July 7, 2009 at 12:39 am #41770
First off, thank you Fulvio for making ZS!
I am trying to get aggregate bandwidth by bonding multiple vpn connections over 3g dongles and keep running into the following issues:
1) vpn traffic does not honor the gateway directive.
2) net balancer never recovers from a fault
3) remote vpn server indicates all connections are from a single 3g ppp ip (see point 1)
Here is the setup we are using:
3 * 3g dongles (autostart, default route, no nat)
3 * gateways ppp0 thu ppp2 defined in net balancer with 4x timeout.
3 * VPNs running on udp ports 4000 thu 4002 to remote VPN server
BOND00 comprising VPN00 thu VPN02 10.1.1.2
Remote VPNs Bond 10.1.1.1
ping from 10.1.1.1 to 10.1.1.2 works OK and vice versa
Vpns are all connecting to the same remote vpn server ip using UDP on separate ports 4000 to 4002, one for each vpn/3g modem in the range.
When running tcpdump on the separate ppp devices i see vpn traffic for all VPNs across all ppp devices. where as it should only route one vpn down one ppp device.
i have also tried adding net balancer rules to the effect of:
MARK udp opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:4000 MARK set 0x65 gw ppp0
MARK udp opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:4001 MARK set 0x66 gw ppp1
MARK udp opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:4002 MARK set 0x67 gw ppp1
but this does not make the vpns connect via each ppp gateway device
also in the net balancer when a 3g gateway gets marked with a fault it never seems to be able to recover and get marked back as active again, yet when you manually disable the gateway and and re-enable it it then says its active.
Our failover monitor settings are:
-ICMP failover checking: enabled
-Number of probes before marking DOWN: 2
-Number of probes before marking UP: 1
-Reply timeout (seconds): 5
-Pause before starting a new cycle (seconds): 3
-Immediately restart PPPoE and 3G Mobile: yes
with all 3 fail-over ip addresses set + enabled
All three usb 3g dongles are separated by +1m and always show blue connected (and are all on same 3g network operator)
Any help or recommendations gratefully received!
StuNovember 11, 2009 at 12:57 am #48370
Hello Stu, were you able to get it running correctly? I am in the same problem as you and I’m almost discarding the possibility that this could be done.
JosÃ© AntonioNovember 11, 2009 at 6:50 am #48371
were you able to get it running correctly? I am in the same problem as you and I’m almost discarding the possibility that this could be done.
Unfortunately not, I has hoping that lucky beta13 might have some of these issues fixed!November 11, 2009 at 9:48 am #48372
I have the same problem , some news?September 18, 2011 at 6:08 am #48373
[Note to admin: for some reason my BBcode options is disabled. could be this bug http://www.phpbb.com/bugs/phpbb3/ticket.php?ticket_id=23495&start=8 . So my posts are not formatted correctly . I have to add # instead of ‘space’ in the ascii art , else ‘space’ gets stripped]
did u manage to resolve it. If yes please share.
Problem seems to exist in 1.0 beta 16 also. VPN connections ignore the Gateway association in the settings page.
Here is my setup. Am trying to aggregate bandwidth over two ppp connections over EVDO ( USB wireless broadband dongle).Quote:#########–> VPN0 -> ppp0 ->
bond0 (rr)—>| ############ | —-> VPN server
#########–> VPN1 -> ppp1 ->
If am right, above is the suggested solution by Zeroshell. But right now am here.Quote:–> VPN0 -> ppp0 ->
############# | —-> VPN server
–> VPN1 -> ppp0 ->
As you can see both the VPN connect to remote VPN server using the same ppp0 device ( If I connect ppp1 before connecting ppp0, both VPN will connect to ppp1). Both ppp gateways are created in Netbalancer page and Netbalancer is active in ‘Load balancing and failover’ mode. FYI, Disabling /Enabling Netbalancer didn’t affect the way VPN connected.
I have not bothere to create the bond device yet because there is no point in bonding over the same ppp channel.
On examination of ps -ef ( changed the remote server name for security purpose), I find that there is no parameter specifying the gateway to the openvpn client. Wondering how zeroshell is enforcing the gateway association to VPN.Code:root@zeroshell root> ps -ef | grep vpn
root 11995 1 0 10:38 ? 00:00:00 openvpn –dev VPN01 –remote remotevpnserver.com –port 443 –proto tcp-client –tls-client –dh /etc/ssl/dh.pem –ca /etc/ssl/trusted_CAs.pem –cert /var/register/system/net/interfaces/VPN01/TLS/cert.pem –key /var/register/system/net/interfaces/VPN01/TLS/key.pem –tls-remote OpenVPN_Server –dev-type tap –float –keepalive 1 11 –script-security 3 –management 127.0.0.1 34001 –daemon VPN01_L2L –config /DB/watchyzs/ovpn/srix_auto/client.ovpn –down /root/kerbynet.cgi/scripts/vpn_mii
root 17834 1 0 11:00 ? 00:00:00 openvpn –dev VPN00 –remote remotevpnserver.com –port 443 –proto tcp-client –tls-client –dh /etc/ssl/dh.pem –ca /etc/ssl/trusted_CAs.pem –cert /var/register/system/net/interfaces/VPN00/TLS/cert.pem –key /var/register/system/net/interfaces/VPN00/TLS/key.pem –tls-remote OpenVPN_Server –dev-type tap –float –keepalive 1 11 –script-security 3 –management 127.0.0.1 34000 –daemon VPN00_L2L –config /DB/watchyzs/ovpn/srix_auto/client.ovpn –down /root/kerbynet.cgi/scripts/vpn_miiSeptember 26, 2011 at 11:13 am #48374
I also have the same problem… Was very excited to get this working. Any official response on the matter? Maybe we’re missing something basic.September 26, 2011 at 11:51 am #48375
It addresses this issue in the documentation, says it was upgraded from Static Routes requiring multiple public IP’s for each VPN on the server-side to the new Net-balancer way of doing things…
“VPN LAN-to-LAN that may be configured in Zeroshell may be obtained using OpenVPN and TAP virtual interfaces. The latter entirely resemble real Ethernet interfaces and, as such, they may be aggregated through Bonding. This feature has been available since the first release of Zeroshell. However, for VPN bonding to be justified, each VPN tunnel belonging to the bond must flow to a separate Internet link. Before Net Balancer was introduced, this was done through static routes which required at least one peer to have two public IP’s. Now, thanks to Net Balancer, the VPN site-to-site configuration form allows you to choose a gateway to set up the ciphered connection. This greatly simplifies configuration by no longer requiring static routes and two public IP addresses.”
It must be something small we’re missing….
I did notice in Windows when I change the gateway’s interface to use before clicking save it resets it back to
and when I return to change the gateways settings it doesn’t remember the interface I had previiously selected.January 24, 2013 at 3:30 pm #48376
Anyone figure out how to solve this yet?
Is there any way to redirect VPN traffic to specific gateway?
You must be logged in to reply to this topic.