LinuxQuestions.org
11-09-2009, 09:25 AM #1
Rick Hunter
LQ Newbie
 
Registered: Mar 2004
Location: Venezuela
Distribution: Mandriva, Debian, Fedora
Posts: 8

Rep: Reputation: 1
linux route/proxy redundant internet connection from scratch -- need help


Hi, all.

I am looking for help in order to reach a goal for my office and for me. My big problem is about work connections: I have two very bad service providers and obviously those affect my job.

TOPOLOGY EXAMPLE:

(SERVICE A in host_a@a_port) in network X
(SERVICE B in host_b@p_ort) in network X
(Internet through GWX) in network X

(Email Service in url_email_pop) in network Y.
(Email Service in url_email_smtp) in network Y.
(Internet through http_proxy:web (only port 80)) in network Y.
(SERVICE C in host_c@c_port) in network Y.

I have two RJ45 connectors, one for Network X and the other for Network Y.
All workstations we have are in Network Y (best internet service), but when someone needs to get services from network X we switch (physically change the cable) to the other network.

1) First I want to connect a linux box with two network cards to both networks. Then I get something like: Eth0_networkX and Eth1_networkY.
2) Route to services in network X through Eth0_networkX (coming from workstations in network Y through Eth1_networkY).
HERE: I will solve my most urgent problem (cable change).
BUT: I think I can get more out of this configuration with some work.
3) Implement an HTTP proxy in linux_box.
4) Poll Internet in network X and when X is down route the proxy connection to network Y, and when Internet in network X is up go back to configuring the proxy to get web from the proxy in network Y. (This part is the hardest in my humble opinion).

Questions:
1) Do you think items 1 and 2 are right? Is that the best way for my situation?
2) Do you think items 3 and 4 are right? Is that the best way for my situation?
3) What technology must I begin to study (NAT, iptables, squid?, other?)?
4) Has someone done something like this already who can guide me?


Sorry for my English, it is not my mother tongue.
 
11-09-2009, 11:49 AM #2
janoszen
Member
 
Registered: Oct 2009
Location: Budapest
Distribution: Mostly Gentoo, sometimes Debian/(K)Ubuntu
Posts: 143

Rep: Reputation: 22
Ospf

First of all, you should connect all your desktop machines to network Z. Then build a firewall / router machine between all 3 networks. Have your boxes in network Z use it as a default gateway. Add a static route to network Y and X. Finally either use OSPF or simple scripts for network failover. Chances are, you won't be able to use OSPF, so just write some scripts to ping a few sites over both links and have them remove the dead routes.
 
11-09-2009, 12:07 PM #3
Rick Hunter
Original Poster

Quote (Originally Posted by janoszen):
First of all, you should connect all your desktop machines to network Z. Then build a firewall / router machine between all 3 networks. Have your boxes in network Z use it as a default gateway. Add a static route to network Y and X. Finally either use OSPF or simple scripts for network failover. Chances are, you won't be able to use OSPF, so just write some scripts to ping a few sites over both links and have them remove the dead routes.
Thanks, janoszen. That helps me a lot, but I still have some questions:

1) Is it possible that I keep the workstations in network Y and configure the default GW in the workstations to the linux box? This can help me because: a) I don't need to do any work on cables. b) I don't need a third network interface in the linux box. (Perhaps it can be an IP alias) but I prefer to skip complications that I don't know.
2) I don't see how what you are proposing is dealing with the switch between the proxy in network Y and the direct connection in network X. Is this a misunderstanding, or are you solving that in your schema?
Greetings
 
11-09-2009, 03:14 PM #4
janoszen
Clarify

Let's clarify a few details of your current network:

- Network Y is on an IP network and has public IP addresses.
- Network X is on a different IP network and also has public different addresses.
- The two networks have different network providers.

If this is the case, you already have a default gateway for your two networks and it makes absolutely no sense at all to route your internal traffic to a Linux box to have it routed back to your default gateway anyway. Especially, if you want to use your Linux box as a proxy.

Is this some sort of office setup, or are these servers?

Anyway, since your two networks use different IP addresses, you need to route them together. If you want to use your two uplinks redundantly, you need to have someone switch the routes around, that is for simplicity, you need a default gateway for all your computers.

I have created a small sketch of how I see your setup right now.
[Attached image: failover.png]

 
11-09-2009, 08:17 PM #5
Rick Hunter
Original Poster
Topology in my 4-item proposal is like

Janoszen, I really appreciate your interest in helping me.

I attach a picture of what I tried to describe above. In the common way (that is, actually), the cable “to network X” is free. When we need some service from “SERVICE A” or “SERVICE B” we connect that cable physically.

“Internet X1” and “Internet X2” are just for show.

When a workstation connects to the “to network X” cable, it connects to the internet directly (NAT) and accesses “SERVICE A” and “SERVICE B”.

When a workstation connects to the “to network Y” cable, it connects to the internet through the HTTP proxy and accesses “SERVICE EMAIL”.

I already tried to get both (organization internal service providers) to talk and bring me a solution, without success. My attempt is to put the “linux box” configured as in the picture, for example a squid proxy that uses “proxy from network Y and Route Y Default GW” or “Route A default gw” for the internet connection according to the situation. Additionally, route workstations to “SERVICE A”, “SERVICE B” or “SERVICE EMAIL”.
[Attached image: failover_.png]
 
11-09-2009, 11:26 PM #6
janoszen
Dhcp

The problem is, you most likely have configured router Y as your default gateway. If you can change that and network layer security does not matter (like someone setting a different gw) you're in business.

There are two setups possible.

1. Push routes via DHCP. You can push static routes to clients. However, only single IPs, not networks. Given an adequately small lease time, you can even implement failover. You must also allow forwarded connections from Y to X on your Linux box.

2. Setting the default gateway. Set your default GW to your Linux box, which then forwards all connections to their intended destinations.

As mentioned, in both setups someone with control over their computers can bypass your box.

You also need to ensure that the Y and X networks are on different subnets. If that is not possible, you need to make sure that there are no colliding IPs or you'll be in a world of hurt.
 
11-10-2009, 10:04 AM #7
Rick Hunter
Original Poster
Quote (Originally Posted by janoszen):
The problem is, you most likely have configured router Y as your default gateway. If you can change that and network layer security does not matter (like someone setting a different gw) you're in business.
I missed that, you are totally right. You changed my picture. Let’s say I can change that part of the network and I create Network Z as you propose. And I must implement a third network card in the linux box.

What about items 3) and 4): can I configure a proxy that uses another proxy, and later configure the proxy by script to use Router x1 as default gw? What tips can I get about this?
[Attached image: failover_.png]
 
11-10-2009, 02:55 PM #8
janoszen
Yes

There are a ton of possibilities once you have a secure gateway. I have *some* experience with squid.

Since you lack the cooperation of your ISPs, you need to write the connection checking script yourself. I recommend running two squid proxies on a dummy address and implementing a DNAT rule on your network Z IP address's proxy port depending on the target network. You should also add a firewall rule to allow bypassing the proxy for your network Y and X native hosts.

This is not an optimal setup, bypassing network Y's proxy would be desirable but does not seem to be an option. Also, load balancing connections is not an option this way. However, my squid knowledge is limited so you might be able to work out a better (load balanced) setup. Take a look at this option.

You may also be interested in the web proxy autodiscovery protocol. I also recommend switching off IPv6 support on your box for now. There are quite a lot of unresolved security issues, which pose a threat to a gateway like yours.

A little bit of extra security: if you are worried someone may plug a laptop into your network and your switch is something more advanced, implement 802.1X. I recently installed the new Kubuntu and noted it has a GUI to use it with.

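Added example (not code from the thread or either poster): a POSIX shell sketch of the link-checking script janoszen suggests in posts #2 and #8, with hysteresis so a flapping link X does not swap the proxy path on every poll. The interface names, gateway addresses, probe hosts, dummy proxy address and squid ports are assumed placeholders; the two squid instances and the nat FAILOVER chain are assumed to already exist.

```shell
#!/bin/sh
# Added example, not from the thread. Failover poller for the Linux box described
# above: eth0 on network X (direct Internet), eth1 on network Y (web only through
# Y's proxy), clients on Z using this box as default gateway. Values are assumed.
IF_X="eth0";  GW_X="192.0.2.1"       # router X1 on network X (assumed)
IF_Y="eth1";  GW_Y="198.51.100.1"    # router Y on network Y (assumed)
PROXY_LISTEN="10.255.255.1"          # dummy address both squids listen on (assumed)
SQUID_DIRECT_PORT=3128               # squid that fetches directly over network X
SQUID_VIA_Y_PORT=3129                # squid whose cache_peer is network Y's proxy
PROBES="192.0.2.250 192.0.2.251"     # hosts pinged over link X (assumed)
FAIL_THRESHOLD=3                     # failed polls in a row before switching to Y
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints commands instead of running them
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# link_up IFACE HOST...: succeeds if any probe host answers one ping sent via IFACE
link_up() {
  _if="$1"; shift
  for _h in "$@"; do
    ping -c 1 -W 2 -I "$_if" "$_h" >/dev/null 2>&1 && return 0
  done
  return 1
}
# next_state PATH PROBE_OK FAILS THRESHOLD: prints "NEWPATH NEWFAILS". X must fail
# THRESHOLD polls in a row before we move to Y's proxy; one good probe restores X.
next_state() {
  _path="$1"; _ok="$2"; _fails="$3"; _thr="$4"
  if [ "$_ok" = 1 ]; then echo "direct 0"; return 0; fi
  _fails=$((_fails + 1))
  if [ "$_fails" -ge "$_thr" ]; then echo "proxy $_fails"; else echo "$_path $_fails"; fi
}
# apply_path direct|proxy: default route for the box itself, plus the DNAT sending Z
# clients' port-3128 connections to the squid that matches the live path (assumed
# chain FAILOVER exists and is jumped to from nat/PREROUTING on the Z interface).
apply_path() {
  if [ "$1" = direct ]; then _gw="$GW_X"; _dev="$IF_X"; _port="$SQUID_DIRECT_PORT"
  else                       _gw="$GW_Y"; _dev="$IF_Y"; _port="$SQUID_VIA_Y_PORT"; fi
  run ip route replace default via "$_gw" dev "$_dev"
  run iptables -t nat -F FAILOVER
  run iptables -t nat -A FAILOVER -p tcp --dport 3128 -j DNAT --to-destination "$PROXY_LISTEN:$_port"
}
main() {  # poll loop; start it with: sh failover.sh run
  path=""; fails=0
  while :; do
    if link_up "$IF_X" $PROBES; then ok=1; else ok=0; fi
    set -- $(next_state "${path:-direct}" "$ok" "$fails" "$FAIL_THRESHOLD")
    if [ "$1" != "$path" ]; then apply_path "$1"; fi
    path="$1"; fails="$2"; sleep 10
  done
}
if [ "${1:-}" = run ]; then main; fi
```

Direct reachability of SERVICE A/B and the email hosts for Z clients is a matter of plain forwarding rules on the box, which this script does not manage.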
 
11-10-2009, 08:00 PM #9
Rick Hunter
Original Poster

I will try to get to item 2, later I will be back.

Thanks.
 
11-10-2009, 10:43 PM #10
janoszen
Welcome

You are most welcome, it was an interesting topic.
 
  

