Now THIS should get a discussion going. What's the latest on load-balancing / dual-WAN / multi-WAN routers? I only see two kinds - some very old D-Link (DI-LB604) and Cisco (RV042, RV082, RV016) models, and quite a few current models from completely unheard of Oriental companies.
My actual purpose would be failover redundancy (between my two Internets, namely MTS and Shaw) at least as much as, or more so, than load balancing, but there might as well be load balancing too, since both Internets are up almost all the time.
I'm also somewhat interested in hearing about other related solutions (like a separate computer with multiple NIC's for multi-WAN, and special Linux, acting as a router) if no suitable router exists (or if such a router costs too much). Hmmm, Raspberry Pi just has one network port, right?
Hartmut Sager
On 13-03-29 05:41 AM, Hartmut W Sager wrote: <cut>
I'm also somewhat interested in hearing about other related solutions (like a separate computer with multiple NIC's for multi-WAN, and special Linux, acting as a router) if no suitable router exists (or if such a router costs too much). Hmmm, Raspberry Pi just has one network port, right?
Hartmut Sager
I haven't investigated it but I think IPCop might be a good solution here. This would be more the reverse of what was the intended purpose but it should work. An older computer should suffice in terms of hardware. Although if you pick up one at Syrotech, the RER store in Selkirk, or anywhere else (I only know of the two places selling them) there may be an issue with bad capacitors. At the Lab we have seen about a 25% replacement rate because of them. Mostly in the Dell 270 and 280 lines. OTOH, when the machines do work they work really well.
Later Mike
You may want to look at a simple OpenBSD machine rather than a Linux box. Namely for pf, and optionally carp if you want physical ha for the machine.
Equal cost multipath routing is fairly easy in Linux, although doing automatic failover requires a fairly simple external script.
On Mar 29, 2013 7:11 AM, "Mike Pfaiffer" high.res.mike@gmail.com wrote:
On 13-03-29 05:41 AM, Hartmut W Sager wrote:
<cut>
I'm also somewhat interested in hearing about other related solutions (like a separate computer with multiple NIC's for multi-WAN, and special Linux, acting as a router) if no suitable router exists (or if such a router costs too much). Hmmm, Raspberry Pi just has one network port, right?
Hartmut Sager
I haven't investigated it but I think IPCop might be a good solution here. This would be more the reverse of what was the intended purpose but it should work. An older computer should suffice in terms of hardware. Although if you pick up one at Syrotech, the RER store in Selkirk, or anywhere else (I only know of the two places selling them) there may be an issue with bad capacitors. At the Lab we have seen about a 25% replacement rate because of them. Mostly in the Dell 270 and 280 lines. OTOH, when the machines do work they work really well.
Later Mike
_______________________________________________ Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
On 2013-03-29 Hartmut W Sager wrote:
Now THIS should get a discussion going. What's the latest on load-balancing / dual-WAN / multi-WAN routers? I only see two kinds - some very old D-Link (DI-LB604) and Cisco (RV042, RV082, RV016) models, and quite a few current models from completely unheard of Oriental companies.
I've done multi-homed Linux routers. To do weird stuff without buying major expensive gear (read: Cisco enterprise, Juniper, etc) your best bet is to just do it in Linux (or BSD if you prefer, though I have no experience there).
You can select what traffic should go out what modem (by nearly any criteria since it is iptables based). I usually select it based on port (put VNC, ssh over low-latency pipes) or intranet IP (give certain machines fast / slow internet). Return packets come in the same modem as the outgoing.
I haven't yet done automatic failover but it should be fairly easy to write a script to detect pipe failure and tweak iptables to direct all traffic out just one pipe.
Your friends here are:
ip rule ... table
ip route ... table
iptables
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -t mangle
tc
(and maybe more I'm forgetting, this is from memory at the moment!)
and you can do QoS fairly easily at the same time.
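The per-link routing tables, fwmark-based link selection and ping-driven failover that Trevor sketches above, as an added shell example that is not from the thread or any of its posters. Interface names, addresses, gateways, table numbers and the probe address are constructed placeholders; the script prints the commands it would run unless DRY_RUN=0 (which needs root on a real dual-WAN box):

```shell
#!/bin/sh
# Added example, not from the thread: dual-WAN policy routing on Linux with
# one routing table per link, fwmark-based link selection and a failover check.
# All interface names, addresses, gateways and table numbers are placeholders.
set -u

WAN1_IF=eth1; WAN1_IP=192.0.2.10;    WAN1_GW=192.0.2.1;    WAN1_TABLE=101  # "MTS" side
WAN2_IF=eth2; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1; WAN2_TABLE=102  # "Shaw" side
LAN_IF=eth0
PROBE=8.8.8.8          # host pinged through each link to judge it up (assumption)
DRY_RUN=${DRY_RUN:-1}  # 1 = print commands, 0 = execute them (requires root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One table per link. Traffic sourced from a link's own address, or marked for
# it in the mangle table, leaves via that link, so replies go back out the
# modem they arrived on (the behaviour Trevor observes).
setup_policy_routing() {
  run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$WAN1_TABLE"
  run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
  run ip rule add from "$WAN1_IP" table "$WAN1_TABLE"
  run ip rule add from "$WAN2_IP" table "$WAN2_TABLE"
  run ip rule add fwmark 1 table "$WAN1_TABLE"
  run ip rule add fwmark 2 table "$WAN2_TABLE"
  # Example selection rule: ssh from the LAN is steered out WAN1 (the low-latency link).
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 22 -j MARK --set-mark 1
  # Strict reverse-path filtering (1) drops replies on the "other" link; loose
  # mode (2) only requires that the source be reachable somewhere, which keeps
  # some spoofing protection instead of switching the filter off with 0.
  run sysctl -w net.ipv4.conf."$WAN1_IF".rp_filter=2
  run sysctl -w net.ipv4.conf."$WAN2_IF".rp_filter=2
}

# Probe a link by forcing the ping out that interface; exit status 0 = up.
link_up() { ping -c 2 -W 2 -I "$1" "$PROBE" >/dev/null 2>&1; }

# Pure decision logic, separated from probing so it can be tested offline:
# given up/down for each link, name the default route the main table should carry.
pick_default() {
  case "$1:$2" in
    up:up)   echo both ;;
    up:down) echo wan1 ;;
    down:up) echo wan2 ;;
    *)       echo none ;;
  esac
}

# Replace the main table's default route: equal-cost multipath when both links
# are up, a single gateway when only one is, untouched when neither answers.
apply_default() {
  case "$1" in
    both) run ip route replace default scope global \
              nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 1 \
              nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1 ;;
    wan1) run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" ;;
    wan2) run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" ;;
    none) echo "both links down, leaving routes untouched" >&2 ;;
  esac
}

# The failover check Trevor mentions: run from cron every minute or in a loop.
failover_check() {
  s1=down; s2=down
  link_up "$WAN1_IF" && s1=up
  link_up "$WAN2_IF" && s2=up
  apply_default "$(pick_default "$s1" "$s2")"
}

case "${1:-}" in
  setup) setup_policy_routing ;;
  check) failover_check ;;
esac
```

Run `sh multiwan.sh setup` once (after the WAN interfaces have their addresses) and `sh multiwan.sh check` periodically. The multipath default route balances new flows per destination; the `from <WAN IP>` rules are what keep inbound connections symmetric, and the mangle mark is the hook for Trevor's per-port or per-host steering.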
Wow, that is a winning reply! Thanks, Trevor.
Hartmut Sager
On 31 March 2013 02:47, Trevor Cordes trevor@tecnopolis.ca wrote:
On 2013-03-29 Hartmut W Sager wrote:
Now THIS should get a discussion going. What's the latest on load-balancing / dual-WAN / multi-WAN routers? I only see two kinds - some very old D-Link (DI-LB604) and Cisco (RV042, RV082, RV016) models, and quite a few current models from completely unheard of Oriental companies.
I've done multi-homed Linux routers. To do weird stuff without buying major expensive gear (read: Cisco enterprise, Juniper, etc) your best bet is to just do it in Linux (or BSD if you prefer, though I have no experience there).
You can select what traffic should go out what modem (by nearly any criteria since it is iptables based). I usually select it based on port (put VNC, ssh over low-latency pipes) or intranet IP (give certain machines fast / slow internet). Return packets come in the same modem as the outgoing.
I haven't yet done automatic failover but it should be fairly easy to write a script to detect pipe failure and tweak iptables to direct all traffic out just one pipe.
Your friends here are:
ip rule ... table
ip route ... table
iptables
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -t mangle
tc
(and maybe more I'm forgetting, this is from memory at the moment!)
and you can do QoS fairly easily at the same time.
Keep in mind that turning off rp filter means that packets which match an IP for any interface will be accepted on all.
That is why I suggested OBSD.
Not so bad if you're on MTS, as they'll block before the tunnel, but I've run into issues with someone on Shaw with a misconfigured router.
Of course, if you use iptables properly the likelihood of someone getting source and dest is pretty low.
Rob
On Mar 31, 2013 5:29 AM, "Hartmut W Sager" hwsager@marityme.net wrote:
Wow, that is a winning reply! Thanks, Trevor.
Hartmut Sager
On 31 March 2013 02:47, Trevor Cordes trevor@tecnopolis.ca wrote:
On 2013-03-29 Hartmut W Sager wrote:
Now THIS should get a discussion going. What's the latest on load-balancing / dual-WAN / multi-WAN routers? I only see two kinds - some very old D-Link (DI-LB604) and Cisco (RV042, RV082, RV016) models, and quite a few current models from completely unheard of Oriental companies.
I've done multi-homed Linux routers. To do weird stuff without buying major expensive gear (read: Cisco enterprise, Juniper, etc) your best bet is to just do it in Linux (or BSD if you prefer, though I have no experience there).
You can select what traffic should go out what modem (by nearly any criteria since it is iptables based). I usually select it based on port (put VNC, ssh over low-latency pipes) or intranet IP (give certain machines fast / slow internet). Return packets come in the same modem as the outgoing.
I haven't yet done automatic failover but it should be fairly easy to write a script to detect pipe failure and tweak iptables to direct all traffic out just one pipe.
Your friends here are:
ip rule ... table
ip route ... table
iptables
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -t mangle
tc
(and maybe more I'm forgetting, this is from memory at the moment!)
and you can do QoS fairly easily at the same time.
On 2013-03-31 Robert Keizer wrote:
Keep in mind that turning off rp filter means that packets which match an IP for any interface will be accepted on all.
Is that what it does? I just remember multihome just would not work at all until I set rp to 0.
Also, I've found in my tests that the packets always come back to the correct modem. I've never seen any randomness; packets coming back into the wrong modem.
I have no idea how iptables/netfilter and/or the kernel even would react to such packets if they did exist.
Either way, if it's not a security issue and if it all works as-is, I'm not too concerned :-)
On 2013-04-02 01:50, Trevor Cordes wrote:
On 2013-03-31 Robert Keizer wrote:
Keep in mind that turning off rp filter means that packets which match an IP for any interface will be accepted on all.
Is that what it does? I just remember multihome just would not work at all until I set rp to 0.
"RP" stands for "Reverse Path". The RP Filter filters out any traffic that could/should not reasonably have arrived on that interface, based on the routing tables. So if you receive a packet from, say, 8.8.8.8, it will be dropped UNLESS there's an active route pointing to 8.8.8.8 out that interface.
Also, I've found in my tests that the packets always come back to the correct modem. I've never seen any randomness; packets coming back into the wrong modem.
That would be essentially impossible in your case. It can and does happen with multihomed addresses that are portable, i.e. the same IP address(es) are reachable through more than one path (or ISP).
I have no idea how iptables/netfilter and/or the kernel even would react to such packets if they did exist.
With rp_filter=0, they would be accepted. With rp_filter=1, they might be accepted, depending on your routing table.
Either way, if it's not a security issue and if it all works as-is, I'm not too concerned :-)
Well, a spoofing risk does exist but in a multi-homed scenario is almost irrelevant by design. If you're simultaneously connected to Shaw and MTS, you could in theory filter Shaw's netblock on the MTS link (and vice-versa) on the assumption that the "best" route from any internal Shaw IP to you would be via the Shaw cable modem and never the MTS DSL modem. It's a pretty small risk, IMHO. The design of both networks makes it very difficult to do that kind of spoofing.
-Adam
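Adam's suggestion of filtering each ISP's netblock on the other link (the check that strict rp_filter would otherwise do for you, plus the usual "our own LAN may not arrive from the outside" rule), as an added shell example that is not from the thread or any of its posters. The netblocks are RFC 5737 documentation ranges standing in for the real MTS and Shaw allocations, the interface names are assumptions, and commands are printed unless DRY_RUN=0:

```shell
#!/bin/sh
# Added example, not from the thread: explicit anti-spoofing ingress rules for a
# dual-WAN Linux router that has relaxed rp_filter. Netblocks are documentation
# ranges used as placeholders; interface names are assumptions.
set -u

WAN1_IF=eth1; WAN1_NET=192.0.2.0/24      # "MTS" link and its placeholder netblock
WAN2_IF=eth2; WAN2_NET=198.51.100.0/24   # "Shaw" link and its placeholder netblock
LAN_NET=10.0.0.0/24                      # internal network behind the router
DRY_RUN=${DRY_RUN:-1}                    # 1 = print commands, 0 = execute (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Build one chain per WAN interface: a packet arriving there whose source
# claims to be the other ISP's block, our own LAN, or loopback cannot be
# legitimate, so it is logged (for detection) and dropped.
#   $1 = interface; remaining args = source netblocks that may not appear on it
antispoof_chain() {
  iface=$1; shift
  run iptables -N "spoof_$iface"
  for net in "$@"; do
    run iptables -A "spoof_$iface" -s "$net" -j LOG --log-prefix "SPOOF $iface: "
    run iptables -A "spoof_$iface" -s "$net" -j DROP
  done
  run iptables -A "spoof_$iface" -j RETURN
  # Hook the chain in early for traffic to the router and traffic it forwards.
  run iptables -I INPUT 1 -i "$iface" -j "spoof_$iface"
  run iptables -I FORWARD 1 -i "$iface" -j "spoof_$iface"
}

# Shaw's block may not show up on the MTS modem and vice versa, per Adam's note.
setup_antispoof() {
  antispoof_chain "$WAN1_IF" "$WAN2_NET" "$LAN_NET" 127.0.0.0/8
  antispoof_chain "$WAN2_IF" "$WAN1_NET" "$LAN_NET" 127.0.0.0/8
}

case "${1:-}" in
  setup) setup_antispoof ;;
esac
```

The LOG rule is what makes this useful operationally: a burst of "SPOOF eth2:" lines in the kernel log is exactly the misconfigured-router or spoofing case Rob and Adam describe, and it is visible even when the drop itself is harmless.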