How to use two WAN connections at once?
Andy Ball
2012-11-14 15:29:12 UTC
I'm going to Cc both lists because I'm not sure where this thread belongs.

Hello Frank,

FW> I have two WAN connections (e.g. ADSL), which I both
want to use transparently from my LAN. A kind of load-
balancing would be nice, because the first WAN port is
slower than the second, but more stable.

I've been thinking about a scenario something like this
for a while. If a branch office had a wired connection (T1,
cable or DSL) and a second connection via satellite, it
would seem logical to send latency-sensitive datagrams
(VoIP, videoconferencing, RDP) down the wire and balance
other traffic between the wired and satellite connections
depending on available bandwidth. Obviously if one
connection went down we would want to fail over to the
other. I'm told this is an example of "traffic shaping"
but I have yet to look at how this is done in practice on
a router that runs NetBSD.

-Andy Ball

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
John Jaser
2012-11-15 18:03:42 UTC
"Link balancing", sometimes referred to as "poor man's BGP4", for outbound internet is in principle simple: you NAT your private IP#s into two or more public IPs, and either policy route or weight the routes. It gets trickier when you add in the other ingredients: health-checking the ISP links and connection stickiness; for example a home-banking web app that suddenly sees your source IP change. It would be a cool appliance/app to have handy though.

----- Original Message -----
From: "Frank Wille" <***@phoenix.owl.de>
To: "Andy Ball" <***@grex.org>
Cc: netbsd-***@NetBSD.org, tech-***@NetBSD.org
Sent: Thursday, November 15, 2012 3:51:43 AM
Subject: Re: How to use two WAN connections at once?

On Wed, 14 Nov 2012 10:29:12 -0500 (EST)
Post by Andy Ball
FW> I have two WAN connections (e.g. ADSL), which I both
want to use transparently from my LAN. A kind of load-
balancing would be nice, because the first WAN port is
slower than the second, but more stable.
I've been thinking about a scenario something like this
for a while. If a branch office had a wired connection (T1,
cable or DSL) and a second connection via satellite, it
would seem logical to send latency-sensitive datagrams
(VoIP, videoconferencing, RDP) down the wire and balance
other traffic between the wired and satellite connections
depending on available bandwidth. Obviously if one
connection went down we would want to fail over to the
other.
Yes, that's exactly what I want to achieve! My second connection is
via LTE (4G), which is not so reliable as DSL (maybe it disconnects on a
misty winter day?), and has a limited monthly volume, but is much faster.
Post by Andy Ball
I'm told this is an example of "traffic shaping"
but I have yet to look at how this is done in practice on
a router that runs NetBSD.
But where to look?
Any help is welcome.
--
Frank Wille

Frank Wille
2012-11-16 09:49:24 UTC
On Thu, 15 Nov 2012 13:03:42 -0500 (EST)
Post by John Jaser
"link balancing" sometimes referred to as "poor man's BGP4" for outbound
internet is in principle simple: you NAT your private IP#s into two
or more public IPs, and either policy route or weight the routes.
I know how to use ipnat with simple round-robin load balancing, but it
would already help me a lot if I knew how I can weight the two routes.
Post by John Jaser
It gets trickier when you add in the other ingredients: health-checking
the ISP links and connection stickiness;
Health-checking would be very useful too, as the next step.
Post by John Jaser
for example a home-banking
web app that suddenly sees your source IP change.
When there is no easy solution for it, I would solve this problem by
routing all accesses to a home-banking IP over the same WAN port.
--
Frank Wille

Lloyd Parkes
2012-11-15 20:05:24 UTC
Post by Frank Wille
Hi,
I have two WAN connections (e.g. ADSL), which I both want to use transparently
from my LAN. A kind of load-balancing would be nice, because the first WAN
port is slower than the second, but more stable.
Is that possible with ipfilter or pf? How would I do that?

I don't recall seeing that feature in ipfilter, but ipfilter is feature rich, so it might. I doubt it though.

The best you are likely to get is to be able to switch to your slow WAN connection when your fast one goes down. You need to run some sort of routing protocol for that and routed will probably be able to deliver what you need just fine. If you are running NAT on each WAN interface, then you will lose every TCP connection when you fail over.

Cheers,
Lloyd


David Young
2012-11-18 17:47:58 UTC
Post by Frank Wille
Hi,
I have two WAN connections (e.g. ADSL), which I both want to use transparently
from my LAN. A kind of load-balancing would be nice, because the first WAN
port is slower than the second, but more stable.
Is that possible with ipfilter or pf? How would I do that?

Yes, it is possible. I have done just what you want.

The trick is to use PF to pin each flow to a particular WAN connection.
In that way, if WAN 1 is disrupted *temporarily*, flows on that
connection may stall for a while, but they have the possibility to
recover, which is important. Meanwhile, you establish all new flows on
WAN 2 while the WAN 1 disruption persists. When WAN 1 recovers, you may
establish new flows on either connection, again, and the WAN 1 flows

I have not tried load-balancing, myself, but I don't see any reason that
it should not be possible.

What is most tricky, after producing the right PF rules, is to come
up with the proper metric for WAN connection "badness" and to set the
criteria for stop establishing flows on a connection.

Dave
--
David Young
***@pobox.com Urbana, IL (217) 721-9981
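
A small model of the approach described in the post above, added here as an example; it is not part of the thread and not David Young's configuration. It shows flows staying pinned to their link while new flows avoid a link whose "badness" crossed a stop threshold, with a lower resume threshold for hysteresis. The class names, thresholds, weights and flow tuples are assumptions, and on a real router PF's state table does the pinning.

```python
import random

class WanLink:
    """One uplink: an EWMA of probe loss ("badness") with two thresholds."""
    def __init__(self, name, weight, stop_at=0.5, resume_at=0.2, alpha=0.3):
        self.name, self.weight = name, weight
        self.stop_at, self.resume_at, self.alpha = stop_at, resume_at, alpha
        self.badness = 0.0     # 0.0 = all probes answered, 1.0 = all lost
        self.accepting = True  # may *new* flows be established here?

    def record_probe(self, answered):
        """Feed one active probe result (e.g. a ping beyond the modem)."""
        sample = 0.0 if answered else 1.0
        self.badness += self.alpha * (sample - self.badness)
        # Hysteresis: stop at a high mark, resume only below a lower one,
        # so a link hovering around one threshold does not flap.
        if self.accepting and self.badness >= self.stop_at:
            self.accepting = False
        elif not self.accepting and self.badness <= self.resume_at:
            self.accepting = True

class FlowPinner:
    """Pins each flow to the link chosen when the flow was first seen."""
    def __init__(self, links, seed=0):
        self.links, self.pinned = links, {}
        self.rng = random.Random(seed)

    def route(self, flow):
        link = self.pinned.get(flow)
        if link is None:
            # New flow: weighted pick among links still accepting flows;
            # if every link looks bad, fall back to all of them.
            usable = [l for l in self.links if l.accepting] or self.links
            link = self.rng.choices(usable, [l.weight for l in usable])[0]
            self.pinned[flow] = link
        return link.name  # existing flows never move, even off a bad link

if __name__ == "__main__":
    dsl, lte = WanLink("dsl", weight=1), WanLink("lte", weight=3)
    pinner = FlowPinner([dsl, lte])
    old = ("192.0.2.10", 40000, "198.51.100.7", 443)   # constructed flow
    first = pinner.route(old)
    for _ in range(2):                                  # two lost probes
        {"dsl": dsl, "lte": lte}[first].record_probe(False)
    new = ("192.0.2.10", 40001, "198.51.100.7", 443)   # constructed flow
    print(first, pinner.route(old), pinner.route(new))
```

Because the probes are active and periodic, an idle link is not marked bad merely for carrying no traffic.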

Frank Wille
2012-11-19 14:50:28 UTC
Post by David Young
Is that possible with ipfilter or pf? How would I do that?
Yes, it is possible. I have done just what you want.
Great! :)
Post by David Young
The trick is to use PF to pin each flow to a particular WAN connection.
In that way, if WAN 1 is disrupted *temporarily*, flows on that
connection may stall for a while, but they have the possibility to
recover, which is important. Meanwhile, you establish all new flows on
WAN 2 while the WAN 1 disruption persists. When WAN 1 recovers, you may
establish new flows on either connection, again, and the WAN 1 flows
That would be very good. I guess it will also work, when the machine
running PF is not directly connected to the WAN interface (ifwatchd is
useless for me), but will just route the packets to the next host (which
is e.g. a DSL-router/modem)?

I have no experience with PF yet (was always using ipfilter). Could you
share such an example pf.conf with us? This would be a good starting point
for me.
Post by David Young
I have not tried load-balancing, myself, but I don't see any reason that
it should not be possible.
Ok. The health-checks are more important.
Post by David Young
What is most tricky, after producing the right PF rules, is to come
up with the proper metric for WAN connection "badness" and to set the
criteria for stop establishing flows on a connection.
What did you do? Is PF capable to detect timeouts on an interface?
It should not stop a connection, when it is not used over a period, but
it should monitor connection timeouts.
--
Frank Wille

David Young
2012-11-19 16:39:20 UTC
Post by Frank Wille
Post by David Young
Is that possible with ipfilter or pf? How would I do that?
Yes, it is possible. I have done just what you want.
Great! :)
Post by David Young
The trick is to use PF to pin each flow to a particular WAN connection.
In that way, if WAN 1 is disrupted *temporarily*, flows on that
connection may stall for a while, but they have the possibility to
recover, which is important. Meanwhile, you establish all new flows on
WAN 2 while the WAN 1 disruption persists. When WAN 1 recovers, you may
establish new flows on either connection, again, and the WAN 1 flows
That would be very good. I guess it will also work, when the machine
running PF is not directly connected to the WAN interface (ifwatchd is
useless for me), but will just route the packets to the next host (which
is e.g. a DSL-router/modem)?
Are there two DSL routers/modems, or just one? If two, are they
connected to your NetBSD router on two independent LAN segments?

Dave
--
David Young
***@pobox.com Urbana, IL (217) 721-9981
