 
 From:  "Mitch \(WebCob\)" <mitch at webcob dot com>
 To:  "William Marcelo Piovezan" <william at uli dot com dot br>, josh at bluehornet dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Source based policy routing,
 Date:  Sun, 24 Oct 2004 13:15:04 -0700
That can be done with FreeBSD... not sure yet how to do it with mono...

I've relied on ipfw to do this sort of thing... in the past, I ran two
natds, two divert sockets...

I have a default route, and two smaller routes which I'd add to override my
default:

0/0 -> default
192.168.1.128/25 -> opt1
192.168.1.0/25 -> wan

and in ipfw, I added something like:

ipfw add fwd WAN_GW ip from WANIP/32 to any
ipfw add fwd OPT1_GW ip from OPT1IP/32 to any
another couple rules were used for the divert sockets to natd...


Admittedly, this is going from sketchy memory, and I honestly haven't had
much time to work on it... well ok - no time...

We should be able to do this, but I can't remember where in the chain ipfw,
ipf, ipnat etc. all fit... at some point, I think we'll need the ipfw to
handle the forward cause I don't think this function is in ipf anywhere I
can read... I've seen a few people saying it has to be done with ipfw.

At its simplest, this lets you split the network and use both feeds. With
ipfw, which was capable of probability rules, you could effect some sort of
load balance, and load failover was simple - allow the default to take over
all traffic, and set it to wan or opt1 as needed... testing for this was
primitive - ping the next gateway on either side.

Load balancing could be as complex as the criteria you select... including
decisions based on utilization of traffic on both connections or even
response time to the target host for the connection... the firewall rules
just have to be set up to "quick" the packets that are part of established
connections, and only make new decisions for new connections.

Before anyone complains "it's not BGP" - cause someone always does - I
repeat my mantra - "it ain't BGP, but BGP doesn't come as cheap as $50 per
month for a second internet connection ;-)"

m/
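The split-LAN setup described above (NAT each LAN half through its own natd, then fwd on the translated source), written out as a complete FreeBSD ipfw script. This is an added example, not a ruleset from this thread or from m0n0wall; the interface names, the uplink addresses and gateways, and the natd divert ports are assumed placeholders.

```sh
#!/bin/sh
# Split-LAN policy routing on FreeBSD: two natd instances plus ipfw fwd.
# Constructed example; every name and address below is a placeholder.
# Dry-run without touching the kernel: IPFW=echo NATD=echo sh policy.sh apply
LAN_IF="${LAN_IF:-fxp0}"                # assumed interface names
WAN_IF="${WAN_IF:-fxp1}"
OPT1_IF="${OPT1_IF:-fxp2}"
WAN_IP="${WAN_IP:-203.0.113.10}"        # RFC 5737 documentation addresses
WAN_GW="${WAN_GW:-203.0.113.1}"
OPT1_IP="${OPT1_IP:-198.51.100.10}"
OPT1_GW="${OPT1_GW:-198.51.100.1}"
LAN_NET="192.168.1.0/24"
LAN_A="192.168.1.0/25"                  # .1-.127 leave via WAN (per thread)
LAN_B="192.168.1.128/25"                # .128-.254 leave via OPT1
NATD_A=8668                             # divert port of the WAN natd
NATD_B=8669                             # divert port of the OPT1 natd
IPFW="${IPFW:-ipfw}"
NATD="${NATD:-natd}"

start_natd() {
    # One natd per uplink, each aliasing to its own interface address.
    "$NATD" -p "$NATD_A" -n "$WAN_IF"
    "$NATD" -p "$NATD_B" -n "$OPT1_IF"
}

load_rules() {
    "$IPFW" -q flush
    # Anti-spoofing: only LAN addresses may enter on the LAN side, so a
    # host cannot pick the other half's uplink by forging its source.
    "$IPFW" add 100 deny ip from not "$LAN_NET" to any in via "$LAN_IF"
    # Replies: un-NAT on the uplink they arrive on.
    "$IPFW" add 200 divert "$NATD_A" ip from any to any in via "$WAN_IF"
    "$IPFW" add 210 divert "$NATD_B" ip from any to any in via "$OPT1_IF"
    # Outbound: NAT by LAN half first. natd reinjects the packet after
    # the divert rule, so the translated source now encodes the uplink.
    "$IPFW" add 300 divert "$NATD_A" ip from "$LAN_A" to any out
    "$IPFW" add 310 divert "$NATD_B" ip from "$LAN_B" to any out
    # Policy route on the translated source, overriding the default route.
    "$IPFW" add 400 fwd "$WAN_GW" ip from "$WAN_IP" to any out
    "$IPFW" add 410 fwd "$OPT1_GW" ip from "$OPT1_IP" to any out
    "$IPFW" add 65000 allow ip from any to any
}

if [ "${1:-}" = "apply" ]; then
    start_natd
    load_rules
fi
```

Rule numbers are spaced so that the "quick" handling of established flows or a ping-driven failover rule can be slotted in between without renumbering.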
  -----Original Message-----
  From: William Marcelo Piovezan [mailto:william at uli dot com dot br]
  Sent: Sunday, October 24, 2004 8:25 AM
  To: Mitch (WebCob); josh at bluehornet dot com; m0n0wall at lists dot m0n0 dot ch
  Subject: RE: [m0n0wall] Source based policy routing,


  I was thinking of (and needing) a solution like this:

                    +-------------+
  BACKBONE1----WAN--|   m0n0wall  |-OPT1------BACKBONE2
                    +-------------+
                           | LAN (192.168.1.0/24)
                           |
                           | IPs 192.168.1.1 ~ 192.168.1.127 with WAN gateway
                           | IPs 192.168.1.128 ~ 192.168.1.254 with OPT1 gateway


  Suppose that I split the LAN network IPs into two groups, so that IPs ranging
from 192.168.1.1 ~ 192.168.1.127 would be routed via WAN (with NAT), and the IPs
192.168.1.128 ~ 192.168.1.254 would be routed via the OPT1 interface (with NAT).

  There is no need for a failover or redundancy feature, only this static
configuration.

  Best Regards,

  William.


  At 15:07 22/10/2004, Mitch \(WebCob\) wrote:

inbound on both links if they are up) as well as attempts at using both by

    m/


----------------------------------------------------------------------------

    From: William Marcelo Piovezan [mailto:william at uli dot com dot br]
    Sent: October 21, 2004 17:34
    To: Mitch (WebCob); m0n0wall at lists dot m0n0 dot ch
    Subject: RE: [m0n0wall] Source based policy routing,

    I am now using a custom Linux solution with iproute2, and this routing
policy is pretty simple to implement there. But m0n0wall is very compact and
could be an interesting replacement. Could you tell me whether you defined
your ipfw rules on a m0n0wall system or on a native FreeBSD machine?

    Best Regards,

    William.


    At 01:55 21/10/2004, Mitch \(WebCob\) wrote:

    There's a bunch of people looking for answers like this - don't think any
    are complete yet... I have stuff that works for me on ipfw, but I'm still
    wrapping my head around ipf ;-)

    m/
