* [LARTC] Setting up dual WAN firewalling bridge
@ 2004-04-21 21:19 Daniel Larsson
From: Daniel Larsson @ 2004-04-21 21:19 UTC (permalink / raw)
To: lartc
I currently have a 6mbit DSL line with a /28 block of static IP numbers.
My DSL modem is in bridge mode, so I do not have a router. Because I
don't want to put all my machines directly on the internet without some
kind of firewall, I put a Linux machine between my DSL modem and my LAN,
like this:
DSL Modem --> eth0 Linux bridge/firewall/shaper eth1 --> LAN
I need more bandwidth though (uplink), since I'm connected around 10
hours per day from work to home (long story short, can't install any
software of my own, can't read my own e-mail etc, so I'm connecting
through remote desktop home, to be able to do that), while I'm also
hosting a webserver and a few other things at home which sometimes bogs
down the connection so much that remote desktop is unusable. So I've
ordered a second DSL line, this one with only a dynamic IP number, but
other than that, the same speed etc (although it will be PPPoE with the
associated overhead).
Now, what I would like to do is connect the second DSL line to the Linux
bridge/firewall, and automatically load balance a couple of things over
line 2. First of all, I'd like to somehow double my uplink. Not knowing
if this is entirely possible, but I figure that in theory it works, I
could just send 50% of the outgoing packets on line 1, 50% on the other,
and all incoming packets would be coming in on line 1 (since the replies
would be coming to the source address, the public IP that is on line 1).
If my ISP is filtering packets with an incorrect source address or
something I'm in trouble, but if they don't, it should work, right? If I
can't get this to work, I'm happy with just connecting to the dynamic IP
whenever I need to RDP/VNC into my machine at home, so it's not
critical, but nice, to get the double uplink speed.
The second thing I'd like to do is load balance HTTP connections
(outgoing) over both links (and possibly other things like BitTorrent
etc), so I'd get around 10mbit for downloads. I figure this can be done
by NATing line 2 with my public IP numbers on the inside, and somehow
just select a different gateway for connections (packets?) on a
round-robin basis or something like that (or even better, by putting the
new connections on the line with the least traffic at the moment). It is
important that I can do this for only HTTP (and select other
applications). I figure a workaround for this, if it isn't easily
implementable, would be to do transparent WWW proxying with Squid or
something similar, and somehow send half the connections on one
interface and half on the other... in case the kernel can't do it. I
realize, of course, that to get 10mbit downloads, I'll need to have
multiple connections open to the server I download from (unless I'm
missing something).
I'm new at this, and don't really know where to start. What complicates
it even more for me is the fact that my box will be BOTH a bridge and a
router in this scenario.
Any pointers etc will be very much appreciated.
/dml
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
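One way to do the per-application part (HTTP out over line 2, everything else still bridged to line 1), as an added example that is neither from the post above nor from the LARTC HOWTO. It assumes eth0 is line 1 (static /28, bridged to the LAN on eth1 via br0), ppp0 is line 2 (PPPoE, dynamic IP), and LAN_NET is a placeholder for the /28; ebtables' broute table pulls the chosen frames out of the bridge so the IP stack routes them, an fwmark selects a routing table whose default route is ppp0, and MASQUERADE rewrites the public /28 source addresses to the dynamic address so replies come back on line 2.

```shell
#!/bin/sh
# Added example, not the original post's configuration. Assumed names:
# eth1 = bridge port facing the LAN, ppp0 = line 2 (PPPoE), LAN_NET = the /28.
# Prints the commands by default; run as root with APPLY=1 to execute them.
LAN_NET="${LAN_NET:-203.0.113.0/28}"   # placeholder /28, replace with your block
LAN_PORT="${LAN_PORT:-eth1}"           # bridge port the LAN hangs off
WAN2="${WAN2:-ppp0}"                   # line 2, PPPoE, dynamic IP
BALANCE_PORTS="${BALANCE_PORTS:-80}"   # TCP ports sent over line 2 (HTTP)
MARK=2                                 # fwmark and routing-table id for line 2

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

build_rules() {
  # 1. LAN frames to the chosen ports leave the bridge and get routed instead
  #    (in the broute table, DROP means "route"). A brouted frame is seen as
  #    arriving on the port device, so strict rp_filter there must be relaxed,
  #    otherwise the /28 source (whose route points at br0) fails the check.
  for p in $BALANCE_PORTS; do
    run ebtables -t broute -A BROUTING -i "$LAN_PORT" -p IPv4 --ip-src "$LAN_NET" \
      --ip-proto tcp --ip-dport "$p" -j redirect --redirect-target DROP
  done
  run sysctl -w "net.ipv4.conf.$LAN_PORT.rp_filter=0"
  run sysctl -w net.ipv4.ip_forward=1
  # 2. Mark every packet of those flows (not only the SYN) so the routing
  #    decision is the same for the whole connection.
  for p in $BALANCE_PORTS; do
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p tcp --dport "$p" \
      -j MARK --set-mark "$MARK"
  done
  # 3. Marked packets consult a table whose only default route is line 2.
  #    ppp0 is point-to-point, so no gateway address is needed.
  run ip route replace default dev "$WAN2" table "$MARK"
  run ip rule add fwmark "$MARK" lookup "$MARK"
  run ip route flush cache
  # 4. The /28 addresses belong to line 1, so NAT them to the PPPoE address;
  #    conntrack un-NATs the replies and they are routed back through br0.
  run iptables -t nat -A POSTROUTING -o "$WAN2" -s "$LAN_NET" -j MASQUERADE
}

build_rules
```

Unmarked traffic never touches the broute rule or table 2, so it keeps being bridged to line 1 exactly as before; adding ports to BALANCE_PORTS extends the same treatment to other applications.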