Forum Replies Created
December 21, 2012 at 7:07 pm in reply to: No ‘Sticky Sessions’ so shop carts, banking etc drop out #51917
There is a need to install.. NB.. If I do not install this, then is there any alternative??
Latest version(s) of Zeroshell have the net balancing code included so the old patches should no longer be needed.
With respect to the original post on this thread, if I read what you are setting up I think you are mixing and matching two different ways of doing things.
The Zeroshell “net balancing” and failover is working at the IP level while interface bonding is working at the ethernet packet level.
In my opinion, the Zeroshell net balancing feature is more useful if you have multiple ISPs and wish to distribute traffic between them and are unable to use the bonded interface approach.
In your case you have a single data center you are connecting to so you can use the bonded interface approach.
Your data center setup sounds reasonable to me. On the remote side, I’d forget about “net balancing” and set up three VPNs, one on each of your three links, and then bond those into one gateway interface. I think the VPN interfaces may need to be on the same subnet. Been a while and I don’t remember the restrictions on bonding. Your routing is easy: the bonded interface is your gateway.
The Linux bonding driver has a bunch of options and it has been a while since I used them and I’ve never done it on Zeroshell. But I recall that there are options for load balancing and for fail over using the bonding interface, so that is where you want to focus.
Once you figure out the Linux command line you want to use (possibly something like those suggested on http://www.aboutlinux.info/2005/09/how-to-change-mac-address-of-your.html), put that command into the “pre-boot” script on the GUI, save your configuration and reboot.
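An added example, not Zeroshell’s own code nor anything from the linked page, of the kind of pre-boot script this reply describes: it bonds several VPN tap interfaces (tap0, tap1, tap2 are assumed names) into bond0 through the bonding driver’s sysfs files, gives the bond an assumed address and points the default route at the far end of the bond. DRY_RUN=1 prints the privileged commands instead of executing them, so the script can be checked before it goes into the box.

```shell
#!/bin/sh
# Added example (not Zeroshell's own code): bond several VPN tap interfaces
# into one logical gateway interface, using the bonding driver's sysfs files.
# Interface names, addresses and the gateway are assumed placeholders.
# DRY_RUN=1 prints the privileged commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

sysfs_write() {   # sysfs_write PATH VALUE
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'echo %s > %s\n' "$2" "$1"
    else printf '%s\n' "$2" > "$1"; fi
}

# setup_bond BOND MODE ADDR/PREFIX GATEWAY SLAVE...
# balance-rr spreads packets over all links; active-backup is failover only.
setup_bond() {
    bond=$1 mode=$2 addr=$3 gw=$4; shift 4
    [ $# -ge 2 ] || { echo "need at least two slave interfaces" >&2; return 1; }
    case $mode in
        balance-rr|active-backup|balance-xor|broadcast|balance-tlb|balance-alb) ;;
        *) echo "unsupported bonding mode: $mode" >&2; return 1 ;;
    esac
    run modprobe bonding
    # create the master only if the driver did not already create it
    if [ "${DRY_RUN:-0}" = "1" ] || [ ! -d "/sys/class/net/$bond" ]; then
        sysfs_write /sys/class/net/bonding_masters "+$bond"
    fi
    # mode must be set while the bond is down and has no slaves;
    # miimon=100 polls link state every 100 ms so a dead VPN is dropped fast
    sysfs_write "/sys/class/net/$bond/bonding/mode" "$mode"
    sysfs_write "/sys/class/net/$bond/bonding/miimon" 100
    for slave; do
        run ip link set "$slave" down        # slaves must be down to enslave
        sysfs_write "/sys/class/net/$bond/bonding/slaves" "+$slave"
    done
    run ip link set "$bond" up
    run ip addr add "$addr" dev "$bond"
    run ip route replace default via "$gw" dev "$bond"
}

# Typical call from the pre-boot script (values are assumed):
# setup_bond bond0 balance-rr 10.9.0.2/24 10.9.0.1 tap0 tap1 tap2
```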
If you want Asterisk on a firewall, I’d go with Astlinux rather than Zeroshell. That project actually has a very committed development group and is focused on embedded systems, so their setup does not have the issues Zeroshell has with wearing out Compact Flash based “hard drives”.
They are primarily focused on the Asterisk side but they have firewall and routing features as well.
My upgrade was forced by a failing CF card in my net5501 box so I needed to replace the CF card (boot drive) at the same time.
If I recall correctly, I simply saved my current configuration to my laptop, installed b16 on to a new CF card, booted the new b16 and then restored my old configuration and rebooted again.
Were it me I’d investigate having the wireless links bonded into one interface (check out bonding), and then treat the rest of the problem as a transparent bridge between the local LAN interface and the bonded interface.
I would not try to use the load balancing and failover logic, which is designed for routing between multiple ISP links. Bonding supports load balancing and failover at the Ethernet level, below the IP level. For that reason a single TCP connection can be balanced between the links. If you use the TCP level load balance and failover you lose that and each TCP connection will be constrained to a single microwave link.

March 17, 2012 at 3:39 pm in reply to: Netbalancer forwarding all HTTPS traffic to specific gateway #52135
I want to know if this patch applies only in the case of load balancing and QoS on the same router ZS?
Load balancing in stock ZS is broken. So if you want to load balance you’ll be better off with the patch.
In stock ZS load balancing and QoS are incompatible. If you want to run both you will be better off with the patch.
I don’t recall a specific issue with QoS on stock ZS, so I think that if you just want to do QoS over a single WAN link you should be fine without the patch.
If you setup a bonded set of VPNs then the bonding interface will present one IP and one MAC address to use for routing traffic.
Even if you have only one IP address at your main site, you can still set up three VPNs from your remote office to the server at that site, then bond the VPN interfaces into one bonded interface there too.

March 3, 2012 at 5:20 pm in reply to: Netbalancer forwarding all HTTPS traffic to specific gateway #52133
I have been using the b16 version of the patch on b16 Zeroshell.
There are no functional changes between the latest version and the earlier one. The one change was to resolve a code change conflict with a new feature Fulvio added in b16. So if the early one gave you problems then this one will be no different. However I would like more information about the problems you’ve had to see if they can be fixed.
Link is in the earlier post on this thread. Install instructions are in a text file inside the compressed file.
I have not done this, but looking at your setup, I’d get rid of the load balancing and make the bonded VPN connection your default gateway.
Your English is quite good.
I think you can get around this by setting up a traffic classification rule so that all DNS traffic uses one of your dynamic links. Let the client always update OpenDNS for that one link.
General HTTP, mail, etc. traffic can be load balanced as usual.
One down side will be that if that link fails you will have to move all your DNS setup to another link to restore your Internet service.
By the way, I was unfamiliar with OpenDNS so I did a web search to find out what you were referring to. A number of the hits I got were posts by teenagers trying to figure out how to get around OpenDNS blocking their parents had set up. Typically the response was to set a new DNS server IP address on their individual computer. If you are worried about that, and if you are using OpenDNS I suppose you are, then you might go a bit farther and set up blocking rules in Zeroshell so no DNS request from your LAN can be made to servers other than either OpenDNS or Zeroshell.
I haven’t done this type of thing in the Zeroshell GUI but know it can be done via iptables commands through the command line. Probably possible in the GUI but you’ll have to research it.
The next thing they can do is use a web browser to access a DNS lookup web site and find the IP address for the server(s) you have blocked through OpenDNS. They can then use the IP address directly to access the site(s). On a case by case basis you can block those by blocking IP address ranges in Zeroshell.
Best of luck. Personally I’d rather not have to be playing spy/counter spy with my family.

February 29, 2012 at 4:23 pm in reply to: Netbalancer forwarding all HTTPS traffic to specific gateway #52131
OK this is done 🙂 thanks
but my actual question is something like this… (maybe I was not clear in the first place)
now let’s say PC01 makes an HTTPS request… I want Zeroshell to take it and forward it to the best possible gateway (wan1, wan2, wan3 or wan4) and then stick with that WAN till the session is over…
I don’t want to have a static rule… I just need to make Zeroshell choose 1 gateway and stick with it till the session is over for the HTTPS requests
hope now my question is more clear 🙂
Cannot do that.
Review how an HTTPS request works to have more clarity.
My patch to fix net balancing and quality of service does provide for “sticky connections” so that your HTTPS traffic all uses one interface for the session.
Patch for b16 is at http://dl.dropbox.com/u/19663978/nb_qos_b16_patch.tar.gz
Patch for b14 is at http://dl.dropbox.com/u/19663978/ZS_nb_qos_b14_b.tar.gz
(The patch for b14 will work on b15 so there is no separate patch for that.)
We have a slightly different issue – and are using a client / server model to connect a regional office to a data centre (over 3G)
Our bandwidth drops when we try and use Netbalancer – to bond / aggregate – should we be using Net balancer at both ends?
In your situation I’d look into setting up multiple VPNs, one on each link, between your regional office and the data center. And then use bonding, not net balancing, to create one virtual link between the office and the data center. I haven’t used bonding on Zeroshell but in a previous life I used it between a Linux based storage device and some servers. If I recall correctly there are a number of bonding options including some designed for load balancing.
Not sure if you are using my net balancing and QoS patch or not but… I would expect your speed test to match the data rate of one of your interfaces, not the sum of all of them.
Internet traffic is between specific IP addresses. And TCP connections over IP require fixed end points. The end result is that once your router, Zeroshell in this case, picks an interface to use for the speed test it should send all the traffic for that connection by that interface. So net balancing only balances connections between interfaces. It does not and cannot balance data between interfaces except in the roughest possible way. Net balancing will help you if you have multiple TCP connections going to many different destinations, but not multiple TCP connections going to the same destination.
Further, if you are using my patch or a non-Zeroshell router, connections can be “sticky”. That is if a connection to server A used interface 1, the subsequent connections to server A will use that same interface. You need this so that sites that use HTTPS will work.
If you wish to aggregate multiple interfaces in a way that will balance the data rates on multiple links then you will need to look into “bonding” rather than “net balancing”. This allows one IP address to be shared among multiple Ethernet adaptors. Bonding only works on interfaces that look like Ethernet adaptors to the Linux operating system. And bonding takes setup on both ends, so you will need a service provider or other entity on the other side to set up a compatible configuration for you.
You can make your two different ISP connections look like Ethernet interfaces by setting up VPNs on each interface to an appropriately configured service provider (the VPN software simulates an Ethernet interface to Linux) and then bond the multiple VPN interfaces into one logical Ethernet interface to be used for actual traffic.
So to make bonding work you will need a server some place on the Internet that you can route all your traffic through. And that server will need to be set up to allow you multiple VPN connections and then bond those VPN connections into one logical Ethernet interface. Needless to say most people don’t have a way to do this. I’ve only really seen this done for setting up remote office access to headquarters. This works because you have one IT department that is responsible for setting up both ends of each link and who can dedicate appropriate equipment to the service.

February 22, 2012 at 9:44 pm in reply to: Failover default ethernet->adsl to 3G dongle – exist. sys #52215
An ITX PC should work fine. The ones I looked at don’t have enough network ports to make a great router, but it sounds like you only really need two ethernet ports and something to plug your 3G modem into.
I am using a couple of Soekris Net5501 boxes, one for ZeroShell and one for AstLinux.
In both cases I am using Compact Flash (CF) cards for the “mass storage” device.
The fit for the Soekris Net5501 is actually a bit better for the AstLinux as that distribution is much better about minimizing writes to disk so the CF cards don’t get worn out. ZS insists on logging lots of stuff to disk which means I accept having to replace the CF card as a regular item. So far I’ve had to do that once in three years.
Current versions of AstLinux have firewall and routing capability in addition to telephony. And there is an Asterisk package available for ZeroShell. So in theory I could eliminate one of the two boxes, but so far I see no reason to. ZS is easy to manage as a firewall and router while the older version of AstLinux I have is hard to manage as a firewall and router but easy (for Asterisk) to manage as a phone system.