Date:      Tue, 27 Dec 2005 01:42:39 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Winelfred G. Pasamba" <winelfredpasamba@gmail.com>, <danial_thom@yahoo.com>
Cc:        "Loren M. Lang" <lorenl@alzatex.com>, Yance Kowara <yance_kowara@yahoo.com>, freebsd-questions@freebsd.org
Subject:   RE: FreeBSD router two DSL connections
Message-ID:  <LOBBIFDAGNMAMLGJJCKNKECEFDAA.tedm@toybox.placo.com>
In-Reply-To: <d38eca100512262026s12d6e287iaacc85617c3fe47e@mail.gmail.com>


Does it meet the test I already outlined?

Download the FreeBSD iso then upload it to a remote server,
with both lines connected.  Time it.

Disconnect 1 line, then repeat the test.  If the time to
download and upload when both DSL lines are connected is
half the time it takes when 1 DSL line is connected, then
you're load-balancing.

If not, then you are not - although if it makes you feel
like you haven't wasted your money to claim your
"per session load balancing", then I suppose it would be
uncharitable to make you feel bad by pointing out that
this is purely a marketing term with no networking
significance.

Oops.

Ted

>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Winelfred G.
>Pasamba
>Sent: Monday, December 26, 2005 8:27 PM
>To: danial_thom@yahoo.com
>Cc: Loren M. Lang; Yance Kowara; Ted Mittelstaedt;
>freebsd-questions@freebsd.org
>Subject: Re: FreeBSD router two DSL connections
>
>
>Ted, Danial, and the rest,
>
>I'm learning a lot in this thread.
>
>I have a pfSense (FreeBSD) router that has two connections to the same ISP
>and one connection to a Linux Squid (another server).  I use the ported
>OpenBSD packet filter in FreeBSD for (whatever) load balancing.  I can paste
>the FreeBSD /etc/pf.conf and give you a sample of 'pfctl -s state' which
>looks like a firewall state table (I'm not sure though).  I can also capture
>traffic graphs on all three interfaces of the pfSense router.
>
>Just want to know what's happening in the (FreeBSD) pfSense router.  Is it
>route balancing, packet round-robining, connection round-robining, or what?
>
>One thing is that both these ISP lines don't have any CIR.  One is "up to
>128kbps" and the other is "up to 256 kbps", and I don't know which is which,
>hehe.
>
>Here are the graphs and dump:
>http://geocities.com/winelfredpasamba/is_this_load_balancing_or_what/
>
>On 12/26/05, Danial Thom <danial_thom@yahoo.com> wrote:
>>
>>
>>
>> --- Ted Mittelstaedt <tedm@toybox.placo.com>
>> wrote:
>>
>> >
>> >
>> > >-----Original Message-----
>> > >From: Danial Thom
>> > [mailto:danial_thom@yahoo.com]
>> > >Sent: Friday, December 23, 2005 3:47 PM
>> > >To: Ted Mittelstaedt; Loren M. Lang
>> > >Cc: Yance Kowara;
>> > freebsd-questions@freebsd.org
>> > >Subject: RE: FreeBSD router two DSL
>> > connections
>> > >
>> > >
>> > >Ted the incompetent, wrong on all counts once
>> > >again:
>> > >
>> > >
>> > >--- Ted Mittelstaedt <tedm@toybox.placo.com>
>> > >wrote:
>> > >
>> > >>
>> > >>
>> > >> >-----Original Message-----
>> > >> >From: Danial Thom
>> > >> [mailto:danial_thom@yahoo.com]
>> > >> >Sent: Wednesday, December 21, 2005 9:56 AM
>> > >> >To: Loren M. Lang; Ted Mittelstaedt
>> > >> >Cc: Yance Kowara;
>> > >> freebsd-questions@freebsd.org
>> > >> >Subject: Re: FreeBSD router two DSL
>> > >> connections
>> > >> >
>> > >> >
>> > >> >All upstream ISPs are connected to everyone on the internet, so it
>> > >> >doesn't matter which you send your packets to (the entire point of a
>> > >> >"connectionless" network).  They both can forward your traffic to
>> > >> >wherever it's going.
>> > >>
>> > >> They aren't going to forward your traffic unless it's sourced by an IP
>> > >> number they assign.  To do otherwise means they would permit you to
>> > >> spoof IP numbers.  And while it's possible some very small ISPs run by
>> > >> idiots that don't know any better might still permit this, their feeds
>> > >> certainly will not.
>> > >
>> > >Yes they will.
>> >
>> > I assure you they will not.
>> >
>> > >Routers route based on dest address only.  Are you somehow suggesting
>> > >that an ISP can't be dual homed and use only one link if one goes down,
>> > >since some of the addresses sent up the remaining pipe wouldn't have
>> > >source addresses assigned by that upstream provider?
>> >
>> > ISPs that are dual-homed have to register their subnets with both
>> > providers.
>> >
>> > For example, suppose I'm a small ISP and I go get a Sprint connection and
>> > get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0
>> >
>> > These are Sprint-owned IP addresses of course.  As I source traffic from
>> > 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass
>> > Sprint's ingress filter to me.
>> >
>> > Now I get a bit bigger and decide I need a redundant connection.  So I
>> > contact ARIN and buy an AS number, then contact ATT and get a connection
>> > to them, then set up BGP between myself and ATT & Sprint.
>> >
>> > When ATT and I are setting up BGP, ATT's techs will ask me what subnets
>> > I'm advertising, I tell them 192.168.1.0 - 192.168.10.0.  ATT then checks
>> > with ARIN's whois server to make sure Sprint has entered a record for
>> > that list of subnets that says I'm authorized to use them.  If all that
>> > checks out OK then ATT adjusts their ingress filters so I can source
>> > traffic to them from those subnets.
>> >
>> > Now I get even bigger and need more IPs than what Sprint will provide, so
>> > I go to ARIN and buy them.  Then all my feeds have to adjust their ingress
>> > filters to the new subnet.
>> >
>> > Now I get even bigger and I start trying to set up peering relationships
>> > with other networks, so I don't have to pay them directly.  Well now guess
>> > what, those networks are now monitoring the traffic volume I'm sending
>> > them, because they don't want me to use and abuse them and give them
>> > little peering in return.  So I now have an enormous financial incentive
>> > to make sure that any traffic coming from any of my end users is in fact
>> > valid traffic, so you better believe I'm going to enforce that with
>> > ingress filters to my downstream customers.
>> >
>> > Anyway, this is all academic because the wrongly-sourced packet won't
>> > even get into my network to be forwarded and blocked by ATT or Sprint, or
>> > my peer routers, in the first place.  Why?  Because every wrongly-sourced
>> > packet I allow a customer to send to me can potentially displace a
>> > correct packet from a customer, making their traffic slower and setting
>> > up potential for complaints.
>> >
>> > The ONLY Internet routers that don't ingress filter today are transit
>> > routers run by transit ASs, and no network that is worth anything allows
>> > direct connections to those routers to their end-user customers.  There
>> > is just too much potential for abuse, and even more potential for being
>> > blackholed as a rogue network by the rest of the Internet.
>> >
>> > Everybody today that knows anything about what they are doing applies
>> > ingress filters, or they require their downstreams to ingress filter.  In
>> > fact I'd say this is one of the reasons Cisco was dislodged as the core
>> > router vendor by Juniper, because of the need for enough CPU in routers
>> > closer and closer to the core to be able to run access lists.
>> >
>> > Chances today that a cable line or a DSL line going to an end user could
>> > get a packet with a non-network source very far into the Internet are
>> > zilch.
>> >
>> > One of the largest sources of bogus source IP numbers in fact are those
>> > cheap-as-shit DSL/Cable routers, as some of those models will ARP both
>> > their legal WAN IP address, and the LAN IP addresses, on their WAN port.
>> > All of the ActionTec routers do this in bridged mode, for example, and
>> > Qwest has thousands of them deployed.  And the second largest source are
>> > infected PCs that have DDoS trojans on them, which some mothership
>>
>> You're not using illegal addresses when you load balance, Ted.  You're
>> using real addresses that all of your upstream ISPs need to know about.
>> Why can't you grasp this concept?
>>
>> DT
>>
>>
>>
>
>
>
>--
>Seek ye first the kingdom of God and all these things shall be
>added unto
>you.
>
>Winelfred G. Pasamba
>Adventist University of the Philippines
>Computer Science Department, AUP Online Information System
>
>
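The two questions the thread leaves open are Winelfred's ("is it route balancing, packet round-robining, connection round-robining, or what?") and Ted's ingress-filtering point (a packet that leaves on one DSL line carrying the other line's source address gets dropped by that ISP's ingress filter). The script below is an added example, not code from this thread, from pfSense or from FreeBSD. It reads a `pfctl -s state` dump, counts outbound states per uplink, and flags any state whose translated source address does not belong to the link it leaves on. Everything in it is constructed for the example: the interface names `xl0`/`xl1`, the address blocks (RFC 5737 documentation ranges), and the sample state lines. It also assumes the state-line layout `iface proto src (orig-src) -> dst state` and that the first column is the uplink the state leaves on; both vary between pf releases (older ones print `self`/`all` in that column), so check them against your own dump before trusting the verdict.

```python
"""Classify pf multi-WAN balancing from a `pfctl -s state` dump.

Added example for the freebsd-questions thread; not pfSense or FreeBSD
code.  The dump, interface names and prefixes are constructed.  The line
layout (iface proto src (orig) -> dst state) and the reading of the first
column as the egress uplink are assumptions to verify locally.
"""
import ipaddress
import re
import sys
from collections import Counter

# Hypothetical uplinks: each DSL interface with the block its ISP assigned.
UPLINKS = {
    "xl0": ipaddress.ip_network("203.0.113.0/29"),
    "xl1": ipaddress.ip_network("198.51.100.8/29"),
}

# Constructed dump.  Line 4 is the interesting one: the state leaves on
# xl1 but was NATed to xl0's address, so the xl1 ISP's ingress filter will
# drop every packet of that session.  Line 5 is inbound and is ignored.
SAMPLE_DUMP = """\
xl0 tcp 203.0.113.2:50112 (192.168.1.20:3345) -> 198.51.100.200:80   ESTABLISHED:ESTABLISHED
xl1 tcp 198.51.100.10:50113 (192.168.1.21:3346) -> 192.0.2.50:443    ESTABLISHED:ESTABLISHED
xl0 udp 203.0.113.2:50114 (192.168.1.22:53000) -> 192.0.2.53:53      SINGLE:MULTIPLE
xl1 tcp 203.0.113.2:50115 (192.168.1.23:3347) -> 192.0.2.60:22       ESTABLISHED:ESTABLISHED
xl0 tcp 203.0.113.2:22 <- 192.0.2.77:40001                           ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?:\((?P<osrc>[\d.]+):(?P<oport>\d+)\)\s+)?"   # NAT: pre-translation source
    r"(?P<dir>->|<-)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_states(dump):
    """Return one dict per outbound ('->') state; other lines are skipped."""
    states = []
    for line in dump.splitlines():
        m = STATE_RE.match(line)
        if m is None or m.group("dir") != "->":
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        states.append(d)
    return states


def analyse(dump, uplinks=UPLINKS):
    """Count outbound states per uplink and flag wrongly-sourced ones.

    mode is 'per-connection' when states are spread over more than one
    uplink (each state is pinned to exactly one link, so this is session
    balancing, not per-packet round-robin), 'single-link' when only one
    uplink carries states, and 'none' when there are no outbound states.
    """
    states = parse_states(dump)
    per_link = Counter(s["iface"] for s in states)
    missourced = [
        s for s in states
        if s["iface"] in uplinks
        and ipaddress.ip_address(s["src"]) not in uplinks[s["iface"]]
    ]
    active = [n for n in per_link.values() if n > 0]
    if len(active) >= 2:
        mode = "per-connection"
    elif active:
        mode = "single-link"
    else:
        mode = "none"
    return {"mode": mode, "per_link": dict(per_link), "missourced": missourced}


if __name__ == "__main__":
    # Pipe a real dump in (pfctl -s state | python3 pfbalance.py) or run
    # with no input to analyse the constructed sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    result = analyse(dump)
    print("balancing mode:", result["mode"])
    for iface, n in sorted(result["per_link"].items()):
        print(f"  {iface}: {n} outbound state(s)")
    for s in result["missourced"]:
        print(f"  WARNING: state on {s['iface']} sourced from {s['src']}, "
              f"not in {UPLINKS[s['iface']]}; the upstream ingress filter will drop it")
```

A state table can only show per-session pinning; per-packet round-robin never appears in it, which is why Ted's timing test is still the way to measure whether two lines add up to more throughput. The `missourced` list is the practical check on Ted's point: with `route-to` on pf you need a matching `nat on` rule per uplink so each session is translated to the address of the line it actually leaves on, and any entry in that list is a session the far ISP is silently discarding.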




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNKECEFDAA.tedm>