* [LARTC] Dual T1's and firewalls/Nat, Help?
@ 2003-07-18 17:13 Jerry Amundson
2003-07-18 18:44 ` William L. Thomson Jr.
2003-07-19 20:30 ` Stef Coene
0 siblings, 2 replies; 3+ messages in thread
From: Jerry Amundson @ 2003-07-18 17:13 UTC (permalink / raw)
To: lartc
Hi.
I'm new to these tools, but well versed in Linux and networking, and I
just haven't found out some general stuff by going through the HOWTO's!
We have two (2) Internet T1's (different providers), each connected to
individual routers (one a Cisco, the other an Adtran, if it matters),
which are kept apart from the internal networks by two (2) Cisco PIX
firewall devices. The latter do NAT/PAT, in addition to normal network
protection. One (1) firewall/T1 is currently "primary" as it is the
Default Gateway for everything inside.
My *goal* is to put a Linux router in place as the Default Gateway to
be redundant and load balance across the T1's.
Q1: I'm in the right place, right? :-)
Q2: Assuming I am in the right place, the part I don't understand is
how to fit the Linux router in with the existing firewalls.
In a picture, we have:
----------------------
- DMZ1
ISP1 - R1 -ONet1-Firewall1-|
- INet1 <-> [internal NIC, Default Gateway]
ISP2 - R2 -ONet2-Firewall2-- DMZ2
And what we would like:
-----------------------
- DMZ1
ISP1 - R1 -ONet1-Firewall1-|
- INet1 -| |
| Linux Router | <-> [new Gateway]
ISP2 - R2 -ONet2-Firewall2-- DMZ2 ---| |
I can revisit the HOWTO's, and many fine sites referenced in this list,
but I wanted to make sure I was on the right track...
Please be gentle - I don't even know what the abbreviations tc, htb, or
imq mean, yet!!
Thanks,
jerry
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [LARTC] Dual T1's and firewalls/Nat, Help?
2003-07-18 17:13 [LARTC] Dual T1's and firewalls/Nat, Help? Jerry Amundson
@ 2003-07-18 18:44 ` William L. Thomson Jr.
2003-07-19 20:30 ` Stef Coene
1 sibling, 0 replies; 3+ messages in thread
From: William L. Thomson Jr. @ 2003-07-18 18:44 UTC (permalink / raw)
To: lartc
On Fri, 2003-07-18 at 13:13, Jerry Amundson wrote:
> Hi.
> I'm new to these tools, but well versed in Linux and networking, and I
> just haven't found out some general stuff by going through the HOWTO's!
You have the links to Julians patches and the nano-how to right?
If not I would check out the FAQ @ http://www.docum.org/.
There are links there as well as some command examples from dual SDSL
config I had out in CA.
> We have two (2) Internet T1's (different providers), each connected to
> individual routers (one a Cisco, the other an Adtran, if it matters),
> which are kept apart from the internal networks by two (2) Cisco PIX
> firewall devices. The latter do NAT/PAT, in addition to normal network
> protection. One (1) firewall/T1 is currently "primary" as it is the
> Default Gateway for everything inside.
>
> My *goal* is to put a Linux router in place as the Default Gateway to
> be redundant and load balance across the T1's.
>
> Q1: I'm in the right place, right? :-)
Yes, however there has been some discussion of using BGP instead of
using a load balancing Linux router. Not sure if you looked into that
first or not.
> Q2: Assuming I am in the right place, the part I don't understand is
> how to fit the Linux router in with the existing firewalls.
You can put it before or after the firewalls. I think your second
diagram will be the way to go. However you will need to do NAT on the
Linux router in order to get the load balancing to work correctly.
So the question then is do you want to do nat before or after your
firewalls? More than likely you will be doing more than one round of
NAT/PAT.
> In a picture, we have:
> ----------------------
> - DMZ1
> ISP1 - R1 -ONet1-Firewall1-|
> - INet1 <-> [internal NIC, Default Gateway]
>
>
> ISP2 - R2 -ONet2-Firewall2-- DMZ2
>
> And what we would like:
> -----------------------
> - DMZ1
> ISP1 - R1 -ONet1-Firewall1-|
> - INet1 -| |
> | Linux Router | <-> [new Gateway]
> ISP2 - R2 -ONet2-Firewall2-- DMZ2 ---| |
>
> I can revisit the HOWTO's, and many fine sites referenced in this list,
> but I wanted to make sure I was on the right track...
Yep, just keep in mind packets originating on the LAN destined for the
Internet will use the multipath gateway.
To achieve load balancing from the Internet in to the LAN, you will need
to configure your DNS servers to load balance the IP's with the
corresponding domain name.
This is quick and fairly painless when using BIND.
> Please be gentle - I don't even know what the abbreviations tc, htb, or
> imq mean, yet!!
Those are all for traffic shaping. Which you may or may not want to do.
However it really does not have anything to do with the load
balanced/redundant access.
Just as a thought. Depending on what you are doing with the PIX's, if
you can replicate the functionality solely on the Linux router then do
so. Then you can turn around and sell or get rid of your PIX's. It may
help to simplify things a bit.
--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios, Inc.
3548 Jamestown Ln.
Jacksonville, FL 32223
Phone/Fax 904.260.2445
http://www.obsidian-studios.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [LARTC] Dual T1's and firewalls/Nat, Help?
2003-07-18 17:13 [LARTC] Dual T1's and firewalls/Nat, Help? Jerry Amundson
2003-07-18 18:44 ` William L. Thomson Jr.
@ 2003-07-19 20:30 ` Stef Coene
1 sibling, 0 replies; 3+ messages in thread
From: Stef Coene @ 2003-07-19 20:30 UTC (permalink / raw)
To: lartc
On Friday 18 July 2003 20:44, William L. Thomson Jr. wrote:
> On Fri, 2003-07-18 at 13:13, Jerry Amundson wrote:
> > Hi.
> > I'm new to these tools, but well versed in Linux and networking, and I
> > just haven't found out some general stuff by going through the HOWTO's!
>
> You have the links to Julians patches and the nano-how to right?
> If not I would check out the FAQ @ http://www.docum.org/.
This is the link you need :
http://www.docum.org/stef.coene/qos/faq/cache/57.html
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-07-19 20:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-07-18 17:13 [LARTC] Dual T1's and firewalls/Nat, Help? Jerry Amundson
2003-07-18 18:44 ` William L. Thomson Jr.
2003-07-19 20:30 ` Stef Coene
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.