Date: Tue, 27 Dec 2005 01:42:39 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Winelfred G. Pasamba" <winelfredpasamba@gmail.com>, <danial_thom@yahoo.com>
Cc: "Loren M. Lang" <lorenl@alzatex.com>, Yance Kowara <yance_kowara@yahoo.com>, freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections
Message-ID: <LOBBIFDAGNMAMLGJJCKNKECEFDAA.tedm@toybox.placo.com>
In-Reply-To: <d38eca100512262026s12d6e287iaacc85617c3fe47e@mail.gmail.com>
Does it meet the test I already outlined? Download the FreeBSD iso then upload it to a remote server, with both lines connected. Time it. Disconnect 1 line, then repeat the test. If the time to download and upload when both DSL lines are connected is half the time it takes when 1 DSL line is connected, then you're load-balancing. If not, then you are not - although if it makes you feel like you haven't wasted your money to claim your "per session load balancing" then I suppose it would be uncharitable to make you feel bad by pointing out that this is purely a marketing term with no networking significance. Oops.

Ted

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Winelfred G. Pasamba
> Sent: Monday, December 26, 2005 8:27 PM
> To: danial_thom@yahoo.com
> Cc: Loren M. Lang; Yance Kowara; Ted Mittelstaedt; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD router two DSL connections
>
> Ted, Danial, and the rest,
>
> I'm learning a lot in this thread.
>
> I have a pfsense (freebsd) router that has two connections to the same ISP and one connection to a linux squid (another server). I use the ported openbsd packet filter in freebsd for (whatever) load balancing. I can paste the freebsd /etc/pf.conf and give you a sample of 'pfctl -s state' which looks like a firewall state table (I'm not sure though). I can also capture traffic graphs on all three interfaces of the pfsense router.
>
> Just want to know what's happening in the (freebsd) pfsense router. Is it route balancing, packet round-robin'ing, connection-round-robining, or what?
>
> One thing is that both these ISP lines don't have any CIR. One is "up to 128kbps" and the other is "up to 256 kbps". And I don't know which is which, hehe.
>
> Here are the graphs and dump:
> http://geocities.com/winelfredpasamba/is_this_load_balancing_or_what/
>
> On 12/26/05, Danial Thom <danial_thom@yahoo.com> wrote:
>>
>> --- Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
>>
>>>> -----Original Message-----
>>>> From: Danial Thom [mailto:danial_thom@yahoo.com]
>>>> Sent: Friday, December 23, 2005 3:47 PM
>>>> To: Ted Mittelstaedt; Loren M. Lang
>>>> Cc: Yance Kowara; freebsd-questions@freebsd.org
>>>> Subject: RE: FreeBSD router two DSL connections
>>>>
>>>> Ted the incompetent, wrong on all counts once again:
>>>>
>>>> --- Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
>>>>
>>>>>> -----Original Message-----
>>>>>> From: Danial Thom [mailto:danial_thom@yahoo.com]
>>>>>> Sent: Wednesday, December 21, 2005 9:56 AM
>>>>>> To: Loren M. Lang; Ted Mittelstaedt
>>>>>> Cc: Yance Kowara; freebsd-questions@freebsd.org
>>>>>> Subject: Re: FreeBSD router two DSL connections
>>>>>>
>>>>>> All upstream ISPs are connected to everyone on the internet, so it doesn't matter which you send your packets to (the entire point of a "connectionless" network). They both can forward your traffic to wherever it's going.
>>>>>
>>>>> They aren't going to forward your traffic unless it's sourced by an IP number they assign. To do otherwise means they would permit you to spoof IP numbers. And while it's possible some very small ISPs run by idiots that don't know any better might still permit this, their feeds certainly will not.
>>>>
>>>> Yes they will.
>>>
>>> I assure you they will not.
>>>
>>>> Routers route based on dest address only. Are you somehow suggesting that an ISP can't be dual homed and use only one link if one goes down, since some of the addresses sent up the remaining pipe wouldn't have source addresses assigned by that upstream provider?
>>>
>>> ISPs that are dual-homed have to register their subnets with both providers.
>>>
>>> For example, suppose I'm a small ISP and I go get a Sprint connection and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0
>>>
>>> These are Sprint-owned IP addresses of course. As I source traffic from 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass Sprint's ingress filter to me.
>>>
>>> Now I get a bit bigger and decide I need a redundant connection. So I contact ARIN and buy an AS number, then contact ATT and get a connection to them, then set up BGP between myself and ATT & Sprint.
>>>
>>> When ATT and I are setting up BGP, ATT's techs will ask me what subnets I'm advertising. I tell them 192.168.1.0 - 192.168.10.0. ATT then checks with ARIN's whois server to make sure Sprint has entered a record for that list of subnets that says I'm authorized to use them. If all that checks out OK then ATT adjusts their ingress filters so I can source traffic to them from those subnets.
>>>
>>> Now I get even bigger and need more IPs than what Sprint will provide, so I go to ARIN and buy them. Then all my feeds have to adjust their ingress filters to the new subnet.
>>>
>>> Now I get bigger still and I start trying to set up peering relationships with other networks, so I don't have to pay them directly. Well now guess what, those networks are now monitoring the traffic volume I'm sending them, because they don't want me to use and abuse them and give them little peering in return. So I now have an enormous financial incentive to make sure that any traffic coming from any of my end users is in fact valid traffic, so you better believe I'm going to enforce that with ingress filters to my downstream customers.
>>>
>>> Anyway, this is all academic because the wrongly-sourced packet won't even get into my network to be forwarded and blocked by ATT or Sprint, or my peer routers, in the first place. Why? Because every wrongly-sourced packet I allow a customer to send to me can potentially displace a correct packet from a customer, making their traffic slower and setting up potential for complaints.
>>>
>>> The ONLY Internet routers that don't ingress filter today are transit routers run by transit ASs, and no network that is worth anything allows direct connections to those routers to their end-user customers. There is just too much potential for abuse, and even more potential for being blackholed as a rogue network by the rest of the Internet.
>>>
>>> Everybody today that knows anything about what they are doing applies ingress filters, or they require their downstreams to ingress filter. In fact I'd say this is one of the reasons Cisco was dislodged as the core router vendor by Juniper, because of the need for enough CPU in routers closer and closer to the core to be able to run access lists.
>>>
>>> Chances today that a cable line or a DSL line going to an end user could get a packet with a non-network source very far into the Internet are zilch.
>>>
>>> One of the largest sources of bogus source IP numbers in fact are those cheap-as-shit DSL/Cable routers, as some of those models will ARP both their legal WAN IP address and the LAN IP addresses on their WAN port. All of the ActionTec routers do this in bridged mode, for example, and Qwest has thousands of them deployed. And the second largest source are infected PCs that have DDoS trojans on them, which some mothership
>>
>> You're not using illegal addresses when you load balance, Ted. You're using real addresses that all of your upstream ISPs need to know about. Why can't you grasp this concept?
>>
>> DT
>
> --
> Seek ye first the kingdom of God and all these things shall be added unto you.
>
> Winelfred G. Pasamba
> Adventist University of the Philippines
> Computer Science Department, AUP Online Information System
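The two threads of the argument above meet in the pf ruleset: Winelfred asks what the packet filter is actually doing with two uplinks, and Ted's point is that each upstream only forwards packets sourced from an address it assigned. The pf.conf fragment below is an added example written for this thread; it is not Winelfred's configuration, not pfSense's generated ruleset, and not from the FreeBSD project. It follows the `route-to ... round-robin` pattern from the OpenBSD PF user's guide of that era, so it matches the pf shipped with FreeBSD 5/6 rather than later syntax. Interface names (`dc0`, `dc1`, `fxp0`), the LAN prefix and the gateway addresses are assumptions; the uplink gateways use documentation ranges.

```pf
# Added example ruleset, not the thread's or pfSense's own config.
# Interface names, LAN prefix and gateway addresses are assumed values.
ext_if1 = "dc0"              # first DSL line
ext_if2 = "dc1"              # second DSL line
int_if  = "fxp0"             # LAN side
ext_gw1 = "198.51.100.1"     # ISP gateway on line 1 (documentation range)
ext_gw2 = "203.0.113.1"      # ISP gateway on line 2 (documentation range)
lan_net = "192.168.0.0/24"

# Each uplink forwards only packets sourced from the address it assigned,
# so every connection is translated to the address of the line it leaves on.
# Without this, a connection routed out line 2 with line 1's address would
# be dropped by line 2's ingress filter.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Apply the same ingress-filtering principle at our own edge: drop packets
# arriving on an interface whose source address belongs to another
# interface's network.
antispoof quick for { $int_if, $ext_if1, $ext_if2 }

# Default deny.
block in  log all
block out log all

# Traffic to and from the LAN and to the router itself.
pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if

# Per-connection (per-state) load balancing: the FIRST packet of each new
# state is handed to the next gateway in round-robin order, and every later
# packet of that state follows the same gateway. One download therefore
# never uses both lines; two concurrent transfers can.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# Allow the translated traffic out of each line.
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# Replies to traffic that arrived on one line must leave on that same line,
# regardless of the default route, or the other ISP would discard them as
# wrongly sourced.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

With this ruleset, `pfctl -s state` shows each state with its translated source address, which is enough to tell which line a given connection was assigned to, and `pfctl -s rules -v` shows per-rule packet counters for the two `route-to` rules. This is also why Ted's single-file timing test does not halve: pf balances at state creation, so one TCP connection stays on one line for its whole life. The check that distinguishes per-connection balancing from no balancing is to run two simultaneous transfers and compare the combined throughput against the same two transfers with one line disconnected.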