My situation:
I have a cable modem (COMCAST 6Mbit d/l) and am about to also have DSL (Verizon 3 Mbit d/l). I was thinking of using CentOS (4.4, 4.5, or 5??) as a router/dhcp server/firewall for my home network consisting of 3 to 6 computers at any given time. I seek the wisdom of the members of this list on the following issues:
-- Is CENTOS a good direction to go? I do not mind manually configuring things or installing lots of packages, and am doing this as both a learning experience for myself and proof of concept for a customer.
-- Is it possible/hard/easy/trivial to share the load between the two connections? Have either link fail and things still work correctly?
-- I plan to build a box for this job - looking for general recommendations of how much horsepower (mem/disk space, etc) is required
-- What are the implications of two pipes for incoming connections such as DynDNS based remote desktop or VNC, or web server, FTP, etc
The basic hardware layout I see is 3 nics, 1 GB RAM, 60 GB disk space. 1 NIC for each WAN port, 1 NIC for my local net, some recent CPU.
I have been browsing through the "Linux Advanced Routing & Traffic Control HOWTO," but am still not on top of how to get done what I'm looking for. I understand that there are probably products that I could buy to do this, but my preference is to do it myself.
Sorry if my questions are too basic. Please feel free to tell me off if so. Thanks.
rsubasic
Consider an extra NIC or two for a server DMZ and other stuff as well.
Raymond M. Subasic wrote:
My situation:
I have a cable modem (COMCAST 6Mbit d/l) and am about to also have DSL (Verizon 3 Mbit d/l). I was thinking of using CentOS (4.4, 4.5, or 5??) as a router/dhcp server/firewall for my home network consisting of 3 to 6 computers at any given time. I seek the wisdom of the members of this list on the following issues:
-- Is CENTOS a good direction to go? I do not mind manually configuring things or installing lots of packages, and am doing this as both a learning experience for myself and proof of concept for a customer.
It's reasonable. Not optimized particularly as a firewall/routing system; it's more of a general purpose server, but it's certainly capable of doing firewalling.
-- Is it possible/hard/easy/trivial to share the load between the two connections? Have either link fail and things still work correctly?
Possible? Yes. Hard, definitely. Easy/trivial, nope. Reliably detecting a 'failed' link is also tricky, as most failures will be upstream from you. Routing outbound traffic and load balancing two separate ISPs is also tricky.
-- I plan to build a box for this job – looking for general recommendations of how much horsepower (mem/disk space, etc) is required
A router/firewall can run off a 512MB flash card, and a 450MHz CPU with 256MB RAM is way more than adequate.
-- What are the implications of two pipes for incoming connections such as DynDNS based remote desktop or VNC, or web server, FTP, etc
The two connections have two different IPs on different networks. You'll need to run two DynDNS clients and sort all that out; you'll have two separate possible hostnames to connect to from outside.
A web server, FTP server, etc. would typically serve the content to either IP.
The basic hardware layout I see is 3 nics, 1 GB RAM, 60 GB disk space. 1 NIC for each WAN port, 1 NIC for my local net, some recent CPU.
I have been browsing through the “Linux Advanced Routing & Traffic Control HOWTO,” but am still not on top of how to get done what I’m looking for. I understand that there are probably products that I could buy to do this, but my preference is to do it myself.
That's the document you need to understand, along with the rest of the stuff on http://netfilter.org
-- Is it possible/hard/easy/trivial to share the load between the two connections? Have either link fail and things still work correctly?
http://en.wikipedia.org/wiki/Autonomous_system_(Internet)
Two connections from two different ISPs? You need an ASN. (Not for load sharing... this is primarily to handle link failures.)
-- What are the implications of two pipes for incoming connections such as DynDNS based remote desktop or VNC, or web server, FTP, etc
Incoming connections will hit either IP and use that IP for the duration of the connection provided that you have a DNS entry that round robins...
The basic hardware layout I see is 3 nics, 1 GB RAM, 60 GB disk space. 1 NIC for each WAN port, 1 NIC for my local net, some recent CPU.
I have been browsing through the “Linux Advanced Routing & Traffic Control HOWTO,” but am still not on top of how to get done what I’m looking for. I understand that there are probably products that I could buy to do this, but my preference is to do it myself.
I do have a box that has two connections from two different IPs. I basically forget about load sharing. I set up multiple routing tables and some ip rules, and basically assigned one link for VPN and server activity while the other link is used for office Internet connectivity; a few small things are shared, like DNS. Nothing fancy...
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Feizhou Sent: Thursday, July 19, 2007 3:13 AM To: CentOS mailing list Subject: Re: [CentOS] Multiple WAN link -- CentOS Suitability
-- Is it possible/hard/easy/trivial to share the load between the two connections? Have either link fail and things still work correctly?
http://en.wikipedia.org/wiki/Autonomous_system_(Internet)
Two connections from two different ISPs? You need an ASN. (Not for load sharing... this is primarily to handle link failures.)
Well, you don't really need to go as far as ASNs and BGP routing to make it work, but it is tricky. ASNs and BGP routing really play into incoming connections during a link failure, but there are ways to work around that via DNS tricks. Think about running 2 instances of bind on the host, one for internal DNS/caching, the other for external DNS queries to your host.
The tricky part is to make a host entry appear and disappear when a link goes up/down, which will need to be verified somehow.
-- What are the implications of two pipes for incoming connections such as DynDNS based remote desktop or VNC, or web server, FTP, etc
Incoming connections will hit either IP and use that IP for the duration of the connection provided that you have a DNS entry that round robins...
Yes, here lie the tricks: you will need round-robin DNS for just about every site you publish via DNS. For records that take a weight (MX, SRV, etc.) publish 2 entries with equal weights.
Like Feizhou said, these will be per-connection load-balanced and not per-packet, which would be impossible in this scenario, and load-balanced will not mean that the load will be evenly distributed either, as DNS lookups are cached everywhere.
The basic hardware layout I see is 3 nics, 1 GB RAM, 60 GB disk space. 1 NIC for each WAN port, 1 NIC for my local net, some recent CPU.
I have been browsing through the "Linux Advanced Routing & Traffic Control HOWTO," but am still not on top of how to get done what I'm looking for. I understand that there are probably products that I could buy to do this, but my preference is to do it myself.
I do have a box that has two connections from two different IPs. I basically forget about load sharing. I set up multiple routing tables and some ip rules, and basically assigned one link for VPN and server activity while the other link is used for office Internet connectivity; a few small things are shared, like DNS. Nothing fancy...
I believe there may be a way with later kernels to put entries for 2 default routes of equal weight to each interface that will round-robin, but I haven't tried that, as when I have that kind of scenario I usually go to Cisco. I don't know what magic would be required though in iptables to get this to work...
If not, you will have to look into Squid and its bag of tricks to help balance outbound web/FTP traffic and pick a primary/backup route for all non-proxied traffic.
-Ross
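The multiple-routing-table setup Feizhou describes and the equal-weight default routes Ross mentions, written out as an added iproute2 example (not code from anyone in this thread). Interface names, addresses, gateways and table numbers are constructed placeholders; with DRY_RUN=1 (the default) it only prints the commands, with DRY_RUN=0 it runs them as root.

```shell
# Added example: LARTC-style policy routing for two uplinks on Linux.
# All addresses, interfaces and table numbers below are constructed.
DRY_RUN="${DRY_RUN:-1}"

# ISP 1 (cable) and ISP 2 (DSL): interface, our address, subnet, gateway
IF1=eth0; IP1=203.0.113.10;  NET1=203.0.113.0/24;  GW1=203.0.113.1
IF2=eth1; IP2=198.51.100.20; NET2=198.51.100.0/24; GW2=198.51.100.1
# Routing table numbers (optionally name them in /etc/iproute2/rt_tables)
T1=101; T2=102

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_multiwan() {
    # One table per uplink: the link's own subnet plus a default route via
    # that ISP's gateway, so replies leave through the link they arrived on.
    run ip route add "$NET1" dev "$IF1" src "$IP1" table "$T1"
    run ip route add default via "$GW1" dev "$IF1" table "$T1"
    run ip route add "$NET2" dev "$IF2" src "$IP2" table "$T2"
    run ip route add default via "$GW2" dev "$IF2" table "$T2"

    # Source-based rules: packets sourced from a WAN address use that
    # link's table. Without them, a connection arriving on ISP 2's address
    # would be answered via ISP 1's gateway and dropped upstream.
    run ip rule add from "$IP1" table "$T1"
    run ip rule add from "$IP2" table "$T2"

    # LAN traffic: per-flow (not per-packet) balancing via a multipath
    # default route in the main table; weights roughly track 6 vs 3 Mbit.
    # The kernel does not detect a dead gateway here by itself.
    run ip route replace default scope global \
        nexthop via "$GW1" dev "$IF1" weight 2 \
        nexthop via "$GW2" dev "$IF2" weight 1
    run ip route flush cache
}

pin_lan_to_uplink() {
    # Feizhou's alternative to load sharing: send a LAN subnet ($1) out one
    # uplink's table ($2) and leave the other link for servers/VPN only.
    run ip rule add from "$1" table "$2" priority 200
}
```

With DRY_RUN=1 the printed commands can be reviewed (and pasted into a startup script) before anything touches the routing tables.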
If you are open to not using CentOS (which is wonderful), I would suggest something like pfSense. http://www.pfsense.com/
Based on m0n0wall, and I think it will do what you are looking for. This would mean you would need a separate set of hardware, however. As for hardware, if you have an old machine around, it would probably work. We use WRAP boards from PC Engines and they do a great job. http://www.pcengines.ch/wrap.htm
The WRAP board is being discontinued, but the new versions will be out shortly. You can still get them at Wisp-Router (http://www.wisp-router.com/itemdesc.asp?ic=WRAP%2E1E23%2F1)
Hope that helps!
Andrew
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Raymond M. Subasic Sent: Thursday, July 19, 2007 1:03 AM To: 'CentOS mailing list' Subject: [CentOS] Multiple WAN link -- CentOS Suitability