Software Dual-WAN Firewall / Router for Linux

RJM62

I have a client who has me looking for a software router / firewall that can be installed on a Linux server (Debian) that has one 10 Mb/s DHCP cable connection and one 3 Mb/s PPPoE DHCP DSL connection.

He wants the router/firewall to be able to handle routing for a mixed Windows / Linux environment, provide both load-balancing and failover, and not require a separate appliance (by which I mean that the server would still be doing other duties). No VPN, no webserver, no mailserver.
He does insist that it have a GUI... I guess so he can break it more easily. Must also provide DHCP and DNS services, and preferably be able to support 802.11a/b/g on a separate subnet (though that part I can work around easily enough).

I could use pfSense, but that would require a separate box; and the client is a tightwad. He claims he's being "environmentally responsible" by saving energy by running the router on the fileserver, which I could buy if he didn't drive a Hummer and/or didn't just let me order a dual-WAN router and be done with it.

Basically, he wants router/firewall software, with a GUI, that will run on a Debian fileserver that's performing other duties, and will provide load-balancing and failover. Any ideas other than running pfSense in VMware (already being considered, albeit with reservations)?

Thanks,

Rich
 
Running a network firewall on a fileserver is stupid, really stupid. I can't in good conscience give you any recommendations without violating two or three parts of the CISSP code of ethics.

Did I mention that it's really stupid?

Be sure you don't assume any liability for this client's information security.

Timothy Metzinger, PMP, CISSP
 
Running a network firewall on a fileserver is stupid, really stupid. I can't in good conscience give you any recommendations without violating two or three parts of the CISSP code of ethics.

Did I mention that it's really stupid?

Be sure you don't assume any liability for this client's information security.

Timothy Metzinger, PMP, CISSP

He didn't say it's a file server. If the "server" is a dedicated dual-homed firewall/router it's no different from buying one in a box, except you have full access to the OS.

http://www.linux.com/feature/113828
http://www.shorewall.net/

The only downside for me would be the power required to run a full Lintell machine vs. an embedded system.
 
Yes, he DID say it's a file server....

Basically, he wants router/firewall software, with a GUI, that will run on a Debian fileserver that's performing other duties, and will provide load-balancing and failover
 
Running a network firewall on a fileserver is stupid, really stupid. I can't in good conscience give you any recommendations without violating two or three parts of the CISSP code of ethics.

Did I mention that it's really stupid?

Be sure you don't assume any liability for this client's information security.

Timothy Metzinger, PMP, CISSP

Thanks, Tim. I figured that would be your answer, and I appreciate it.

Yes, it is a fileserver; and yes, I know it's a stupid idea. As you may have guessed, I don't care for this client very much. I was willing to install either a commercial dual WAN firewall router or build him a cheap pfSense box out of an old PC, but the tightwad doesn't want to spend any money. He uses "energy conservation" as an excuse.

So he told me to look for a software solution that can run on the fileserver (which would also assume duties as the Internet gateway). I figured there was no good way to do this, but I wanted to ask around. I've been wrong before, so no harm in asking. I thought about various things that could be done with Webmin, iptables, and maybe Shorewall, as well as running pfSense in VMware, but I just don't feel very comfortable with any of those ideas.

Anyone have any good experiences with a particular brand of dual-WAN firewall/routers? 12 nodes, mostly Windows, one Linux server, and occasional clients using wireless just for Internet on their laptops (not for access to the fileserver). Like I said, the guy's a tightwad; so the less expensive, the better.

I've not had good luck with Netgear or Hotbrick, but that could have been just bad luck. I don't use dual-WAN stuff very often; most of my clients moan about the cost of one Internet connection, much less two.

Any recommendations appreciated.

Thanks again,

Rich
 
but the tightwad doesn't want to spend any money. He uses "energy conservation" as an excuse.

<snip>

the guy's a tightwad; so the less expensive, the better.

<snip>

I don't use dual-WAN stuff very often; most of my clients moan about the cost of one Internet connection, much less two.

Hmmm. So he will pay for two Internet connections, but won't pay to do the security right? Sheesh. :dunno:

Reminds me of an old client of mine who refused to buy good $35/ea surge protectors as part of a deal where they were buying $20,000 of computer equipment. Instead, they went and bought the $6 Walgreens variety, despite my warnings. Three months, one lightning strike, and another $20,000 of equipment later, they bought the surge protectors I'd recommended in the first place. :rolleyes: At least they took my advice on backups...
 
Run away. If anything happens then you'll be the target. Don't
install something that you think is a bad idea.
 
Hmmm. So he will pay for two Internet connections, but won't pay to do the security right? Sheesh. :dunno:

Reminds me of an old client of mine who refused to buy good $35/ea surge protectors as part of a deal where they were buying $20,000 of computer equipment. Instead, they went and bought the $6 Walgreens variety, despite my warnings. Three months, one lightning strike, and another $20,000 of equipment later, they bought the surge protectors I'd recommended in the first place. :rolleyes: At least they took my advice on backups...

Yeah, I know those types, as well. Backup and UPS are tough to sell to some people until they have an "event" that persuades them otherwise.

The guy I need the router for is especially annoying because his business doesn't actually require uninterrupted Internet access. He's a drywall installation contractor and could easily weather the occasional short outage. Optimum tends to get business accounts back on line very quickly around here (actually, they're pretty good with residential, too).

But about a year ago, he got into online trading. He now has a special PC custom-built for online trading (six monitors), and from what I'm told he's rarely emerged from the office since. Until a couple of weeks ago, anyway, when the cable connection went down for a few minutes, and he ran from the office like a stark raving lunatic screaming, "THE INTERNET IS DOWN! THE INTERNET IS DOWN!"

The office manager called me and told me to talk to him before he had a stroke, but by the time I was halfway through telling him, "Click Start, then run, then the letters C-M-D...," the service was back up again, and he hung up on me. But this week he scheduled Verizon to install DSL (no FIOS in his neighborhood yet) as a backup to the cable connection.

If all he wanted were failover, I think I would just run Ethernet from the DSL bridge into his office, run it through a decent SOHO router/firewall, install a second NIC in the machine, and configure it using the DSL router as a second gateway with a higher metric. But he figures if he's going to be paying for the DSL service all the time, he doesn't want it sitting idle until the cable line fails. He wants to load-balance -- despite the fact that his whole office doesn't generate enough traffic that load-balancing would make a bit of difference in anyone's experience.

So now I need a router that provides both load-balancing and failover that will work on one DHCP cable connection and one static DSL connection. (I was wrong about the DSL being dynamic; it will be a static IP.)

I've decided not to build this guy anything because I don't want to listen to him screaming if a NIC fries or something in a box that I built. I'm leaning toward specifying a PePLink Balance 200 instead.

I never used PePLink products before, but they have good reviews, are Linux-based, and are very inexpensive considering their features. The Balance 200 weighs in at just under $900.00. If the client screams and stamps his feet, I can suggest the Balance 30 instead at just under $500.00. Then he'll merely pout. Either router should meet his modest needs, but I know that he'll balk at whatever my first suggestion is, so I need a good fallback position.

Anyone have any experience with PePLink?

Thanks,

Rich
 
You could have a look at SmoothWall. I used to run 2.whatever and was happy with it. Dual-WAN functionality is probably available through a plug-in (they're a pretty active development community).

Not sure if you'd be able to install it on top of the current OS, though. But it's a slick product that it may be worth looking at installing first, then implementing file services on top of (I don't think you need any more warnings about how bad an idea that is). And it's free.
 
...
The office manager called me and told me to talk to him before he had a stroke, but by the time I was halfway through telling him, "Click Start, then run, then the letters C-M-D...," the service was back up again, and he hung up on me. But this week he scheduled Verizon to install DSL (no FIOS in his neighborhood yet) as a backup to the cable connection.

If all he wanted were failover, I think I would just run Ethernet from the DSL bridge into his office, run it through a decent SOHO router/firewall, install a second NIC in the machine, and configure it using the DSL router as a second gateway with a higher metric. But he figures if he's going to be paying for the DSL service all the time, he doesn't want it sitting idle until the cable line fails. He wants to load-balance -- despite the fact that his whole office doesn't generate enough traffic that load-balancing would make a bit of difference in anyone's experience.

So now I need a router that provides both load-balancing and failover that will work on one DHCP cable connection and one static DSL connection. (I was wrong about the DSL being dynamic; it will be a static IP.)

I've decided not to build this guy anything because I don't want to listen to him screaming if a NIC fries or something in a box that I built. I'm leaning toward specifying a PePLink Balance 200 instead.

I never used PePLink products before, but they have good reviews, are Linux-based, and are very inexpensive considering their features. The Balance 200 weighs in at just under $900.00. If the client screams and stamps his feet, I can suggest the Balance 30 instead at just under $500.00. Then he'll merely pout. Either router should meet his modest needs, but I know that he'll balk at whatever my first suggestion is, so I need a good fallback position.

Anyone have any experience with PePLink?

Thanks,

Rich

You could have a look at SmoothWall. I used to run 2.whatever and was happy with it. Dual-WAN functionality is probably available through a plug-in (they're a pretty active development community).

Not sure if you'd be able to install it on top of the current OS, though. But it's a slick product that it may be worth looking at installing first, then implementing file services on top of (I don't think you need any more warnings about how bad an idea that is). And it's free.

Dual links is not as easy as you think. You can't have two default routes...and you especially can't do load balancing. To do such would require the router to keep track of which interface a given transaction for a given node was on and then route each appropriately. Nothing does that.

This can easily have the second WAN link ready to go as a failover. You just can't use both at once for the same clients.

The easiest way to get what he wants is to set up two IP networks and use two hardware router/firewalls. They can even be the same physical network.

Half the clients use the DSL router and half use the cable router but they can't use both. The best way to make it all work is by running a custom DHCP server on that Linux server. The DHCP server can dynamically give clients the addresses of the working router when it detects that the primary failed.

Yeah, I could make that work.
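The custom-DHCP failover described in this post, worked through as an added example; this is not code from the thread or from any product mentioned in it. It assumes dnsmasq is the DHCP server on the Debian box, that the static dnsmasq config tags each client into the `dsl` or `cable` pool with `dhcp-host=<mac>,set:<tag>` lines, and that dnsmasq reads the rendered file through a `dhcp-optsfile=` directive at an assumed path. Router addresses and probe targets are constructed; the probe targets need a host route through the matching router (`ip route add 192.0.2.1 via 192.168.1.1`) so that the ping actually exercises that router's WAN path rather than just its LAN port.

```python
"""Gateway health check that rewrites the DHCP router option (added example, not from the thread)."""
import os
import subprocess
import tempfile

# Constructed topology, not from the thread: each router's LAN address and a probe
# target that is reachable only through that router's WAN link. The box running this
# needs a host route per target, e.g. `ip route add 192.0.2.1 via 192.168.1.1`,
# so that pinging the target really tests that router's WAN path.
ROUTERS = {
    "dsl":   {"lan_ip": "192.168.1.1", "probe": "192.0.2.1"},
    "cable": {"lan_ip": "192.168.1.2", "probe": "198.51.100.1"},
}

# Assumed location; dnsmasq must reference it with `dhcp-optsfile=` so a SIGHUP re-reads it.
OPTS_FILE = "/etc/dnsmasq.d/gateways.opts"


def ping(target, timeout=1):
    """One ICMP echo request; True if answered within `timeout` seconds."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout), target],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def is_up(target, tries=3, probe=ping):
    """A link counts as up if any of `tries` probes succeeds, so a single lost
    packet does not flip every client's gateway."""
    return any(probe(target) for _ in range(tries))


def check_routers(probe=ping):
    """Probe every router's WAN path; returns {name: up?}."""
    return {name: is_up(cfg["probe"], probe=probe) for name, cfg in ROUTERS.items()}


def assign_gateways(health):
    """Each client pool keeps its own router while it is up and is moved to a
    working router otherwise. Raises when nothing is reachable so the caller
    leaves the last known-good configuration in place."""
    live = [name for name, ok in health.items() if ok]
    if not live:
        raise RuntimeError("no WAN router reachable")
    return {pool: (pool if health[pool] else live[0]) for pool in ROUTERS}


def render_optsfile(assignment):
    """dnsmasq dhcp-optsfile lines: clients tagged dsl/cable in the static
    config (dhcp-host=<mac>,set:<tag>) receive the router chosen for their pool."""
    return "".join(f"tag:{pool},option:router,{ROUTERS[router]['lan_ip']}\n"
                   for pool, router in assignment.items())


def reload_dnsmasq():
    """SIGHUP makes dnsmasq re-read the dhcp-optsfile without dropping leases."""
    subprocess.run(["pkill", "-HUP", "dnsmasq"], check=False)


def apply_config(content, path=OPTS_FILE, reload=reload_dnsmasq):
    """Write atomically and reload only when the file actually changed."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)
    reload()
    return True


if __name__ == "__main__":
    # Run from cron every minute; on a total outage the previous file is left alone.
    try:
        health = check_routers()
        changed = apply_config(render_optsfile(assign_gateways(health)))
        print(health, "updated" if changed else "unchanged")
    except RuntimeError as exc:
        print("keeping previous configuration:", exc)
```

Two things bound how well this works in practice. Clients only learn about a new router when their lease renews, so the DHCP lease time (clients normally try to renew at half of it) decides how long one half of the office stays dark after a router fails; a lease of a few minutes is reasonable on a 12-node LAN. And the probe must go out through the router's WAN, which is why the targets above are reached via per-router host routes: a router whose DSL line is dead still answers pings on its LAN address.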
 
Dual links is not as easy as you think. You can't have two default routes...and you especially can't do load balancing. To do such would require the router to keep track of which interface a given transaction for a given node was on and then route each appropriately. Nothing does that.

This can easily have the second WAN link ready to go as a failover. You just can't use both at once for the same clients.

The easiest way to get what he wants is to set up two IP networks and use two hardware router/firewalls. They can even be the same physical network.

Half the clients use the DSL router and half use the cable router but they can't use both. The best way to make it all work is by running a custom DHCP server on that Linux server. The DHCP server can dynamically give clients the addresses of the working router when it detects that the primary failed.

Yeah, I could make that work.

Hmmm...

So... two routers, one feeding some and the other the rest... connected to each other by a switch... with the DHCP server also connected to the same switch and sensing which connection is up and assigning IP addresses accordingly?

DSL Router ---> Some clients
|
Switch --- DHCP Server
|
Cable Router ---> Some clients

Something like that?

I faxed him a quote based on the PePLink Balance 200... No answer yet.

Thanks for the input.

Rich
 
You could have a look at SmoothWall. I used to run 2.whatever and was happy with it. Dual-WAN functionality is probably available through a plug-in (they're a pretty active development community).

Not sure if you'd be able to install it on top of the current OS, though. But it's a slick product that it may be worth looking at installing first, then implementing file services on top of (I don't think you need any more warnings about how bad an idea that is). And it's free.

I was thinking about Shorewall via Webmin, but I'm kind of soured on the idea of building anything for him at this point, and of course running the firewall on the file server is a stupid idea, as has been pointed out.

But this is pretty interesting. I also have a cable and a DSL connection for redundancy, but my failover consists of running an Ethernet cable from the working connection to the other switch when one or the other goes down. This may be a good project for a slow day, using my own office as a test lab.

Rich
 
Another way it could work is if the clients were listening to a routing protocol like RIP and got the default route dynamically. In that case you would still not be using both links unless you could put two IP networks on the router interface, which is not something you can do with a $75 box. Also I wouldn't count on Windows clients to handle that well.
 
I was thinking about Shorewall via Webmin, but I'm kind of soured on the idea of building anything for him at this point, and of course running the firewall on the file server is a stupid idea, as has been pointed out.

But this is pretty interesting. I also have a cable and a DSL connection for redundancy, but my failover consists of running an Ethernet cable from the working connection to the other switch when one or the other goes down. This may be a good project for a slow day, using my own office as a test lab.

Rich

The way you do it is the easiest way to do it. There are elegant and not so much ways to fail over, there just are no easy ways to use both at the same time.
 
The normal way to do this with dual routers is to have the routers support something like Hot Standby Router Protocol (HSRP). Each router has an IP address and a MAC address, and generates a second virtual IP address and MAC address. Each router polls the other and will assume the other's virtual addresses if the other goes down.

Once that's done, you simply assign one router (virtual IP) as the default gateway for half your clients, and the other router (virtual IP) as the default gateway for the other half of the clients. When a router fails (or loses its WAN link), the clients don't change anything, as the virtual IP address fails over to the other router. There's a delay while the spanning-tree protocol updates in the switch to reflect the changed MAC addresses, but it's generally less than 5 seconds.

The other way to do it is with a router and dual WAN interfaces - it will on a session-by-session basis round-robin between the two WAN links, and if you were using leased lines to a serious ISP you could even use OSPF so it would choose the "best" path for every packet. But then your router is a single point of failure.

Since what it sounds like your idiot client wants is redundancy and utilization of both WAN links, the dual routers with HSRP is probably the best solution. But again, given the constraints you're under (use a single box as your router/firewall/fileserver) you can't achieve the level of redundancy he really wants - you're just shifting one single point of failure (the ISP) to another (the server).

You should charge this guy your "idiot rate" (usually 3X) in the hopes that he either then develops enough respect for you to follow your advice, or fires you. Either way sounds like a win.
 
The normal way to do this with dual routers is to have the routers support something like Hot Standby Router Protocol (HSRP). Each router has an IP address and a MAC address, and generates a second virtual IP address and MAC address. Each router polls the other and will assume the other's virtual addresses if the other goes down.

Once that's done, you simply assign one router (virtual IP) as the default gateway for half your clients, and the other router (virtual IP) as the default gateway for the other half of the clients. When a router fails (or loses its WAN link), the clients don't change anything, as the virtual IP address fails over to the other router. There's a delay while the spanning-tree protocol updates in the switch to reflect the changed MAC addresses, but it's generally less than 5 seconds.

The other way to do it is with a router and dual WAN interfaces - it will on a session-by-session basis round-robin between the two WAN links, and if you were using leased lines to a serious ISP you could even use OSPF so it would choose the "best" path for every packet. But then your router is a single point of failure.

Since what it sounds like your idiot client wants is redundancy and utilization of both WAN links, the dual routers with HSRP is probably the best solution. But again, given the constraints you're under (use a single box as your router/firewall/fileserver) you can't achieve the level of redundancy he really wants - you're just shifting one single point of failure (the ISP) to another (the server).

You should charge this guy your "idiot rate" (usually 3X) in the hopes that he either then develops enough respect for you to follow your advice, or fires you. Either way sounds like a win.
I hadn't heard of any routers doing either but then I haven't been in the loop for a few years.

Neither feature sounds like something you would find on a sub-$200 box, although I thought I saw an SMC box that had some kind of redundancy in it. I thought it was just a dial backup.

Sonofagun. Forget what I said.

http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&cid=1&scid=17&pid=1654

I don't see anybody in the US that sells it. I bet it's $300-400.

Charge the client $1500 for a custom solution and then just drop one of those on his network.

Energy savings and all... :D
 

Attachment: DS_SMCBR21VPN.pdf (258.8 KB)
That's a nice solution. Cheap enough that you could probably buy two, configure them identically, and have a warm-spare ready to go.
 
That's a nice solution. Cheap enough that you could probably buy two, configure them identically, and have a warm-spare ready to go.

Except that I looked at all of their "places to buy" and none had any mention of it. I'll bet it was discontinued. Ebay!

I'd call SMC and ask.
 
Dual links is not as easy as you think. You can't have two default routes...and you especially can't do load balancing. To do such would require the router to keep track of which interface a given transaction for a given node was on and then route each appropriately. Nothing does that.
Not quite. Lots of cheap business routers/firewalls exist with that capability. I'm sure that the open source solutions can do it as well. It does pose some problems since there is potential for the source IP address changing. This is often not even a problem. If this does become a problem for certain sites with poorly written authentication systems it can be overcome by tracking source/destination addresses and making sure to always send them over the same WAN link for a predetermined amount of time. This is a basic feature they pretty much all do.

So yes. You can get pretty even load balancing over completely different WAN links. Just set it to remember source/destination addresses and always send them out the same interface. This can expire after an hour or so.
 
The SMC product looks like it'd do the job... Two WAN interfaces running RIP between the two. Doesn't get much simpler than that.

I'd actually be interested in that device... I currently have DSL through Speakeasy so I can host my website and email (and lab and so forth). I'd like to get cable so I can D/L faster... It looks like you might be able to prioritize traffic to a WAN interface by internal subnet, which is exactly what I'd need to do. Very intriguing... Ebay here I come! :D

Edit: One thing... I've used SMC products in the past, and I've found the software wanting.
 
Hmmm... Can't find the SMC anywhere, but the Linksys unit is way cheap and has gotten decent reviews.

I bought a Linksys dual-WAN router about two years ago for a client, and had nothing but trouble with it. It was about $600.00, so I didn't expect miracles, but I did expect it not to drop the connections every two or three days and have to be rebooted. They RMA'd it twice, but I finally switched to a Netgear model that wasn't much better. I don't know how it worked out in the long run because I fired the client for repeated bad checks.

But this Linksys unit has decent reviews on first glance. I'll have to research it some more.

I appreciate everyone's advice, really. I was originally trained in straight electronics, not I.T., and I admit to having some pretty big gaps in my knowledge. Luckily, I'm also cognizant enough of those gaps to ask around for advice when in doubt about something.

I also dug out an old P3 box and I think I'll build myself a dual-WAN firewall just for the learning experience.

Tim, this particular client is obnoxious, hard-headed, and demanding; but the one thing I do like about him is that once all is said and done, he mails the check the next day. Also, his office manager (who is the one I usually deal with) is an absolute pleasure, so I guess you take the bad with the good.

Thanks again,

Rich
 
I don't think it's a concern, but just to be sure: The client isn't looking to load balance incoming traffic (he's not hosting like a website or anything), correct? I doubt it given the use of dynamic IPs, but if so, that's a whole 'nother ball of wax (BGP and other similar network-fu stuff I have precisely zero understanding of.)
 
I don't think it's a concern, but just to be sure: The client isn't looking to load balance incoming traffic (he's not hosting like a website or anything), correct? I doubt it given the use of dynamic IPs, but if so, that's a whole 'nother ball of wax (BGP and other similar network-fu stuff I have precisely zero understanding of.)

That's not the issue. The issue is, ahead (outside) of the NAT an internal client has a given IP address and TCP session. You can't request a transfer with every other one of your acks being on a different network, much less having the remote side knowing that you and that's-also-you-on-another-network are looking for the next packet in the sequence.

What these routers have to do is remember that a specific session used a specific interface, which is possible - after all, they lately can do session-aware packet filtering - but it requires some fancy code footwork.
 
That's not the issue. The issue is, ahead (outside) of the NAT an internal client has a given IP address and TCP session. You can't request a transfer with every other one of your acks being on a different network, much less having the remote side knowing that you and that's-also-you-on-another-network are looking for the next packet in the sequence.

What these routers have to do is remember that a specific session used a specific interface, which is possible - after all, they lately can do session-aware packet filtering - but it requires some fancy code footwork.

Network-fu isn't my specialty by any stretch, but I thought that's what RIP (which the SMC uses for sure and I think the Linksys might) and OSPF do...? I think the way it works is that the router determines the best pipe to use for a given request, and then that pipe gets used for the duration of that session... so you don't wind up getting packets coming back from both pipes.

Meh, I've tried to pretend to be a CCNA or whatever before and that hasn't worked out so well, so I prolly shouldn't try again. :p
 
Network-fu isn't my specialty by any stretch, but I thought that's what RIP (which the SMC uses for sure and I think the Linksys might) and OSPF do...? I think the way it works is that the router determines the best pipe to use for a given request, and then that pipe gets used for the duration of that session... so you don't wind up getting packets coming back from both pipes.

Meh, I've tried to pretend to be a CCNA or whatever before and that hasn't worked out so well, so I prolly shouldn't try again. :p

The routing protocols dynamically say "the best way to get there" but they can only give "the best way" not "the two best ways," although the metric gives a preference, like "This router is 3 hops away from where you want to go and this one is 5 hops," so you'd send to the one that's three hops.

Ummmm....here's the deal: To use the route to a given network you need to send to a given router. ONE router - the best one for you to use. In this case you want your router to have TWO equally good routes to talk to the entire world and to use them equally. That's not something that routing alone can do without some magic that looks at TCP sessions, that is, one layer up on the model.
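The per-session bookkeeping that three of the replies describe (the "remember source/destination addresses and always send them out the same interface, expiring after an hour" post, the "remember that a specific session used a specific interface" post, and this post's "magic that looks at TCP sessions"), worked through as an added example; this is not code from the thread or from any router mentioned in it. The link weights 10 and 3 follow the 10 Mb/s cable and 3 Mb/s DSL lines in the original question; the flow addresses are constructed. It goes one step beyond the posts by also re-homing a flow whose link has gone down, which is the failover half of what the client asked for.

```python
"""Sticky per-flow WAN selection with idle expiry (added example, not from the thread)."""
import time

# Constructed: two WAN links weighted roughly by capacity, from the OP's
# 10 Mb/s cable and 3 Mb/s DSL lines.
WANS = {"cable": 10, "dsl": 3}


class WanSelector:
    """Decides which WAN link a flow leaves on.

    New flows are spread by smooth weighted round-robin; a (src, dst) pair that
    has already been seen keeps its link until it has been idle for `affinity_ttl`
    seconds, so the remote side keeps seeing one public address per session.
    """

    def __init__(self, wans, affinity_ttl=3600, clock=time.monotonic):
        self.weights = dict(wans)
        self.up = {name: True for name in wans}
        self.ttl = affinity_ttl
        self.clock = clock            # injectable so the expiry logic can be tested
        self.affinity = {}            # (src, dst) -> (wan, last_seen)
        self.credit = {name: 0 for name in wans}

    def set_link(self, name, up):
        """Mark a WAN link up or down (fed by whatever link monitor you run)."""
        self.up[name] = up
        self.credit = {n: 0 for n in self.weights}   # restart the round-robin cleanly

    def _pick_new(self):
        """Smooth weighted round-robin over the links that are up: with the
        weights above, any 13 consecutive picks give 10 cable and 3 dsl."""
        live = [n for n in self.weights if self.up[n]]
        if not live:
            raise RuntimeError("no WAN link up")
        total = sum(self.weights[n] for n in live)
        for n in live:
            self.credit[n] += self.weights[n]
        best = max(live, key=lambda n: self.credit[n])
        self.credit[best] -= total
        return best

    def select(self, src, dst):
        """Return the WAN for this packet: reuse the flow's link while the
        affinity is fresh and the link is up, otherwise (re)assign it."""
        now = self.clock()
        key = (src, dst)
        entry = self.affinity.get(key)
        if entry is not None:
            wan, last_seen = entry
            if now - last_seen <= self.ttl and self.up[wan]:
                self.affinity[key] = (wan, now)
                return wan
        wan = self._pick_new()
        self.affinity[key] = (wan, now)
        return wan

    def expire(self):
        """Drop affinities idle longer than the TTL; returns how many were removed."""
        now = self.clock()
        stale = [k for k, (_, last_seen) in self.affinity.items()
                 if now - last_seen > self.ttl]
        for k in stale:
            del self.affinity[k]
        return len(stale)


if __name__ == "__main__":
    sel = WanSelector(WANS)
    # Constructed flows: 13 office PCs all reaching one trading site.
    for i in range(1, 14):
        print(f"10.0.0.{i} -> 203.0.113.10 via {sel.select(f'10.0.0.{i}', '203.0.113.10')}")
    sel.set_link("dsl", False)
    print("dsl down, 10.0.0.3 now via", sel.select("10.0.0.3", "203.0.113.10"))
```

On a Linux router this decision table is exactly what iptables CONNMARK plus one routing table per WAN and an `ip rule ... fwmark` entry implement: the mark is chosen on a connection's first packet and restored onto every later packet, so policy routing consults the same table for the whole session. The part that the routing protocols cannot supply, and that the model makes explicit, is the key and the clock: the affinity is per (source, destination) and decays on idle time, which is what keeps a site that ties a login to the client's public address from seeing two of them.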
 
I don't think it's a concern, but just to be sure: The client isn't looking to load balance incoming traffic (he's not hosting like a website or anything), correct? I doubt it given the use of dynamic IPs, but if so, that's a whole 'nother ball of wax (BGP and other similar network-fu stuff I have precisely zero understanding of.)

Nah, none of that. No Web site, no VPN, no mail server, no CRM, or anything like that. Just the boss's online trading, email access for the staff, and ordering materials via the Web. Everything else is hosted at Singlehop.

Frankly, they really don't even need as much bandwidth as they already have; and surely no one will be able to tell the difference with load balancing. So I can understand his wanting redundancy, given his online trading activities; but the load balancing is a complete waste of time and effort, IMHO.

Rich
 
The routing protocols dynamically say "the best way to get there" but they can only give "the best way" not "the two best ways," although the metric gives a preference, like "This router is 3 hops away from where you want to go and this one is 5 hops," so you'd send to the one that's three hops.

Ummmm....here's the deal: To use the route to a given network you need to send to a given router. ONE router - the best one for you to use. In this case you want your router to have TWO equally good routes to talk to the entire world and to use them equally. That's not something that routing alone can do without some magic that looks at TCP sessions, that is, one layer up on the model.

Right right... So lemme see if I've got this right: Say I get that Linksys dual-WAN router for my house and have cable and DSL. Requests coming from my LAN, bound for the Internet hit the router and it says, "I've determined (using RIP or EIGRP or whatever) that the destination for that packet is closer using the <DSL/Cable> route. You, Mr. Packet, head on down the line to the next router, whose address is..." From there on, the traffic edit: for that particular session is going to come back down the same pipe it went out on -- at least so long as the requests keep going out via the same route. Right? I know that's a flaw with RIP... It has a set refresh time of xx seconds at which point it may say, "This is now the new best route" and packets could get lost in passing.

Now, doing multihomed hosting is a whole different ballgame, and one I'm not really concerned with, but I know that's all about BGP which all works on AS proximity. All of which I don't claim to understand in the least. :D
 
Nah, none of that. No Web site, no VPN, no mail server, no CRM, or anything like that. Just the boss's online trading, email access for the staff, and ordering materials via the Web. Everything else is hosted at Singlehop.

Frankly, they really don't even need as much bandwidth as they already have; and surely no one will be able to tell the difference with load balancing. So I can understand his wanting redundancy, given his online trading activities; but the load balancing is a complete waste of time and effort, IMHO.

Rich

From what I can tell, fail-over capability is a lot easier to configure and manage in those devices than load balancing. So you've got that going for you. :D
 
From what I can tell, fail-over capability is a lot easier to configure and manage in those devices than load balancing. So you've got that going for you. :D

And frankly, no one's going to notice the difference, anyway. I'll try to install the most trouble-free of the devices in terms of failover, and let the load balancing be what it may. As long as he has an uninterrupted way of staring at his six screens and watching the numbers change in real-time, he'll be happy.

Thanks again,

Rich
 
And frankly, no one's going to notice the difference, anyway. I'll try to install the most trouble-free of the devices in terms of failover, and let the load balancing be what it may. As long as he has an uninterrupted way of staring at his six screens and watching the numbers change in real-time, he'll be happy.

Thanks again,

Rich

But make sure you get paid up front, preferably in cash, rather than waiting for the riches he's gonna make with his trades. :no:

Find out if he learned all he knows by listening to the tapes he bought at a "Create Wealth" seminar in a hotel conference room. :p
 