Discussion:
Two ISPs, two static IPs and two servers
Tony Paterson
2004-08-30 19:47:38 UTC
Hi,

My head's been running round in circles on this and I just wanted to make sure that I was looking at it the right way.

We already have a full rate JetStream connection and have just added Wired Country in order to get a second static IP and some redundancy.


Current config:

SonicWall FireWall/VPN
- WAN, LAN and DMZ connections

JetStream (Full rate)
- Static IP
- Nokia M1122
- WAN side of SonicWall
- HTTP/SSH etc point to Linux box

WiredCountry
- Static IP
- DLink router
- WAN side of SonicWall

Linux Server
- Using IPTables for routing
- CVS, Apache etc
- WAN side of SonicWall

Windows Server
- HTTPS
- LAN side of SonicWall


Problem:
The default gateway for the linux box is the JetStream connection, and the default gateway for the SonicWall is also the JetStream connection. This scenario has been working fine.

If I put a web server on the WAN side of the SonicWall and set its default gateway to the DLink/WiredCountry connection and set it up as a "Virtual Server"/NAT it works fine and is accessible from the Internet. If I create another "Virtual Server" on the WiredCountry/DLink connection, which points to the linux box, it's not accessible from the Internet, and the same is true if I create a "Virtual Server" which points to a port on the SonicWall.

My thinking is that this is all related to Default Gateways and I may need to setup another linux box to do NAT/masquerading etc.

Basically I want to be able to point "Virtual Servers"/NAT from both JetStream and WiredCountry to the linux box - am I looking at this all wrong?

Any suggestions/ideas appreciated.

Yours Tony P
--
This message is part of the NZ ADSL mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to ***@lists.unixathome.org
with "unsubscribe adsl" in the body of the message
Tony Paterson
2004-08-31 06:33:53 UTC
That is exactly how I see the problem; I have an idea on how to get around it in this situation, but all my other ideas have not panned out, so any suggestions welcome.

Thanks

-----Original Message-----
From: Jeff McLuckie [mailto:***@paradise.net.nz]
Sent: Tuesday, 31 August 2004 6:25 p.m.
To: Tony Paterson
Subject: RE: Two ISPs, two static IPs and two servers


As far as I know you can't have a box going out through a different gateway
than the request came in on, or the client receives an ACK from an IP it never
sent a SYN to, hence no connection.

The connection has to go in and out through the same gateway.

Jeff McLuckie
2004-08-31 07:13:22 UTC
Sorry for not replying to the list (slaps head), been in Ctrl R, Type, Send
Mode all day.

I don't know that there is a way around it. We have a similar setup at work
(Wired Country and ihug). Same situation except we're publishing mail/https.
You do need to route the outgoing connection through the ip/connection it
came in on.

Unless you had some form of router/proxy behind both connections and then
that goes to your lan. Though that would be getting a little beyond my
depth, so I'll leave it to the rest of the capable minds on this list.

Cheers,
-Jeff

Robert McDonald
2004-09-02 06:30:35 UTC
Reverse Proxy or Source Natting.

Everything on either of the connections gets pinholed as normal, but
instead of going direct to the servers, it goes to a new Linux box.

That Linux box does source NATting, and forwards to the applicable server.

The downside to this is that every request sent to the servers will
appear as though it is coming from the IP address of the Linux source NAT box.

I have done this before, but the box that has it on has just been pulled
out and is about to be couriered back to Auckland so I can't steal the
iptables script. I won't embarrass myself by trying to write it again; it
would probably be wrong.

Cheers

Rob
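The relay box Rob describes, as an added example that is not from the thread and not anyone's production script: a Linux host with one interface towards each router and one towards the real server. Both routers pinhole their public ports to the relay's address on their own segment; the relay DNATs those ports to the server, SNATs them to its server-side address so the server answers the relay, and sends each reply back through the router the request arrived from, using the interface-based packet marking Jp mentions further down. Every interface name, address, port, routing-table number and mark value below is an assumption chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): a Linux DNAT + source-NAT relay that
# both routers pinhole to. All names, addresses and numbers are assumptions.
#
#   eth0  192.168.1.2   segment with the Nokia M1122 (JetStream), gw 192.168.1.1
#   eth1  192.168.2.2   segment with the D-Link (Wired Country),  gw 192.168.2.1
#   eth2  192.168.3.1   segment with the real server 192.168.3.10
JS_IF=eth0; JS_GW=192.168.1.1; JS_TABLE=100; JS_MARK=1
WC_IF=eth1; WC_GW=192.168.2.1; WC_TABLE=200; WC_MARK=2
SRV_IF=eth2; SRV_ADDR=192.168.3.1; SERVER=192.168.3.10
PORTS="22 80 2401"   # sshd, Apache, cvspserver: only these are pinholed

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rule set can be reviewed before it is applied to a live box as root.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

pinhole() {
    # $1 = ingress interface, $2 = TCP port. Stateful allow-list: only NEW
    # connections to the pinholed port on the server are forwarded.
    run iptables -t nat -A PREROUTING -i "$1" -p tcp --dport "$2" \
        -j DNAT --to-destination "$SERVER:$2"
    run iptables -A FORWARD -i "$1" -o "$SRV_IF" -p tcp -d "$SERVER" --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $PORTS; do
        pinhole "$JS_IF" "$p"
        pinhole "$WC_IF" "$p"
    done
    # Source NAT towards the server. This is the downside Rob notes: the
    # server's logs will show SRV_ADDR instead of the real client address.
    run iptables -t nat -A POSTROUTING -o "$SRV_IF" -d "$SERVER" -j SNAT --to-source "$SRV_ADDR"
}

return_path_rules() {
    # When the routing decision is made for a reply from the server, its
    # source is still the server's address (the un-DNAT back to 192.168.x.2
    # happens later, in POSTROUTING), so source-address rules cannot pick
    # the uplink. Instead, record the ingress interface of each NEW
    # connection in its conntrack mark, copy that mark onto every packet of
    # the connection, and route by mark.
    run ip route add default via "$JS_GW" dev "$JS_IF" table "$JS_TABLE"
    run ip route add default via "$WC_GW" dev "$WC_IF" table "$WC_TABLE"
    run ip rule add fwmark "$JS_MARK" table "$JS_TABLE" priority 100
    run ip rule add fwmark "$WC_MARK" table "$WC_TABLE" priority 101
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$JS_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$JS_MARK"
    run iptables -t mangle -A PREROUTING -i "$WC_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$WC_MARK"
    # Strict reverse-path filtering would drop Internet packets arriving on
    # eth1, because the main table routes their sources via eth0. Loose mode
    # keeps a sanity check; use 0 on kernels that predate mode 2.
    run sysctl -w "net.ipv4.conf.$JS_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$WC_IF.rp_filter=2"
}

relay_commands() { nat_rules; return_path_rules; }

if [ "${1:-}" = "apply" ]; then relay_commands; fi
```

With DRY_RUN left at 1 the script only prints the rules; `DRY_RUN=0 sh relay.sh apply` as root installs them. To check the return path, fetch the Wired Country address from outside while running `tcpdump -ni eth1 port 80` on the relay: the SYN/ACK must leave on eth1, not eth0. As Rob says, Apache and sshd will log 192.168.3.1 for every client; for HTTP that can be recovered by terminating on the relay with a reverse proxy that adds an X-Forwarded-For header, but ssh and CVS will only ever see the relay's address.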
Jp Wise
2004-08-31 07:19:06 UTC
For what you're describing, yes, that's exactly the problem. It needs to
go in and out via the same gateway. If asynchronous routing was
supported (it used to be on DSL, not anymore), then it wouldn't be a problem.

Your best bet would be to read up on advanced routing with multiple
uplinks - http://lartc.org/howto/lartc.rpdb.multiple-links.html

Not sure if you'd be able to tie it all in directly; depends on whether
the Linux box has direct access to the DSL and the Wired Country as
gateways. If it does you can configure a separate interface (eth0:1 or
another NIC), then configure the iptables packet marking to send out via
the appropriate gateway depending on what interface it arrived
through, i.e. forward DSL to one interface, wireless to the other.

PS: Probably a better question for the NZLUG list. www.linux.net.nz

Jp.
Jason Chuang
2004-08-31 12:42:14 UTC
Tony,

Not sure what the capabilities are of the SonicWall, but basically you need
to put in something like a network load balancing switch (generally these
are expensive - I am not sure if you can do this in software on a Linux
box). This would become your default gateway and would sit between the
SonicWall and the 2 "WAN" connections. Most NLB switches (or Layer 4-7
switches) are smart enough to maintain session information and route traffic
appropriately.

Have a look at http://www.xincom.com/papers/inbound_loadBalancing.html or
http://www.foundrynetworks.com/products/webswitches/serveriron/index.html

Another possibility is to try the following (assuming the SonicWall supports
this)

Configure multiple VLAN "External" interfaces on the SonicWall external
interface - one for each WAN connection (so they will have different
IPs/subnets) - I am quite certain I can do this on my Netscreen 50 (but
haven't tried it). Also matching VLAN "Internal" interfaces.
Flow that down through to the web servers by having multiple NICs (physical
or virtual) with default gateways that point back to the appropriate FW
interfaces, and configure your FW policies appropriately.
For redundancy you could set up secondary routes and DNS entries with a
higher cost.

Can be quite messy to manage and requires the SonicWall to be able to handle
some advanced networking features but is a cheap solution if it does.

Hope this helps

Cheers

Jason
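The server-side piece that Jp's LARTC link and Jason's "multiple NICs, each with a default gateway pointing back at its own firewall interface" suggestion both come down to, as an added example and not anything from the thread: on the Linux box, one interface per uplink, each router pinholing to the address on its own segment, and iproute2 policy routing so that a reply leaves by the gateway that belongs to its source address. Interface names, addresses, subnets and table numbers are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): source-address policy routing on a
# dual-homed Linux host, the LARTC "multiple uplinks" recipe. All names,
# addresses and table numbers are assumptions.
#
#   eth0  192.168.1.10/24  segment with the Nokia M1122 (JetStream), gw 192.168.1.1
#   eth1  192.168.2.10/24  segment with the D-Link (Wired Country),  gw 192.168.2.1
JS_IF=eth0; JS_NET=192.168.1.0/24; JS_ADDR=192.168.1.10; JS_GW=192.168.1.1; JS_TABLE=100
WC_IF=eth1; WC_NET=192.168.2.0/24; WC_ADDR=192.168.2.10; WC_GW=192.168.2.1; WC_TABLE=200

# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

uplink_table() {
    # $1 iface  $2 subnet  $3 local addr  $4 gateway  $5 table number
    # Each table carries the connected subnet as well as its own default, so
    # a lookup that lands in it never needs the main table (whose default
    # would send the packet out the wrong uplink).
    run ip route add "$2" dev "$1" src "$3" table "$5"
    run ip route add default via "$4" dev "$1" table "$5"
}

policy_rules() {
    uplink_table "$JS_IF" "$JS_NET" "$JS_ADDR" "$JS_GW" "$JS_TABLE"
    uplink_table "$WC_IF" "$WC_NET" "$WC_ADDR" "$WC_GW" "$WC_TABLE"
    # A reply to a connection the D-Link forwarded to 192.168.2.10 is
    # sourced from that address, so it is routed by table 200 and leaves
    # via eth1. Traffic the host originates itself picks its source from the
    # main table's JetStream default and is unaffected.
    run ip rule add from "$JS_ADDR" table "$JS_TABLE" priority 100
    run ip rule add from "$WC_ADDR" table "$WC_TABLE" priority 101
    run ip route flush cache
}

# sshd, Apache and cvs pserver listen on 0.0.0.0 by default, so they are
# reachable on both addresses without further changes.
if [ "${1:-}" = "apply" ]; then policy_rules; fi
```

After applying as root, `ip rule show` and `ip route show table 200` should list the new rule and table, and `ip route get 203.0.113.9 from 192.168.2.10` (203.0.113.9 being a documentation-range stand-in for an Internet client) should name eth1 and 192.168.2.1. The recipe relies on the two routers forwarding to different local addresses; if both routers are set to forward to the same address, the source no longer identifies the uplink and the per-interface packet marking Jp mentions is needed instead.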