Multi-WAN loadbalancing & RRAS.

I recently joined as sysadmin. Existing setup is as follows:

We have 3 ISP connections and all of them connected directly to the network
switch. all clients have 2 gateway IPs in the network config.
I read in a magazine that this setup is a unsecured & "not recommended"
setup .

I am not a expert guy. I need help for the following:
1) why is this a unsecured & "not recommended" setup ? ( I need to convince
my seniors, as this setup has been working well for past 5 years.)
2) How can I load balance multiple ISPs ?
Can I setup a RRAS with VPN server and install additional 3 NICs and connect
all the ISP to the server and on the client side create a dial-up connection
to the VPN Server? will this acheive my goal ?

Thanks in advance.

Hello raj-blr,

If you have multiple ISP connections use multiport router, that way you have
one default gateway for the client machines internally. How did you configure
the clients with multiple DG's on one NIC?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I recently joined as sysadmin. Existing setup is as follows:
>
> We have 3 ISP connections and all of them connected directly to the
> network
> switch. all clients have 2 gateway IPs in the network config.
> I read in a magazine that this setup is a unsecured & "not
> recommended"
> setup .
> I am not a expert guy. I need help for the following:
> 1) why is this a unsecured & "not recommended" setup ? ( I need to
> convince
> my seniors, as this setup has been working well for past 5 years.)
> 2) How can I load balance multiple ISPs ?
> Can I setup a RRAS with VPN server and install additional 3 NICs and
> connect
> all the ISP to the server and on the client side create a dial-up
> connection
> to the VPN Server? will this acheive my goal ?
> Thanks in advance.
>

It was configured by the previous sys admin.

In the Advanced properties of TCP/IP , there were 2 enteries for the default
gateway.

Would appreciate if you could help me with my other (refer below) queries
too.

"Meinolf Weber [MVP-DS]" wrote:

> Hello raj-blr,
>
> If you have multiple ISP connections use multiport router, that way you have
> one default gateway for the client machines internally. How did you configure
> the clients with multiple DG's on one NIC?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > I recently joined as sysadmin. Existing setup is as follows:
> >
> > We have 3 ISP connections and all of them connected directly to the
> > network
> > switch. all clients have 2 gateway IPs in the network config.
> > I read in a magazine that this setup is a unsecured & "not
> > recommended"
> > setup .
> > I am not a expert guy. I need help for the following:
> > 1) why is this a unsecured & "not recommended" setup ? ( I need to
> > convince
> > my seniors, as this setup has been working well for past 5 years.)
> > 2) How can I load balance multiple ISPs ?
> > Can I setup a RRAS with VPN server and install additional 3 NICs and
> > connect
> > all the ISP to the server and on the client side create a dial-up
> > connection
> > to the VPN Server? will this acheive my goal ?
> > Thanks in advance.
> >
>
>
>

"raj-blr" <raj-(E-Mail Removed)> wrote in message news:BC1FB115-4188-452A-AB7E-(E-Mail Removed)...
>I recently joined as sysadmin. Existing setup is as follows:
>
> We have 3 ISP connections and all of them connected directly to the network
> switch. all clients have 2 gateway IPs in the network config.
> I read in a magazine that this setup is a unsecured & "not recommended"
> setup .
>
> I am not a expert guy. I need help for the following:
> 1) why is this a unsecured & "not recommended" setup ? ( I need to convince
> my seniors, as this setup has been working well for past 5 years.)
> 2) How can I load balance multiple ISPs ?
> Can I setup a RRAS with VPN server and install additional 3 NICs and connect
> all the ISP to the server and on the client side create a dial-up connection
> to the VPN Server? will this acheive my goal ?
>
> Thanks in advance.



The only way I know of using multiple ISPs, and usually I hear of having two, not three ISPs, is having a router that supports multiple WAN links. On top of that, it won't 'load balance' rather it is for fault tolerance so when one goes down, the other one picks up the connection. It's for backup.

What is the purpose of load balancing? Increased speeds? I would think it be cheaper to go with one and increase your bandwidth with the connection, if that is the case.

As for security, if it is truly load balancing, meaning you never know which line is actually routing any specific internal traffic, then how do you keep track of who's knocking on the door trying to come in? You would have three doors in such a scenario. I've found there's enough to juggle with one door concerning traffic control, packet filtering for inbound/outbound traffic, VPN connectivity, etc.

By rights, all and any machine should have one 'default' gateway, literally the doorway out of the building, so to speak. You can have multiple gateways or doorways in a building, and a person, so to speak, can choose which door to exit by, and by the same token you can enter multiple static gateways to other subnets and such with higher metrics on a machine, but there is always only one default gateway to get out of the network.

Now for inbound traffic, such as for web servers, etc, there are devices such as BigIP that will allow you to put a farm of webservers behind it, and the outside connections would connect to the outside interface of the BigIP appliance. But for traffic load balancing with multiple ISPs, I have not heard of that.

You said in a reply to Meinolf that it was configured by a previous admin. Was it working?

Also, what magazine article did you read? Is there a link to it on the web?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay

Thanks for your reply.

Below are the answers for your queries:

> > We have 3 ISP connections
>
> Why? What purposes are these assumed to be serving?

I am just 15 days old in this company. The previous sysadmin had suggested
the management as a fail-over solution.

> What physical types of connections are these? DSL, cable, T1, what?

All three connections are DSL.

> > and all of them connected directly to the network switch.
>
> Without a router?

The ISP DSL router is directly connected to the LAN Switch.


> > all clients have 2 gateway IPs in the network config.
> For any number of reasons. More details about your current setup and the
> reasons it's done that way are needed before making suggestions.

