#1
I administer the network for a small company, which currently includes a firewall/router for connecting to the internet via ADSL. At the moment, it's a fairly simple setup with a dedicated Zywall firewall/router, but we are looking at adding some redundancy in the form of a second internet line (I don't know exactly what form this will take - a second DSL line, or cable, or something, but from my viewpoint, it will be an ethernet connection). I would be fairly happy about setting up a "normal" linux firewall/router with two network cards (and perhaps a third for a DMZ), but having two upstream connections adds extra complications.

Would it make sense to try to balance traffic between the two lines, or would it be much simpler to consider one as a backup and the other as the main line? Am I right in thinking that passing web requests down alternating lines would confuse session-tracking on some web servers, so that it might be best to split traffic according to services (e.g., http down one line, mail on the other)? I'm reasonably confident that I could configure such a split using iptables, but if anyone has pointers to any useful web sites or on-line tutorials (I've found plenty for "normal" firewall/router setups), I'd be very grateful.

Thanks,

David

--
"I love deadlines. I love the whooshing noise they make as they go past." Douglas Adams

David Brown
#2
"David Brown" <(E-Mail Removed)> wrote in message news:<ce2anv$sg1$(E-Mail Removed)>...
> Would it make sense to try to balance traffic between the two lines, or
> would it be much simpler to consider one as a backup and the other as the
> main line? Am I right in thinking that passing web requests down
> alternating lines would confuse session-tracking on some web servers, so
> that it might be best to split traffic according to services (eg., http down
> one line, mail on the other) ? I'm reasonably confident that I could
> configure such a split using iptables, but if anyone has pointers to any
> useful web sites or on-line tutorials (I've found plenty for "normal"
> firewall/router setups), I'd be very grateful.

In my experience it works best to split the traffic by type, especially if you are running NAT on the Linux box.

I use iptables to mark the packets with the "-t mangle" module, and then use "ip" to configure different routes for each mark. A snippet of the configuration is shown below.

    IP=${IP:-ip}      # path to the iproute2 "ip" binary

    # one routing table per line; the firewall mark selects the table
    $IP rule add fwmark 1 table 100 pref 1000
    $IP rule add fwmark 2 table 200 pref 1000

    # each table only needs a default route via its own upstream gateway
    # (x1.x2.x3.x4 on eth2, y1.y2.y3.y4 on eth3)
    $IP route add table 200 default via x1.x2.x3.x4 dev eth2
    $IP route add table 100 default via y1.y2.y3.y4 dev eth3

    # eth0 is the LAN side; mark by destination port
    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 22  -j MARK --set-mark 1   # ssh
    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 1   # https
    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 110 -j MARK --set-mark 2   # pop3

This works for outgoing traffic. Incoming traffic is a bit trickier. Mail is easy: just put both IPs in the MX list. Web traffic and other "user-to-machine" traffic is problematic. If you define two aliases for www.example.com and one line is down, the users will notice it, since half the requests will go to the line that is down.

If you have an external DNS server, you could check the status of your two connections and change the records in the zone file to match the status. This would require a short TTL value.

If you want real redundancy you need to use BGP.

Regards
Morten Isaksen
http://www.aub.dk/~misak/
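The fwmark/policy-routing split described in the post above, written out as a complete script (an added example, not Morten's or David's configuration). It generalises the snippet in three ways a practitioner running NAT on the box will need: the mark is saved in conntrack so every packet of a flow leaves on the line where its NAT mapping was created, source NAT is done per outgoing interface, and reverse-path filtering is relaxed on the two uplinks so replies arriving on the second line are not dropped. Interface names, gateway addresses (RFC 5737 documentation ranges) and table numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: two-uplink policy routing on a
# Linux NAT router. All names and addresses below are assumed placeholders.
LAN=${LAN:-eth0}                              # inside interface
WAN1=${WAN1:-eth2}; GW1=${GW1:-192.0.2.1}     # line 1 and its upstream gateway
WAN2=${WAN2:-eth3}; GW2=${GW2:-198.51.100.1}  # line 2 and its upstream gateway
T1=100; T2=200                                # one routing table per line
DRY_RUN=${DRY_RUN:-1}                         # 1 = print commands, 0 = execute (as root)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Each table holds only a default route via its own line; an ip rule maps
# fwmark N to table N. Unmarked traffic keeps following the main table,
# so the main table's default route is the "main" line.
setup_tables() {
    run ip route replace default via "$GW1" dev "$WAN1" table "$T1"
    run ip route replace default via "$GW2" dev "$WAN2" table "$T2"
    run ip rule add fwmark 1 table "$T1" pref 1000
    run ip rule add fwmark 2 table "$T2" pref 1000
    run ip route flush cache
}

# mark_service <proto> <dport> <mark>: mark NEW LAN-originated connections
# to this destination port.
mark_service() {
    run iptables -t mangle -A PREROUTING -i "$LAN" -p "$1" --dport "$2" \
        -m conntrack --ctstate NEW -j MARK --set-mark "$3"
}

# The mark is stored in the connection-tracking entry on the first packet
# and restored on every later packet of the flow. The NAT mapping chosen
# on that first packet is only valid on one line, so the whole flow must
# keep leaving through the same uplink.
setup_marking() {
    run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN" -m mark ! --mark 0 -j ACCEPT
    mark_service tcp 22  1   # ssh   -> line 1
    mark_service tcp 443 1   # https -> line 1
    mark_service tcp 110 2   # pop3  -> line 2
    mark_service tcp 25  2   # smtp  -> line 2
    run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --save-mark
}

# Source NAT must use the address of whichever line the packet actually
# leaves on. Replies then arrive on that line; strict reverse-path
# filtering only consults the main table (default via line 1) and would
# drop everything coming back on line 2, so use loose mode (2) there.
setup_nat() {
    run iptables -t nat -A POSTROUTING -o "$WAN1" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2" -j MASQUERADE
    run sysctl -q -w net.ipv4.conf."$WAN1".rp_filter=2
    run sysctl -q -w net.ipv4.conf."$WAN2".rp_filter=2
}

# Usage:  sh twolines.sh             prints the commands
#         DRY_RUN=0 sh twolines.sh   applies them (root)
main() { setup_tables; setup_marking; setup_nat; }
main
```

Two things the script deliberately does not do: it adds no filter-table rules, so whatever INPUT/FORWARD policy already protects eth2 must be applied to eth3 as well (a second uplink is a second attack surface, not just a second route), and it does not monitor the lines, so a marked service keeps being sent down a dead line until the rule is removed.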
#3
"Morten Isaksen" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) om...
> "David Brown" <(E-Mail Removed)> wrote in message news:<ce2anv$sg1$(E-Mail Removed)>...
>
> > Would it make sense to try to balance traffic between the two lines, or
> > would it be much simpler to consider one as a backup and the other as the
> > main line? Am I right in thinking that passing web requests down
> > alternating lines would confuse session-tracking on some web servers, so
> > that it might be best to split traffic according to services (eg., http down
> > one line, mail on the other) ? I'm reasonably confident that I could
> > configure such a split using iptables, but if anyone has pointers to any
> > useful web sites or on-line tutorials (I've found plenty for "normal"
> > firewall/router setups), I'd be very grateful.
>
> In my experience it works best to split the traffic by type,
> especially if you are running NAT on the Linux box.
>
> I use iptables to mark the packets with the "-t mangle" module, and
> then use "ip" to configure different routes for each mark. A snippet
> of the configuration is shown below.
>
> $IP rule add fwmark 1 table 100 pref 1000
> $IP rule add fwmark 2 table 200 pref 1000
>
> $IP route add table 200 scope global nexthop via x1.x2.x3.x4 dev eth2
> $IP route add table 100 scope global nexthop via y1.y2.y3.y4 dev eth3
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 22 -j MARK --set-mark 1 # ssh
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 1 # https
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 110 -j MARK --set-mark 2 # pop3
>
> This works for outgoing traffic. Incoming traffic is a bit
> trickier. Mail is easy. Just put both IPs in the MX list. Web
> traffic and other "user-to-machine" traffic is problematic. If you
> define two aliases for www.example.com and one line is down, the
> users will notice it since half the requests will go to the line that
> is down.

Splitting outgoing traffic this way sounds good - I hadn't looked at it in detail yet, but I will remember the trick of "marking" the packets. Also for mail, I knew about having two MX dns records, so that's ok.

Incoming traffic is not such an issue for us, since our web site is not critical (it is mainly just information) - the real reliability issue is that we have Windows Terminal Server clients that must be able to access a server at another site, and we can't afford to lose that connection for long (the other company, obviously, must consider reliability of their incoming connections - but they can afford to pay people to be on call, while I like to be able to go on holiday without worrying!). For other incoming traffic (vpn from home, etc.), it will be easy enough to change things manually at the other end if one of the lines goes down.

> If you have an external DNS server, you could check the status of your
> two connections and change the records in the zone file to match the
> status. This would require a short TTL value.

Another way to do it would be to have an externally hosted website consisting of a single re-direct, and change the redirect address as necessary if one of the lines goes down.

Thanks for the tips!

David

> If you want real redundancy you need to use BGP.
>
> Regards
> Morten Isaksen
> http://www.aub.dk/~misak/
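The "change the records in the zone file to match the status" idea quoted above, and the redirect alternative David proposes, both need the same small piece of logic: decide which public address(es) to publish for the web host and push that change out with a short TTL. Below is that logic as an added example (not code from either poster), using BIND's nsupdate dynamic-update client rather than editing the zone file by hand. Zone, host name, name server, addresses (RFC 5737 ranges), TTL and TSIG key path are all assumed placeholders; the line status is passed in as two flags so the script can be driven from whatever link probe you trust.

```shell
#!/bin/sh
# Added example, not from the thread: publish www.example.com only on the
# line(s) that are up, via nsupdate and a short TTL. All names, addresses
# and paths are assumed placeholders.
ZONE=example.com
NAME=www.example.com
NS=ns1.example.com                 # external authoritative name server (assumed)
TTL=60                             # seconds; a switch becomes visible quickly (assumed)
LINE1_ADDR=192.0.2.10              # public address on line 1
LINE2_ADDR=198.51.100.10           # public address on line 2
KEYFILE=${KEYFILE:-/etc/bind/www-update.key}   # TSIG key authorising updates (assumed)
DRY_RUN=${DRY_RUN:-1}              # 1 = print the update, 0 = send it

# published_addrs <line1_up> <line2_up>: addresses the record should carry
# (1 = up, 0 = down). With both lines down nothing is better than anything
# else, so both stay published rather than emptying the record.
published_addrs() {
    case "$1$2" in
        10) echo "$LINE1_ADDR" ;;
        01) echo "$LINE2_ADDR" ;;
        *)  echo "$LINE1_ADDR $LINE2_ADDR" ;;
    esac
}

# update_script <addr>...: nsupdate input replacing every A record of
# $NAME with the given addresses in one transaction.
update_script() {
    printf 'server %s\nzone %s.\n' "$NS" "$ZONE"
    printf 'update delete %s. A\n' "$NAME"
    for a in "$@"; do
        printf 'update add %s. %s A %s\n' "$NAME" "$TTL" "$a"
    done
    printf 'send\n'
}

# sync_dns <line1_up> <line2_up>: build the update and send (or print) it.
sync_dns() {
    addrs=$(published_addrs "$1" "$2")
    if [ "$DRY_RUN" = 1 ]; then
        update_script $addrs
    else
        update_script $addrs | nsupdate -k "$KEYFILE"
    fi
}

# Usage from a cron job or link monitor, e.g. after pinging each upstream
# gateway through its own line:   sync_dns 1 0   (line 2 down)
main() { sync_dns "${1:-1}" "${2:-1}"; }
main "$@"
```

The delete-then-add pair is sent as one transaction, so resolvers never see an empty record set in between. Note that the short TTL only bounds how long clients keep the stale answer; the monitor's own probe interval adds to the failover time, and whoever holds the TSIG key can rewrite the record, so keep that key on the router only.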
Tags: connection, firewall or router, internet, redundant