Forum Replies Created
Thanks for the reply. Bonding and netbalancer have worked very well in trials. I am keen to set up bonding to multiple remote sites and establish inter-site routing in addition to internet routing. Initial tests are very promising and ZS is excellent in its capabilities.
The need to set up the central or head router without specifying the remote peer IP address was very important, especially for dynamic DNS and especially for NAT router/firewall configuration.
I assume I simply set one VPN end as server and do not specify the remote IP address. At the client end I then specify the IP address of the server. As long as I use a unique UDP port for the VPN and same port at each end it should be fine? At this stage I am using PSK for simplicity.
BTW Thanks for all the great work you are doing on ZS. Much appreciated.
Thanks for the reply.
That could be an option. I need to add a rule to look at the destination IP address and make sure the traffic does not NAT if it is for a remote network via VPN. I will give this a go and report back.
Thanks for the update … I will keep an eye on developments!
Excellent! That will make a very useful addition. I look forward to that!
MultiNAT is quite simple. It allows the use of multiple public IP addresses on the WAN interface with each IP address or an IP:protocol/port to be mapped to internal hosts.
One situation that it is often used with is a DMZ or mapping to internal hosts. An example may make it clear. If the WAN interface has a /29 allocated, allowing for network, broadcast and upstream router, there will be 5 addresses available. 1 would be taken by the ZS box and used as its public interface. This also becomes the address that you SNAT with when masquerading the internal network. 4 addresses remain idle.
You may decide that you would like to use a separate address for a mail server. Maybe you have two mail servers with one as a backup MX and need a unique IP address. Possibly you want to keep the VPN on a different address to the mail server. You may want a web server on another address. This situation needs multiple public addresses.
Each service is assigned a unique IP or an allocation of IP/protocol/port. The ZS box needs to respond for each of the public addresses on the WAN interface. This is done by proxyARP or alias IP on the WAN i/f – as long as the ZS responds to the ARP request for the additional IP to the upstream router and delivers the packets into the input or forward chain. The ZS then performs Destination NAT (DNAT) on the address packet and sends the packet to the correct internal or DMZ server.
On Linux it is easy. ProxyARP or address alias can be used. I prefer the alias and I just assign additional addresses to the WAN interface. When the packet is received it is processed and has its dest address translated by using the DNAT option in IPTables. The connection tracker then works and tracks the translation so the reverse translation (SNAT) is applied on egress reply packets. The packet then enters the forward chain and the routing system will egress on the correct internal interface. In the same way that conn_track manages the translation of reply packets for MASQ traffic it will manage the translation of reply packets for DNAT traffic.
Another application for this is the reverse where you may want an internal server to appear publicly on a different address to the rest of the LAN devices. Typically I would use this on mail servers where I need to ensure mail is sent from an MX and the relevant SPF TXT entries are in place to verify the sender.
I hope this makes some sense! I have tried it on ZS and it is quite easy to implement at console … just would be nice to add to web interface!
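The alias-plus-DNAT/SNAT layout described in the post above, written out as an added example (not Zeroshell's own code, nor the poster's): it prints the WAN alias addresses and iptables rules for a mapping table, and only executes them when given the `apply` argument. The interface name ETH00, the /29 and the mapping entries are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Zeroshell's own code: generate the WAN alias addresses and
# iptables DNAT/SNAT rules for the MultiNAT layout described in the post.
# Assumptions (constructed): WAN interface ETH00 owns the /29, the mapping
# table below is hypothetical, and commands only execute with the "apply" argument.
WAN_IF=ETH00
WAN_PREFIX=29

# One mapping per line: public_ip proto port internal_ip
# proto/port "any" maps the whole address 1:1 (e.g. a DMZ host).
MAPPINGS='203.0.113.10 tcp 25 192.168.1.10
203.0.113.10 tcp 443 192.168.1.10
203.0.113.11 any any 192.168.1.20
203.0.113.12 udp 1194 192.168.1.30'

# Alias every distinct public address so the box answers the upstream
# router's ARP requests for it (each address is added exactly once).
alias_rules() {
    printf '%s\n' "$MAPPINGS" | awk '{print $1}' | sort -u | while read -r pub; do
        echo "ip addr add $pub/$WAN_PREFIX dev $WAN_IF"
    done
}

# Inbound: DNAT the public address (or address:proto/port) to the internal host.
# Conntrack reverses the translation on the reply packets, as it does for MASQUERADE.
dnat_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r pub proto port int; do
        if [ "$proto" = any ]; then
            echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $int"
        else
            echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $int"
        fi
    done
}

# Reverse case: connections the internal host itself opens leave with its
# dedicated public address (mail from an MX with matching SPF). Inserted at the
# top of POSTROUTING so they match before the LAN-wide MASQUERADE rule.
snat_rules() {
    printf '%s\n' "$MAPPINGS" | awk '{print $4, $1}' | sort -u | while read -r int pub; do
        echo "iptables -t nat -I POSTROUTING -o $WAN_IF -s $int -j SNAT --to-source $pub"
    done
}

multinat_rules() { alias_rules; dnat_rules; snat_rules; }

# Print the plan by default; run it only when explicitly asked.
if [ "${1:-}" = apply ]; then multinat_rules | sh -e; else multinat_rules; fi
```

The SNAT rules must precede the masquerade rule, which is why they are inserted rather than appended; check with `iptables -t nat -L POSTROUTING -n --line-numbers`.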
Thanks for update … looking forward to netbalance.
Thanks for feedback on the linitx device … I will go ahead and get one for some testing.
The multiNAT is as you say quite easy to do on iptables. I have implemented a form of netbalance in iptables. However I agree that it is much better to have it in the UI and the UI on ZS is very good indeed … I guess MultiNAT could be easily added in.
I am very eager to test on the FX5620 platform and have been considering buying some samples. Before I do I was wondering if you have any feedback on how well the hardware performs? After the patches did you have any issues with the NIC?
Using the stock setup I did not get fault tolerance to work with bonding.
I have done bonding many times with Linux and other tools – in fact I am working on a solution now. Fault tolerance is always the issue. On Linux I tend to do the bonding with the teql driver. The solution I am working on now simply creates an ipencap tunnel between sites (using dest ip routing to select the correct WAN) then creates a teql driver and enslaves the ipip tunnels. I then simply implement ping based link monitoring and when I see a lack of response from the remote end I remove the enslaved interface until it returns. Works quite well.
I was able to implement this on ZS at the shell using the method outlined above. I was able to create this using part GUI to create the VPN etc. then use the shell to fudge the netbalance stuff. I didn't add any link state monitoring on the OpenVPN system as I didn't have time to look into how to dynamically add or remove the VPN links using the shell.
This is part of the reason I mentioned the query on ZS as a shell only tool and when the netbalance would be added to the GUI. I can see a lot of potential for this and ZS is an excellent package for this.
BTW I have been thinking on bonding and clearly there is a lot of interest. I have ZS systems (along with my other bonding systems) installed in a data centre. I also have a /20 that I subnet and allocate to installed systems and can thus route allocations to routers that can then route them onwards. I have used this to deliver a block of IP from data centre to client-side ZS unit. At data centre I also have BGP routed transit at Tier-1 and can thus provide excellent routing to the Internet. At the head-end I have full access to our own DSL platform and can deploy ZS at head and tail end of the DSL service to provide a bonded DSL with full resilient routing.
I already offer this service to a range of clients as we can also host servers at the head-end and have peering with VoIP interconnect etc. I had been contemplating the option to provide a ZS head-end bonding service providing bonded public Internet access. That is one of the reasons I have been so keen to test with ZS! I wonder would there be much interest for this as a general service rather than a specific solution.
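The teql-over-ipip bonding with ping-based slave removal that the post above describes, as an added example (not the poster's script and not Zeroshell code): tunnel endpoints, tunnel addresses and the failure threshold are constructed assumptions, and a per-remote-endpoint route pinning each tunnel to its own WAN gateway is assumed to exist already. The decision logic is kept in `next_state` so it can be checked without root.

```shell
#!/bin/sh
# Added example, not Zeroshell's or the poster's own code: bond two ipip tunnels
# with teql and drop a slave after consecutive ping failures, re-adding it
# when the peer answers again. All addresses below are constructed.
# Entry format: dev:local_wan_ip:remote_wan_ip:tunnel_addr/prefix:peer_tunnel_ip
TUNNELS="ipip1:203.0.113.5:198.51.100.20:10.99.1.1/30:10.99.1.2
ipip2:203.0.113.6:198.51.100.21:10.99.2.1/30:10.99.2.2"
TEQL=teql0
FAIL_THRESHOLD=3   # consecutive lost pings before a slave is released
INTERVAL=2         # seconds between probe rounds

# Build the tunnels and enslave each one to teql0 (a teql slave is just a
# root qdisc, so enslaving and releasing are cheap tc operations).
setup() {
    modprobe sch_teql
    ip link set dev $TEQL up
    for entry in $TUNNELS; do
        IFS=: read -r dev local remote addr peer <<EOF
$entry
EOF
        ip tunnel add "$dev" mode ipip local "$local" remote "$remote"
        ip addr add "$addr" dev "$dev"
        ip link set dev "$dev" up
        enslave "$dev"
    done
}
enslave() { tc qdisc add dev "$1" root $TEQL 2>/dev/null; }
release() { tc qdisc del dev "$1" root 2>/dev/null; }

# Decision step: given the previous failure count and whether the ping answered,
# print "<new_count> <keep|release|enslave>". A slave is released exactly when
# the threshold is reached and enslaved again on the first reply after that.
next_state() {   # usage: next_state <fails> <alive:0|1>
    fails=$1 alive=$2
    if [ "$alive" -eq 1 ]; then
        [ "$fails" -ge "$FAIL_THRESHOLD" ] && echo "0 enslave" || echo "0 keep"
    else
        fails=$((fails + 1))
        [ "$fails" -eq "$FAIL_THRESHOLD" ] && echo "$fails release" || echo "$fails keep"
    fi
}

# Probe every peer through its own tunnel; counters persist in /var/run.
monitor() {
    while :; do
        for entry in $TUNNELS; do
            dev=${entry%%:*}; peer=${entry##*:}; state=/var/run/teqlmon.$dev
            [ -f "$state" ] || echo 0 > "$state"
            ping -c 1 -W 1 -I "$dev" "$peer" >/dev/null 2>&1 && alive=1 || alive=0
            set -- $(next_state "$(cat "$state")" "$alive")
            echo "$1" > "$state"
            case $2 in enslave) enslave "$dev" ;; release) release "$dev" ;; esac
        done
        sleep $INTERVAL
    done
}
case "${1:-}" in setup) setup ;; monitor) monitor ;; esac
```

Run it once with `setup`, then keep `monitor` running in the background; `tc qdisc show` lists which tunnels are currently enslaved.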
1. Is there any suggestion on when NetBalance will be available? I am willing to Beta test this or get involved in the development if it helps. I would be very eager to test this and I have a live test environment setup for testing bonded systems.
I know that without the net balancer that allows routing decisions to be made based on iptables rules it is not easy to use the VPN Bonding to increase the bandwidth.
Next week the 1.0.beta7 release will be available, which will include support for the Road Warrior VPN connections with OpenVPN. I decided to allow the use of OpenVPN also for Host-to-LAN VPN because I noticed that many users have difficulty configuring L2TP/IPSec clients.
I will start to develop the 1.0.beta8 release in October and I hope to complete it in November. This release will include the NetBalancer module.
I assume the NetBalancer module will provide an easy way to configure gateway selection based on destination UDP Port which is effectively what I did on CLI to test the function. This would be a great function and will make ZS a very useful tool!
2. What distribution is ZS built upon?
I don’t use a pre-built distribution such as Debian, Fedora, …, but I compile the packages directly from the source tar.gz.
In any case, I started with Linux From Scratch.
I have done a few LFS builds but have always wanted to find a small, tight router distribution that could bring ease of development. Having said that, LFS is not that difficult once a development system is available (or indeed the LiveCD build system is used).
3. Would you provide the core distribution of ZS as a general router distribution possibly with no web interface? A self-contained easy to deploy CF based Linux could be very useful for a range of projects.
Why? You don’t like ZeroShell’s web interface?
Quite the opposite! I love the GUI and it is a great tool to have. Keep up the great work on this! The only idea I had was to have a purely CLI system that would allow automated build and deployment based upon a central database. This would make management of multi-sites and remote deployment much easier. I had an idea that a “call home” feature for blank routers would allow easy download of a configuration.
However it was just a thought and something I would have liked to play around with. ZS interface and ease of use is excellent and you have done a great job on this!
Finally, my particular interest is in bonded configurations and I see others are keen on this. I have a lot of experience in this area and I would be willing to create some documentation and setup guides if anyone would be interested in these.
Any documentation is welcome. Especially if the documentation is about the VPN bonding, on which many users ask for greater details, but I am too busy to answer.
I will certainly help on this in due course. As soon as you get the NetBalancer module complete I will happily deploy test configurations and extensively test them on multi-line bonded DSL then document the information with setup guides etc.
Thanks and I look forward to developments!