SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264
| Anonymous | Login | 2020-05-28 01:16 UTC |  |
| Main | My View | View Issues | Change Log | Roadmap |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||
| 0000802 | Endian Firewall | Network related (VPN, uplinks) | public | 2008-05-14 12:27 | 2010-09-24 09:20 | ||||||
| Reporter | mgabriel | ||||||||||
| Assigned To | |||||||||||
| Priority | normal | Severity | feature | Reproducibility | N/A | ||||||
| Status | acknowledged | Resolution | open | ||||||||
| Platform | OS | OS Version | |||||||||
| Product Version | 2.2-rc1 | ||||||||||
| Target Version | Fixed in Version | ||||||||||
| Summary | 0000802: VPN: Transparent bonding of multiple uplinks if both ends run endian fw | ||||||||||
| Description | it would be a killer feature, if one could take multiple uplinks, bond them together and have one transparent OpenVPN/VPN connection over all available uplinks. situation: - multiple uplink lines (2x DSL, 3x DSL, 2x UMTS, whatever) - endian firewall on both sides - at least in one of the different sites only slow network connections are available advantages: - it's cheap to have multiple DSL lines instead of one leased line - if one DSL line doesn't work, all traffic could be routed through the working lines. the connection would be slower, but it would still be available. I know of some pretty expensive routers which can handle this. and this would be a driver for the enterprise edition as it would be possible to replace expensive leased lines through multiple cheap dsl / umts lines. | ||||||||||
| Tags | No tags attached. | ||||||||||
| Attached Files | |||||||||||
 Relationships |
||||||
|
||||||
 Relationships |
|
Notes |
|
|
(0001190) peter-endian (administrator) 2008-05-16 09:46 |
that's very interesting. did you try this? probably with uplinks of different speed? |
|
(0001191) mgabriel (reporter) 2008-05-16 09:51 |
no, I've not tried this, but I know of some routers which can handle such setups - and they're pretty expensive. afaik, bonding in linux has the disadvantage that each connection will be processed through one of the bonded connections. so it is more a load balancing than a real bonding. but I am not too deep into this, so I can't provide any tech detail. |
|
(0001192) peter-endian (administrator) 2008-05-16 10:31 |
linux bonding can do also link aggregation.. it has several modes. but i don't know what happens if one line is slower than the other |
|
(0002796) tomakos (reporter) 2009-07-28 01:52 |
Please see also the closely related: http://bugs.endian.com/view.php?id=2041 [^] http://bugs.endian.com/view.php?id=2042 [^] |
|
(0002799) tomakos (reporter) 2009-07-28 01:57 edited on: 2009-07-28 02:24 |
Keywords: link balancing, load balancing, multiple uplinks, link aggregation, transparent, combine DSL, balance-rr, round-robin, round robin, active-backup, balance-xor, 802.3ad, balance-tlb, balance-alb, layer2, layer2+3, layer3+4, Ethernet trunk, NIC teaming, port channel, port teaming, port trunking, link bundling, EtherChannel, Multi-Link Trunking (MLT), NIC bonding, Network Fault Tolerance NFT, WAN, WAN uplink |
|
(0002805) tomakos (reporter) 2009-07-28 10:54 edited on: 2009-07-28 10:57 |
Hello peter and mgabriel! I am not a master of this subject, but I have set up a server who's NICs are bonded and have read a little about bonding of internet links. So let me explain with the little of what I know about the subject: There is a difference when speaking about combining some LAN-NICs and WAN-NICs (=uplinks to the internet). When bonding LAN-NICs, ********************** e.g. with one of the existing modes called 802.3ad (AKA "Link Aggregation"), those bonded NICs recieve 1 IP. The switch to which those NICs are connected needs be a manageable switch and to support this protocol. You go into the settings of the switch and tell him: "Those NICs are bonded, so please treat them as one and don't be confused about that 1 IP and scrambled traffic." The switch then handles the traffic appropriately. There are 7 different modes and 3 different hash-policies.. The ultimate mode is balanced-rr, which truely spreads all traffic on the NICs, down to the packet level. It's