The previous sysadmin is no more reachable.
As for the input I received, All clients have 2 gateway IPs because if one
gateway (ISP) fails the traffic will be routed to other gateway (ISP)



"Bill Kearney" wrote:

> > We have 3 ISP connections
>
> Why? What purposes are these assumed to be serving?
>
> What physical types of connections are these? DSL, cable, T1, what?
>
> > and all of them connected directly to the network switch.
>
> Without a router?
>
> > all clients have 2 gateway IPs in the network config.
> > I read in a magazine that this setup is a unsecured & "not recommended"
> > setup .
>
> For any number of reasons. More details about your current setup and the
> reasons it's done that way are needed before making suggestions.
>
> > 2) How can I load balance multiple ISPs ?
>
> Not without hardware dedicated to the purpose. Even then you may not get
> what you want. Which is, what, exactly?
>
> > Can I setup a RRAS with VPN server and install additional 3 NICs and
> > connect
> > all the ISP to the server and on the client side create a dial-up
> > connection
> > to the VPN Server? will this acheive my goal ?
>
> Where does a VPN suddenly enter into the 'goals'?
>
> A lot more detail is necessary before anyone could hope suggest effective
> solutions.
>
> -Bill Kearney
>
>

Thanks for your reply.

I have Question,

Are there any security risks in connecting the ISP DSL router directly to
the LAN switch ? If yes, what are they ?

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "raj-blr" <raj-(E-Mail Removed)> wrote in message news:BC1FB115-4188-452A-AB7E-(E-Mail Removed)...
> >I recently joined as sysadmin. Existing setup is as follows:
> >
> > We have 3 ISP connections and all of them connected directly to the network
> > switch. all clients have 2 gateway IPs in the network config.
> > I read in a magazine that this setup is a unsecured & "not recommended"
> > setup .
> >
> > I am not a expert guy. I need help for the following:
> > 1) why is this a unsecured & "not recommended" setup ? ( I need to convince
> > my seniors, as this setup has been working well for past 5 years.)
> > 2) How can I load balance multiple ISPs ?
> > Can I setup a RRAS with VPN server and install additional 3 NICs and connect
> > all the ISP to the server and on the client side create a dial-up connection
> > to the VPN Server? will this acheive my goal ?
> >
> > Thanks in advance.
>
>
>
> The only way I know of using multiple ISPs, and usually I hear of having two, not three ISPs, is having a router that supports multiple WAN links. On top of that, it won't 'load balance' rather it is for fault tolerance so when one goes down, the other one picks up the connection. It's for backup.
>
> What is the purpose of load balancing? Increased speeds? I would think it be cheaper to go with one and increase your bandwidth with the connection, if that is the case.
>
> As for security, if it is truly load balancing, meaning you never know which line is actually routing any specific internal traffic, then how do you keep track of who's knocking on the door trying to come in? You would have three doors in such a scenario. I've found there's enough to juggle with one door concerning traffic control, packet filtering for inbound/outbound traffic, VPN connectivity, etc.
>
> By rights, all and any machine should have one 'default' gateway, literally the doorway out of the building, so to speak. You can have multiple gateways or doorways in a building, and a person, so to speak, can choose which door to exit by, and by the same token you can enter multiple static gateways to other subnets and such with higher metrics on a machine, but there is always only one default gateway to get out of the network.
>
> Now for inbound traffic, such as for web servers, etc, there are devices such as BigIP that will allow you to put a farm of webservers behind it, and the outside connections would connect to the outside interface of the BigIP appliance. But for traffic load balancing with multiple ISPs, I have not heard of that.
>
> You said in a reply to Meinolf that it was configured by a previous admin. Was it working?
>
> Also, what magazine article did you read? Is there a link to it on the web?
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> (E-Mail Removed)
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>

"raj-blr" <(E-Mail Removed)> wrote in message news:F881651E-2BE5-40CB-B89B-(E-Mail Removed)...
> Thanks for your reply.
>
> I have Question,
>
> Are there any security risks in connecting the ISP DSL router directly to
> the LAN switch ? If yes, what are they ?
>

Well, I wouldn't do it because of decreased security, but you can until you get a good firewall/router, such as Cisco ASA5505. There are other competitive products that will work, as well.

Ace

Thanks for your support.

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "raj-blr" <(E-Mail Removed)> wrote in message news:F881651E-2BE5-40CB-B89B-(E-Mail Removed)...
> > Thanks for your reply.
> >
> > I have Question,
> >
> > Are there any security risks in connecting the ISP DSL router directly to
> > the LAN switch ? If yes, what are they ?
> >
>
> Well, I wouldn't do it because of decreased security, but you can until you get a good firewall/router, such as Cisco ASA5505. There are other competitive products that will work, as well.
>
> Ace
>
>
>
>

Try LinkSYS RV-042 or PEPLink products


"raj-blr" wrote:

> I recently joined as sysadmin. Existing setup is as follows:
>
> We have 3 ISP connections and all of them connected directly to the network
> switch. all clients have 2 gateway IPs in the network config.
> I read in a magazine that this setup is a unsecured & "not recommended"
> setup .
>
> I am not a expert guy. I need help for the following:
> 1) why is this a unsecured & "not recommended" setup ? ( I need to convince
> my seniors, as this setup has been working well for past 5 years.)
> 2) How can I load balance multiple ISPs ?
> Can I setup a RRAS with VPN server and install additional 3 NICs and connect
> all the ISP to the server and on the client side create a dial-up connection
> to the VPN Server? will this acheive my goal ?
>
> Thanks in advance.

"raj-blr" <(E-Mail Removed)> wrote in message
news:F6E3CC36-B407-4DFE-82B3-(E-Mail Removed)...
> Thanks for your support.

You are welcome!

Ace