Subject: Re: Uncommon routing arrangement
To: John Klos <john@ziaspace.com>
From: Daniel Carosone <dan@geek.com.au>
List: tech-net
Date: 02/17/2005 07:34:39

On Wed, Feb 16, 2005 at 10:30:40AM -0800, John Klos wrote:
> The next question is the one that I'm most curious about - I've had
> machines on two connections at a time, and switching the default route was
> simple. However, now I'll have a machine on two connections, both on the
> same subnet, and both with the same default route. How do I tell the
> system to use one ethernet interface / IP address for communicating with
> the default route as opposed to the other?

bridge(4) the two interfaces.  Perhaps you can convince the provider
to speak STP with you, in which case failover can be ~automatic,
otherwise you'll need to script something with brconfig to toggle
discovery, address learning, and flushing of MAC tables to trigger
failover.

bridge(4) is great for NIC and switch failover, with a pair of
switches speaking STP and connected by a crossover.  Windows calls
this 'NIC teaming'.

> Finally, and somewhat separately, does anyone have any recommendations for
> sharing bandwidth between the two lines and traffic shaping on both? When
> I'm doing NAT through the primary machine which will be physically
> connected to both lines, I think it'd be pretty simple, but unless I
> create my own bridge between the lines and my other machines which are
> supposed to get the public IPs, I can see that this might be difficult...
> Any suggestions are welcome.

Load balancing outbound is under your control, and could be done a few
ways.  Load balancing inbound depends on how the head end router works:
does it select the link to use by MAC address or IP address?

(This also has important implications for whether different customers
can conduct ARP poisoning attacks against each other, as well as
against other instances of themselves :)

If by IP address, using a NAT address pool for source address will be
enough to distribute replies.  If it uses mac address, you'll also
need to arrange for IP addresses for each link to appear in the
router's arp table with MAC addresses that the bridge will direct
accordingly, by transmitting from the appropriate nic.

Either way, ipf fastroute is probably the best way to direct traffic
outbound, but the answer will have important implications for
interaction with failover.

--
Dan.
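The scripted failover Dan sketches above (toggle learning and discovery per member port, then flush the bridge's MAC table), written out as a small sh helper for a NetBSD bridge(4). This is an added example and not code from the thread; the bridge name, interface names (fxp0/fxp1), gateway address and the ping-based health check are assumptions for illustration. With DRY_RUN=1 the helper only prints the brconfig commands it would run, so the sequence can be reviewed before touching a live bridge.

```shell
#!/bin/sh
# Added example (not from the original thread): failover helper for a
# NetBSD bridge(4) whose two members sit on the same provider segment.
# Only the active member learns addresses and forwards discovered
# (unknown-destination) frames; the standby stays quiet so the head end
# switch keeps a single, stable MAC-to-port mapping for our addresses.
# BRIDGE, the interface names and the gateway are assumed values.

BRIDGE="${BRIDGE:-bridge0}"
DRY_RUN="${DRY_RUN:-0}"

# Apply one brconfig command, or print it when DRY_RUN=1.
run_brconfig() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'brconfig %s %s\n' "$BRIDGE" "$*"
    else
        brconfig "$BRIDGE" "$@"
    fi
}

# Build the bridge with both members, active first: learning and
# discovery enabled only on $1, disabled on the standby $2.
bridge_setup() {
    active="$1"; standby="$2"
    if [ "$DRY_RUN" != "1" ]; then
        ifconfig "$BRIDGE" create
    fi
    run_brconfig add "$active" add "$standby" up
    run_brconfig -learn "$standby"
    run_brconfig -discover "$standby"
    run_brconfig learn "$active"
    run_brconfig discover "$active"
}

# Fail over from $2 (old) to $1 (new): retire the old member, promote
# the new one, then flush learned entries so stale MAC-to-port mappings
# pointing at the dead link do not black-hole traffic until they age out.
failover_to() {
    new="$1"; old="$2"
    run_brconfig -learn "$old"
    run_brconfig -discover "$old"
    run_brconfig learn "$new"
    run_brconfig discover "$new"
    run_brconfig flush
}

# Health check: the link whose address is $1 is considered up if the
# (assumed) gateway answers one ping sourced from that address.
# NetBSD ping(8) takes the source address with -I.
link_is_up() {
    srcaddr="$1"; gw="${2:-192.0.2.1}"
    ping -n -c 1 -w 2 -I "$srcaddr" "$gw" >/dev/null 2>&1
}

# One watchdog pass: if the active link's address no longer reaches the
# gateway, swap roles. Arguments: active-if active-addr standby-if.
check_and_failover() {
    active_if="$1"; active_addr="$2"; standby_if="$3"
    if link_is_up "$active_addr"; then
        return 0
    fi
    failover_to "$standby_if" "$active_if"
}

# Typical use (commented out so sourcing this file has no side effects):
#   DRY_RUN=1 bridge_setup fxp0 fxp1        # review the setup commands
#   bridge_setup fxp0 fxp1                  # apply them
#   check_and_failover fxp0 198.51.100.10 fxp1   # run from cron or a loop
```

The STP alternative Dan mentions would replace all of this with `brconfig bridge0 stp fxp0 stp fxp1` and let the provider's switches drive the topology; the scripted form is what remains when the head end will not run STP with you.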

