Re: Firewall configuration with two ISP
On Wed, Mar 28, 2001 at 12:50:08PM +0530, Bala wrote:
> In Debian GNU/Linux, I have configured three network cards. I'm having
> leased line connections from two ISPs with two different series of IP
> addresses. With the first card I have configured ISP1 and with the second
> card I have configured ISP2. With the third card I have configured my LAN.
> Now I'm able to ping both the ISPs' gateways from my machine. But I'm NOT
> able to access my machine with one of the Internet IPs from the Internet.
> What could be the problem??
This really isn't a problem with Debian -- you are having a problem with
your default route.
Let's call your ISPs ISP #1 and ISP #2 for this discussion.
If your default [outbound from the Linux box] route points at ISP #1,
your system will always send traffic for any networks that are not
considered "local" to that ISP, including traffic destined to go back
to a connection that came in from ISP #2.
In theory, your connections from ISP #2 would get answered properly over
ISP #1's link via the Internet unless ISP #1's link is down. Then
nothing will work. Nothing. And ALL of your outbound traffic would
always take ISP #1's link.
You *could* mess around with static routes and weighting, but you'll
never see a "load-balanced" connection no matter what you do with this.
The "proper" way to be multihomed in this case is to get an Autonomous
System (AS) Number assigned for BGP and then run that protocol with
agreements at both ISP's that they'll route traffic for ONE range of
IP's -- not two. Having two IP ranges for the two links is a waste,
and not good IP utilization etiquette.
Of course, this isn't going to truly be load-balanced either. BGP will
pick the ISP that has the least number of AS hops (unless you prepend AS
numbers or do other things to tweak BGP) advertised to get to a
particular location. If the ISPs have similar backbone connectivity,
they'll be pretty load-balanced, but if one ISP is actually buying
bandwidth from the other and selling it to you (happens all the time)...
their routes will always be the same AS numbers, with an additional AS
number prepended, so all the traffic will prefer the "bigger" ISP.
But at least it'll all go the other way when the bigger ISP's link
drops, which is what BGP was designed to deal with. Redundancy.
There are some GPL'ed routing daemons like Zebra which can do the BGP
peering on a Linux system, but it probably makes more sense to go buy a
solid-state (no hard disk) router designed for the purpose and to learn
about how BGP works before attempting any of this...
Nate Duehr <firstname.lastname@example.org>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
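The symptom in the question (the box answers on ISP #1's address but not on ISP #2's, because every reply follows the single default route) is what Linux source-based policy routing with iproute2 is meant for. The script below is an added example; it is not from Nate's message, from Bala, or from Debian. The interface names, the RFC 5737 documentation addresses and the gateway addresses are placeholders, and the table numbers 101/102 are arbitrary unused IDs. It gives each ISP its own routing table and a rule that sends packets sourced from that ISP's address through that table, so a connection that arrived over ISP #2 is answered over ISP #2. It does not load-balance anything, which is the reply's point; it only fixes the return path for inbound connections.

```shell
#!/bin/sh
# Added example (not from the original post): source-based policy routing
# for a Linux box with two ISP links (eth0/eth1) and a LAN card (eth2).
# All addresses, interfaces and gateways below are hypothetical
# placeholders; substitute the real ones.
#
# Applying these commands needs root and the real interfaces, so "run"
# echoes instead of executing when DRY_RUN=1.

ISP1_IF=eth0;  ISP1_ADDR=192.0.2.10;    ISP1_NET=192.0.2.0/24;    ISP1_GW=192.0.2.1
ISP2_IF=eth1;  ISP2_ADDR=198.51.100.10; ISP2_NET=198.51.100.0/24; ISP2_GW=198.51.100.1

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # Table 101: ISP #1's view of the world. The connected route for the
    # ISP's own subnet must be in the table, or its gateway is unreachable
    # from within that table and the default route is rejected.
    run ip route add "$ISP1_NET" dev "$ISP1_IF" src "$ISP1_ADDR" table 101
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table 101

    # Table 102: the same for ISP #2.
    run ip route add "$ISP2_NET" dev "$ISP2_IF" src "$ISP2_ADDR" table 102
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table 102

    # Rules: a packet whose source address belongs to one ISP is looked up
    # in that ISP's table. Replies to inbound connections carry the address
    # the connection arrived on, so they leave through the matching link.
    # Lower pref is consulted first; these sit before the main table rule.
    run ip rule add from "$ISP1_ADDR" table 101 pref 101
    run ip rule add from "$ISP2_ADDR" table 102 pref 102

    # The main table keeps exactly one ordinary default route. Traffic the
    # box originates (and NATed LAN traffic, whose source is rewritten
    # after routing) still uses ISP #1 for everything non-local, as the
    # reply describes; only the return path for ISP #2 connections changes.
    run ip route replace default via "$ISP1_GW" dev "$ISP1_IF"

    # Drop cached routing decisions so existing flows pick up the new rules
    # (a harmless no-op on kernels that no longer keep a route cache).
    run ip route flush cache
}

# Print the command stream without touching the kernel. The subshell keeps
# DRY_RUN from leaking into the caller's environment.
preview_policy_routing() {
    ( DRY_RUN=1; setup_policy_routing )
}

case "${1:-}" in
    apply)   setup_policy_routing ;;
    preview) preview_policy_routing ;;
esac
```

Run it with `preview` to see the commands and with `apply` as root to install them. The check worth doing afterwards is `ip route get 203.0.113.1 from 198.51.100.10`, which should report `via 198.51.100.1 dev eth1`, while `ip route get 203.0.113.1` with no source still goes via ISP #1's gateway. Nothing here survives a reboot; on Debian the commands belong in `up` lines for the interfaces in /etc/network/interfaces, and the table IDs can be given names in /etc/iproute2/rt_tables.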