comparable with a RAID0 on those NICs.. Even a single file that you send will be spread over the multiple NICs.. I have not managed this, since my switch doesn't seem to support it. And secondly there is a lot of loss, since the packets are scrambled so much, that a lot of packages get dropped because of timeouts.. The next best choice is 802.3ad with hash-policy "layer3+4". This means, that the kernel will analyse traffic based on the IP and the protocol used. With this way at least, the kernel will try to span traffic to the same IP over different NICs according to the protocol used. E.g. FTP traffic towards IP1 via NIC1 and SIP-Telephony-Traffic towards IP1 via NIC2. When bonding Internet Uplinks, ****************************** AKA "Link balancing", there is one problem that makes it impossible to use the same bonding techniques as with the LAN NICs: You can't influence the other side, that what would be the switch in you LAN: The internet providers! So the balance-rr and 802.3ad modes are out of the game for sure. But there are other modes of bonding, that may be of interest for further researching: 511 balance-tlb or 5 512 513 Adaptive transmit load balancing: channel bonding that 514 does not require any special switch support. The 515 outgoing traffic is distributed according to the 516 current load (computed relative to the speed) on each 517 slave. Incoming traffic is received by the current 518 slave. If the receiving slave fails, another slave 519 takes over the MAC address of the failed receiving 520 slave. and: 527 balance-alb or 6 528 529 Adaptive load balancing: includes balance-tlb plus 530 receive load balancing (rlb) for IPV4 traffic, and 531 does not require any special switch support. The 532 receive load balancing is achieved by ARP negotiation. 533 The bonding driver intercepts the ARP Replies sent by 534 the local system on their way out and overwrites the 535 source hardware address with the unique hardware 536 address of one of the slaves in the bond such that 537 different peers use different hardware addresses for 538 the server. 539 540 Receive traffic from connections created by the server 541 is also balanced. I don't know if those modes of bonding are really usable for internet-uplink-bonding. I have found some other approaches in the internet: - Changing the routing tables - Making DNS-Round-Robins I hope those information is somewhat helpful! Best regards, Tom P.S. Those lines are taken of the "bonding.txt" THE source of information for setting up a NIC bond: http://www.mjmwired.net/kernel/Documentation/networking/bonding.txt [^] You will find all needed information about the modes and hash policies there! |
|
(0002811) peter-endian (administrator) 2009-07-28 17:17 |
I never tried with openvpn, in theory it should work to bond the tap devices. What makes me think that it maybe could not work is that openvpn does not understand instantly that the openvpn connection is down, so the link would not be down too and the bonding algorithm would not understand not to send to that device anymore. But this has to be tested. I don't know if it works or not. |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2008-05-14 12:27 | mgabriel | New Issue | |
| 2008-05-14 12:27 | mgabriel | Status | new => assigned |
| 2008-05-14 12:27 | mgabriel | Assigned To | => peter-endian |
| 2008-05-16 09:46 | peter-endian | Note Added: 0001190 | |
| 2008-05-16 09:51 | mgabriel | Note Added: 0001191 | |
| 2008-05-16 10:31 | peter-endian | Note Added: 0001192 | |
| 2009-06-10 13:43 | peter-endian | Relationship added | has duplicate 0001494 |
| 2009-06-10 13:43 | peter-endian | Assigned To | peter-endian => |
| 2009-07-28 01:52 | tomakos | Note Added: 0002796 | |
| 2009-07-28 01:57 | tomakos | Note Added: 0002799 | |
| 2009-07-28 02:00 | tomakos | Note Edited: 0002799 | |
| 2009-07-28 02:24 | tomakos | Note Edited: 0002799 | |
| 2009-07-28 10:54 | tomakos | Note Added: 0002805 | |
| 2009-07-28 10:57 | tomakos | Note Edited: 0002805 | |
| 2009-07-28 17:17 | peter-endian | Note Added: 0002811 | |
| 2010-09-24 09:20 | peter-endian | Status | assigned => acknowledged |
|
Issue History |
| Copyright © 2000 - 2012 MantisBT Group |
 |