[LARTC] Balancing ip traffic over two or more internet (adsl) connections

Linux Advanced Routing and Traffic Control

 Hi.

 I've got here the following configuration:
(turn on a fixed-pitch font to see the scheme more accurately)


 Client machines <-----> ADSL Router 1 <-----> INTERNET
 (192.168.0.0/24)        (192.168.0.229)  NAT

 Client machines <-----> ADSL Router 2 <-----> INTERNET
 (192.168.1.0/24)        (192.168.1.229)  NAT


 [it doesn't really matter whether it's NAT or PAT]

 Currently each group of client machines belongs to a different
department.

 This is not efficient at all because you can have a saturated ADSL
connection and a load-free ADSL connection at the same time, i.e.,
there isn't any kind of load sharing. In addition, filtering and
management are limited to the ADSL routers' capabilities. These kinds
of routers don't usually have much functionality. If I want to do some
kind of filtering (firewall) I have to repeat the work on both routers
(enter the same rules twice, on a per-router basis).

 I want to switch to the following scheme:


 Client machines <-> Linux IP Load-Balancer <-> ADSL Router X <-> INET
 (192.168.0.0/24)                               (192.168.*.229) NAT

 Client machines <-> Linux IP Load-Balancer <-> ADSL Router X <-> INET
 (192.168.1.0/24)                               (192.168.*.229) NAT


 In this new scheme we have a machine which will act as an IP
load balancer. Advantages:
- Load sharing: optimizes the use of our internet connections.
- I can set up the firewall on this machine instead of on the ADSL
routers -> easier management.
- More powerful management. I can gather internet traffic stats, etc. In
summary, I can run any network analyzer tool which runs on Linux (I'm
not limited to the ADSL routers' tools).
- Easier scalability: I can add as many new ADSL routers as I want.

 Please note that with this new scheme we get load balancing in *BOTH*
directions (outgoing and incoming) thanks to the NAT being performed! I mean:
- outgoing balancing is assured by our Linux IP load balancer
- incoming packets return via the same router they were sent
across (this wouldn't be the case if our client machines had real
IP addresses [no NAT performed]).


 I also want to set up a transparent proxy (squid) on the Linux
IP load balancer, mainly for www traffic. In this way, if any user
performs an HTTP request, it will be handled by squid, which is more
efficient (it has a cache, e.g.) and "loggable/verbose" (I could have
www access stats: which user accesses which web pages, etc.). And this
is transparent to our end users (client machines).

 If the requested service (ICQ, e.g.) is not handled by squid it should
be performed by direct routing.

 I'm currently using the 2.2.18 kernel (although it would be no problem
to switch to 2.4 if it proves necessary!!)

 Main issue to solve:
- "session handling": *ALL* packets belonging to the same "session"
should be conducted by *ONE and only one* ADSL router. Different
sessions could go across different ADSL routers, but a particular
session should use the *same router for all of its packets*. This way
we can ensure that our outgoing packets don't arrive out of order at
the dst host (different ADSL connections can have different delays,
etc.). One "session" could be *at least*:
1) a TCP connection (from SYN to RST packets, all included)
2) UDP packets belonging to the same "transaction" (for those apps which
use UDP-based protocols).

 I have set up a test machine to act as the "Linux IP load balancer"
and activated "CONFIG_IP_ROUTE_MULTIPATH". Then I've set up two
default routes with "ip route" and the "equalize"/"nexthop" options. But
it isn't working correctly. I think this method distributes packets in
a round-robin fashion but doesn't take the "session handling" problem
into account, I fear.

 How could I achieve what I want??? Can I set up "balanced routing"
on a per-session basis? Please, any ideas are welcome. Comments from
people running the described (or a similar) configuration are also
welcome.

 Thanks in advance!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ** RoMaN SoFt / LLFB **  
       roman@xxxxxxxxxx
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
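As an added example that is not part of the original post or of any reply to it, the script below shows one way to get the per-session behaviour asked for above: the multipath default route in the main table still decides where a *new* connection goes, and netfilter connection marks (CONNMARK) then pin every later packet of that connection, TCP or UDP, to the same router, while TCP/80 is diverted to squid and everything else is routed directly. Everything in it is assumed rather than taken from the post: a kernel whose netfilter has the CONNMARK target and match (mainline from 2.6; a 2.4 kernel needs the netfilter patch set), iproute2, the interface names eth0 (clients), eth1 (towards 192.168.0.229) and eth2 (towards 192.168.1.229), routing tables 101/102, marks 1/2, and squid listening on port 3128 in interception mode.

```shell
#!/bin/sh
# Added example, not from the original post: pin every packet of a connection
# to one ADSL router while new connections are spread over both, plus a
# transparent squid redirect for port-80 traffic.
#
# Assumed (none of this is stated in the post): a kernel with netfilter's
# CONNMARK target/match and iproute2; eth0 faces the clients, eth1 faces
# router 192.168.0.229 and eth2 faces router 192.168.1.229; squid listens on
# 3128 in interception mode.  Without the argument "apply" the script only
# prints the commands it would run.

LAN_IF=eth0
LAN_NETS="192.168.0.0/24 192.168.1.0/24"
WAN1_IF=eth1; WAN1_GW=192.168.0.229; WAN1_MARK=1; WAN1_TABLE=101
WAN2_IF=eth2; WAN2_GW=192.168.1.229; WAN2_MARK=2; WAN2_TABLE=102
SQUID_PORT=3128
DRY_RUN=1

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One routing table per router, selected by the packet's firewall mark.
# Unmarked packets fall through to the main table, whose default route is a
# multipath route over both routers: that is what decides the first packet
# of each new connection.
setup_policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$WAN1_TABLE"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
    run ip rule add fwmark "$WAN1_MARK" table "$WAN1_TABLE"
    run ip rule add fwmark "$WAN2_MARK" table "$WAN2_TABLE"
    run ip route replace default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1
    run ip route flush cache
}

# Session handling: the first packet of a connection leaves through whichever
# router the multipath route picked; mangle POSTROUTING records that choice in
# the conntrack entry (CONNMARK --set-mark), and PREROUTING/OUTPUT copy it back
# onto every later packet of the same connection (--restore-mark), so the
# fwmark rules above send them through the same router.  conntrack tracks UDP
# by address/port pairs as well, so a UDP "transaction" is pinned the same way.
setup_connection_pinning() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A POSTROUTING -o "$WAN1_IF" -m connmark --mark 0 \
        -j CONNMARK --set-mark "$WAN1_MARK"
    run iptables -t mangle -A POSTROUTING -o "$WAN2_IF" -m connmark --mark 0 \
        -j CONNMARK --set-mark "$WAN2_MARK"
    # Source-NAT onto each router's own subnet so neither router needs a
    # route back to the other department's network (assumption).
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
}

# Transparent proxy: only TCP/80 from the client networks is diverted to
# squid; anything else (ICQ, ...) is simply routed as above.
setup_transparent_proxy() {
    for net in $LAN_NETS; do
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$net" -p tcp \
            --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    done
}

configure_balancer() {
    setup_policy_routing
    setup_connection_pinning
    setup_transparent_proxy
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
configure_balancer
```

Run it without arguments to review the generated commands, and as root with `apply` to install them. Squid's own upstream connections are locally generated, which is why the OUTPUT chain restores the mark as well, and squid itself must be told it is intercepting (the directive name differs between squid versions). On 2.4-era kernels the route cache makes the main-table multipath route choose per destination rather than per packet, which does not matter here because only the first packet of a connection reaches it; from Linux 4.4 the kernel hashes the next hop on source and destination address, and from 4.12 `net.ipv4.fib_multipath_hash_policy=1` includes the ports, so on current kernels the multipath route alone already keeps a flow on one path and the CONNMARK rules only make that stickiness explicit.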


