[NCLUG] QoS Question
Scott Kleihege
scottkly at frii.com
Tue Jan 16 15:41:03 MST 2007
DJ Eshelman wrote:
> I'm going to be installing a CentOS 4.3 (though if I could get this to work
> well on a DSL (Debian) system I'd be pretty happy too...) system that will
> be doing spam filtering for a client, but we also want to have this machine
> be the checkpoint for all incoming and outgoing traffic... this gets
> better... on two T-1 lines (one is going to be FRII, the other a cBeyond
> BB2 line which actually has the capability of having more than 1.5Mbit/s,
> but since it shares with voice, this would only happen at night). It's also
> quite possible I will be using this machine as a proxy, which hopefully will
> help with the routing and cut down on redundant downloads every time someone
> launches Internet Exploder.
>
> I think, thru hours of searching and even some discussions here, that it
> should be possible to configure the system for redundant internet
> connections - the problem is we also want to implement Quality of Service so
> that critical apps (primarily thru Citrix, thank God) can have priority, and
> things like web browsing can be lowest possible priority, blah blah blah...
> fortunately we don't have voice to contend with (yet) and the Citrix will
> drop the VPN traffic significantly.
>
> So my question is this: given everything above- how would I best configure
> the box to be a load-balanced, QoS driven, redundant monster router from
> hell?
I haven't used one of these personally, but I would give this a try:
http://www.dlink.com/products/?pid=452&sec=0
$103.33 from Amazon. Load balancing outgoing connections while
maintaining state information about individual connections is a hard
problem. Undoubtedly your time and sanity is worth more than a router
or two. Then you can just set up the (squid) proxy and spam filtering on
the linux server and be done.
Alternately, hang the DMZ off of one T1 and outgoing traffic from the
LAN off the other. Set up a daemon to monitor the outgoing traffic for
the LAN and change the masquerade rule or route for that block if it
goes down. Then you probably won't even have to worry about QoS.
KISS is a great way to avoid costly screw-ups.
You're not going to be able to load-balance incoming connections to the
DMZ unless you get an AS number for your block and talk BGP with your
neighbors. I would recommend having a block no smaller than a class C
if you're going that route. If it's worth enough trouble to set up BGP,
then you should look at eliminating any single points of failure with a
high-availability configuration, since problems with the router are
probably going to be as frequent as service outages on a single T1.
-Scott
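The monitor-and-switch daemon Scott sketches (watch the LAN's uplink, swap the default route and masquerade rule over to the other T1 when it dies) as an added example; this is not code from the original post. The interface names, gateway addresses and LAN block are constructed placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Uplink failover for the LAN's outgoing traffic: keep the default route and
# MASQUERADE rule on the primary T1, move both to the backup when the primary
# stops answering, and move back when it recovers. Constructed sample values:
LAN_NET="192.168.1.0/24"                      # office LAN block (placeholder)
LINK_A_IF="eth1"; LINK_A_GW="203.0.113.1"     # primary T1 (TEST-NET-3 address)
LINK_B_IF="eth2"; LINK_B_GW="198.51.100.1"    # backup T1 (TEST-NET-2 address)
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = run them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# link_up IFACE GW: succeeds if one probe sent out IFACE reaches GW.
# PROBE may be overridden (e.g. for testing); default is a single ICMP echo
# bound to the interface so the probe cannot leak out the other link.
link_up() { ${PROBE:-ping -c1 -W2 -I} "$1" "$2" >/dev/null 2>&1; }

# pick_link: prints a, b or none, preferring the primary whenever it answers.
pick_link() {
  if link_up "$LINK_A_IF" "$LINK_A_GW"; then echo a
  elif link_up "$LINK_B_IF" "$LINK_B_GW"; then echo b
  else echo none; fi
}

# apply_link a|b: point the default route at that link and masquerade the LAN
# out of it. Assumes this box owns the nat POSTROUTING chain (it is flushed).
apply_link() {
  case "$1" in
    a) ifc=$LINK_A_IF; gw=$LINK_A_GW ;;
    b) ifc=$LINK_B_IF; gw=$LINK_B_GW ;;
    *) return 1 ;;
  esac
  run ip route replace default via "$gw" dev "$ifc"
  run iptables -t nat -F POSTROUTING
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ifc" -j MASQUERADE
}
# monitor_loop [SECONDS]: poll both gateways and only touch the routing/NAT
# state when the preferred link changes, so a healthy setup is never churned.
monitor_loop() {
  current=""
  while :; do
    want=$(pick_link)
    if [ "$want" != none ] && [ "$want" != "$current" ]; then
      run logger -t uplink-failover "switching LAN egress to link $want"
      apply_link "$want" && current=$want
    fi
    sleep "${1:-10}"
  done
}
if [ "${1:-}" = run ]; then monitor_loop "${2:-10}"; fi
```

Run it as `DRY_RUN=0 ./failover.sh run 10` from an init script once the placeholders are replaced; watch the logger lines to see every flip.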