On Fri, 2003-07-18 at 13:13, Jerry Amundson wrote:
> Hi.
> I'm new to these tools, but well versed in Linux and networking, and I
> just haven't found out some general stuff by going through the HOWTO's!

You have the links to Julian's patches and the nano-howto, right? If not I
would check out the FAQ @ http://www.docum.org/. There are links there as
well as some command examples from a dual SDSL config I had out in CA.

> We have two (2) Internet T1's (different providers), each connected to
> individual routers (one a Cisco, the other an Adtran, if it matters),
> which are kept apart from the internal networks by two (2) Cisco PIX
> firewall devices. The latter do NAT/PAT, in addition to normal network
> protection. One (1) firewall/T1 is currently "primary" as it is the
> Default Gateway for everything inside.
>
> My *goal* is to put a Linux router in place as the Default Gateway to
> be redundant and load balance across the T1's.
>
> Q1: I'm in the right place, right? :-)

Yes, however there has been some discussion of using BGP instead of using a
load balancing Linux router. Not sure if you looked into that first or not.

> Q2: Assuming I am in the right place, the part I don't understand is
> how to fit the Linux router in with the existing firewalls.

You can put it before or after the firewalls. I think your second diagram
will be the way to go. However you will need to do NAT on the Linux router
in order to get the load balancing to work correctly. So the question then
is: do you want to do NAT before or after your firewalls? More than likely
you will be doing more than one round of NAT/PAT.

> In a picture, we have:
> ----------------------
>                                 - DMZ1
> ISP1 - R1 -ONet1-Firewall1-|
>                            - INet1 <-> [internal NIC, Default Gateway]
>
>
> ISP2 - R2 -ONet2-Firewall2-- DMZ2
>
> And what we would like:
> -----------------------
>                                 - DMZ1
> ISP1 - R1 -ONet1-Firewall1-|
>                            - INet1 -|              |
>                                     | Linux Router | <-> [new Gateway]
> ISP2 - R2 -ONet2-Firewall2-- DMZ2 ---|              |
>
> I can revisit the HOWTO's, and many fine sites referenced in this list,
> but I wanted to make sure I was on the right track...

Yep, just keep in mind packets originating on the LAN destined for the
Internet will use the multipath gateway. To achieve load balancing from
the Internet in to the LAN, you will need to configure your DNS servers to
load balance the IP's with the corresponding domain name. This is quick
and fairly painless when using BIND.

> Please be gentle - I don't even know what the abbreviations tc, htb, or
> imq mean, yet!!

Those are all for traffic shaping, which you may or may not want to do.
However it really does not have anything to do with the load
balanced/redundant access.

Just as a thought: depending on what you are doing with the PIX's, if you
can replicate the functionality solely on the Linux router then do so.
Then you can turn around and sell or get rid of your PIX's. It may help to
simplify things a bit.

-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios, Inc.
3548 Jamestown Ln.
Jacksonville, FL 32223
Phone/Fax 904.260.2445
http://www.obsidian-studios.com
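The reply above makes two points that are easier to see in configuration form: the Linux router needs a multipath default route plus its own NAT so that outbound flows leave (and their replies return) on a consistent link, and inbound balancing is a DNS matter. The script below is an added example written for this thread, not configuration from the original poster or the list; the interface names, addresses, table numbers and the zone-file hostnames are assumed placeholders. It only prints the iproute2, iptables and BIND lines so they can be reviewed before anything is applied on a live router.

```shell
#!/bin/sh
# Added example: generate a multipath default gateway with per-link SNAT
# (LAN -> Internet) and a BIND round-robin zone fragment (Internet -> LAN).
# Everything below is constructed placeholder data, not real site config.

LAN_NET=192.168.0.0/24          # assumed internal network (INet1)

# Link towards Firewall1 / ISP1 and link towards Firewall2 / ISP2.
L1_IF=eth1; L1_IP=10.1.1.2; L1_GW=10.1.1.1; L1_TABLE=101
L2_IF=eth2; L2_IP=10.2.2.2; L2_GW=10.2.2.1; L2_TABLE=102

# A routing table per link, selected by the source address used on that
# link, so a flow that was NATed out of one link is answered on that link
# rather than being re-balanced onto the other one.
per_link_routes() {
  # args: iface ip gw table
  printf 'ip route add default via %s dev %s table %s\n' "$3" "$1" "$4"
  printf 'ip rule add from %s table %s\n' "$2" "$4"
}

# The multipath default route in the main table: new outbound flows are
# spread across both next hops (needs CONFIG_IP_ROUTE_MULTIPATH; the
# dead-gateway behaviour the thread refers to comes from Julian's patches).
multipath_default() {
  printf 'ip route replace default scope global'
  printf ' nexthop via %s dev %s weight 1' "$L1_GW" "$L1_IF"
  printf ' nexthop via %s dev %s weight 1\n' "$L2_GW" "$L2_IF"
}

# SNAT on the Linux router itself: traffic leaving on a link carries that
# link's address, which is what makes the per-link rule above match replies.
snat_rules() {
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
    "$LAN_NET" "$L1_IF" "$L1_IP"
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
    "$LAN_NET" "$L2_IF" "$L2_IP"
}

# Everything the router needs, in the order it should be applied.
generate_router_config() {
  per_link_routes "$L1_IF" "$L1_IP" "$L1_GW" "$L1_TABLE"
  per_link_routes "$L2_IF" "$L2_IP" "$L2_GW" "$L2_TABLE"
  multipath_default
  snat_rules
}

# Inbound side: BIND hands out both public addresses for one name in
# rotating order. The public addresses are constructed documentation values.
dns_round_robin() {
  # args: hostname ttl
  printf '%s\t%s\tIN\tA\t203.0.113.10\t; via ISP1\n' "$1" "$2"
  printf '%s\t%s\tIN\tA\t198.51.100.10\t; via ISP2\n' "$1" "$2"
}

# Usage: generate_router_config          (review the commands)
#        generate_router_config | sh     (apply, as root, on the router)
#        dns_round_robin www 60 >> db.example.zone
```

Keep the TTL on the round-robin records short so that a client that caches the address of a failed link recovers quickly; DNS rotation spreads new connections but cannot steer a session away from a link that has gone down mid-flow.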