[ale] two connections to internet??
Joseph Andrew Knapka
jknapka at earthlink.net
Thu Aug 30 08:32:32 EDT 2001
Leonard Thornton wrote:
>
> Pack rat? Yep....that's me....I got equipment so old it's mentioned 3
> times in the Old Testiment.
>
> From the initial description Gary provided, I don;t think load
> balancing / failover is much of a consideration. You are correct,
> however, in your observation that routing is not easy. Considering that
> all PC's on the internal lan will point to the firewall as their
> gateway, the firewall much handle the appropriate routing to seperate
> the traffic destined for the DSL or cable side.
>
> One trick, though I cannot testify to it's workability, would be to
> assign multiple IP addresses (2) to the adapter attached to the local
> network. Then, use routed to set each of these addresses to point to
> either the cable or the DSL for their default gateway. The machine on
> the internal LAN could then be assigned either IP address as their
> default gateway depending on the route you wish for them to take.....
>
> OR....I could be suffering delusions from the medication I am taking for
> this flu......you tell me...
No matter what you do, if you're only using a single firewall
there will be ipchains or iptables magic to be done to make
things work. With two firewalls it's easy: the workstation machines
use the cable firewall as their default gateway, and the server
machines use the DSL firewall as their default gateway. All external
traffic to the servers goes via DSL and all internal traffic to
sites outside goes via cable: which is what you want. With
a single firewall with two Internet connections, things get
more complicated.
Let's say the firewall uses the cable interface as its default
route. Then -all- outgoing packets from any machine will go
via cable, -even- replies to packets originally recieved via
DSL. That's almost certainly not what you want, since you wouldn't
be utilizing the DSL's outgoing bandwidth at all. Same problem
in reverse if the firewall's default route is via the DSL link.
So that means you need policy routing or something like that
on the firewall to decide based on source address which external
link to use: "OK, this packet came from the web server, so
I need to send it out the DSL interface... But this one came
from a workstation, so I need to send it via the cable interface."
That's a pain, because IP is designed to route based on
destination address only. You'll definitely get familiar with
the intricacies of the firewalling subsystem :-)
Another potentially interesting, though rather strange, way
to proceed might be to use the "Mandatory Access Control"
kernel patches that came out a while back. They let you
partition your machine into multiple -logical- machines,
mainly for security purposes, but they might also allow
you to simulate two firewall machines for routing purposes.
I saw an announcement about the MAC patches go by on
linux-kernel some time ago (two years maybe), but probably
one of the security gurus here on ALE can provide a pointer.
(Of course there are a bunch of user-level programs you
need for MAC as well.)
Good luck,
--
# Joe Knapka
# "You know how many remote castles there are along the
# gorges? You can't MOVE for remote castles!" - Lu Tze re. Uberwald
# Linux MM docs:
http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
More information about the Ale
mailing list