Linux based n-way router?

Andrew Hammond ahammond-swQf4SbcV9C7WVzo/KQ3Mw at public.gmane.org
Fri Sep 24 18:04:14 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fraser Campbell wrote:
| On Friday 24 September 2004 08:09, Scott Allen wrote:
|
|>I'm thinking of using Slackware Linux and the FireHOL iptables
|>generator script, since my experience with both has been quite
|>positive. FireHOL looks like it would make it easy to set up and
|>maintain all the "virtual" routers required (see:
|><http://firehol.sourceforge.net/> ).
|
| Linux distro is pretty much irrelevant for a firewall although you'd
| probably want to avoid those that are targeted to the desktop.

Need to care about which kernel for obvious reasons. Ideally, you want
this to be a pretty stripped-down box. Probably only ssh for admin, and
then turn on apache only when you're actively administering the firewall
app layer.

If you want to monitor, then setting up an SNMP daemon is pretty easy,
but you might find it easier to just set up mrtg locally. Downside is
running a web server on your router.

If performance / reliability justifies the budget, then a pair of HP
routing switches would be the way to go:
http://www.hp.com/rnd/products/routing_switches/9300_series/overview.htm

Their proprietary VRSP is a big win over STP for layer 2 failover. And
in terms of raw performance, it will blow away any PCI-X bus based PC.
But the fact that you're asking on this list kind of implies you're not
looking at this kind of price range. :)

Speaking of performance, Lennart recommended aggregating ports (called
bonding in Linux) and running VLANs over them. I tried doing this about
a year ago and had no luck getting the VLANs to work over the bonded ports.

| I looked at firehol right now (for about 60 seconds) didn't like the
| looks of it.  That's probably just because I'm used to shorewall and
| its config files ... I'm sure firehol is capable, it's probably best
| to go with what keeps you comfortable, once deployed I expect you'll
| rarely be changing firewall rules anyway.

I'll second the vote for shorewall. It's a good tool.

| There are 4 port cards from DLink we had pretty good luck in the past
| with DFE570TX but chances are you can't get that anymore.  There's a
| new one (580) based on the sundance driver, the old one was tulip (or
| de4x5).  We've had some duds from both batches but overall I think the
| 570s were better.

I've used these cards too and am quite happy with them.

| I think Syskonnect makes 4 port gigabit nics, they are probably pricey
| but I expect they're good.
|
| You should consider throughput.  I'm sure today's normal PCs are
| capable of saturating many 100Mb networks, Gigabit I am not so sure ...
| there is probably a bottleneck in there. I'll leave the math for others
| though since I have absolutely no idea ;-)

The guideline I've always followed is no more than 100 PCs per subnet.

| Someone else already mentioned this but I'll add it as well, build 2.  2
| identical systems with heartbeat makes failover trivial, it will save
| you a lot of stress.

Instead of using heartbeat, I'd strongly suggest checking out
keepalived's VRRP implementation.

http://www.keepalived.org/

- --
Andrew Hammond    416-673-4138    ahammond-swQf4SbcV9C7WVzo/KQ3Mw at public.gmane.org
Database Administrator, Afilias Canada Corp.
CB83 2838 4B67 D40F D086 3568 81FC E7E5 27AF 4A9A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBVGGdgfzn5SevSpoRAuNJAKCdbmz7UaZ4JEwNrrNGkBB5TLYsSwCeMV59
WA+K3Z+O7GCqfbjILjLrfc4=
=Cr8f
-----END PGP SIGNATURE-----
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
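The "stripped-down box, ssh only for admin" posture from the reply above, together with the vote for shorewall, expressed as a Shorewall zone layout for a four-legged Linux router. This is an added example, not configuration from the thread or from the Shorewall project. It uses the Shorewall 4.x file format (the 2004-era 2.x zones file had different columns); the zone names, interface-to-zone mapping, the management segment, and the peer router addresses 203.0.113.3 and 192.0.2.3 are all assumed.

```conf
# /etc/shorewall/zones   (Shorewall 4.x format; example, not the thread's)
#ZONE   TYPE
fw      firewall    # the router itself
net     ipv4        # upstream
lan     ipv4        # internal clients
dmz     ipv4        # public-facing servers
mgmt    ipv4        # assumed: dedicated admin segment, the only place ssh comes from

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
lan     eth1        tcpflags,routefilter
dmz     eth2        tcpflags,routefilter
mgmt    eth3        tcpflags,routefilter

# /etc/shorewall/policy   (default deny between every pair, logged)
#SOURCE DEST    POLICY  LOGLEVEL
fw      all     ACCEPT          # the box may reach out for updates/logging
lan     net     ACCEPT
dmz     net     ACCEPT
all     all     DROP    info    # everything else: drop and log

# /etc/shorewall/rules   (exceptions to policy, most specific first)
#ACTION         SOURCE              DEST    PROTO   DPORT
# Only ssh reaches the router, and only from the management segment.
# There is deliberately no rule for the web admin UI: it stays unreachable
# until the admin adds one for the session and removes it afterwards.
SSH(ACCEPT)     mgmt                fw
# LAN and Internet may reach the DMZ web tier; nothing in the DMZ may
# initiate toward the LAN (covered by the all/all DROP policy).
Web(ACCEPT)     lan                 dmz
Web(ACCEPT)     net                 dmz
# VRRP (IP protocol 112) for the router pair, admitted only from the
# peer's address on each shared segment (addresses assumed).
ACCEPT          net:203.0.113.3     fw      112
ACCEPT          lan:192.0.2.3       fw      112
```

The point of the `all all DROP info` policy is that an n-way router defaults to isolating every pair of segments; each permitted direction is a named exception that shows up in `shorewall show` and in the logs when it is hit. `routefilter` turns on reverse-path filtering per interface, which is what stops a host on one leg from sourcing packets with another leg's addresses.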
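The "bond the ports, then run VLANs over the bond" layout Lennart recommended, written out as an added example (not from the thread) in Debian ifupdown syntax with the `ifenslave` and `vlan` packages installed. Interface names, the two VLAN IDs, and the addresses are assumed.

```conf
# /etc/network/interfaces  (Debian ifupdown; example, not the thread's)
# Assumed: eth0/eth1 are the two uplinks, VLANs 10 and 20 are the segments.

# The aggregate carries no address of its own: every segment rides a
# tagged sub-interface, so the bond itself stays "manual".
auto bond0
iface bond0 inet manual
    bond-slaves eth0 eth1
    bond-mode 802.3ad                # LACP; the switch side must be an LACP group
    bond-miimon 100                  # link-state poll interval, ms
    bond-lacp-rate fast
    bond-xmit-hash-policy layer3+4   # spread flows, not frames, across members

# One 802.1Q sub-interface per segment, tagged on top of the bond.
# The switch's aggregated port must trunk these VLAN IDs as tagged frames;
# a channel that only passes the native VLAN gives exactly the symptom
# "bonding works, VLANs over it do not".
auto bond0.10
iface bond0.10 inet static
    vlan-raw-device bond0
    address 192.0.2.2                # this node's real address; the shared
    netmask 255.255.255.0            # service address lives in keepalived
    post-up sysctl -q -w net.ipv4.conf.$IFACE.rp_filter=1

auto bond0.20
iface bond0.20 inet static
    vlan-raw-device bond0
    address 198.51.100.2
    netmask 255.255.255.0
    post-up sysctl -q -w net.ipv4.conf.$IFACE.rp_filter=1
```

To check the two halves separately: `cat /proc/net/bonding/bond0` shows whether both members joined the same LACP aggregator (if the switch is not configured for LACP the bond will sit with no active aggregator and pass nothing), and `ip -d link show bond0.10` confirms the sub-interface is tagged with the expected VLAN id. The `rp_filter` line gives each segment strict reverse-path filtering, which matters more on a router than on a host because it is the only thing stopping one leg from injecting packets sourced from another leg's prefix.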
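The keepalived VRRP setup the reply recommends over heartbeat, for a pair of identical n-way routers. This is an added example, not the thread's or keepalived's own configuration; interface names, addresses, router ids, the peer address and the notify script path are assumed. The second router's file is identical apart from `router_id`, `priority 100`, and the swapped `unicast_src_ip` / `unicast_peer` addresses.

```conf
# /etc/keepalived/keepalived.conf on the first router of the pair
# (example, not the thread's; names and addresses assumed)

global_defs {
    router_id rtr-a
    enable_script_security   # refuse to run notify scripts writable by non-root
}

# All service addresses move as one unit. On an n-way router a single
# failed leg must fail the whole box over, otherwise you end up with two
# half-routers each owning the VIP on a different segment.
vrrp_sync_group G_ROUTER {
    group {
        V_WAN
        V_LAN
    }
    notify /usr/local/sbin/vrrp-notify   # assumed script: logs transitions
}

vrrp_instance V_WAN {
    state BACKUP            # both nodes start BACKUP; priority elects the master
    nopreempt               # a repaired node does not pull the VIPs back
    interface eth0
    virtual_router_id 51    # unique per segment; becomes MAC 00:00:5e:00:01:33
    priority 150            # the peer runs 100
    advert_int 1
    # VRRPv2 PASS authentication is cleartext and truncated to 8 bytes; it
    # guards against a mistyped config, not an attacker. What actually limits
    # who can claim the VIP is unicast adverts plus a firewall rule admitting
    # IP protocol 112 only from the peer's address.
    authentication {
        auth_type PASS
        auth_pass wan-a1b2
    }
    unicast_src_ip 203.0.113.2
    unicast_peer {
        203.0.113.3
    }
    virtual_ipaddress {
        203.0.113.1/24 dev eth0
    }
    track_interface {       # lose either leg and this instance drops to FAULT
        eth0
        eth1
    }
}

vrrp_instance V_LAN {
    state BACKUP
    nopreempt
    interface eth1
    virtual_router_id 52
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass lan-a1b2
    }
    unicast_src_ip 192.0.2.2
    unicast_peer {
        192.0.2.3
    }
    virtual_ipaddress {
        192.0.2.1/24 dev eth1
    }
    track_interface {
        eth0
        eth1
    }
}
```

After starting keepalived on both nodes, `ip addr show eth0` on exactly one of them should list 203.0.113.1; pulling eth1's cable on that node should move both VIPs to the peer together, and plugging it back in should not move them back (that is what `nopreempt` buys you: one failover per incident, not two). One caveat that heartbeat does not solve either: VRRP moves addresses, not firewall state, so established connections through a stateful iptables ruleset break on failover unless connection tracking is replicated to the peer (conntrackd is the usual tool).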