linux route/proxy redundant internet connection from scratch -- need help
I am looking for help in order to reach a goal for my office and for me. My big problem is about work connections: I have two very bad service providers and obviously those affect my job.
(SERVICE A in host_a@a_port) in network X
(SERVICE B in host_b@b_port) in network X
(Internet through GWX) in network X
(Email Service in url_email_pop) in network Y.
(Email Service in url_email_smtp) in network Y.
(Internet through http_proxy:web (only port 80)) in network Y.
(SERVICE C in host_c@c_port) in network Y.
I have two RJ45 connectors, one for Network X and the other for Network Y.
All workstations we have are in Network Y (best internet service), but when someone needs to get services from network X we switch (physically changing the cable) to the other network.
1) First I want to connect a linux box with two network cards to both networks. Then I get something like: Eth0_networkX and Eth1_networkY.
2) Route to services in network X through Eth0_networkX (coming from workstations in network Y through Eth1_networkY).
HERE: I will solve my most urgent problem (cable change).
BUT: I think I can get more of this configuration with some work.
3) Implement an HTTP proxy on the linux_box.
4) Poll the internet on network X and, when X is down, route the proxy connection to network Y; when the internet in network X is up, get back to configuring the proxy to get web from the proxy in network Y. (This part is the hardest in my humble opinion).
1) Do you think items 1 and 2 are right? Is that the best way for my situation?
2) Do you think items 3 and 4 are right? Is that the best way for my situation?
3) What technology must I begin to study (NAT, iptables, squid?, other?).
4) Has someone already done something like this who can guide me?
Sorry for my English, it is not my mother tongue.
First of all, you should connect all your desktop machines to network Z. Then build a firewall / router machine between all 3 networks. Have your boxes in network Z use it as a default gateway. Add a static route to network Y and X. Finally either use OSPF or simple scripts for network failover. Chances are, you won't be able to use OSPF, so just write some scripts to ping a few sites over both links and have them remove the dead routes.
1) Is it possible that I keep the workstations in network Y and configure the default GW in the workstations to the linux box? This can help me because: a) I don't need to do any work on cables. b) I don't need a third network interface in the linux box. (Perhaps it can be an IP alias) but I prefer to skip those complications that I don't know.
2) I don't see how what you are proposing deals with switching between the proxy in network Y and the direct connection in network X. Is this a misunderstanding? Or are you solving that in your schema?
Let's clarify a few details of your current network:
- Network Y is on an IP network and has public IP addresses.
- Network X is on a different IP network and also has public different addresses.
- The two networks have different network providers.
If this is the case, you already have a default gateway for your two networks and it makes absolutely no sense at all to route your internal traffic to a Linux box to have it routed back to your default gateway anyway. Especially, if you want to use your Linux box as a proxy.
Is this some sort of office setup, or are these servers?
Anyway, since your two networks use different IP addresses, you need to route them together. If you want to use your two uplinks redundantly, you need to have someone switch the routes around, that is for simplicity, you need a default gateway for all your computers.
I have created a small sketch of how I see your setup right now.
The topology in my 4-item proposal is like this:
Janoszen, I really appreciate your interest in helping me.
I attach a picture with what I tried to describe above; in the common way (which is the current situation) the cable "to network X" is free. When we need some service from "SERVICE A" or "SERVICE B" we physically connect that cable.
"Internet X1" and "Internet X2" are just for show.
When a workstation connects to the "to network X" cable, it connects to the internet directly (NAT) and accesses "SERVICE A" and "SERVICE B".
When a workstation connects to the "to network Y" cable, it connects to the internet through the HTTP proxy and accesses "SERVICE EMAIL".
I already tried to get both (organization internal service providers) to talk and bring me a solution, without success. My attempt is to put the "linux box" configured as in the picture, for example, with a squid proxy that uses "the proxy from network Y and Router Y default GW" or "Router A default GW" for the internet connection according to the situation. Additionally, route workstations to "SERVICE A", "SERVICE B" or "SERVICE EMAIL".
The problem is, you most likely have configured router Y as your default gateway. If you can change that and network layer security does not matter (like someone setting a different gw) you're in business.
There are two setups possible.
1. Push routes via DHCP. You can push static routes to clients. However, only single IPs, not networks. Given an adequately small lease time, you can even implement failover. You must also allow forwarded connections from Y to X on your Linux box.
2. Setting the default gateway. Set your default GW to your Linux box, which then forwards all connections to their intended destinations.
As mentioned, in both setups someone with control over their computers can bypass your box.
You also need to ensure that the Y and X networks are on different subnets. If that is not possible, you need to make sure that there are no colliding IPs or you'll be in a world of hurt.
What about items 3) and 4)? Can I configure a proxy that uses another proxy, and later configure the proxy by script to use Router X1 as default GW? What tips can I get about this?
There are a ton of possibilities once you have a secure gateway. I have *some* experience with squid.
Since you lack the cooperation of your ISPs, you need to write the connection checking script yourself. I recommend running two squid proxies on a dummy address and implementing a DNAT rule on your network Z IP addresses' proxy port depending on the target network. You should also add a firewall rule to allow bypassing the proxy for your network Y and X native hosts.
This is not an optimal setup, bypassing network Y's proxy would be desirable but does not seem to be an option. Also, load balancing connections is not an option this way. However, my squid knowledge is limited so you might be able to work out a better (load balanced) setup. Take a look at this option.
You may also be interested in the web proxy autodiscovery protocol. I also recommend switching off IPv6 support on your box for now. There are quite a lot of unresolved security issues, which pose a threat to a gateway like yours.
A little bit of extra security: if you are worried someone may plug a laptop into your network and your switch is something more advanced, implement 802.1X. I recently installed the new Kubuntu and noted it has a GUI to use it with.
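The two pieces of advice above, "write some scripts to ping a few sites over both links and have them remove the dead routes" and "run two squid proxies on a dummy address and implement a DNAT rule on the proxy port depending on the target network", fit together in one script. The following is an added example written for this thread, not code from any poster or project. Everything in it is an assumption for illustration: interface names, the GWX and router Y addresses, network Y's proxy address, the dummy address 10.255.255.1, the squid ports 3128 (direct via X) and 3129 (parent = network Y's proxy), and the probe hosts, which are constructed placeholders. The only decision logic worth testing, `choose_uplink`, is kept free of root-only commands, and `DRY_RUN=1` (the default) prints the `ip`/`iptables` commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: link-check and failover script for the
# two-uplink Linux box discussed above. Every name below is an assumption made
# for illustration; replace interfaces, addresses, ports and probe hosts.

ETH_X="eth0"                 # uplink to network X (direct internet via GWX)
ETH_Y="eth1"                 # uplink to network Y (workstations; internet only via proxy)
GW_X="192.0.2.1"             # assumed address of GWX
GW_Y="198.51.100.1"          # assumed address of router Y
PROXY_Y="198.51.100.80:8080" # assumed address of network Y's HTTP proxy
DUMMY_IP="10.255.255.1"      # assumed address on dummy0 where both squid instances listen
PORT_DIRECT=3128             # squid instance that fetches directly through network X
PORT_VIA_Y=3129              # squid instance whose cache_peer parent is network Y's proxy
PROBES="198.51.100.53 203.0.113.53"  # constructed probe hosts; use a few real sites
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands instead of executing them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# probe_x: network X has a direct route, so ping a few hosts out of ETH_X.
probe_x() {
    for host in $PROBES; do
        ping -c 2 -W 2 -I "$ETH_X" "$host" >/dev/null 2>&1 && return 0
    done
    return 1
}

# probe_y: network Y only offers port 80 through its proxy, so a ping proves
# nothing there; fetch a page through that proxy instead (needs curl).
probe_y() {
    curl -s -o /dev/null --max-time 5 -x "http://$PROXY_Y" http://example.com/
}

# choose_uplink X_STATE Y_STATE: pure decision logic (prints x, y or none).
# X is preferred because it is a direct route without the port-80 limit.
choose_uplink() {
    if [ "$1" = up ]; then echo x
    elif [ "$2" = up ]; then echo y
    else echo none
    fi
}

# apply_uplink x|y|none: install the default route for the chosen uplink and
# point the PROXY_SELECT DNAT rule at the matching squid instance.
apply_uplink() {
    case "$1" in
        x|y)
            if [ "$1" = x ]; then gw="$GW_X"; dev="$ETH_X"; port="$PORT_DIRECT"
            else gw="$GW_Y"; dev="$ETH_Y"; port="$PORT_VIA_Y"; fi
            run ip route replace default via "$gw" dev "$dev"
            run iptables -t nat -F PROXY_SELECT
            run iptables -t nat -A PROXY_SELECT -p tcp --dport "$PORT_DIRECT" \
                -j DNAT --to-destination "$DUMMY_IP:$port"
            ;;
        none)
            run ip route del default 2>/dev/null || true
            ;;
    esac
}

# setup: one-time preparation, run once at boot before the monitor.
setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip link add dummy0 type dummy
    run ip addr add "$DUMMY_IP/32" dev dummy0
    run ip link set dummy0 up
    # Pin the probe hosts to X so probe_x keeps testing X while the default route points at Y.
    for host in $PROBES; do run ip route replace "$host" via "$GW_X" dev "$ETH_X"; done
    # Item 2 of the question: workstations on Y reach services on X through this box.
    run iptables -A FORWARD -i "$ETH_Y" -o "$ETH_X" -j ACCEPT
    run iptables -A FORWARD -i "$ETH_X" -o "$ETH_Y" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$ETH_X" -j MASQUERADE
    # Browsers point at this box:3128; the PROXY_SELECT chain decides which squid answers.
    run iptables -t nat -N PROXY_SELECT
    run iptables -t nat -A PREROUTING -i "$ETH_Y" -p tcp --dport "$PORT_DIRECT" -j PROXY_SELECT
}

# monitor: poll both uplinks every 30 s and switch only when the decision changes.
monitor() {
    current=""
    while :; do
        x=down; y=down
        probe_x && x=up
        probe_y && y=up
        want=$(choose_uplink "$x" "$y")
        if [ "$want" != "$current" ]; then
            echo "$(date '+%F %T') uplink -> $want (X=$x, Y=$y)" >&2
            apply_uplink "$want"
            current="$want"
        fi
        sleep 30
    done
}

case "${1:-}" in
    setup)   setup ;;
    monitor) monitor ;;
    *)       : ;;   # no verb given: only define the functions (e.g. when sourced)
esac
```

Run `DRY_RUN=1 sh failover.sh setup` first to read the commands it would issue, then `DRY_RUN=0 sh failover.sh setup` and `DRY_RUN=0 sh failover.sh monitor` as root. The two squid instances are assumed to use `http_port 10.255.255.1:3128` and `http_port 10.255.255.1:3129` respectively, the second one with network Y's proxy as a `cache_peer ... parent` and `never_direct allow all`. Because the probe hosts get host routes pinned to X, the script notices when X comes back even while the default route points at Y; without those routes a ping bound to eth0 would fail with "network unreachable" and X would never be re-selected.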
I will try to get to item 2 later; I will be back.
You are most welcome, it was an interesting topic.