Quoted:


Cisco ASA 5505. Used to use a Linksys rv082 and the difference in throughput is substantial. Plus the 5505 comes with a nice vpn and is highly configurable.

Quoted:
Anyone have any recommendations for load balancing two 25down/3up connections (different ISP)?

My initial thought before reading this thread was to simply have servers running on one connection and workgroup on the other... but if it's relatively inexpensive and painless to implement, I'd prefer to let the servers have access to both connections (simultaneously... I could route different traffic pretty easily, but would prefer to combine the upload speed).

Quoted:
I run a pfsense box.  

wan1 is a cable line, wan2 is dsl, then LAN, WLAN and dmz interfaces.

Quoted:
Anyone have any recommendations for load balancing two 25down/3up connections (different ISP)?

My initial thought before reading this thread was to simply have servers running on one connection and workgroup on the other... but if it's relatively inexpensive and painless to implement, I'd prefer to let the servers have access to both connections (simultaneously... I could route different traffic pretty easily, but would prefer to combine the upload speed).

Quoted:


This is one of the reasons Border Gateway Protocol (BGP) was designed for. BGP paired with route-maps on the BGP attributes.

On a side note, I load balanced two ISP connections (with a squid proxy) as follows:.....Hope this helps:

                                    ––––––––––––-(eth1)GW:192.168.6.1––––––
                                    |
10.0.0.1 LAN (eth0)
                                    |
                                    ––––––––––––-(eth2)GW:10.85.0.1––––––––-

System
Operating System: Centos 5
Kernel: 2.6.18-53.1.19.el5
Squid version: squid-2.6.STABLE6-5.el5_1.3
Iptables version: 1.3.5-1.2.1

Ip Addresses
Eth0: 10.0.0.1
Eth1: 192.168.6.237
Eth2: 10.85.1.42

Networks
LAN: 10.0.0.0/24 (eth0)
Wan1 (T1): 192.168.6.0/24 GW: 192.168.6.1 (eth1)
Wan2 (T2): 10.85.0.0/23 GW: 10.85.0.1 (eth2)

Name Resolution
Edit /etc/resolv.conf and add the following lines:
Nameserver 1.1.1.1
Nameserver 2.2.2.2
Search somenetwork.com
Nameserver 3.3.3.3
Nameserver 4.4.4.4
Nameserver 5.5.5.5
Nameserver 6.6.6.6

Procedure
1. We must delete all default routes that are created upon bootup
$/sbin/route del default gw 192.168.6.1
$/sbin/route del default gw 10.85.0.1

2. Setup iptables to allow packets from internal network to the internet:
a.Route packets to the Internet connected to first ISP (T1)
$/sbin/iptables –t nat –A POSTROUTING –o eth1 –j MASQUERADE

b. Route packets to the Internet connected to second ISP (T2)
$/sbin/iptables –t nat –A POSTROUTING –o eth2 –j MASQUERADE

c. Forwarding from internal LAN
$/sbin/iptables –A FORWARD –s 10.0.0.0/24 –j ACCEPT
$/sbin/iptables –A FORWARD –d 10.0.0.0/24 –j ACCEPT
$/sbin/iptables –A FORWARD –s ! 10.0.0.0/24 –j DROP

d. Save the configuration
$/sbin/iptables-save > /etc/sysconfig/iptables

3. We MUST enable ip_forwarding. There are two ways to do this:
a. $echo 1 > /prov/sys/net/ipv4/ip_forwarding
***this will be lost upon the next reboot***
b. edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1

3. Load Balance the routes
$/sbin/ip route add default equalize nexthop via 192.168.6.1 dev eth1 nexthop via 10.85.0.1 dev eth2

4. Edit /proc/sys/net/ipv4/route/gc_timeout and change the value to 10. The gc_timeout file contains a timeout value that the kernel declares a route to be dead and automatically switches to the other route

5. Squid:
Edit /etc/squid/squid.conf and add:

http_port wan2:3128 transparent
visible_hostname wan2

acl our_networks src 10.0.0.1/24
http_access allow our_networks

a. Issue the following command for transparent proxy to work:
$/sbin/iptables –t nat –A PREROUTING –i eth0 –p tcp –dport 80 –j DNAT –to\ 10.85.1.42:3128

Helpful Commands
1. $netstat –rn
This will show you the current routing table
2. $/sbin/ip route list
Show all routes

Quoted:


I have a Sonicwall NSA 2400 that is doing exactly that. It is load balancing two fiber connections that are 20 Mbit synchronous. Lower model Sonicwalls will do it as well... I put in a TZ210 at a clients to load balance two 6 Mbit lines, works dang good.

-d

It's times like these when I realize how inadequate my Linux skills/knowledge is.

Are you setting up a separate box in place of a router/firewall here?

Sorry, I'm a Windows Server nerd, but fail at Linux... beyond the fact that I can comprehend some of the commands from the little bit of Linux management I've done (Unraid servers), I'm in the dark here.

Quoted:


I tried a 5505, but I wasn't able to do policy NAT with it so it didn't fit my needs.
 

Quoted:


Do you feel that it is doing an adequate job & running smoothly/effeciently?

I started off this same client with two Sonicwall firewalls, and both seemed to be hit and miss. They performed fine most of the time, but had a lot of glitches/hangs/restarts a little too frequently for my liking. I upgraded them to PIX devices and thought it was a major improvement (at a large cost increase, tho) to the sonicwalls.

The NSA 2400 is definitely out of the client's pricerange. Even just $1k is really stretching it... I know that puts us into the budget realm for this type of request, so I may just forgo that and leave the servers and workstations separated.

But it is worth looking into... so if the 210 (or another affordable brand/model) does this well, I'd be willing to give it a try.