTC (permalink / raw)
To: lartc
<PRE>On Tue, 16 Jan 2001, Paul Wouters wrote:
> On Tue, 16 Jan 2001, Arthur van Leeuwen wrote:
>
> > > 2> Set up a failover method so that if either internet connection were
> > > to fail it would start routing all outbound traffic over that link.
>
> > Yes. Linux using Advanced Routing can be used to solve these problems, but
> > for problem 2: at the IP level there is no way to figure out whether or not a
> > link is down. Of course, you can approximate problem 2, but you have no
> > guarantees that the problem lies with the link and not with the servers you
> > test your connectivity against, or the infrastructure to those servers
> > beyond your direct link.
>
> What happens if you use the bonding driver and one of the two parts of the
> link goes down? Is that transparent?
What bonding driver? And no, a link failing is *not* transparent. It will
lead to intermittent connectivity problems, as the multipath routing code
will randomly keep selecting the failed link as well as the one still working.
You will have to do active monitoring. Yes, polling. Unfortunately. Let's
all hope for IPv6 and true NUD...
Doei, Arthur.
--
/\ / | <A HREF="mailto:arthurvl@sci.kun.nl">arthurvl@sci.kun.nl</A> | Work like you don't need the money
/__\ / | A friend is someone with whom | Love like you have never been hurt
/ \/__ | you can dare to be yourself | Dance like there's nobody watching
</PRE>
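Arthur's point above, that multipath routing keeps handing packets to a dead nexthop and that failover therefore needs active polling, as an added example (not code from the thread or from the LARTC HOWTO). It assumes interface names eth0 (T1) and eth1 (DSL), a probe target of your choosing, and a DSL gateway placeholder, since the post lists the DSL host address as its own gateway. Arthur's caveat is built in: a failed probe only says that the target could not be reached through that link, not that the link itself is down, which is why the script never removes the last working route and only changes the route when the probe result changes.

```shell
#!/bin/sh
# Added example, not from the thread: poll both uplinks and rewrite the default
# route when a probe through one of them fails. Interface names, the probe
# target and the DSL gateway are assumptions (placeholders), not from the post.

T1_GW=${T1_GW:-207.152.31.1}        # gateway from Daniel's post
DSL_GW=${DSL_GW:-216.254.12.1}      # placeholder: the post lists the host address as its own gateway
T1_IF=${T1_IF:-eth0}
DSL_IF=${DSL_IF:-eth1}
PROBE_TARGET=${PROBE_TARGET:-198.51.100.1}   # placeholder (documentation range); pick a host you may probe
INTERVAL=${INTERVAL:-10}

# probe_link IFACE: returns 0 if the probe target answers when the echo request is
# forced out of IFACE. Binding to the device is what makes the test per-link;
# a failure may still be the target or the path beyond the link (Arthur's caveat).
probe_link() {
    ping -c 2 -W 2 -I "$1" "$PROBE_TARGET" >/dev/null 2>&1
}

# choose_default T1_STATE DSL_STATE: pure decision logic, takes "up"/"down" for
# each link and prints the argument list for 'ip route replace default'.
# Both up: keep load sharing via a multipath route. One up: single nexthop.
# Both down: print nothing, so the caller leaves the current route alone.
choose_default() {
    case "$1/$2" in
        up/up)   echo "nexthop via $T1_GW dev $T1_IF weight 1 nexthop via $DSL_GW dev $DSL_IF weight 1" ;;
        up/down) echo "via $T1_GW dev $T1_IF" ;;
        down/up) echo "via $DSL_GW dev $DSL_IF" ;;
        *)       echo "" ;;
    esac
}

# apply_default SPEC: prints the command it would run; executes it only when
# APPLY=1 (requires root). Returns 1 when both links failed, so state is not updated.
apply_default() {
    if [ -z "$1" ]; then
        echo "both links failed probes; keeping current default route" >&2
        return 1
    fi
    echo "ip route replace default $1"
    if [ "${APPLY:-0}" = 1 ]; then ip route replace default $1; fi
    return 0
}

# monitor: poll every INTERVAL seconds and touch the route only when the
# computed spec differs from the last one applied (no churn on steady state).
monitor() {
    prev=""
    while :; do
        t1=down;  probe_link "$T1_IF"  && t1=up
        dsl=down; probe_link "$DSL_IF" && dsl=up
        spec=$(choose_default "$t1" "$dsl")
        if [ "$spec" != "$prev" ]; then
            apply_default "$spec" && prev=$spec
        fi
        sleep "$INTERVAL"
    done
}

# Usage: sh failover.sh run            (prints the route changes it would make)
#        APPLY=1 sh failover.sh run    (actually replaces the default route)
if [ "${1:-}" = run ]; then monitor; fi
```

Run it without APPLY=1 first and watch what it prints across a deliberate link outage before letting it touch the routing table; when both probes fail at once the script deliberately does nothing, because replacing the route with nothing would be worse than keeping a possibly-working one.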
* [LARTC] Advanced routing question.
2001-01-15 23:50 [LARTC] Advanced routing question Daniel
` (2 preceding siblings ...)
2001-01-16 10:17 ` Arthur
@ 2001-01-16 14:56 ` Daniel
3 siblings, 0 replies; 5+ messages in thread
From: Daniel @ 2001-01-16 14:56 UTC (permalink / raw)
To: lartc
<PRE>I saw the example from 'Can't use two links on a linux box -
correction/addition' but there were a couple of differences in his setup that
concerned me, first was he was only running NAT on 1 of his 2 connections.
My second and more important concern with using NAT and Linux is how do you
make sure that if X computer starts a UDP connection with the outside world
that all traffic on that connection comes from the same outside IP address
(be it the dsl line or the T1 line)?
-----Original Message-----
From: Arthur van Leeuwen [mailto:<A HREF="mailto:arthurvl@sci.kun.nl">arthurvl@sci.kun.nl</A>]
Sent: Tuesday, January 16, 2001 3:39 AM
To: Daniel Jay
Cc: '<A HREF="mailto:lartc@mailman.ds9a.nl">lartc@mailman.ds9a.nl</A>'
Subject: Re: [LARTC] Advanced routing question.
On Mon, 15 Jan 2001, Daniel Jay wrote:
[snip]
Yes. Linux using Advanced Routing can be used to solve these problems, but
for problem 2: at the IP level there is no way to figure out whether or not a
link is down. Of course, you can approximate problem 2, but you have no
guarantees that the problem lies with the link and not with the servers you
test your connectivity against, or the infrastructure to those servers
beyond your direct link.
There have been some postings on the mailing list on exactly the kind of
setup you want. Look into the threads 'Can't use two links on a linux box'
and 'Can't use two links on a linux box - correction/addition' in the
archives at <A HREF="http://mailman.ds9a.nl/pipermail/lartc/2000q4/thread.html">http://mailman.ds9a.nl/pipermail/lartc/2000q4/thread.html</A>
Doei, Arthur. (Maybe I should 'steal' some of my boss' time to write this
stuff up for the HOWTO...)
--
/\ / | <A HREF="mailto:arthurvl@sci.kun.nl">arthurvl@sci.kun.nl</A> | Work like you don't need the money
/__\ / | A friend is someone with whom | Love like you have never been hurt
/ \/__ | you can dare to be yourself | Dance like there's nobody watching
</PRE>
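Daniel's requirements 1 and 3 from the first post (replies must leave through the address they arrived on; alias 207.152.31.185 port 22 to 192.168.181.251) and the follow-up concern above (a NATed UDP flow must keep one outside address for its whole life) are all solved by the same mechanism: one routing table per uplink, selected by source address for the router's own traffic and by a connection mark for forwarded traffic. The example below is added here and is not code from the thread or the LARTC HOWTO; it uses the addresses Daniel posted, while interface names, table numbers, rule priorities, mark values and the DSL gateway are assumptions. It prints the iproute2 and iptables commands it would run and executes them only with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: policy routing for two uplinks, connection
# marking so every packet of a flow keeps its uplink (and public address), and
# the port-22 DNAT from the post. Addresses are the ones Daniel posted; interface
# names, table numbers, priorities, mark values and DSL_GW are assumptions.
T1_IF=${T1_IF:-eth0};   T1_IP=207.152.31.185;  T1_GW=207.152.31.1
DSL_IF=${DSL_IF:-eth1}; DSL_IP=216.254.12.42;  DSL_GW=${DSL_GW:-216.254.12.1}  # placeholder gateway
LAN_NET=192.168.181.0/24
SSH_HOST=192.168.181.251

# Routing: a table per uplink holding only that uplink's default route. Packets
# are steered into a table by source address (the router's own replies) or by
# fwmark (forwarded, NATed flows). LAN destinations go to 'main' first so the
# per-uplink tables never swallow internal traffic. Outbound traffic with no
# mark yet is load-shared by the multipath default route in 'main'.
policy_routing_cmds() {
    cat <<EOF
ip route add default via $T1_GW dev $T1_IF table 101
ip route add default via $DSL_GW dev $DSL_IF table 102
ip rule add to $LAN_NET lookup main priority 100
ip rule add from $T1_IP lookup 101 priority 200
ip rule add from $DSL_IP lookup 102 priority 201
ip rule add fwmark 1 lookup 101 priority 210
ip rule add fwmark 2 lookup 102 priority 211
ip route replace default nexthop via $T1_GW dev $T1_IF weight 1 nexthop via $DSL_GW dev $DSL_IF weight 1
EOF
}

# Marking: the first packet of a connection gets the mark of the uplink it came
# in on (inbound) or was routed out of (LAN-originated). Every later packet, in
# either direction, has the mark restored from conntrack before routing, so the
# fwmark rules send it through the same uplink. This is what keeps a NATed UDP
# flow on one outside address, and why the DNAT reply goes back out via T1:
# the reply's source is only rewritten after routing, so the mark must carry it.
mark_cmds() {
    cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $T1_IF -m conntrack --ctstate NEW -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i $DSL_IF -m conntrack --ctstate NEW -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -o $T1_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $DSL_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
EOF
}

# NAT: SNAT per uplink so the public address matches the link in use, plus the
# port-22 alias from the post, accepted only on the T1 address it is aliased to.
nat_cmds() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $LAN_NET -o $T1_IF -j SNAT --to-source $T1_IP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $DSL_IF -j SNAT --to-source $DSL_IP
iptables -t nat -A PREROUTING -i $T1_IF -d $T1_IP -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST:22
EOF
}

# Forwarding on; loose reverse-path filtering so a multi-homed box does not
# drop packets whose best reverse route points at the other uplink.
sysctl_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=2
EOF
}

# Print every command; execute them as well when APPLY=1 (root required).
apply_all() {
    { sysctl_cmds; policy_routing_cmds; mark_cmds; nat_cmds; } | while IFS= read -r cmd; do
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; fi
    done
}

# Usage: sh dual-uplink.sh           (dry run, prints the commands)
#        APPLY=1 sh dual-uplink.sh   (applies them)
if [ "${1:-}" != "" ] || [ "${APPLY:-0}" = 1 ]; then apply_all; fi
```

Two things worth checking after applying: `ip rule show` should list the LAN rule before the per-uplink rules, and `conntrack -L` (or /proc/net/nf_conntrack) should show mark=1 on a connection that arrived via T1 and mark=2 on one that arrived via the DSL line; if the marks are zero, the mangle rules are not seeing the packets and replies will be load-shared again. Tables 101 and 102 hold only a default route on purpose; any extra directly connected prefix the uplinks need must be added to them as well.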