Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
- DSL allows me to run servers and provides a static IP, but service is slow (1700/500) because I am far from the phone company central office.
- Cable provides much faster service (5000/800), but they will not allow me to run a server and they only provide a dynamic IP address.
So, I am thinking of getting both to have the best of both worlds. Plus, this would provide some redundancy in the event one service goes down.
There is discussion out there about "load sharing", but I cannot seem to find anything that applies to my exact situation. I have 4 boxes on my LAN (2 linux and 2 wintendo). This is my setup (hope this shows up ok):
All the routers are standalone routers (not linux boxes). I could use the linux server box as a router, but I prefer not to so I can do maintenance on it without affecting the rest of the LAN. Router1 is wide open. Router2 is fully firewalled.
Now, how do I add a cable modem into this setup? I wish to continue routing all server traffic from the DSL modem (incoming web and email) to linux box1. However, browsing from linux box2, wintendo1, and wintendo2 should use the cable line. Fine, just run two separate LANs right? No, because I want to be able to access the entire LAN (including linux box1) locally from wintendo2, for example (or from any box behind router2). I want one LAN, not two.
Also, in the event the cable connection goes down, I'd like some automatic (or at least semi-easy) way to switch the entire LAN over to the DSL line temporarily.
First thing, I can't believe that the DSL speed you mentioned is too slow. I'm running my whole setup off a 768/768 DSL and it works fine. In fact, I've got more than enough bandwidth for what I'm doing. I'm running a webhosting deal from my house with about a dozen customers and the speeds I'm running at are just fine.
Also, you mentioned that your cable company doesn't allow you to run a server on their network, so I'd think that running one, even temporarily might be a problem. If they are firewalling ports (in accordance with their no-server policy) then you might have a problem. They may not be doing it today, but you shouldn't assume this will never happen.
I was running my servers on a cable connection for a while, and it really was a pain. First thing, I got a lot of mail rejected from some ISPs because my IP address was in a "dynamic pool". I'm not entirely sure what that means, but from what I understand, they know what range of IP addresses are dynamic and block them accordingly. So I was getting a lot of rejected mail, and even got put on a few blacklists for trying to send mail from a cable connection! Also, it made DNS a real pain, because I was on a dynamic IP address. Granted the IP was being "leased" to me, meaning it was like having a static IP, but with the understanding that it could change at any moment. So this forced me to get a 3rd party (like Zoneedit.com) to handle my DNS, which sucked, because I needed more control. However, since you're thinking of doing this only as a temporary fallback, maybe it's not such a problem.
My feeling is that it would be simpler to keep everything on a single type of internet connection... maybe go with the DSL for the static line. Do you really have that much traffic that you need such high bandwidth? Maybe you want to look at higher speed alternatives. Honestly, I am wondering this myself.... what does one need to do if they want more bandwidth than what DSL is able to provide?
If you still want 2 different ISPs providing both cable and DSL service, I think you can do it like this.... Disconnect the line going from router 1 to router 2. Have your cable connection going to router #2. Connect your DSL to router #1, or maybe just connect it straight to your linux server. When things go down, or you want to use your cable as a backup, you can unplug your server from router #1 and plug it into router #2, but I think this is going to require some port forwarding and may get a little messy. Another way would be to add a hub between your cable modem and router #2, that way you can unplug your server from the DSL modem and instead plug it into the hub.
Oops, forgot something... you wanted to have everything on one network... you could make your server multi-homed. Basically you'd have 2 ethernet cards in the server. eth0 would have the ip address 192.168.x.x and you could run a line from there to your router #2. eth1 would be your external interface, so you connect that to your router #1, or maybe straight to your DSL modem.
Hmmm, you know... thinking about it now... I'm not sure how you can run in "fallback" mode, because your cable provider only allows one IP address... so you'd have no way to differentiate your server from router #2. You'd have to run it with port forwarding... I don't think you could use the "hub" idea I mentioned before.
I'm still planning to run my server on the DSL line. I think I would rarely (or never) need to switch incoming server traffic to the cable connection. However, if needed, one thought is to use a mail forwarding service designed to get around ISPs that block port 25 (or otherwise try to stop servers). You set up an MX record (maybe a secondary MX) with their IP address. Then they forward all port 25 traffic arriving for that MX to some obscure port at my cable IP address. The cable company would be unlikely to find the obscure port. Or, even better, block all ip addresses on the cable connection except for the ip of the mail forwarder. I guess I'd need to use a service like zoneedit to update DNS ... or something like that.
Speaking of Zoneedit ... In the past I've used zoneedit for DNS with a dynamic IP address on the DSL line. Email worked fine that way for me (I use an obscure DSL ISP so likely their dynamic IP ranges are not widely known), but it always bugged me that my domain would be offline for up to an hour before a cron job on my server updated the DNS with zoneedit. My ISP offered static IP addresses for a one-time $50 fee. So, I went that route and I'm happy.
The Need for Speed: 1700/500 is more than fast enough for my server. It's just that 5M service is becoming standard in Canada (cost $45 cdn = $30 US/month ... nice) and it bugs me knowing it's there, it's dirt cheap, but I don't have it. Not sure if this is true, but I heard in Sweden 10M service is standard. That's nuts! ... but I like it. So, it comes down to wanting 5M service -- not needing it, and the cable company is the only source of 5M in my neighbourhood on the fringes of suburbia where 5M DSL is not available (yet).
I will be taking a close look at your suggestions. I always seem to find solutions for this kind of stuff even if I have to bang my head against the wall for a month. If you have any further ideas, post em. I will post my solution when it works.
Oh wait, how's my math? $45 CDN = ~$33 US -- still pretty flippin inexpensive for 5M, I'd say.
Now you got the gears in my brain spinning. I think the answer lies with 2 network cards in the server. However, I don't want to plug the server in behind router 2 because then it has access to the part of my LAN that is supposed to be shielded from potential hackers.
That 5M sounds wonderful, but as I understand it, that is only for your personal browsing experience. Since you're using your connection to serve pages, you need more upload speed, since that is what your clients will "feel" when they connect to your box.
I think what you're saying is... connecting your server to router #2 would expose it to the internet through that way? I think you could use tcpwrappers or iptables to deny from anything but the local net.
That's how I'm running now. I've got a DSL line coming from the wall that feeds a hub. The hub connects to 2 servers and also to a router. The router feeds the other windows boxes on my network, but I also have the servers set up as multihomed machines, so I've got cat5 cable going from each of the servers to my router. This way, I am on one of the windows boxes and I can access my servers using non-routable IPs. So technically, the servers are connected to the router just like the other windows machines, so yeah, I guess they are vulnerable from that direction, but I have iptables set to drop anything coming through that direction that is not from my specific machine.
Your setup is similar to mine. Essentially, my router1 is a hub. Actually, I have it partially firewalled, but it's open on port 25, 80, 443, and another obscure port for SSH when I am at an external site. I am missing your CAT5 cables to router2. When I need to access the server from the windows boxes (or anywhere behind router2) I access it locally by ssh or VNC. This gives me access to the server from behind router2, but router2 firewall blocks access to the windows boxes from the server. Since the server is partially exposed, I guess I am overly paranoid that someone will get into the server as root. In that crazy scenario, router2 prevents them then from accessing the rest of the LAN. In your case, presumably, once in as root, they could mess with iptables on the server. Or, I guess if they're in as root they'd be local anyways, so iptables would be moot. Not sure if I've understood your setup perfectly. And don't get me wrong, I am not criticizing your setup at all. In fact, you are giving me lots of ideas on how to solve my problem.
Here's an idea that may alleviate your concerns about SSH. I'm using RSA to authenticate. For my shell on Windows, I'm using PuTTY to access my servers via SSH. I generated RSA keys so basically the only way you're going to access my servers *AT ALL* is if you're on my computer. Period. Other people who try to access my machines via SSH will not even get a login prompt, since RSA is the only type of authentication I'm allowing. So RSA is the only thing allowed, and you must also have my private key, so I'm not terribly worried about people getting in anymore. Just for added security, I don't even have an external port open for SSH, but when I go on the road, I just open port 22 and take my laptop that has the RSA keys and close port 22 when I get back home.
Gotcha. I use Putty externally also. I actually leave an obscure port open for SSH, but anyone will get the prompt if they find the port and figure out what it's for. So... I'd say your setup may be more secure (but less convenient) than mine.
I think I have a configuration that will work. It's quite similar to your previous suggestion (I think). I'd appreciate input if you spot problems, but I think this will work:
The only thing I am unclear about is how to specify eth0 or eth1 gets used by the linux server to access the internet. Looks like either one would work. I am guessing that is dead simple to configure either way.
If the cable goes down, it looks to me like you just change the WAN gateway on router2 to the local ip address of eth1 and you've switched to browsing on the DSL connection (from windows boxes) instead of cable … or maybe it's not quite that simple because you're going through the server. I'm not sure. There might be configuration required to make the server act as a router -- probably simple enough. Alternately, unplug router2 from router3 and plug router2 into router1 instead. That works for sure -- in fact that sets it back to the original configuration I have right now.
Ok, what does this accomplish?
- Two different connections to the internet (cable for normal internet access from windoze boxes and DSL access for the server)
- Allows the windows boxes to access the server box locally.
- Redundancy in the event one connection goes down.
Less convenient? Not sure why you say that. In my case with the RSA auth happening, I don't even need to type anything! I just launch putty and it logs me in automatically without entering any username or password. Doesn't get any more convenient than that! Actually this is one of the main reasons I wanted to do this. I was sick of always having to login when I launch a new SSH window.
As far as the eth1 and eth0 thing... I've got some minor horror stories about this. When I first decided I wanted to set up my box with dual ethernet cards, I only had one installed and so I added a second card. Man, I played hell trying to get the card working. For some damn reason, the machine just would NOT accept the new card.
You can read about my trials and tribulations for this here...
I even had the legendary Jim Levine (author of the new O'Reilly book for qmail) helping me with this problem and we just couldn't figure it out. I eventually gave up and reloaded the machine from scratch. When I did that, both cards were detected automagically and without a single hitch! For some reason, I just couldn't get it installed otherwise.
Overall your setup sounds pretty good, but like I said before... if it were me, I wouldn't mess with all that. I don't have that much downtime with my current connection to warrant setting up another ISP just to cover that... plus the expense of 2 internet connections? Geez! Just too much money for me. I'm paying a pretty penny as it is right now for the DSL line I'm using. But by the same token, I realize you want to take advantage of that 5M connection, and I can't blame you there.
Like I was saying in my last post... I'm just wondering what you can upgrade to beyond that. I mean, what are the "real" ISPs using??? I've heard you can get a "real" T1 line for like 1000 USD a month, but that seems outrageous, considering it's just 1500/1500. If anyone knows better, please correct me!
Yeah, I may have bumped into something similar with 2 ethernet cards on my server box already. The mobo has an onboard card. Originally, I dropped an extra card in it before installing RH8. I was going to use it as a router. Neither card would work. Even when I pulled the PCI card the onboard card would still not work. Finally I gave up and a fresh RH8 install was the only thing that could get the onboard card working. I don't want to go through all that again.
I am still mulling over the expense. My business will pay, but it's still money leaving the business. The cable company would give me a business 5M connection for $80/month. This DSL/Cable combo setup will cost me $75. I may decide just to stay with DSL alone, but momentum is shifting me to the combo thing right now.
Man, I looked into T1 one time too. I could not believe it. Exactly as you say ... 1500/1500 was around $1000/month. Obviously, you want the UL speed to be as high as possible for running servers, but the cost seems just way out of whack when I currently have 1700/500 (~) for $30/month.
Anyways, thanks again for all your input. Much appreciated. I'll post back here if/when I get this working.
I didn't mention this before, but I have a 2-month free promotion on cable. It's not the 5M service (yet), but it at least allows me to test this entire setup before committing to 5M.
One minor glitch: I can ping eth1 from the windoze boxes, but not eth0 (or router1). From the server itself I can ping eth0, eth1, router1, router2 and router3. This must be some very simple configuration thing. I am guessing the server box thinks my windoze box ip addresses are not local or something like that. I have no firewall on the server.
I bet somebody can tell me what to change to give me access through the server to the cable line (if I need/want it). Why can't I ping eth0 and beyond?
First thing... If you check out that post I had on Expert's Exchange, John Levine suggested having eth1 as the "external" interface and eth0 as the "internal". The reason is... if you bring up the system in rescue mode you cannot bring up eth1, but you CAN bring up eth0. This allows you to have access from your windows machines when you need it.
I think in order to use your DSL connection for your windows machines, you have to setup your server to act as a router. That's my only nugget of knowledge in this area, so maybe someone else can suggest something more specific.
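A small path-trace model added here by the editor (not code from any poster) to work through the ping symptom and the "server must act as a router" point above. The topology and all addresses are assumed and constructed: router2's WAN sits on the same subnet as the server's eth1 (10.0.3.0/24), eth0 sits on router1's DSL subnet (10.0.1.0/24), and the cable router (router3) is modelled without a default route because the cable ISP would not route the private DSL-side subnet anyway.

```python
from ipaddress import ip_address, ip_network

def node(addrs, routes, forward):
    """A host or router: its own addresses, a route table of
    (network, next hop or None for directly attached), and whether
    it forwards packets that are not addressed to itself (ip_forward)."""
    return {"addrs": {ip_address(a) for a in addrs},
            "routes": [(ip_network(n), None if h is None else ip_address(h))
                       for n, h in routes],
            "forward": forward}

def build_lan(router2_static_route=False, server_forwards=False):
    """Constructed model of the thread's topology (addresses are made up)."""
    r2_routes = [("192.168.0.0/24", None), ("10.0.3.0/24", None),
                 ("0.0.0.0/0", "10.0.3.1")]          # default: out to cable
    if router2_static_route:                          # candidate fix: send the
        r2_routes.append(("10.0.1.0/24", "10.0.3.2")) # DSL-side subnet via eth1
    return {
        "wintendo2": node(["192.168.0.10"],
                          [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")], False),
        "router2": node(["192.168.0.1", "10.0.3.3"], r2_routes, True),
        "router3": node(["10.0.3.1"], [("10.0.3.0/24", None)], True),
        "server": node(["10.0.1.2", "10.0.3.2"],    # eth0 / eth1
                       [("10.0.1.0/24", None), ("10.0.3.0/24", None),
                        ("0.0.0.0/0", "10.0.1.1")], server_forwards),
        "router1": node(["10.0.1.1"], [("10.0.1.0/24", None)], True),
    }

def trace(nodes, src, dst, max_hops=8):
    """Follow one packet from src to dst using longest-prefix matching at
    each hop. Returns (path, outcome). Only the outbound direction is
    traced; the echo reply is assumed to find its way back symmetrically."""
    dst_ip = ip_address(dst)
    owner = {a: n for n, nd in nodes.items() for a in nd["addrs"]}
    path, cur = [src], src
    for _ in range(max_hops):
        nd = nodes[cur]
        if dst_ip in nd["addrs"]:           # a host answers on any of its
            return path, "delivered"        # addresses, forwarding or not
        if cur != src and not nd["forward"]:
            return path, f"dropped at {cur}: ip_forward disabled"
        matches = [r for r in nd["routes"] if dst_ip in r[0]]
        if not matches:
            return path, f"dropped at {cur}: no route"
        net, hop = max(matches, key=lambda r: r[0].prefixlen)
        nxt = dst_ip if hop is None else hop
        if nxt not in owner:
            return path, f"dropped at {cur}: next hop {nxt} unreachable"
        cur = owner[nxt]
        path.append(cur)
    return path, "dropped: hop limit exceeded"
```

Run `trace(build_lan(), "wintendo2", "10.0.1.2")` to see the packet leave router2 toward the cable router and die there, then repeat with `router2_static_route=True` and `server_forwards=True` to see first eth0 and then router1 become reachable through the server.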
I would not try to build 2 DSLs into a single AUTONOMOUS tree, i.e. tie them together. Your ISPs will get mad and send some people over to hit you in the skull with some power bars.
Better to run 2 servers side by side each with their own routers/network etc.
THEN add an extra network card in each router PC, and provide your own redundant internet access at the Ethernet level. If you do it at the IP level... well, you know about the AUTONOMOUS single tree problem, power bar beat down.
Best of all, neither ISP provider will have any idea of your deviousness!
Not sure if it will be automatic failover, since you will have 2 gateways...