  • Pf question


    Thanks for the info and I have learned a bit from it, but not quite what
    I'm after. I'm looking for how to direct traffic to a couple of internal web
    servers based on what IP alias of the external interface the traffic
    connects to. For example:
    Traffic connecting to xxx.xxx.xxx.178:80 goes to 192.168.0.75:80
    Traffic connecting to xxx.xxx.xxx.180:80 goes to 192.168.0.85:80
    Where 178 and 180 are aliases on the same external interface. I'm curious
    what my rules would need to be to make that happen.
    -----Original Message-----
    From: owner-misc (AT) openbsd (DOT) org [mailto:owner-misc (AT) openbsd (DOT) org] On Behalf Of Daniel
    Sent: Sunday, December 18, 2005 12:16 AM
    To: Logical
    Cc: misc (AT) openbsd (DOT) org
    Subject: Re: Pf question

    Daniel wrote:
    > Logical wrote:
    > > Can someone give me
    > > some idea of what RDR and PASS IN/OUT rules I'd need for just a
    > > portion of this (say the web servers) and I can figure out the rest
    > > on my own?

    Read here:
    http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf in PDF or
    http://www.bgnett.no/~peter/pf/en/ in html.
    Page 16 of the PDF, for example, for the web server.
    Sorry, page 33!
    I was reading something else and was on page 16. Confused the two.
    Anyway, read it all, it's good learning anyway.
    Daniel
  • No.1 | 871 bytes

    Logical wrote:
    > Thanks for the info and I have learned a bit from it, but not quite what
    > I'm after. I'm looking for how to direct traffic to a couple of internal web
    > servers based on what IP alias of the external interface the traffic
    > connects to. For example:
    >
    > Traffic connecting to xxx.xxx.xxx.178:80 goes to 192.168.0.75:80
    > Traffic connecting to xxx.xxx.xxx.180:80 goes to 192.168.0.85:80
    > Where 178 and 180 are aliases on the same external interface. I'm curious
    > what my rules would need to be to make that happen.

    Still need to go back and read more.

    Examples are pretty clear there:

    #reflect

    The FAQ for PF is very well done, and spending time reading it is really
    worth the time invested.

    Hope this helps, but if you test the example, you will see it works.

    Daniel
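    The rule set the question asks for, written here as an added pf.conf example (not from the thread or the PF FAQ) in the pre-OpenBSD 4.7 syntax of the time; the interface names and the 203.0.113.x addresses are assumed stand-ins for the poster's xxx.xxx.xxx.178 and .180 aliases, and the reflection block is the case the "#reflect" pointer refers to.

```pf
# Added example (not from the thread or the PF FAQ): pre-OpenBSD 4.7 pf.conf
# syntax, as used in 2005. Interface names and 203.0.113.x addresses are
# assumed stand-ins for the poster's xxx.xxx.xxx.178 / .180 aliases.
ext_if  = "fxp0"              # external interface carrying both aliases
int_if  = "fxp1"              # LAN interface
int_net = "192.168.0.0/24"
alias_a = "203.0.113.178"     # stand-in for xxx.xxx.xxx.178
alias_b = "203.0.113.180"     # stand-in for xxx.xxx.xxx.180
web_a   = "192.168.0.75"
web_b   = "192.168.0.85"

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound: the internal server is chosen by which alias the client hit.
rdr on $ext_if proto tcp from any to $alias_a port 80 -> $web_a port 80
rdr on $ext_if proto tcp from any to $alias_b port 80 -> $web_b port 80

# Reflection (the FAQ's "#reflect" case): LAN clients that use the public
# aliases are redirected too, and their source is rewritten to the
# firewall so the server's replies come back through pf, not directly.
rdr on $int_if proto tcp from $int_net to $alias_a port 80 -> $web_a port 80
rdr on $int_if proto tcp from $int_net to $alias_b port 80 -> $web_b port 80
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to { $web_a, $web_b } port 80 -> $int_if

block in all

# Filter rules see the translated destination, so pass to the internal
# addresses (not the aliases) and only on port 80.
pass in on $ext_if proto tcp from any to { $web_a, $web_b } port 80 \
    flags S/SA keep state
pass in on $int_if from $int_net to any keep state
pass out keep state
```

    Syntax-check with `pfctl -nf /etc/pf.conf` and watch `pfctl -s state` while connecting to each alias to confirm the translation picks the right server. On OpenBSD 4.7 and later the same thing is written as `pass in ... rdr-to` and `match out ... nat-to` rules instead of separate rdr/nat lines.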
  • No.2 | 394 bytes

    Hi All,

    Is merging two ADSL connections (from two different ISPs) into one BSD
    router to serve local LAN a possible thing to do?

    Is pf load balancing the answer?

    Is this what we call load sharing or load balancing? I am still not clear
    if load sharing or load balancing is the correct term for what I am trying
    to do.

    Thanks heaps for any advice.
  • No.3 | 612 bytes

    Hi,
    Yes, you need the "Load Balance Traffic" section in
    . I use two ADSL connections
    with BSD PF for employers and managers.

    2005/12/19, yance (AT) exemail (DOT) com.au <yance (AT) exemail (DOT) com.au>:
    > Hi All,
    >
    > Is merging two ADSL connections (from two different ISPs) into one BSD
    > router to serve local LAN a possible thing to do?
    >
    > Is pf load balancing the answer?
    >
    > Is this what we call load sharing or load balancing? I am still not clear
    > if load sharing or load balancing is the correct term for what I am trying
    > to do.
    >
    > Thanks heaps for any advice.
    > --
  • No.4 | 1698 bytes

    Hi Huzeyfe,

    Is the solution really that "simple"? Any pointers as to where I can read
    more about what works or what does not work in this scenario?

    I read somewhere that true load balancing can only work if the two ADSL
    connections end up at one ISP. Are your two links coming from two
    different ISPs?

    I am not really knowledgeable in this matter (load balancing or load
    sharing), so please let me know if there are any solid articles somewhere.
    I have googled this topic, but there is not even a handful of discussions
    about this topic.

    How do we know if it does work as a load balancer? How do we test it?
    Would download/upload become faster? Would the second link become a
    hot-swappable backup?

    Thanks very much for your reply.

    Yance

    > Hi,
    > Yes, you need the "Load Balance Traffic" section in
    > . I use two ADSL connections
    > with BSD PF for employers and managers.
    >
    > 2005/12/19, yance (AT) exemail (DOT) com.au <yance (AT) exemail (DOT) com.au>:
    > > Hi All,
    > >
    > > Is merging two ADSL connections (from two different ISPs) into one BSD
    > > router to serve local LAN a possible thing to do?
    > >
    > > Is pf load balancing the answer?
    > >
    > > Is this what we call load sharing or load balancing? I am still not clear
    > > if load sharing or load balancing is the correct term for what I am trying
    > > to do.
    > >
    > > Thanks heaps for any advice.
  • No.5 | 2065 bytes

    Hi,
    The 2 ADSL connections are from the same ISP, but I use ADSL modems for them.

              |(ADSL1)
    Users>BSD |
              |(ADSL2)

    My solution isn't really load balancing; it only separates the managers'
    and employers' internet connections. It doesn't provide HA.

    2005/12/19, yance (AT) exemail (DOT) com.au <yance (AT) exemail (DOT) com.au>:
    > Hi Huzeyfe,
    >
    > Is the solution really that "simple"? Any pointers as to where I can read
    > more about what works or what does not work in this scenario?
    >
    > I read somewhere that true load balancing can only work if the two ADSL
    > connections end up at one ISP. Are your two links coming from two
    > different ISPs?
    >
    > I am not really knowledgeable in this matter (load balancing or load
    > sharing), so please let me know if there are any solid articles somewhere.
    > I have googled this topic, but there is not even a handful of discussions
    > about this topic.
    >
    > How do we know if it does work as a load balancer? How do we test it?
    > Would download/upload become faster? Would the second link become a
    > hot-swappable backup?
    >
    > Thanks very much for your reply.
    >
    > Yance
    >
    > > Hi,
    > > Yes, you need the "Load Balance Traffic" section in
    > > . I use two ADSL connections
    > > with BSD PF for employers and managers.
    > >
    > > 2005/12/19, yance (AT) exemail (DOT) com.au <yance (AT) exemail (DOT) com.au>:
    > > > Hi All,
    > > >
    > > > Is merging two ADSL connections (from two different ISPs) into one BSD
    > > > router to serve local LAN a possible thing to do?
    > > >
    > > > Is pf load balancing the answer?
    > > >
    > > > Is this what we call load sharing or load balancing? I am still not
    > > > clear if load sharing or load balancing is the correct term for what
    > > > I am trying to do.
    > > >
    > > > Thanks heaps for any advice.
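    Huzeyfe's per-group split over the two ADSL links in the diagram above, with the round-robin sharing Yance asked about as a commented alternative, as an added pf.conf example (not from the thread or the PF FAQ) in pre-OpenBSD 4.7 syntax; interface names, gateway addresses and the two LAN subnets are assumptions.

```pf
# Added example (not from the thread or the PF FAQ): pre-OpenBSD 4.7 pf.conf
# syntax. Interface names, gateway addresses and the two LAN subnets are
# assumptions; the two links are the ADSL1/ADSL2 of the diagram above.
int_if   = "fxp0"
adsl1_if = "pppoe0"           # link to ISP A
adsl2_if = "pppoe1"           # link to ISP B
adsl1_gw = "198.51.100.1"     # constructed gateway addresses
adsl2_gw = "203.0.113.1"
managers  = "192.168.1.0/24"
employers = "192.168.2.0/24"
lan_net   = "192.168.0.0/22"  # covers both subnets

# Each link NATs to its own address, so replies return on the same link.
nat on $adsl1_if from $lan_net to any -> ($adsl1_if)
nat on $adsl2_if from $lan_net to any -> ($adsl2_if)

block all
pass out on $int_if from any to $lan_net
# Traffic for the gateway itself must not be pushed out a WAN link.
pass in quick on $int_if from $lan_net to $int_if

# Huzeyfe's split: one group per link. This is policy routing, not load
# balancing, and pf does not move a group over when its link dies.
pass in on $int_if route-to ($adsl1_if $adsl1_gw) \
    from $managers to any keep state
pass in on $int_if route-to ($adsl2_if $adsl2_gw) \
    from $employers to any keep state

# Alternative (commented out): share new connections across both links.
# sticky-address keeps a client on one link, so sites that tie a session
# to the source address keep working.
# pass in on $int_if route-to \
#     { ($adsl1_if $adsl1_gw), ($adsl2_if $adsl2_gw) } round-robin \
#     sticky-address from $lan_net to any keep state

pass out on $adsl1_if from any to any keep state
pass out on $adsl2_if from any to any keep state
# A packet leaving with the other link's source address is sent back
# through that link's gateway instead.
pass out on $adsl1_if route-to ($adsl2_if $adsl2_gw) from ($adsl2_if) to any
pass out on $adsl2_if route-to ($adsl1_if $adsl1_gw) from ($adsl1_if) to any
```

    Either variant gives sharing, not HA: pf keeps handing connections to a dead link until that link's rule is gone, so a link-down check (for example ifstated(8) loading a ruleset without that link) is what turns the second line into a backup.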
  • No.6 | 655 bytes

    Mon, Dec 19, 2005 at 11:29:25AM +0200, Huzeyfe wrote:
    > Hi,
    > The 2 ADSL connections are from the same ISP, but I use ADSL modems for them.
    >
    >           |(ADSL1)
    > Users>BSD |
    >           |(ADSL2)
    >
    > My solution isn't really load balancing; it only separates the managers'
    > and employers' internet connections. It doesn't provide HA.

    Unfortunately, 2 ADSLs/SDSL cannot provide high availability due to the same infrastructure being used.

    If you need redundancy, try a DSL and a cable TV broadband or leased line.

    That way if the exchange has problems (and they do), you are using different media for the other line.

    Craig.
  • No.7 | 634 bytes

    19 December 2005 at 15:39:44, in message
    <20051219153944.GA13735 (AT) kingswood (DOT) kepax.co.uk>, Craig Skinner
    <craig.skinner (AT) kepax (DOT) co.uk> wrote:
    > Unfortunately, 2 ADSLs/SDSL cannot provide high availability due to
    > the same infrastructure being used.
    >
    > If you need redundancy, try a DSL and a cable TV broadband or leased
    > line.

    Ensuring that the leased line goes through different exchanges to the
    ADSL circuit

    > That way if the exchange has problems (and they do), you are using
    > different media for the other line.

    Been there. Got stuffed.

    GTG
  • No.8 | 1409 bytes

    > <craig.skinner (AT) kepax (DOT) co.uk> wrote:
    > > Unfortunately, 2 ADSLs/SDSL cannot provide high availability due to
    > > the same infrastructure being used.
    > >
    > > If you need redundancy, try a DSL and a cable TV broadband or leased
    > > line.
    >
    > Ensuring that the leased line goes through different exchanges to the
    > ADSL circuit

    and that they don't all cross the country on the same fibre route.
    (though, you probably won't be able to determine this in the case of
    these consumer-grade connections).

    Multiple ADSL, even on copper from just one telco, can easily have:

    1. different kit terminating PPP sessions
    2. different modem/router at your end
    3. different interconnect point with the telco
    4. in areas with unbundled connections, different DSLAMs.

    In the case of the UK using BT, putting them on different contention
    ratios is meant to help too (aaisp mention this, istr). These measures
    don't always help (e.g. in the case of a telco using radius proxies
    which are malfunctioning) but probably are worthwhile for some users.

    The problems I personally have seen the most of are 1 and 2, which
    are solved quite nicely by natting a connection with a source address
    of whichever of two providers is functional (or tunnelling to a 3rd
    point on a highly-reliable network if you want to use real addresses).
  • No.9 | 817 bytes

    Mon, Dec 19, 2005 at 03:57:08PM +0000, Gordon Ross wrote:
    > > If you need redundancy, try a DSL and a cable TV broadband or leased
    > > line.
    >
    > Ensuring that the leased line goes through different exchanges to the
    > ADSL circuit

    Since we are both in the UK, did you consider Telewest Leased Lines?

    All the lines that we provision with them, they use their own PPs to connect to dark fibre, and never go to BT's network, and hence an exchange.

    We also provision BT and Thus/Scottish Telecom Leased Lines, which do use BT exchanges, so no help in that regard.

    Colo is still the best option for HA.

    > > That way if the exchange has problems (and they do), you are using
    > > different media for the other line.
    >
    > Been there. Got stuffed.

    Bugger.

    > GTG
  • No.10 | 3962 bytes

    Mon, Dec 19, 2005 at 05:57:58PM +0000, Stuart Henderson wrote:
    > > > If you need redundancy, try a DSL and a cable TV broadband or leased
    > > > line.
    > >
    > > Ensuring that the leased line goes through different exchanges to the
    > > ADSL circuit
    >
    > and that they don't all cross the country on the same fibre route.
    > (though, you probably won't be able to determine this in the case of
    > these consumer-grade connections).

    Which is why multi DSL is not a HA solution. BT do not offer a SLA on
    any ADSL service, and all UK ADSL is operated by them, with the minor
    exception of LLU. At work, we do LLU SDSL, not ADSL, but most of our
    DSLAMs reside in BT exchanges, and hook into backhauls from various
    providers. BT still operates the copper from the exchange to the EU
    building with LLU. Small ISPs don't have the ability to lay cables
    through central business districts.

    > Multiple ADSL, even on copper from just one telco, can easily have:
    >
    > 1. different kit terminating PPP sessions
    > 2. different modem/router at your end
    > 3. different interconnect point with the telco

    No, copper from one address always runs to the same exchange.

    > 4. in areas with unbundled connections, different DSLAMs.

    AFAIK there is only one UK operator unbundling for ADSL, in some southern
    exchanges (eg London & thereabouts). Many ISPs unbundle for SDSL in areas
    that they operate in, but no-one does it nationally. But the ADSL and SDSL
    will still run down the same copper bundle under the street to the same
    exchange, so there is no physical redundancy.

    I've seen it often enough where a firm has both ADSL and SDSL into their
    HQ, and a JCB has dug through the footpath and taken the lot out. I've
    had rats chew through leased lines on the Forth Road Bridge and organised
    the cops to stop traffic so that Telewest can patch the cable.

    We run leased lines from 1meg up to 100meg, and some firms think that
    one line is enough, until it goes down.

    Look to different media altogether for HA.

    > In the case of the UK using BT, putting them on different contention
    > ratios is meant to help too (aaisp mention this, istr). These measures
    > don't always help (e.g. in the case of a telco using radius proxies
    > which are malfunctioning) but probably are worthwhile for some users.
    >
    > The problems I personally have seen the most of are 1 and 2, which
    > are solved quite nicely by natting a connection with a source address
    > of whichever of two providers is functional (or tunnelling to a 3rd
    > point on a highly-reliable network if you want to use real addresses).

    This is all fine for messing about at home or in a small style, no SLA
    business. You need multiple routes for HA, and Telewest don't do static
    IPs on consumer cable "blueyonder". If you contact TW for a business
    connection, and you can't afford a LL, they will resell BT's ADSL with
    a static IP. Different ISPs, but same media, so no good.

    ADSL and blueyonder is a good cheap SH outbound solution (dynamic
    IPs). Each is cheap enough so that it doesn't matter if one or the other
    is down for a week. And the chances of both going down at the same time
    is good enough for SH situations.

    When an ADSL is faulted to BT via eCo once a fault has been detected
    through Woosh, the GPMS case will sit in the diagnostics queue for 48
    hours before it is even looked at. Then resolution will typically
    take another 3-5 days.

    SDSL is a bit quicker, with turnarounds in about 2 days.

    If you want to offer your customers an SLA, go colo and manage your
    boxes via ADSL, ISDN, cable, whatever. In London, you can get a U
    for £500 PA, while one SDSL will cost £200 per month, and be less
    reliable.

    Just my 2p after supporting ADSL, SDSL, Leased Lines, colo space, etc.

    Craig.
  • No.11 | 968 bytes

    > all UK ADSL is operated by them, with the minor exception of LLU.

    What?

    > AFAIK there is only one UK operator unbundling for ADSL, in some southern
    > exchanges (eg London & thereabouts).

    What?

    > I've seen it often enough where [] a JCB has dug through the footpath and
    > taken the lot out

    There are cheap enough alternatives.

    > Look to different media altogether for HA.

    Don't exclude the cheap, predictable thing right under your nose.

    > This is all fine for messing about at home or in a small style, no SLA
    > business.

    It's better than you think.

    > When an ADSL is faulted to BT via eCo once a fault has been detected
    > through Woosh, the GPMS case will sit in the diagnostics queue for 48
    > hours before it is even looked at. Then resolution will typically
    > take another 3-5 days.

    BS. Shame on you.

    > If you want to offer your customers an SLA

    We know.
  • No.12 | 1371 bytes

    Tue, Dec 20, 2005 at 02:40:28AM +0000, pedro la peu wrote:
    > > all UK ADSL is operated by them, with the minor exception of LLU.
    >
    > What?
    >
    > > AFAIK there is only one UK operator unbundling for ADSL, in some southern
    > > exchanges (eg London & thereabouts).
    >
    > What?

    I can see from whois that you have some connection with the UK, as do some of
    the other posters on this thread.

    Therefore, if you don't know what LLU and unbundling are, I can only
    assume that you are a dialup windows user who is posting on the wrong
    mailing list.

    > > I've seen it often enough where [] a JCB has dug through the footpath and
    > > taken the lot out
    >
    > There are cheap enough alternatives.
    >
    > > Look to different media altogether for HA.
    >
    > Don't exclude the cheap, predictable thing right under your nose.
    >
    > > This is all fine for messing about at home or in a small style, no SLA
    > > business.
    >
    > It's better than you think.

    Ignorance is bliss, until the **** hits the fan.

    > > When an ADSL is faulted to BT via eCo once a fault has been detected
    > > through Woosh, the GPMS case will sit in the diagnostics queue for 48
    > > hours before it is even looked at. Then resolution will typically
    > > take another 3-5 days.
    >
    > BS. Shame on you.

    I work for an ISP, you obviously are just a user.
  • No.13 | 892 bytes

    20 December 2005 14:32 +0000, Craig Skinner wrote:

    > Tue, Dec 20, 2005 at 02:40:28AM +0000, pedro la peu wrote:
    > > > all UK ADSL is operated by them, with the minor exception of LLU.
    > >
    > > What?
    > >
    > > > AFAIK there is only one UK operator unbundling for ADSL, in some
    > > > southern exchanges (eg London & thereabouts).
    > >
    > > What?
    >
    > I can see from whois that you have some connection with the UK, as do
    > some of the other posters on this thread.
    >
    > Therefore, if you don't know what LLU and unbundling are, I can only
    > assume that you are a dialup windows user who is posting on the wrong
    > mailing list.

    Have you looked at the lists of LLU exchanges recently? It's not so
    minor any more.
  • No.14 | 267 bytes

    Tue, Dec 20, 2005 at 04:05:31PM +0000, Stuart Henderson wrote:
    > Have you looked at the lists of LLU exchanges recently? It's not so
    > minor any more.

    I think are pushing through the anti-competitive legislation
    against the BT monopoly.
  • No.15 | 71 bytes

    > I work for an ISP

    It shows. Disagree off-list please.
  • No.16 | 215 bytes

    Thu, Dec 22, 2005 at 03:11:57AM +0000, pedro la peu wrote:
    > > I work for an ISP
    >
    > It shows. Disagree off-list please.

    If you insult someone on list, expect the same back, on list, you coward.
