
0000802: VPN: Transparent bonding of multiple uplinks if both ends run endian fw - MantisBT
MantisBT - Endian Firewall
View Issue Details
ID: 0000802
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2008-05-14 12:27
Last Update: 2010-09-24 09:20
Reporter: mgabriel
Priority: normal
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 2.2-rc1
0000802: VPN: Transparent bonding of multiple uplinks if both ends run endian fw
It would be a killer feature if one could take multiple uplinks, bond them together and have one transparent OpenVPN/VPN connection over all available uplinks.

Situation:

- multiple uplink lines (2x DSL, 3x DSL, 2x UMTS, whatever)
- Endian Firewall on both sides
- at least at one of the sites only slow network connections are available

Advantages:
- it's cheap to have multiple DSL lines instead of one leased line
- if one DSL line doesn't work, all traffic could be routed through the working lines. The connection would be slower, but it would still be available.

I know of some pretty expensive routers which can handle this, and this would be a driver for the enterprise edition, as it would be possible to replace expensive leased lines with multiple cheap DSL / UMTS lines.

No tags attached.
Relationships: has duplicate 0001494 (new) - VPN (Multichannel)
Issue History
2008-05-14 12:27 | mgabriel | New Issue
2008-05-14 12:27 | mgabriel | Status: new => assigned
2008-05-14 12:27 | mgabriel | Assigned To: => peter-endian
2008-05-16 09:46 | peter-endian | Note Added: 0001190
2008-05-16 09:51 | mgabriel | Note Added: 0001191
2008-05-16 10:31 | peter-endian | Note Added: 0001192
2009-06-10 13:43 | peter-endian | Relationship added: has duplicate 0001494
2009-06-10 13:43 | peter-endian | Assigned To: peter-endian =>
2009-07-28 01:52 | tomakos | Note Added: 0002796
2009-07-28 01:57 | tomakos | Note Added: 0002799
2009-07-28 02:00 | tomakos | Note Edited: 0002799
2009-07-28 02:24 | tomakos | Note Edited: 0002799
2009-07-28 10:54 | tomakos | Note Added: 0002805
2009-07-28 10:57 | tomakos | Note Edited: 0002805
2009-07-28 17:17 | peter-endian | Note Added: 0002811
2010-09-24 09:20 | peter-endian | Status: assigned => acknowledged

Notes
(0001190)
peter-endian   
2008-05-16 09:46   
That's very interesting.
Did you try this? Probably with uplinks of different speed?
(0001191)
mgabriel   
2008-05-16 09:51   
No, I've not tried this, but I know of some routers which can handle such setups - and they're pretty expensive.

AFAIK, bonding in Linux has the disadvantage that each connection will be processed through one of the bonded connections, so it is more a load balancing than a real bonding. But I am not too deep into this, so I can't provide any tech detail.
(0001192)
peter-endian   
2008-05-16 10:31   
Linux bonding can also do link aggregation; it has several modes.
But I don't know what happens if one line is slower than the other.
(0002796)
tomakos   
2009-07-28 01:52   
Please see also the closely related:
http://bugs.endian.com/view.php?id=2041
http://bugs.endian.com/view.php?id=2042
(0002799)
tomakos   
2009-07-28 01:57   
(edited on: 2009-07-28 02:24)
Keywords:
link balancing, load balancing, multiple uplinks, link aggregation, transparent, combine DSL, balance-rr, round-robin, round robin, active-backup, balance-xor, 802.3ad, balance-tlb, balance-alb, layer2, layer2+3, layer3+4, Ethernet trunk, NIC teaming, port channel, port teaming, port trunking, link bundling, EtherChannel, Multi-Link Trunking (MLT), NIC bonding, Network Fault Tolerance NFT, WAN, WAN uplink

(0002805)
tomakos   
2009-07-28 10:54   
(edited on: 2009-07-28 10:57)
Hello peter and mgabriel!

I am not a master of this subject, but I have set up a server whose NICs are bonded and have read a little about bonding of internet links. So let me explain with the little that I know about the subject:

There is a difference between combining LAN-NICs and combining WAN-NICs (= uplinks to the internet).

When bonding LAN-NICs,
**********************
e.g. with one of the existing modes called 802.3ad (AKA "Link Aggregation"), those bonded NICs receive 1 IP. The switch to which those NICs are connected needs to be a manageable switch and has to support this protocol. You go into the settings of the switch and tell it: "Those NICs are bonded, so please treat them as one and don't be confused about that 1 IP and scrambled traffic." The switch then handles the traffic appropriately.

There are 7 different modes and 3 different hash policies. The ultimate mode is balance-rr, which truly spreads all traffic over the NICs, down to the packet level. It's comparable with a RAID0 on those NICs: even a single file that you send will be spread over the multiple NICs. I have not managed this, since my switch doesn't seem to support it. And secondly there is a lot of loss, since the packets are scrambled so much that a lot of packets get dropped because of timeouts. The next best choice is 802.3ad with hash policy "layer3+4". This means that the kernel will analyse traffic based on the IP and the protocol used. This way at least, the kernel will try to spread traffic to the same IP over different NICs according to the protocol used, e.g. FTP traffic towards IP1 via NIC1 and SIP telephony traffic towards IP1 via NIC2.


When bonding Internet Uplinks,
******************************
AKA "Link balancing", there is one problem that makes it impossible to use the same bonding techniques as with the LAN NICs: you can't influence the other side, the part that would be the switch in your LAN: the internet providers!

So the balance-rr and 802.3ad modes are out of the game for sure.
But there are other modes of bonding that may be of interest for further research:

    balance-tlb or 5

        Adaptive transmit load balancing: channel bonding that
        does not require any special switch support. The
        outgoing traffic is distributed according to the
        current load (computed relative to the speed) on each
        slave. Incoming traffic is received by the current
        slave. If the receiving slave fails, another slave
        takes over the MAC address of the failed receiving
        slave.

and:

    balance-alb or 6

        Adaptive load balancing: includes balance-tlb plus
        receive load balancing (rlb) for IPV4 traffic, and
        does not require any special switch support. The
        receive load balancing is achieved by ARP negotiation.
        The bonding driver intercepts the ARP Replies sent by
        the local system on their way out and overwrites the
        source hardware address with the unique hardware
        address of one of the slaves in the bond such that
        different peers use different hardware addresses for
        the server.

        Receive traffic from connections created by the server
        is also balanced.


I don't know if those modes of bonding are really usable for internet-uplink bonding. I have found some other approaches on the internet:
- Changing the routing tables
- Making DNS round-robins

I hope this information is somewhat helpful!

Best regards,
Tom

P.S. Those lines are taken from "bonding.txt", THE source of information for setting up a NIC bond: http://www.mjmwired.net/kernel/Documentation/networking/bonding.txt
You will find all needed information about the modes and hash policies there!
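As an added illustration (not code from this thread, from the Endian project or from bonding.txt itself), the constructed Python model below shows why the FTP-vs-SIP example in the note above works under 802.3ad with the "layer3+4" hash policy but not with "layer2", and how balance-rr stripes even a single flow across NICs: it implements the xmit_hash_policy formulas as bonding.txt documents them, plus the per-packet round-robin of balance-rr. The MAC addresses, IPs and ports are made-up sample data.

```python
"""Model of how the Linux bonding driver picks the slave NIC for a packet.

Constructed example. The hash formulas follow the xmit_hash_policy section
of bonding.txt (layer2 / layer2+3 / layer3+4); all packet data is made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int  # 0 when the packet carries no L4 ports (e.g. ICMP)
    dst_port: int


def _ip_low16(ip: str) -> int:
    return int(ipaddress.ip_address(ip)) & 0xFFFF


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def xmit_hash(pkt: Packet, policy: str) -> int:
    """Hash value before the 'modulo slave count' step of bonding.txt."""
    l2 = _mac_int(pkt.src_mac) ^ _mac_int(pkt.dst_mac)
    l3 = _ip_low16(pkt.src_ip) ^ _ip_low16(pkt.dst_ip)
    if policy == "layer2":
        return l2
    if policy == "layer2+3":
        return l3 ^ l2
    if policy == "layer3+4":
        # (src port XOR dst port) XOR ((src IP XOR dst IP) AND 0xffff)
        return (pkt.src_port ^ pkt.dst_port) ^ l3
    raise ValueError(f"unknown xmit_hash_policy {policy!r}")


def choose_slaves(packets: List[Packet], mode: str, nslaves: int,
                  policy: str = "layer3+4") -> List[int]:
    """Slave index chosen for each packet, in transmit order.

    balance-rr sends packet i out of slave i % nslaves (per-packet striping,
    so one flow is split and may arrive reordered); 802.3ad and balance-xor
    pin a whole flow to one slave via xmit_hash_policy.
    """
    if mode == "balance-rr":
        return [i % nslaves for i in range(len(packets))]
    if mode in ("802.3ad", "balance-xor"):
        return [xmit_hash(p, policy) % nslaves for p in packets]
    raise ValueError(f"mode {mode!r} not modelled here")


# Constructed sample: one host talking FTP and SIP to the same peer IP.
SRC_MAC, DST_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
FTP = Packet(SRC_MAC, DST_MAC, "192.168.1.10", "10.0.0.1", 40000, 21)
SIP = Packet(SRC_MAC, DST_MAC, "192.168.1.10", "10.0.0.1", 40000, 5060)
```

With two slaves, FTP and SIP to the same peer land on different NICs under layer3+4 but on the same NIC under layer2 (same MAC pair), while balance-rr alternates NICs packet by packet within the FTP flow itself.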

(0002811)
peter-endian   
2009-07-28 17:17   
I never tried it with OpenVPN; in theory it should work to bond the tap devices.
What makes me think that it maybe could not work is that OpenVPN does not instantly understand that the OpenVPN connection is down, so the link would not be down either, and the bonding algorithm would not know not to send to that device anymore.

But this has to be tested. I don't know if it works or not.