
Re: Can a Firebrick help me?


Iain McWilliams

Apr 10, 2006, 10:28:51 AM
Anthony R. Gold wrote:
> Can a Firebrick help me with this situation:
>
> I have a server in an unattended location with an unreliable DSL
> connection. I will likely add a second DSL line or a cable line for more
> resilience. The blunt way to increase access to the location would be to
> run a separate server on the second Internet connection, but is there any
> way to use a firebrick to access the same LAN of servers alternatively
> through two Internet connections?
>
> BTW both connections would likely use dynamic IP addresses, if that is
> pertinent. Right now I have no difficulty finding the dynamic address
> from the WAN side by use of a DynDNS client running on the server, but
> that may no longer work if the server can see two external addresses.

We do something a bit similar with a firebrick...

We have 2 public IPs advertised for a web server and use the mapping
function of the firebrick to map those onto the private IP of the
webserver. As the firebrick is mapping the requests, the server itself
doesn't need to know what its public IPs are.

Dynamic IP may cause a problem here though. (I have no experience with
using a firebrick with dynamic IP).

In fact we go one step further - we have a backup web server on the same
LAN and by manually enabling or disabling a profile on the firebrick we
can switch all requests from WebserverA to WebserverB or vice versa.
This makes it really easy to shunt requests away from a machine when you
wish to update software on it yet still keep the service running to the
end users.

Regards,
Iain


Ben Mack

Apr 19, 2006, 4:50:21 AM
In article <gtcn32dk5jgqgti8b...@4ax.com>, Anthony R. Gold
<not-fo...@ahjg.co.uk> writes
>On Mon, 10 Apr 2006 15:28:51 +0100, Iain McWilliams <ia...@lmp.co.uk>
>wrote:

>
>> Dynamic IP may cause a problem here though. (I have no experience with
>> using a firebrick with dynamic IP).
>
>Thanks for the comments Iain.
>
>I hope someone from Watchfront or A&A will tell me whether using one or
>more Firebricks will meet my needs - and with minimal setup complexity.

It should do, though I've not personally tried it

Does the FireBrick itself get a dynamic public IP from each ADSL router?
If so, you may have trouble having two DHCP servers (the ADSL routers)
on the same ethernet segment (the FireBrick WAN). If this is a problem,
purchase a 5 Port feature for the brick and run each WAN ADSL router on
a separate FireBrick port.

However if you can run the FireBrick on fixed private IPs on the LAN of
each ADSL router, and use NAT and incoming forwarding rules in each ADSL
router (i.e. your public IPs are on the ADSL router WAN side), then you
avoid this problem

Apart from that, should be straightforward as Iain says, just a mapping
rule for each WAN, and suitable firewall rules

I assume you are just running simple server apps such as http, that
don't mind NAT?

HTH
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/


Ben Mack

Apr 24, 2006, 9:12:58 AM
In article <j40c42hbgb82mhqhb...@4ax.com>, Anthony R. Gold
<not-fo...@ahjg.co.uk> writes
>If the Firebrick could perform PPPoE logins then it could get public
>dynamic IP addresses from the ISPs through modems running in bridged mode.
>But can a Firebrick do either PPPoE login or NAT? I guess not.

The FireBrick does NAT, but not PPP, it is purely an IP device

>I guess the configuration would be two bridged DSL modems followed by two
>routers which do the NAT and PPPoE logins.

Most low-cost ADSL routers include both the modem and the PPP client

If your ISP only provides a single WAN IP address, then the ADSL routers
can run NAT, as you say

However, why don't you use an ISP that can supply public IP addresses
for the LAN side of your ADSL routers? This makes the whole thing *much*
simpler

> Will a Firebrick manage the IP
>traffic between the LAN hosts and whatever WAN route(s) are working?

Yes

>So I plug two routers (which perform PPPoE login via each of two bridged
>modems) into separate ports of a Firebrick with the 5 port feature and
>then I can hang one LAN of fixed IP hosts off the Firebrick and each LAN
>host will see and will be seen by the Internet via any working DSL
>connection?

Yes,
- you only need 5 Port feature if using DHCP on both WANs
- incoming sessions are mapped from each WAN to server
- outgoing sessions can be handled by either
a) manual routing
b) automatic failover using Profiles feature
c) load sharing using Bonding feature

>Do the LAN hosts use a LAN address which was assigned to the Firebrick as
>their gateway address for sending out packets? Will that be one of the
>two router interfaces of the Firebrick or some third address which will be
>used by the Firebrick as a single virtual gateway?

If you are stuck with NAT on ADSL routers, something like

Server 10.0.0.1/24 gateway 10.0.0.254

FireBrick LAN 10.0.0.254/24
FireBrick WAN1 10.0.1.1/24 gateway 10.0.1.2
FireBrick WAN2 10.0.2.1/24 gateway 10.0.2.2

ADSL Router 1 LAN 10.0.1.2/24, incoming forwarding rule
ADSL Router 2 LAN 10.0.2.2/24, incoming forwarding rule

>Is this plug and play (or can it be configured by you prior to shipping)
>or is it going to be complicated and experimental to set up? This is
>going to be running when I am thousands of miles away, so I am looking for
>an industrial strength solution and nothing of an experimental nature.

The FireBrick config should be pretty solid. However I am always wary of
unusual ADSL setups, so I would suggest testing

Watchfront can offer ad-hoc configuring of FireBricks for 80 quid an
hour, normally takes a couple of hours, if that helps

>Even if that all works and is easy, I am still concerned about how to
>discover the WAN addresses of the two modems from a distant place. I
>guess I could periodically be sending out emails from LAN hosts which will
>show a trace the source address. But if both DSL circuits were working,
>could I get the Firebrick to send something through each one to announce
>the two WAN addresses to me?

With the Profiles feature, you could config the FireBrick to send pings
up both WANs to, say, another FireBrick, that log the source addresses

I'm sure there are lots of other ways, but I'm no expert on dynamic
addresses, we like to keep ours nice and static ;-)
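
The double-NAT address plan in the post above, checked mechanically. This is an added example, not part of the original post and not FireBrick configuration; the interface names and the segment grouping are assumptions drawn from the post's layout. It verifies that each segment is one subnet, that every gateway is on-link and owned by a device on that segment, and that the routed subnets do not overlap.

```python
import ipaddress

# Address plan copied from the post: name -> (address/prefix, default gateway).
# The interface names are labels made up for this example.
PLAN = {
    "server":         ("10.0.0.1/24",   "10.0.0.254"),
    "firebrick-lan":  ("10.0.0.254/24", None),
    "firebrick-wan1": ("10.0.1.1/24",   "10.0.1.2"),
    "firebrick-wan2": ("10.0.2.1/24",   "10.0.2.2"),
    "router1-lan":    ("10.0.1.2/24",   None),
    "router2-lan":    ("10.0.2.2/24",   None),
}
# Assumed cabling: which interfaces share an Ethernet segment.
SEGMENTS = {
    "lan":  ["server", "firebrick-lan"],
    "wan1": ["firebrick-wan1", "router1-lan"],
    "wan2": ["firebrick-wan2", "router2-lan"],
}

def check_plan(plan, segments):
    """Return a list of problems; an empty list means the plan is consistent."""
    ifaces = {name: ipaddress.ip_interface(addr) for name, (addr, _) in plan.items()}
    problems, seg_nets = [], []
    for seg, members in segments.items():
        nets = {ifaces[m].network for m in members}
        if len(nets) != 1:
            problems.append(f"{seg}: members are not in one subnet")
        if len({ifaces[m].ip for m in members}) != len(members):
            problems.append(f"{seg}: duplicate address")
        seg_nets += [(seg, n) for n in nets]
        for m in members:
            gw = plan[m][1]
            if gw is None:
                continue
            gw = ipaddress.ip_address(gw)
            if gw not in ifaces[m].network:
                problems.append(f"{m}: gateway {gw} is not on-link")
            elif gw not in {ifaces[o].ip for o in members if o != m}:
                problems.append(f"{m}: no device on {seg} owns gateway {gw}")
    # Routed segments must use distinct subnets, or the FireBrick cannot tell
    # WAN1 from WAN2 (e.g. two routers left on the same factory default range).
    for i, (sa, na) in enumerate(seg_nets):
        for sb, nb in seg_nets[i + 1:]:
            if sa != sb and na.overlaps(nb):
                problems.append(f"{sa} and {sb} overlap: {na} / {nb}")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN, SEGMENTS) or "address plan is consistent")
```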


Ben Mack

Apr 25, 2006, 6:02:06 AM
In article <hotp42pil566gqm8q...@4ax.com>, Anthony R. Gold
<not-fo...@ahjg.co.uk> writes
>On Mon, 24 Apr 2006 14:12:58 +0100, Ben Mack <nos...@ben.watchfront.co.uk>
>wrote:

>
>> In article <j40c42hbgb82mhqhb...@4ax.com>, Anthony R. Gold
>> <not-fo...@ahjg.co.uk> writes
>>
>>> I guess the configuration would be two bridged DSL modems followed by two
>>> routers which do the NAT and PPPoE logins.
>>
>> Most low-cost ADSL routers include both the modem and the PPP client
>
>I have had very bad experiences using integrated modem/routers in PPPoE
>which work perfectly well with PPPoA. They seem to become unable
>to reconnect after a disconnection, which of course is a dire condition in
>unattended locations. Plain modems (Westell and Netopia) followed by
>PPPoE routers have been far more reliable.

Odd, though I have little experience with pppoe. Have you tried the
Linksys AG241? We find it very good at reconnecting and general
stability, though of course on pppoa

>> If your ISP only provides a single WAN IP address, then the ADSL routers
>> can run NAT, as you say
>>
>> However, why don't you use an ISP that can supply public IP addresses
>> for the LAN side of your ADSL routers? This makes the whole thing *much*
>> simpler
>

>I need to use far more IP addresses than can be affordably obtained at
>those particular locations.

You can still use private IPs on the LAN side of the FireBrick, with the
FireBrick running NAT.

Having a public address for each line on the FireBrick WAN makes the WAN
connections very straightforward, with none of the concerns over DHCP
(and hence not needing 5 Port feature), and no need for forwarding rules
in the ADSL routers (which can cause problems)

>>> Will a Firebrick manage the IP
>>> traffic between the LAN hosts and whatever WAN route(s) are working?
>>
>> Yes
>>
>>> So I plug two routers (which perform PPPoE login via each of two bridged
>>> modems) into separate ports of a Firebrick with the 5 port feature and
>>> then I can hang one LAN of fixed IP hosts off the Firebrick and each LAN
>>> host will see and will be seen by the Internet via any working DSL
>>> connection?
>>
>> Yes,
>> - you only need 5 Port feature if using DHCP on both WANs
>> - incoming sessions are mapped from each WAN to server
>> - outgoing sessions can be handled by either
>> a) manual routing
>> b) automatic failover using Profiles feature
>> c) load sharing using Bonding feature
>

>Sounds great so long as I can get that translated into a working
>configuration.


>
>>> Do the LAN hosts use a LAN address which was assigned to the Firebrick as
>>> their gateway address for sending out packets? Will that be one of the
>>> two router interfaces of the Firebrick or some third address which will be
>>> used by the Firebrick as a single virtual gateway?
>>
>> If you are stuck with NAT on ADSL routers, something like
>>
>> Server 10.0.0.1/24 gateway 10.0.0.254
>>
>> FireBrick LAN 10.0.0.254/24
>> FireBrick WAN1 10.0.1.1/24 gateway 10.0.1.2
>> FireBrick WAN2 10.0.2.1/24 gateway 10.0.2.2
>>
>> ADSL Router 1 LAN 10.0.1.2/24, incoming forwarding rule
>> ADSL Router 2 LAN 10.0.2.2/24, incoming forwarding rule
>>
>>> Is this plug and play (or can it be configured by you prior to shipping)
>>> or is it going to be complicated and experimental to set up? This is
>>> going to be running when I am thousands of miles away, so I am looking for
>>> an industrial strength solution and nothing of an experimental nature.
>>
>> The FireBrick config should be pretty solid. However I am always wary of
>> unusual ADSL setups, so I would suggest testing
>

>No problems with testing; I intend to install this personally and not have
>anything drop shipped to non-technical users.


>
>
>> Watchfront can offer ad-hoc configuring of FireBricks for 80 quid an
>> hour, normally takes a couple of hours, if that helps
>

>Yes, that would help a lot.


>
>>> Even if that all works and is easy, I am still concerned about how to
>>> discover the WAN addresses of the two modems from a distant place. I
>>> guess I could periodically be sending out emails from LAN hosts which will
>>> show a trace the source address. But if both DSL circuits were working,
>>> could I get the Firebrick to send something through each one to announce
>>> the two WAN addresses to me?
>>
>> With the Profiles feature, you could config the FireBrick to send pings
>> up both WANs to, say, another FireBrick, that log the source addresses
>>
>> I'm sure there are lots of other ways, but I'm no expert on dynamic
>> addresses, we like to keep ours nice and static ;-)
>

>I guess hanging a host running a DynDNS client onto each router on a
>separate port from the Firebrick would also solve that problem.

Yes, although seems overkill. If you have multiple machines on the LAN,
you could run a dyndns update client on each machine, and use specific
routing rules on the FireBrick to route dyndns updates from each client
up a specific line

>Could a surplus SoHo do this or does it need a new 105?

A soho could do fixed routing to 2 WANs, but not much more

> Also, where is
>the 105 on its product life cycle? Will it be the current product for the
>next year or two or is it likely to be replaced during that time frame?

The 105 will certainly be available for the next year or two, that's not
to say there won't be new FireBrick products in that time. Sorry we
cannot be more specific until we are ready to launch new products

Cheers
