0000802: VPN: Transparent bonding of multiple uplinks if both ends run endian fw - MantisBT Endian Bugtracker

ID: 0000802
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2008-05-14 12:27
Last Update: 2010-09-24 09:20
Assigned To:
Platform:
OS:
OS Version:
Product Version: 2.2-rc1
Target Version:
Fixed in Version:
Summary: 0000802: VPN: Transparent bonding of multiple uplinks if both ends run endian fw

Description:
it would be a killer feature, if one could take multiple uplinks, bond them together and have one transparent OpenVPN/VPN connection over all available uplinks.


- multiple uplink lines (2x DSL, 3x DSL, 2x UMTS, whatever)
- endian firewall on both sides
- at least in one of the different sites only slow network connections are available

- it's cheap to have multiple DSL lines instead of one leased line
- if one DSL line doesn't work, all traffic could be routed through the working lines. the connection would be slower, but it would still be available.

I know of some pretty expensive routers which can handle this. and this would be a driver for the enterprise edition as it would be possible to replace expensive leased lines through multiple cheap dsl / umts lines.


Relationships
has duplicate 0001494 (new): VPN (Multichannel)

Notes
peter-endian (administrator)
2008-05-16 09:46

that's very interesting.
did you try this? probably with uplinks of different speed?

mgabriel (reporter)
2008-05-16 09:51

no, I've not tried this, but I know of some routers which can handle such setups - and they're pretty expensive.

afaik, bonding in linux has the disadvantage that each connection will be processed through one of the bonded connections. so it is more a load balancing than a real bonding. but I am not too deep into this, so I can't provide any tech detail.

peter-endian (administrator)
2008-05-16 10:31

linux bonding can also do link aggregation.. it has several modes.
but i don't know what happens if one line is slower than the other

tomakos (reporter)
2009-07-28 01:52

Please see also the closely related: [^] [^]

tomakos (reporter)
2009-07-28 01:57
edited on: 2009-07-28 02:24

link balancing, load balancing, multiple uplinks, link aggregation, transparent, combine DSL, balance-rr, round-robin, round robin, active-backup, balance-xor, 802.3ad, balance-tlb, balance-alb, layer2, layer2+3, layer3+4, Ethernet trunk, NIC teaming, port channel, port teaming, port trunking, link bundling, EtherChannel, Multi-Link Trunking (MLT), NIC bonding, Network Fault Tolerance NFT, WAN, WAN uplink

tomakos (reporter)
2009-07-28 10:54
edited on: 2009-07-28 10:57

Hello peter and mgabriel!

I am not a master of this subject, but I have set up a server whose NICs are bonded and have read a little about bonding of internet links. So let me explain with the little that I know about the subject:

There is a difference when speaking about combining some LAN-NICs and WAN-NICs (=uplinks to the internet).

When bonding LAN-NICs,
e.g. with one of the existing modes called 802.3ad (AKA "Link Aggregation"), those bonded NICs receive 1 IP. The switch to which those NICs are connected needs to be a manageable switch and to support this protocol. You go into the settings of the switch and tell it: "Those NICs are bonded, so please treat them as one and don't be confused about that 1 IP and scrambled traffic." The switch then handles the traffic appropriately.

There are 7 different modes and 3 different hash-policies.. The ultimate mode is balance-rr, which truly spreads all traffic on the NICs, down to the packet level. It's comparable with a RAID0 on those NICs.. Even a single file that you send will be spread over the multiple NICs.. I have not managed this, since my switch doesn't seem to support it. And secondly there is a lot of loss, since the packets are scrambled so much, that a lot of packages get dropped because of timeouts.. The next best choice is 802.3ad with hash-policy "layer3+4". This means that the kernel will analyse traffic based on the IP and the protocol used. This way, at least, the kernel will try to span traffic to the same IP over different NICs according to the protocol used. E.g. FTP traffic towards IP1 via NIC1 and SIP-Telephony-Traffic towards IP1 via NIC2.

When bonding Internet Uplinks,
AKA "Link balancing", there is one problem that makes it impossible to use the same bonding techniques as with the LAN NICs: You can't influence the other side, which would be the switch in your LAN: The internet providers!

So the balance-rr and 802.3ad modes are out of the game for sure.
But there are other modes of bonding, that may be of interest for further researching:

    balance-tlb or 5

        Adaptive transmit load balancing: channel bonding that
        does not require any special switch support. The
        outgoing traffic is distributed according to the
        current load (computed relative to the speed) on each
        slave. Incoming traffic is received by the current
        slave. If the receiving slave fails, another slave
        takes over the MAC address of the failed receiving
        slave.

    balance-alb or 6

        Adaptive load balancing: includes balance-tlb plus
        receive load balancing (rlb) for IPV4 traffic, and
        does not require any special switch support. The
        receive load balancing is achieved by ARP negotiation.
        The bonding driver intercepts the ARP Replies sent by
        the local system on their way out and overwrites the
        source hardware address with the unique hardware
        address of one of the slaves in the bond such that
        different peers use different hardware addresses for
        the server.

        Receive traffic from connections created by the server
        is also balanced.

I don't know if those modes of bonding are really usable for internet-uplink-bonding. I have found some other approaches in the internet:
- Changing the routing tables
- Making DNS-Round-Robins

I hope this information is somewhat helpful!

Best regards,

P.S. Those lines are taken from the "bonding.txt", THE source of information for setting up a NIC bond: [^]
You will find all needed information about the modes and hash policies there!
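
The difference between per-packet and per-flow distribution discussed in the notes above, as an added example that is not part of the original thread: it simulates balance-rr against the layer3+4 transmit hash, using the formula given in older versions of bonding.txt (newer kernels compute the hash differently). The flows, addresses and packet order are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port).
FTP = ("10.0.0.5", 40000, "192.0.2.10", 21)
SIP = ("10.0.0.5", 40002, "192.0.2.10", 5060)
# Constructed packet sequence in transmit order.
PACKETS = [FTP, FTP, SIP] * 2


def layer34_slave(flow, slave_count):
    """layer3+4 policy as documented in older bonding.txt:
    ((src port XOR dst port) XOR ((src IP XOR dst IP) AND 0xffff)) mod slaves
    """
    src_ip, src_port, dst_ip, dst_port = flow
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    return ((src_port ^ dst_port) ^ ((s ^ d) & 0xFFFF)) % slave_count


def assign(packets, slave_count, mode):
    """Return [(flow, slave_index)] for each packet in transmit order."""
    out = []
    for seq, flow in enumerate(packets):
        if mode == "balance-rr":
            # Per-packet: next slave in turn, regardless of the flow.
            slave = seq % slave_count
        elif mode == "layer3+4":
            # Per-flow: every packet of one flow hashes to the same slave.
            slave = layer34_slave(flow, slave_count)
        else:
            raise ValueError(f"unsupported mode: {mode}")
        out.append((flow, slave))
    return out


def slaves_per_flow(assignments):
    """Map each flow to the sorted list of slaves that carried its packets."""
    used = defaultdict(set)
    for flow, slave in assignments:
        used[flow].add(slave)
    return {flow: sorted(slaves) for flow, slaves in used.items()}


if __name__ == "__main__":
    for mode in ("balance-rr", "layer3+4"):
        print(mode, slaves_per_flow(assign(PACKETS, 2, mode)))
```

With two slaves, balance-rr puts packets of the same flow on both links, which is where reordering comes from, while layer3+4 pins each flow to one link, so a single connection never exceeds the speed of one uplink.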

peter-endian (administrator)
2009-07-28 17:17

I never tried with openvpn, in theory it should work to bond the tap devices.
What makes me think that it maybe could not work is that openvpn does not understand instantly that the openvpn connection is down, so the link would not be down too and the bonding algorithm would not understand not to send to that device anymore.

But this has to be tested. I don't know if it works or not.

Issue History
Date Modified     Username      Field                Change
2008-05-14 12:27  mgabriel      New Issue
2008-05-14 12:27  mgabriel      Status               new => assigned
2008-05-14 12:27  mgabriel      Assigned To          => peter-endian
2008-05-16 09:46  peter-endian  Note Added: 0001190
2008-05-16 09:51  mgabriel      Note Added: 0001191
2008-05-16 10:31  peter-endian  Note Added: 0001192
2009-06-10 13:43  peter-endian  Relationship added   has duplicate 0001494
2009-06-10 13:43  peter-endian  Assigned To          peter-endian =>
2009-07-28 01:52  tomakos       Note Added: 0002796
2009-07-28 01:57  tomakos       Note Added: 0002799
2009-07-28 02:00  tomakos       Note Edited: 0002799
2009-07-28 02:24  tomakos       Note Edited: 0002799
2009-07-28 10:54  tomakos       Note Added: 0002805
2009-07-28 10:57  tomakos       Note Edited: 0002805
2009-07-28 17:17  peter-endian  Note Added: 0002811
2010-09-24 09:20  peter-endian  Status               assigned => acknowledged
