[ale] two connections to internet??
Thompson Freeman
tfreeman at intel.digichem.net
Thu Aug 30 15:43:34 EDT 2001
OK. Blue sky wondering here, but hopefully to get a decent education out
of the deal (Thanks to one and all! 8-))
One firewall box, four ether interfaces: one to the DSL, one to the cable
modem, and two for the internal network. Each of the internal interfaces
points (NAT) to only one external interface, and each internal machine
is assigned to an internal interface for gateway purposes. Rather a brute
hardware approach, but would it work until a proper and dynamic software
solution was developed?
On Thu, 30 Aug 2001, Joseph Andrew Knapka wrote:
> Leonard Thornton wrote:
> >
> > Pack rat? Yep....that's me....I got equipment so old it's mentioned 3
> > times in the Old Testament.
> >
> > From the initial description Gary provided, I don't think load
> > balancing / failover is much of a consideration. You are correct,
> > however, in your observation that routing is not easy. Considering that
> > all PC's on the internal lan will point to the firewall as their
> > gateway, the firewall must handle the appropriate routing to separate
> > the traffic destined for the DSL or cable side.
> >
> > One trick, though I cannot testify to its workability, would be to
> > assign multiple IP addresses (2) to the adapter attached to the local
> > network. Then, use routed to set each of these addresses to point to
> > either the cable or the DSL for their default gateway. The machine on
> > the internal LAN could then be assigned either IP address as their
> > default gateway depending on the route you wish for them to take.....
> >
> > OR....I could be suffering delusions from the medication I am taking for
> > this flu......you tell me...
>
> No matter what you do, if you're only using a single firewall
> there will be ipchains or iptables magic to be done to make
> things work. With two firewalls it's easy: the workstation machines
> use the cable firewall as their default gateway, and the server
> machines use the DSL firewall as their default gateway. All external
> traffic to the servers goes via DSL and all internal traffic to
> sites outside goes via cable: which is what you want. With
> a single firewall with two Internet connections, things get
> more complicated.
>
> Let's say the firewall uses the cable interface as its default
> route. Then -all- outgoing packets from any machine will go
> via cable, -even- replies to packets originally received via
> DSL. That's almost certainly not what you want, since you wouldn't
> be utilizing the DSL's outgoing bandwidth at all. Same problem
> in reverse if the firewall's default route is via the DSL link.
> So that means you need policy routing or something like that
> on the firewall to decide based on source address which external
> link to use: "OK, this packet came from the web server, so
> I need to send it out the DSL interface... But this one came
> from a workstation, so I need to send it via the cable interface."
> That's a pain, because IP is designed to route based on
> destination address only. You'll definitely get familiar with
> the intricacies of the firewalling subsystem :-)
>
> Another potentially interesting, though rather strange, way
> to proceed might be to use the "Mandatory Access Control"
> kernel patches that came out a while back. They let you
> partition your machine into multiple -logical- machines,
> mainly for security purposes, but they might also allow
> you to simulate two firewall machines for routing purposes.
> I saw an announcement about the MAC patches go by on
> linux-kernel some time ago (two years maybe), but probably
> one of the security gurus here on ALE can provide a pointer.
> (Of course there are a bunch of user-level programs you
> need for MAC as well.)
>
> Good luck,
>
>
--
===========================================
The harder I work, the luckier I get.
Lee Iacocca
===========================================
Thompson Freeman tfreeman at intel.digichem.net
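The source-based policy routing Joseph describes, written out with iproute2 and iptables as an added example (not from anyone in this thread); the interface names, addresses, subnets and table numbers are assumptions, and the script only prints the commands unless RUN is set empty.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing (iproute2)
# on one Linux firewall with a cable and a DSL uplink. Every address,
# interface name and table number below is an assumption for illustration.
# By default the commands are only printed; run as root with RUN= (empty)
# to apply them.
RUN="${RUN-echo}"

CABLE_IF=eth0; CABLE_IP=203.0.113.10; CABLE_GW=203.0.113.1   # cable modem side
DSL_IF=eth1;   DSL_IP=198.51.100.10;  DSL_GW=198.51.100.1    # DSL side
WORKSTATIONS=192.168.1.0/24   # internal subnet that should leave via cable
SERVERS=192.168.2.0/24        # internal subnet that should leave via DSL
INTERNAL=192.168.0.0/16       # covers both internal subnets

policy_routes() {
    # One extra routing table per uplink, each holding only that link's default.
    $RUN ip route add default via "$CABLE_GW" dev "$CABLE_IF" table 100
    $RUN ip route add default via "$DSL_GW" dev "$DSL_IF" table 200

    # Internal-to-internal traffic is looked up in the main table first, so it
    # stays on the LAN instead of being thrown at an uplink's default route.
    $RUN ip rule add to "$INTERNAL" table main pref 100

    # Packets the firewall itself sends from an uplink address (replies to
    # traffic that arrived on that link) leave on the same uplink, whichever
    # link holds the main table's default route.
    $RUN ip rule add from "$CABLE_IP" table 100 pref 200
    $RUN ip rule add from "$DSL_IP" table 200 pref 201

    # Forwarded packets are steered by SOURCE subnet: this is the decision
    # plain destination-based routing cannot express.
    $RUN ip rule add from "$WORKSTATIONS" table 100 pref 300
    $RUN ip rule add from "$SERVERS" table 200 pref 301

    # NAT each subnet to the address of the link it leaves on, so return
    # traffic from the Internet arrives on the matching interface.
    $RUN iptables -t nat -A POSTROUTING -s "$WORKSTATIONS" -o "$CABLE_IF" \
        -j SNAT --to-source "$CABLE_IP"
    $RUN iptables -t nat -A POSTROUTING -s "$SERVERS" -o "$DSL_IF" \
        -j SNAT --to-source "$DSL_IP"
    $RUN ip route flush cache
}
```

Check the result with `ip rule show` and `ip route show table 100` / `table 200`; a host in the wrong subnet will show up immediately as leaving on the wrong interface in the NAT counters.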
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.