Forgot to mention, for the Cisco PIX, you need to allow 500/udp also for
IPSec traffic.

If anyone knows of anyone looking for a firewall/security consultant, let me
know.  :)

-----Original Message-----
From: Austad, Jay [mailto:austad at marketwatch.com] 
Sent: Wednesday, August 08, 2001 12:13 AM
To: 'tclug-list at mn-linux.org'
Subject: RE: [TCLUG] internet-connection load-balancing

IP masq doesn't break VPN or IPSec, really.  You just need to add some extra
stuff to your config if you need those.  It all depends on what you're using
as a NAT box though.  You can do it through a linux firewall with the pptp
module and the ipsec module.  Cisco PIX lets you do it as long as you have
a static defined for each host (no PAT for the hosts that need it) and a
conduit which permits GRE to them, or for IPSec you need conduits to permit
ESP and AH.  The Cisco 675 lets you do it with a GRE masquerading command,
but you can only do it to one host on the inside.
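An added illustration (not from any message in this thread) of why the PIX needs a static per host plus conduits for ESP and AH, and why a plain masquerading/PAT box breaks IPSec: AH's integrity check covers the IP header, so rewriting the source address invalidates it, while ESP covers only its own payload and survives a 1:1 address rewrite. Key, addresses and payload are constructed sample values; HMAC-SHA256 truncated to 96 bits stands in for the real AH/ESP authenticators.

```python
import hashlib
import hmac
import ipaddress
import struct

AH, ESP = 51, 50   # IP protocol numbers the PIX conduits must permit

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0; not needed for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def nat_rewrite_src(header, new_src):
    """What a NAT box does on egress: swap the inside source for the outside one."""
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def ah_icv(key, header, payload):
    """AH's ICV covers the IP header (mutable fields zeroed) plus the payload."""
    h = bytearray(header)
    h[8] = 0            # TTL is mutable in transit, excluded from the ICV
    h[10:12] = b"\0\0"  # header checksum likewise; source address is NOT excluded
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]

def esp_icv(key, esp_packet):
    """ESP's ICV covers only the ESP header and payload, never the outer IP header.
    ESP also carries no port numbers (only an SPI), which is why PAT cannot
    demultiplex several inside hosts and a 1:1 static per host is needed."""
    return hmac.new(key, esp_packet, hashlib.sha256).digest()[:12]

def verifies_after_nat(proto, key, inside_src, outside_src, dst, payload):
    """True if the receiver's ICV check still passes after source-address NAT."""
    hdr = ipv4_header(inside_src, dst, proto)
    translated = nat_rewrite_src(hdr, outside_src)
    if proto == AH:
        return hmac.compare_digest(ah_icv(key, hdr, payload),
                                   ah_icv(key, translated, payload))
    # ESP: the rewritten outer header is not an input to the ICV at all
    return hmac.compare_digest(esp_icv(key, payload), esp_icv(key, payload))

KEY = b"constructed-demo-key"                  # constructed sample key
PAYLOAD = b"\x00\x00\x10\x01" + b"\x00" * 12   # constructed SPI + data

if __name__ == "__main__":
    for name, proto in (("AH", AH), ("ESP", ESP)):
        ok = verifies_after_nat(proto, KEY, "10.0.0.5", "203.0.113.9",
                                "198.51.100.1", PAYLOAD)
        print(f"{name}: {'survives' if ok else 'broken by'} 1:1 NAT")
```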

-----Original Message-----
From: Mike Hicks [mailto:hick0088 at tc.umn.edu] 
Sent: Tuesday, August 07, 2001 7:13 PM
To: tclug-list at mn-linux.org
Subject: Re: [TCLUG] internet-connection load-balancing

"Marc Ohmann" <mohmann at qwest.net> wrote:
> 
> I am not really trying to gain speed as much as redundancy.  However, 
> along with the redundancy I should be able to serve more requests at a 
> given moment.  Why pay for another line to just sit there for redundancy
> sake... I might as well use it too.  
> 
> It is also meant as a lesson in load balancing for myself -- if I can do
> it with dsl I should be able to apply what I've learned to any link, dsl
> just happens to be the cheapest digital link at the moment.

Well, I'm not exactly sure what can be done here.  Let me try to put
together an idea or two, and let the people who know more about routing,
etc., say whether this'll work or not.

My understanding is that the `metric' flag in the routing table is
supposed to denote preference when two different routes to the same place
exist (in this case, we're worried about the default route -- the whole
Internet).  It may be possible to set up each host with two IP addresses
per interface (actually, one IP on eth0, then another on eth0:0, or
whatever), thereby creating two virtual networks on one physical network.

I'm not even sure if the Linux kernel bothers to look at the metric
anymore, though.  You might be able to set two default routes with a
metric of 1 (I know you can't have two with a metric of 0, or it can't be
set with the regular tools).

This might work better or worse with an IP masquerading gateway in front
of the whole mess.

Of course, IP masquerading is evil because it breaks nice things like VPN
and IPSec.

Get your IPv6 addresses while they're hot!  (and it'll eventually help
with routing in this exact sort of situation, if I understand correctly).

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   I give advice worth the 
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   price -- free! 
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)                             
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
_______________________________________________
tclug-list mailing list
tclug-list at mn-linux.org
https://mailman.mn-linux.org/mailman/listinfo/tclug-list