[NCLUG] QoS Question

Scott Kleihege scottkly at frii.com
Tue Jan 16 15:41:03 MST 2007


DJ Eshelman wrote:
> I'm going to be installing a CentOS 4.3 (though if I could get this to work
> well on a DSL (Debian) system I'd be pretty happy too...) system that will
> be doing spam filtering for a client, but we also want to have this machine
> be the checkpoint for all incoming and outgoing traffic... this gets
> better... on two T-1 lines (one is going to be FRII, the other a cBeyond
> BB2 line which actually has the capability of having more than 1.5Mbit/s,
> but since it shares with voice, this would only happen at night).  It's also
> quite possible I will be using this machine as a proxy, which hopefully will
> help with the routing and cut down on redundant downloads every time someone
> launches Internet Exploder.
> 
> I think, thru hours of searching and even some discussions here, that it
> should be possible to configure the system for redundant internet
> connections - the problem is we also want to implement Quality of Service so
> that critical apps (primarily thru Citrix, thank God) can have priority, and
> things like web browsing can be lowest possible priority, blah blah blah...
> fortunately we don't have voice to contend with (yet) and the Citrix will
> drop the VPN traffic significantly.
> 
> So my question is this:  given everything above- how would I best configure
> the box to be a load-balanced, QoS driven, redundant monster router from
> hell?

I haven't used one of these personally, but I would give this a try:

	http://www.dlink.com/products/?pid=452&sec=0

$103.33 from Amazon.  Load balancing outgoing connections while 
maintaining state information about individual connections is a hard 
problem.  Undoubtedly your time and sanity are worth more than a router 
or two.  Then you can just set up the (squid) proxy and spam filtering on 
the linux server and be done.

Alternatively, hang the DMZ off of one T1 and outgoing traffic from the 
LAN off the other.  Set up a daemon to monitor the outgoing traffic for 
the LAN and change the masquerade rule or route for that block if it 
goes down.  Then you probably won't even have to worry about QoS.

KISS is a great way to avoid costly screw-ups.

You're not going to be able to load-balance incoming connections to the 
DMZ unless you get an AS number for your block and talk BGP with your 
neighbors.  I would recommend having a block no smaller than a class C 
if you're going that route.  If it's worth enough trouble to setup BGP, 
then you should look at eliminating any single points of failure with a 
high-availability configuration, since problems with the router are 
probably going to be as frequent as service outages on a single T1.

-Scott
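The second layout Scott describes (LAN out one T1, DMZ on the other, and a daemon that moves the masquerade rule and route when the LAN uplink dies) written out as a small shell script. This is an added example, not code from the original thread or from anyone on it; the interface names, gateway addresses, LAN block and probe hosts are assumptions made up for illustration, and the only tools it calls are ping, ip, iptables and logger as shipped on a Linux box of that vintage.

```shell
#!/bin/sh
# Added example, not from the original post: a failover monitor for the
# "LAN out one T1, DMZ off the other" layout. It probes each uplink with a ping
# bound to that interface and, when the active LAN uplink stops answering, moves
# the default route and the LAN MASQUERADE rule to the other one.
# Every address and interface name below is an assumption for illustration.

LAN_NET="192.168.1.0/24"                          # assumed LAN block behind the box
PRIMARY_IF="eth1";   PRIMARY_GW="203.0.113.1"     # assumed: first T1
SECONDARY_IF="eth2"; SECONDARY_GW="198.51.100.1"  # assumed: second T1
PROBE_1="203.0.113.9"; PROBE_2="198.51.100.9"     # assumed: hosts beyond each provider edge
INTERVAL=15                                       # seconds between probes

# run CMD...: execute a privileged command, or just print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# link_up IFACE TARGET: succeeds when TARGET answers pings sent out IFACE.
# Probing a host past the provider edge (not just the gateway) catches a
# T1 whose near end is up but whose upstream is down.
link_up() {
  ping -I "$1" -c 3 -W 2 "$2" >/dev/null 2>&1
}

# choose_uplink PRIMARY_OK SECONDARY_OK CURRENT: prints the uplink to use.
# Sticks with the current link while it works, moves to the other one when
# the current one fails, and stays put when both are down (nothing to gain).
choose_uplink() {
  p_ok=$1; s_ok=$2; cur=$3
  if [ "$cur" = primary ] && [ "$p_ok" != 1 ] && [ "$s_ok" = 1 ]; then
    cur=secondary
  elif [ "$cur" = secondary ] && [ "$s_ok" != 1 ] && [ "$p_ok" = 1 ]; then
    cur=primary
  fi
  echo "$cur"
}

# apply_uplink NAME: point the default route and the LAN masquerade at NAME.
apply_uplink() {
  case "$1" in
    primary)   ifc=$PRIMARY_IF;   gw=$PRIMARY_GW ;;
    secondary) ifc=$SECONDARY_IF; gw=$SECONDARY_GW ;;
    *) echo "apply_uplink: unknown uplink $1" >&2; return 1 ;;
  esac
  run ip route replace default via "$gw" dev "$ifc"
  # remove whichever masquerade rule is present (ignore "not found"), then add ours
  run iptables -t nat -D POSTROUTING -s "$LAN_NET" -o "$PRIMARY_IF"   -j MASQUERADE 2>/dev/null || true
  run iptables -t nat -D POSTROUTING -s "$LAN_NET" -o "$SECONDARY_IF" -j MASQUERADE 2>/dev/null || true
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ifc" -j MASQUERADE
}

# monitor: the daemon loop; start it from an init script as "uplinkmon.sh run"
monitor() {
  current=primary
  apply_uplink "$current"
  while :; do
    if link_up "$PRIMARY_IF" "$PROBE_1";   then p=1; else p=0; fi
    if link_up "$SECONDARY_IF" "$PROBE_2"; then s=1; else s=0; fi
    next=$(choose_uplink "$p" "$s" "$current")
    if [ "$next" != "$current" ]; then
      logger -t uplinkmon "LAN uplink $current down, switching to $next"
      apply_uplink "$next"
      current=$next
    fi
    sleep "$INTERVAL"
  done
}

if [ "${1:-}" = run ]; then
  monitor
fi
```

Two caveats a practitioner will hit with this. Changing the MASQUERADE rule only affects new connections: entries already in the conntrack table keep the source address of the dead T1 and stall until they time out, which is the "hard problem" of stateful load balancing in the first paragraph reappearing in miniature. And the DMZ half of the layout needs a policy-routing rule (`ip rule` plus a second routing table) so that replies to connections arriving on the DMZ's T1 leave on that same T1 rather than following the LAN's default route.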


