[NCLUG] QoS Question

Stephen Warren swarren at wwwdotorg.org
Tue Jan 16 17:33:23 MST 2007


Scott Kleihege wrote:
> DJ Eshelman wrote:
>> So my question is this:  given everything above- how would I best
>> configure
>> the box to be a load-balanced, QoS driven, redundant monster router from
>> hell?
> I haven't used one of these personally, but I would give this a try:
>     http://www.dlink.com/products/?pid=452&sec=0
> $103.33 from Amazon.  Load balancing outgoing connections while
> maintaining state information about individual connections is a hard
> problem.  Undoubtedly your time and sanity is worth more than a router
> or two.

We were in a similar situation when setting up our office. We could only
get 1.5M DSL, but wanted greater bandwidth, both ways.

My boss originally suggested a box similar to the above (except that I
*think* it cost $400 at the time and was from Linksys). However, I read
all the reviews, and it seemed like a piece of junk; very flakey!

> You're not going to be able to load-balance incoming connections to the
> DMZ unless you get an AS number for your block and talk BGP with your
> neighbors.

Well, that's not quite true, assuming the possibility of some off-site

You can simply get a box at a co-location facility with a lot of good
bandwidth, and publish that box's IP as your externally visible IP
address (naturally, the box can host more than one IP; e.g. one per
site). Then, have that box NAT all inbound connections over a VPN back
to somewhere inside your site network (e.g. terminate your VPN on the
Linux box that is your site router). The router would need provider
connection tracking to know whether outbound packets need to get sent
back over the VPN or over the "real" 'net connection.

I do that part to hide the servers on my home Comcast connection, since
all the in/out-bound SMTP runs over a VPN. The remote VPN server also
happens to be a backup MX for if/when Comcast goes down.

Then, you can get more bandwidth and/or reliability by running your VPN
connection over a bonded pair (or set) of physical connections (same or
different providers even).

Once that all works, you could even route your outbound traffic over the
VPN (with the external box at the colo doing SNAT/masquerading in
addition to DNAT).

I imagine that with Linux, you can add QoS to all this too, quite easily
(maybe it just happens for free if it's enabled?)

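The colo-box-plus-VPN design described in the message above (publish the colo address, DNAT inbound connections down a VPN to the internal server, and give the site router enough connection tracking to send the replies back over the VPN rather than the direct link) is the kind of thing that is easy to get subtly wrong, so here is a small simulation of it. This is an added example written for this archive page, not code from the original poster; the interface names, the addresses (documentation and private ranges) and the class and function names are all assumptions made up for the example. It models the essential rule: a connection is marked with the interface its first packet arrived on, and outbound packets from the LAN are routed by that mark instead of by destination, which is what CONNMARK plus an fwmark routing rule does on a real Linux router.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Interface names on the site router and the colo box: assumed for this example.
LAN, WAN, VPN = "eth0", "ppp0", "tun0"

# Constructed addresses from documentation/private ranges, not real hosts.
COLO_PUBLIC = "203.0.113.10"    # published address, owned by the colo box
INTERNAL_MAIL = "192.168.1.25"  # SMTP server hidden behind the site router
CLIENT = "198.51.100.7"         # a host somewhere on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet is seen on (ingress on receipt, egress when emitted)


class ColoBox:
    """Public host at the colo (hypothetical). Inbound traffic for a published
    port is DNATed to the internal server and sent down the VPN; replies that
    come back up the VPN get the public address restored as their source."""

    def __init__(self, public_ip: str, dnat_map: Dict[int, str]):
        self.public_ip = public_ip
        self.dnat_map = dnat_map  # published port -> internal address

    def from_internet(self, p: Packet) -> Optional[Tuple[str, Packet]]:
        target = self.dnat_map.get(p.dport)
        if p.dst != self.public_ip or target is None:
            return None  # port not published: drop rather than forward
        return VPN, Packet(p.src, p.sport, target, p.dport, VPN)

    def from_vpn(self, p: Packet) -> Tuple[str, Packet]:
        if p.src in self.dnat_map.values():  # reply from a DNATed server
            return WAN, Packet(self.public_ip, p.sport, p.dst, p.dport, WAN)
        return WAN, p  # other site-originated traffic would be SNATed here


class SiteRouter:
    """Site router with the 'provider connection tracking' the post asks for:
    every connection is marked with the interface its first packet arrived on,
    and replies from the LAN are routed by that mark, not by destination."""

    def __init__(self) -> None:
        self.conntrack: Dict[Tuple, str] = {}  # flow key -> ingress interface

    @staticmethod
    def flow_key(p: Packet) -> Tuple:
        # Direction-independent key so both halves of a flow share one entry
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def forward(self, p: Packet) -> Tuple[str, Packet]:
        mark = self.conntrack.setdefault(self.flow_key(p), p.iface)  # first packet sets the mark
        if p.iface == LAN:
            # Outbound: stay on the provider the connection belongs to. Connections
            # the LAN itself opened are marked LAN and use the direct link.
            egress = VPN if mark == VPN else WAN
        else:
            egress = LAN  # inbound from either provider goes to the internal host
        return egress, Packet(p.src, p.sport, p.dst, p.dport, egress)


def trace_inbound_smtp(colo: ColoBox, router: SiteRouter) -> list:
    """Walk one inbound SMTP connection and its reply through both boxes."""
    hops = []
    syn = Packet(CLIENT, 40000, COLO_PUBLIC, 25, WAN)
    egress, p = colo.from_internet(syn)       # DNAT to the internal server, down the VPN
    hops.append(("colo", egress, p.dst))
    egress, p = router.forward(p)             # arrives on tun0, handed to the LAN
    hops.append(("site", egress, p.dst))
    reply = Packet(INTERNAL_MAIL, 25, CLIENT, 40000, LAN)
    egress, p = router.forward(reply)         # conntrack mark says: back over the VPN
    hops.append(("site", egress, p.dst))
    egress, p = colo.from_vpn(p)              # source restored to the public address
    hops.append(("colo", egress, p.src))
    return hops


if __name__ == "__main__":
    for hop in trace_inbound_smtp(ColoBox(COLO_PUBLIC, {25: INTERNAL_MAIL}), SiteRouter()):
        print(hop)
```

The point to take from the trace is the third hop: without the per-connection mark the reply from the mail server would be sent out the direct ISP link with a private source address, and the client would never see it. The same mark also keeps a connection that arrived directly on the site's own link replying on that link, so the two providers never get mixed.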

