Hello,

In order to minimize Internet connectivity downtime I am looking at obtaining connections from 2 ISPs and running BGP. However, I won't have a publicly routable IP block from ARIN. Each ISP will allocate some of their addresses and the LAN's RFC 1918 addresses will be NATted.
This presents no real issues for short-lived connections (i.e. traditional HTTP transactions), but for longer-lived connections (ssh sessions) some routing change out there on the Internet could cause an established flow to change its (outbound) route from one ISP to the other. This breaks NAT, or rather the change from one ISP to the other would change the NATting done to the flow and break the connection.

What's the best way to solve this problem?

The straightforward solution (idea gleaned from Simon Slaytor and the thread at http://marc.info/?l=openbsd-misc&m=122349653116879&w=2) is to use a separate OpenBSD router running BGP to connect to each ISP.

              +----Internet----+
              |                |
         +---------+      +---------+
         |  ISP1   |      |  ISP2   |
         | ROUTER  |      | ROUTER  |
         |         |      |         |
         +---------+      +---------+
              |    Off-site    |
        ======|================|===========
              |    On-site     |
         +---------+      +---------+
         | OpenBGP |      | OpenBGP |
         | ROUTER  |------| ROUTER  |
         |    A    |      |    B    |
         +---------+      +---------+
              |                |
              |                |
         +-------------------------+
         |    PRIVATE NETWORKS     |
         +-------------------------+

Routers A and B would be configured with an ASN assigned by ARIN. Each router, A and B, would prefer its own route to the Internet and I would load balance the traffic from the private networks to the two routers using carp on the interfaces facing the private networks. Because carp will always deliver any given machine's outbound traffic to either router A or router B, any given machine's traffic will reach the Internet via a single ISP, resolving the NAT issue. (Existing connections will break should there be a failure and all traffic winds up routing via a single ISP, but that's life.)

We would turn the BGP dead timers (holdtime) down low to minimize blackholed traffic. (I'm thinking 3 seconds. Comment?)

Naturally we would not advertise our private networks or the routes between the 2 ISPs.

What do people think of the above setup?
A second question is whether or not it's possible to run 2 instances of bgpd on a single box, using separate routing tables, and basically merge the two machines above into 1. (It would be nice then to use the 2nd box as a carp-based hot spare.) AFAIK all the pieces seem to be in place for such an approach, but would it really work?

Thank you for your time.

Regards,
Karl <k...@meme.com>

Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
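As an added illustration of the Router A side of the design described in the post above (this is example configuration written here, not from Karl's message or from the marc.info thread), the bgpd.conf below shows the four points the design depends on: a 3-second holdtime, no prefixes originated at all, RFC 1918 space filtered in both directions, and a local-preference bump so A prefers its own upstream while still learning ISP2 routes from B over iBGP as a fallback. The ASN (64496) and all addresses are RFC 5398 / RFC 5737 documentation values picked for the example; the filter semantics are OpenBGPD's usual last-matching-rule-wins.

```conf
# /etc/bgpd.conf on OpenBGP Router A -- added example, not from the post.
# AS 64496, 192.0.2.0/30 (ISP1 hand-off) and 10.255.0.0/30 (A<->B link)
# are documentation/example values, not real assignments.

AS 64496
router-id 192.0.2.2

# Short dead timer: keepalives go every second, a silent upstream is
# declared dead after 3s.  The negotiated value is min(ours, theirs),
# so this only takes effect if ISP1 does not refuse the session.
holdtime 3

# No "network" statements: we own no routable block, so nothing is
# originated.  Everything we say to anyone is controlled by the
# filters below.

# eBGP to ISP1 over the addresses ISP1 allocated to us.
neighbor 192.0.2.1 {
	descr		"ISP1"
	remote-as	64500
	local-address	192.0.2.2
}

# iBGP to Router B over the inter-router link, so each router knows
# the other ISP's routes and can fail over if its own upstream dies.
neighbor 10.255.0.2 {
	descr		"Router B"
	remote-as	64496
	local-address	10.255.0.1
}

# ---- filters: last matching rule wins ----

# Default posture: accept nothing, announce nothing.
deny from any
deny to any

# Accept what ISP1 sends (a default, or a full table) and prefer it
# over anything learnt from B, which carries the default localpref 100.
allow from 192.0.2.1 set localpref 200

# Hand ISP1's routes to B, with ourselves as next-hop, since B has no
# route to the 192.0.2.0/30 hand-off.  Nothing is ever allowed "to"
# ISP1, so B's ISP2 routes and our private space never leak upstream.
allow to 10.255.0.2 set nexthop self

# RFC 1918 space is never accepted from, or sent to, any peer,
# regardless of the allows above.
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny to any prefix 10.0.0.0/8 prefixlen >= 8
deny to any prefix 172.16.0.0/12 prefixlen >= 12
deny to any prefix 192.168.0.0/16 prefixlen >= 16
```

Router B is the mirror image (ISP2 as its eBGP peer with localpref 200, A as its iBGP peer). Because neither router has an `allow to` rule for its ISP, the two providers are never given a path through the site, which is the "don't advertise routes between the 2 ISPs" requirement stated in the post. Check the result with `bgpctl show rib` on each box: the locally learnt upstream should carry localpref 200 and the iBGP copy 100, and `bgpctl show rib out neighbor ISP1` should be empty.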