Firewall/router with redundant internet connection

Discussion in 'Linux Networking' started by David Brown, Jul 26, 2004.

  1. David Brown

    David Brown Guest

    I administer the network for a small company, which currently includes a
    firewall/router for connecting to the internet via ADSL. At the moment,
    it's a fairly simple setup with a dedicated Zywall firewall/router, but we
    are looking at adding some redundancy in the form of a second internet line
    (I don't know exactly what form this will take - a second DSL line, or
    cable, or something, but from my viewpoint, it will be an ethernet
    connection). I would be fairly happy about setting up a "normal" linux
    firewall/router with two network cards (and perhaps a third for a DMZ), but
    having two upstream connections adds extra complications.

    Would it make sense to try to balance traffic between the two lines, or
    would it be much simpler to consider one as a backup and the other as the
    main line? Am I right in thinking that passing web requests down
    alternating lines would confuse session-tracking on some web servers, so
    that it might be best to split traffic according to services (eg., http down
    one line, mail on the other) ? I'm reasonably confident that I could
    configure such a split using iptables, but if anyone has pointers to any
    useful web sites or on-line tutorials (I've found plenty for "normal"
    firewall/router setups), I'd be very grateful.

    David Brown, Jul 26, 2004

  2. In my experience it works best to split the traffic by type,
    especially if you are running NAT on the Linux box.

    I use iptables to mark the packets with the "-t mangle" module, and
    then use "ip" to configure different routes for each mark. A snippet
    of the configuration is shown below.

    $IP rule add fwmark 1 table 100 pref 1000
    $IP rule add fwmark 2 table 200 pref 1000

    $IP route add table 200 scope global nexthop via x1.x2.x3.x4 dev eth2
    $IP route add table 100 scope global nexthop via y1.y2.y3.y4 dev eth3

    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 22 -j MARK --set-mark 1   # ssh
    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 1  # https
    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 110 -j MARK --set-mark 2  # pop3

    This works for outgoing traffic. Incoming traffic is a bit
    trickier. Mail is easy. Just put both IPs in the MX list. Web
    traffic and other "user-to-machine" traffic is problematic. If you
    define two aliases for a host and one line is down, the
    users will notice it since half the requests will go to the line that
    is down.

    If you have an external DNS server, you could check the status of your
    two connections and change the records in the zone file to match the
    status. This would require a short TTL value.

    If you want real redundancy you need to use BGP.

    Morten Isaksen
    Morten Isaksen, Jul 30, 2004
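The marking scheme above, as an added example that is not Morten's configuration: it assumes constructed interface names and addresses (eth0 LAN, eth1/eth2 uplinks, documentation-range addresses) and goes beyond the snippet by restoring the mark from conntrack so every packet of a flow takes the same line, by routing replies back out the uplink they arrived on, and by source-NATing with the address of the uplink actually used. With DRY_RUN=1 (the default) it prints the commands instead of running them, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Two-uplink policy routing with per-service marks (constructed example).
# Assumed layout: eth0 = LAN, eth1 = uplink A, eth2 = uplink B; addresses are
# constructed from the documentation ranges, not real ones.
DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands, 0 = execute them
LAN=eth0
WAN_A=eth1; GW_A=192.0.2.1;    IP_A=192.0.2.10
WAN_B=eth2; GW_B=198.51.100.1; IP_B=198.51.100.10

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# mark_service PROTO PORT MARK: mark new flows to PORT so they use one line.
mark_service() {
  run iptables -t mangle -A PREROUTING -i "$LAN" -p "$1" --dport "$2" \
      -m mark --mark 0 -j MARK --set-mark "$3"
}

setup_policy_routing() {
  # One routing table per uplink; each table's default route is that uplink.
  run ip route replace default via "$GW_A" dev "$WAN_A" table 100
  run ip route replace default via "$GW_B" dev "$WAN_B" table 200
  # Marked packets are looked up in the matching table.
  run ip rule add fwmark 1 lookup 100 pref 1000
  run ip rule add fwmark 2 lookup 200 pref 1000
  # Replies sourced from an uplink address must leave via that uplink,
  # otherwise the far end sees the reply coming from the wrong address.
  run ip rule add from "$IP_A" lookup 100 pref 900
  run ip rule add from "$IP_B" lookup 200 pref 900
  # Existing flows: copy the connection mark back onto the packet and stop,
  # so a flow never changes line mid-connection (keeps sessions intact).
  run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -i "$LAN" -m mark ! --mark 0 -j ACCEPT
  # New flows: ssh and https down line A, pop3 down line B, rest down line A.
  mark_service tcp 22 1
  mark_service tcp 443 1
  mark_service tcp 110 2
  run iptables -t mangle -A PREROUTING -i "$LAN" -m mark --mark 0 -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --save-mark
  # NAT with the address of whichever uplink the packet actually leaves on.
  run iptables -t nat -A POSTROUTING -o "$WAN_A" -j SNAT --to-source "$IP_A"
  run iptables -t nat -A POSTROUTING -o "$WAN_B" -j SNAT --to-source "$IP_B"
}

setup_policy_routing
```

The `from $IP_x` rules matter for the incoming traffic Morten mentions: without them, a reply to a request that arrived on line B would be routed by the main table and leave on line A.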

  3. David Brown

    David Brown Guest

    Splitting outgoing traffic this way sounds good - I hadn't looked at it in
    detail yet, but I will remember the trick of "marking" the packets. Also
    for mail, I knew about having two MX DNS records, so that's ok. Incoming
    traffic is not such an issue for us, since our web site is not critical (it
    is mainly just information) - the real reliability issue is that we have
    Windows Terminal Server clients that must be able to access a server at
    another site, and we can't afford to lose that connection for long (the
    other company, obviously, must consider reliability of their incoming
    connections - but they can afford to pay people to be on call, while I like
    to be able to go on holiday without worrying!). For other incoming traffic
    (VPN from home, etc.), it will be easy enough to change things manually at
    the other end if one of the lines goes down.

    Another way to do it would be to have an externally hosted website
    consisting of a single redirect, and change the redirect address as
    necessary if one of the lines goes down.

    Thanks for the tips!

    David Brown, Aug 2, 2004