VPN Routing problem – Trying to setup bonded WAN


This topic contains 4 replies, has 0 voices, and was last updated by  Hibbelharry 6 years ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • #43511

    Hibbelharry
    Member

    Hi people,

    I’m new to zeroshell and I’m running into a problem I can’t solve.

    I want to use WAN Bonding from our business office to a datacenter with 3 Lines of equal speed. I’ve setup a machine in the corresponding datacentre and our office.

    Setup in the Datacenter:

    The zeroshell Host has one NIC with 1 external IP. I’ve setup the NIC for external access, defined the gateway settings, defined 3 OpenVPN LAN-2-LAN Interfaces listening on different ports and bonded the VPN Links. I’ve setup an IP for the bond and forwarding in the routing definitions and when I connect to it by using VPN, access to the Internet seems to be working alright, as proven by pings, tracepath and friends. Seemingly no problems here.

    Setup of the local machine in our office:

    The Box has one NIC with the local network and each of the 3 Uplinks connected to it by using 4 different VLANs. I’ve setup those 4 VLANs and added Gateways to each of the Uplinks by activating netbalancer with Loadbalancing and failover. I’ve found no other possibility for setting up multiple Gateways. I’ve created 3 Openvpn LAN-to-LAN connections, each one connecting successfully to the datacenter. I’ve tied each of them to using one specific single Uplink by using the Gateways defined in the netbalancer setup. The OpenVPN Uplinks go straight into a bond setup equally to that one in the datacenter.

    The problem:

    The machines connected to the local zeroshell instance are getting internet connectivity, but the traffic doesn’t go through the bonded uplink. I’ve checked this via traceroute. Instead of using the bonded connections the traffic is routed directly via the single uplinks. I can see the used uplink changing when attempting traces multiple times but I can’t get them to behave like I want and the datacenter isn’t part of the traced routes.

    I think I’ve misconfigured netbalancer settings. I also think that I shouldn’t need the balancer since the bond should provide balancing, but found no possibility to configure multiple Gateways without turning the netbalancer on. I’ve toyed around with gateway metrics and giving my bond a metric of 1 and the multiple Uplink Gateways a metric of 50, but that didn’t help a bit.

    Just because I was curious I defined some static net routes to some external networks via the bonded connection. Traffic to those destinations works well as far as I can conclude.

    What am I missing to get the traffic routed into our bonded connection here? Any help really appreciated!

    Greetings!
    Hibbelharry

    #52542

    m_elias
    Member

    I am working on something very similar with two bonded vpn lan-to-lan tunnels.

    My virtual private server (some datacenter) is running my zeroshell vpn server, single public IP on eth00 74.x.x.x, default gateway 74.x.x.1, so I have its public interface eth00 nat’d. It has two vpn tunnels in server mode and the vpn bond has an IP 10.10.20.1. This is its “lan” interface/IP.

    My local zeroshell install has eth00 with IP 192.168.6.1 (lan with all the computers), eth01 with two IPs and two gateways in the net balancer page for my two DSL routers on the same physical media but separate subnets, two vpn tunnels in client mode each set to use their own gateway and those two tunnels bonded with IP 10.10.20.10. Eth01 and bond00 are both nat’d.

    Normal netbalancing/loadbalancing is working pretty good. Some balancing rules are also working (directing certain destination ports through their respective DSL connection). I also have a couple static routes set for two particular public IPs, each on their own DSL connection for connection uptime monitoring from my desktop (pings).

    In my case, I wanted to start with sending only traffic for certain destination ports or IPs through the VPN bond. So I added a disabled gateway in the netbalancer for 10.10.20.1, the vpn server’s bond00 IP, and added a balancing rule for my special dest port with 10.10.20.1 as the gateway, but that does not seem to work.

    I also cannot get port forwarding to work from my zeroshell’s public IP back through the vpn bond to my desktop PC. Zeroshell’s NAT page lingo confuses me but I believe both eth01 and bond00 on the zeroshell client should be nat’d. It is my understanding that the nat enabled interfaces should be the “public” or wan interfaces.

    I tried leaving my two netbalancer gateways in the list but disabling them and setting a single default gateway pointing at my zeroshell server’s bond IP of 10.10.20.1, it was no good.

    I read here https://www.zeroshell.org/forum/viewtopic.php?p=4784&sid=dfb93fcdfcb7705a431da9333e773728 that zeroshell is configured to only use TAP tunnels and may need tweaking to route to them instead of bridging, but I don’t know how the bond plays into that. I originally tried bridging my local/client zeroshell’s bond00 with its eth00 and assigning my VPS zeroshell’s bond IP to something on the same subnet and then using that IP for my computer’s gateway, but I don’t like the lan traffic on the vpn bond and that didn’t let me selectively route certain traffic down the bond.

    #52543

    m_elias
    Member

    I also sometimes notice strange ICMP timeouts when pinging 10.10.1.1 and 10.10.2.1 from my desktop PC. It seems that zeroshell on 192.168.6.1 sometimes blocks the pings for about an hour and then without any intervention on my part, it starts passing them again properly. It’s a bit frustrating when trying to use pings for diagnostic purposes. I can confirm that while the pings are blocked, the respective router’s web interface still works and internet traffic is still being routed through them.

    #52544

    atheling
    Member

    With respect to the original post on this thread, if I read what you are setting up I think you are mixing and matching two different ways of doing things.

    The Zeroshell “net balancing” and failover is working at the IP level while interface bonding is working at the ethernet packet level.

    In my opinion, the Zeroshell net balancing feature is more useful if you have multiple ISPs and wish to distribute traffic between them and are unable to use the bonded interface approach.

    In your case you have a single data center you are connecting to so you can use the bonded interface approach.

    Your data center setup sounds reasonable to me. On the remote side, I’d forget about “net balancing” and set up three VPNs, one on each of your three links, and then bond those into one gateway interface. I think the VPN interfaces may need to be on the same subnet. Been a while and I don’t remember the restrictions on bonding. Your routing is easy: The bonded interface is your gateway.

    The Linux bonding driver has a bunch of options and it has been a while since I used them and I’ve never done it on Zeroshell. But I recall that there are options for load balancing and for fail over using the bonding interface, so that is where you want to focus.

    #52545

    m_elias
    Member

    I was not able to figure out how to direct each vpn tunnel to their own gateway without using the netbalancer’s gateways, like Hibbelharry mentioned. I don’t think static routes will work because we are trying to get away with only 1 public IP at the data center. Otherwise, with enough public IPs at the data center, a static route for each vpn tunnel’s target IP could be routed to the corresponding local internet gateway.

    In my case, when I first tried this I was bridging the vpn bond on my local zeroshell with its eth00 interface and this allowed me to specify the data center zeroshell’s vpn bond IP as a gateway. It kind of worked.
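
The two open questions in this thread, atheling's "the bonded interface is your gateway" and m_elias's "how do I send each tunnel out its own uplink when the data center has only one public IP", both have a standard answer in plain Linux, which Zeroshell runs underneath its web UI. The script below is an added example written for this thread, not code from any poster or from the Zeroshell project, and it uses generic iproute2 commands rather than Zeroshell's configuration pages. The VLAN interface names, the addresses on the three uplinks (RFC 5737 documentation ranges) and the TAP device names are assumptions; the inner bond addresses 10.10.20.10 and 10.10.20.1 are borrowed from m_elias's description. It also assumes each OpenVPN client is started with the `local <uplink address>` option so its outer UDP packets carry that uplink's source address. Source-based policy routing then steers each tunnel's packets to the matching ISP gateway by source address, so destination-based static routes (which cannot tell three tunnels to one remote IP apart) are not needed, and the netbalancer gateways can be left out entirely. With `DRY_RUN=1` (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the thread above: bond three OpenVPN TAP tunnels on the
# office box and pin each tunnel's outer traffic to its own uplink.
# Interface names, VLAN ids and uplink addresses are constructed assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One uplink per line: index, VLAN interface, our address on it, ISP gateway.
# The OpenVPN client for tunnel N is configured with "local <addr>" so that
# its encrypted UDP packets are sourced from uplink N's address.
UPLINKS="1 eth0.101 192.0.2.2 192.0.2.1
2 eth0.102 198.51.100.2 198.51.100.1
3 eth0.103 203.0.113.2 203.0.113.1"

# Source-based policy routing: anything sourced from uplink N's address is
# looked up in table 100+N, whose only route is uplink N's gateway. This is
# what lets three tunnels to ONE remote IP leave over three different lines.
pin_uplinks() {
    echo "$UPLINKS" | while read -r idx dev addr gw; do
        table=$((100 + $idx))
        run ip route replace default via "$gw" dev "$dev" table "$table"
        run ip rule add from "$addr" lookup "$table" priority "$((1000 + $idx))"
    done
}

# Enslave the three TAP devices the tunnels create into one round-robin bond
# (the bonding driver requires a slave to be down while it is enslaved) and
# give the bond the inner address; the data center end holds 10.10.20.1.
build_bond() {
    run ip link add bond0 type bond mode balance-rr
    for t in tap0 tap1 tap2; do
        run ip link set "$t" down
        run ip link set "$t" master bond0
        run ip link set "$t" up
    done
    run ip addr add 10.10.20.10/24 dev bond0
    run ip link set bond0 up
}

# LAN traffic matches no policy rule, falls through to the main table, and
# the main table's default route now points at the far side of the bond.
route_via_bond() {
    run ip route replace default via 10.10.20.1 dev bond0
}

main() {
    pin_uplinks
    build_bond
    route_via_bond
}

main "$@"
```

Order matters: the per-uplink tables and rules go in first so the tunnels can come up over their own lines, and only then is the main default route swapped to the bond. A quick check after applying it is `ip rule show` (three `from <uplink addr> lookup 10N` entries above the main table) and a traceroute from a LAN host, whose first hop should now be 10.10.20.1 rather than an ISP router.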

    #52546

    Hibbelharry
    Member

    That’s also what I’m doing now. It kinda works, but we’re suffering some strange issues and failures with the routers from our ISP. Since these are dongled to our connections and we’re not able to choose sane ones on our own, talking to our ISP again and again to get better hardware is currently my main work…
