Subject: Re: Dual wan router
To: James Webster <james3838@tsi-net.com>
From: Greg A. Woods <woods@weird.com>
List: port-i386
Date: 02/13/2003 17:31:23
[[ follow-ups redirected to netbsd-users! ]] 

[ On Wednesday, February 12, 2003 at 10:59:52 (-0800), James Webster wrote: ]
> Subject: Dual wan router
>
> Is there any way to configure NetBSD to act as a dual wan router?  I'd like to load balance outbound data as well as using round robin DNS for incoming.  I've found a couple affordable commercial products, but none seem to bind to more than 8 WAN IPs.

Why would a dual-WAN router need more than 8 WAN-side IP#s?

In any case, if I understand you correctly, with IP Filter you can set
up policy-based routing rules which will ensure that you can fully
multi-home a _server_ to any number of upstream providers and make sure
most applications work properly without any asymmetric routing
happening.

You basically just have to ensure that packets go back out the right
interface depending on what local source IP they're coming from.  You
essentially set your default route to pointing to one upstream provider
and then next-hop any packets that should go out a different interface
to the next hop past that other interface.

	route add default isp#1.router.name [-interface IF0]

	pass out quick on IF0 to IF1:isp#2.router.name from isp#2.local.host.addr to any

Note what I'm talking about would be a true multi-homing of a server (or
multiple servers), not for a router and a whole network (unless maybe
you only NAT to a private network).  You need N interfaces and N IP
addresses on every such server for N upstream providers, and if you have
multiple servers then you also need N separate border routers.


> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

NOTE:

Please DO NOT EVER send HTML, rich text, or otherwise stylized e-mail,
especially not to me or to any public mailing list.  Not all mail
readers will recognize such formats, and their added volume is generally
a total waste of bandwidth, storage, and processing power for everyone.
HTML in particular is a potential security threat and many firewalls and
some mailing lists filter it entirely -- especially since CERT and
Microsoft have jointly announced a very major flaw in the HTML rendering
engine used in all Microsoft products (in versions still widely in use,
and which isn't even properly fixed in the most recent releases).

For more information see, for instance, the following articles:

	http://www.georgedillon.com/web/html_email_is_evil.shtml

	http://www.georgedillon.com/web/html_email_is_evil_still.shtml

	http://www.greydragon.org/library/email_list_etiquette.html

Please send all your messages as plain text only.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
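As an added example (not code from Greg's reply), the following POSIX shell script generates the route(8) command and the IP Filter policy-routing rules the reply sketches, generalized to N upstream providers: the first provider becomes the default route and every other provider gets a "pass out quick ... to IF:gw" rule for its own source address. The interface names wm0/wm1/wm2 and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Provider specs are "IFACE:GATEWAY:LOCAL_ADDR". Interfaces and addresses
# used below are constructed placeholders (RFC 5737 documentation ranges).

# Print the default route command for the first (default) provider.
# Usage: gen_default_route IFACE:GATEWAY:LOCAL_ADDR
gen_default_route() {
    gw=${1#*:}; gw=${gw%%:*}
    printf 'route add default %s\n' "$gw"
}

# Print one ipf rule per non-default provider: packets that the routing
# table would send out the default interface but that carry another
# provider's local address are forced out that provider's interface to
# its gateway, avoiding asymmetric routing. Returns 1 if a provider
# reuses the default interface, since each upstream needs its own
# interface and address.
# Usage: gen_ipf_rules DEFAULT_SPEC OTHER_SPEC...
gen_ipf_rules() {
    def_if=${1%%:*}; shift
    for spec in "$@"; do
        ifn=${spec%%:*}
        rest=${spec#*:}
        gw=${rest%%:*}
        local_addr=${rest#*:}
        if [ "$ifn" = "$def_if" ]; then
            echo "error: provider $spec reuses default interface $def_if" >&2
            return 1
        fi
        printf 'pass out quick on %s to %s:%s from %s to any\n' \
            "$def_if" "$ifn" "$gw" "$local_addr"
    done
}

# Example run: a server homed on three providers.
gen_default_route wm0:192.0.2.1:192.0.2.10
gen_ipf_rules wm0:192.0.2.1:192.0.2.10 \
              wm1:198.51.100.1:198.51.100.10 \
              wm2:203.0.113.1:203.0.113.10
```

The generated rules go in the ipf rule file loaded at boot; the route command is what rc or a manual session would run.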