rodolfo
Long time Member
Topic Author
Posts: 545
Joined: Sat Jul 05, 2008 11:50 am

two isp and one server

Wed Feb 10, 2010 6:20 pm

Hi all.
I have an rb750, the eth1 is linked to the ISP1, the eth2 is linked to the ISP2.
Each ISP has its own public subnet.
I have one web server and I need to open web pages from isp1 and from isp2.

This is the schema:

isp1 10.0.1.1-------------------10.0.1.2 (eth1)RB750

isp2 10.0.2.1-------------------10.0.2.2 (eth2)RB750

webs 10.0.3.2------------------10.0.3.1 (eth3)RB750

My problem is that the web server answers always come from the default gateway of rb750 (i.e. ISP1) even if the requests come from isp2.

How can I resolve this?

Thanks
rodolfo
IZ0UQV
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: two isp and one server

Wed Feb 10, 2010 6:47 pm

Make sure traffic coming in one pipe leaves out the same pipe. The PCC examples on the wiki show how.
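
Added example (not part of the original thread or of the MikroTik wiki): one way to keep replies on the WAN their connection arrived on, in the RouterOS v6 syntax used in this thread and with the interfaces and addresses from the schema in the first post. The mark and table names (from_isp1, to_isp1 and so on) are made up for illustration, and it assumes inbound connections are already being forwarded to 10.0.3.2.

```routeros
# Added example, RouterOS v6 syntax; mark and table names are made up.
# Addresses and interfaces follow the schema in the first post:
#   ether1 10.0.1.2 -> ISP1 gateway 10.0.1.1
#   ether2 10.0.2.2 -> ISP2 gateway 10.0.2.1
#   ether3 10.0.3.1 -> web server 10.0.3.2

/ip firewall mangle
# 1. Remember which WAN each new inbound connection arrived on.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from_isp1 passthrough=yes \
    comment="new connection arrived via ISP1"
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=from_isp2 passthrough=yes \
    comment="new connection arrived via ISP2"

# 2. Set the routing mark only on packets coming back from the server side
#    (in-interface=ether3). Inbound packets keep using the main table, so
#    they are still delivered to 10.0.3.2 instead of following the marked
#    default route back out to the ISP.
add chain=prerouting in-interface=ether3 connection-mark=from_isp1 \
    action=mark-routing new-routing-mark=to_isp1 passthrough=no \
    comment="server replies leave via ISP1"
add chain=prerouting in-interface=ether3 connection-mark=from_isp2 \
    action=mark-routing new-routing-mark=to_isp2 passthrough=no \
    comment="server replies leave via ISP2"

# 3. Same for replies generated by the router itself (ping, management).
add chain=output connection-mark=from_isp1 \
    action=mark-routing new-routing-mark=to_isp1 passthrough=no
add chain=output connection-mark=from_isp2 \
    action=mark-routing new-routing-mark=to_isp2 passthrough=no

/ip route
# One default route per routing mark. The existing unmarked default route
# (via ISP1) stays as it is and serves connections started from the inside.
add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=to_isp1
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark=to_isp2

# Check: the packet counters of the mark-routing rules should rise while
# a client connects through ISP2.
/ip firewall mangle print stats
```

Replies that leave through the other ISP carry a source address that ISP did not assign and are commonly dropped by its source-address filtering, which is why the marks matter. On RouterOS v7 the route property is routing-table and the tables must first be created under /routing table.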
 
rodolfo
Long time Member
Topic Author
Posts: 545
Joined: Sat Jul 05, 2008 11:50 am

Re: two isp and one server

Thu Feb 11, 2010 6:13 pm

I tried to use a routing marker and two gateways:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="incoming wan1" \
    dst-address=89.119.132.48/28 in-interface=ether1 \
    new-connection-mark=conn_teleunit passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_teleunit new-routing-mark=rt_teleunit passthrough=no

add action=mark-connection chain=prerouting comment="incoming wan2" \
    dst-address=95.88.154.32/28 in-interface=ether4 \
    new-connection-mark=conn_telecom passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_telecom new-routing-mark=rt_telecom passthrough=no
Then I added two gateways with routing mark:
/ip route
add distance=1 dst-address=0.0.0.0/0 routing-mark=rt_teleunit gateway=89.119.132.62 scope=30 target-scope=10
add distance=2 dst-address=0.0.0.0/0 routing-mark=rt_telecom gateway=95.88.154.33 scope=30 target-scope=10
but it does not function.
The two routers are reachable and function correctly if I activate one or the other.
Where am I wrong?

thanks
rodolfo
IZ0UQV
 
DeVerm
just joined
Posts: 24
Joined: Thu Feb 11, 2010 2:49 am
Location: Panama

Re: two isp and one server

Thu Feb 11, 2010 7:16 pm

Hi Rodolfo,

There are two ways to do this well and which one you choose depends on who you are: an ISP or not.

If you are an ISP you should have a good solid base of customers and be on good speaking terms with your upstream ISPs. If not, you should choose the other option.

non-ISP: you want to multi-home your server and/or network. The best way to do this is by using DNS load-balancing. Simply give your servers two Ethernet interfaces each with its own IP address, making sure that both are public IP addresses as assigned by your upstream ISPs and that one address is from the first ISP and the other from the second ISP.

Now, if you would connect these ports straight to the two ISPs, the server can be reached on both addresses. In DNS, give your server two type-A records and the requests to the server will start coming in from both ISPs.

But you want to connect more to the ISPs. Simply connect two routers, one for each ISP. Connect the routers together with a direct Ethernet and each into a separate switch with another Ethernet. On each router, insert a static route so that you can reach every IP on each leg of your network without forwarding to one of the ISPs. Now, you can connect your multi-homed server(s) to each switch and balance other stations or network parts over the two switches.

This will work fine. You can use one router and try to make two out of it with tagging etc. but with the price of the MT routers it is silly to do so. But anything multi-homed needs two IP addresses, one for each ISP.

Now in case you are an ISP with plans to conquer the world: you must become autonomous to do that right and all the established ISPs want to see you fail in that endeavor so be sure you have a good relation with your upstream ISPs. If you succeed it will be because you are their customer and you have been nice to them. What you will need:
- AS number: This is your Autonomous System number. It lets you define your routing policy in the global Internet routing tables.
- IP address space: you now have address space from your upstream ISPs. What you want is your own address space.
- BGP routing: routing in your network is always needed but until now it has been a technical thing. BGP routing is a political thing and a technical thing. It is not so difficult (easier than OSPF) but you must get it right or else your network will be cut off from the Internet.

That's it but there will be much more to learn and to deal with. Start with Google & Wikipedia and search for: AS number, LIR (if you're in EU this is RIPE), BGP, Internet Exchange etc. and follow all the links with references.

When this is done, you can assign 1 IP address from your own assignment block to any device and announce it to all your upstream ISPs plus make peering agreements with competitors around you (so you don't need your ISP for traffic between you and the other ISPs around you). Also, when you don't like an upstream ISP anymore, you can go away without returning IP addresses and renumbering because they are your own addresses. This is why they don't like it much when you become autonomous ;-)

good luck (start with the non-ISP option because it takes a long time for the other option!)
Nick.
 
rodolfo
Long time Member
Topic Author
Posts: 545
Joined: Sat Jul 05, 2008 11:50 am

Re: two isp and one server

Fri Feb 12, 2010 9:40 am

thank-you-very-much!
rodolfo
IZ0UQV
 
steen
Member
Posts: 469
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden

Re: two isp and one server

Sun Sep 15, 2013 1:34 pm

Hello Folks!

Not much activity in this thread for several years.

We also start with the non-ISP solution.
So I am in the same situation, we will have two ISPs and 16 public IP addresses from each of them.

I understood the DNS and router parts, but how about the server, what is default GW in server ?

In my case the servers will sit behind NAT/Firewalls so they are not exposed directly to internet or have public IP's.
Also we considered dual reverse proxies, that shuffle the tcp traffic to and from the servers.

Any suggestions ?
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: two isp and one server

Wed Sep 18, 2013 10:53 am

maybe you could post a diagram of the network topology
 
steen
Member
Posts: 469
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden

Re: two isp and one server

Wed Sep 25, 2013 5:35 pm

Hello Folks!

text drawing:

ISP1 --> public IP A Firewall --> NAT --> private IP A, Server network port A

ISP2 --> public IP B Firewall --> NAT --> private IP B, Server network port B

Where should default GW point, to which ISP ?
If I put reverse proxy at NAT place, what about default GW then ?
 
Kreacher
Member
Posts: 359
Joined: Wed Sep 25, 2013 3:58 pm
Location: Hogwarts

Re: two isp and one server

Thu Sep 26, 2013 7:24 am

Hello steen,

the firewall should have two WAN ports where each of them has a modem connected.
Then decide yourself for one way:
- session based load balancing
server internet access is over ISP 1 and the rest entire LAN internet access over the ISP 2
Gateway in the Router IP of the DMZ IP and the DMZ goes only over ISP 1 out

- Policy based routing
for both zones the LAN and the DMZ the Gateway is the IP of the router

If you are using something as a http proxy with redirection it is more the question if this is a transparent
proxy, then the Gateway IP address will be the IP like in the examples above, but if this is not a transparent
proxy the IP of the http proxy is for the server LAN ports the Gateway!
Kindly regards
Kreacher ♬

--------------------------------------
Karma points must not be paid by you
 
steen
Member
Posts: 469
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden

Re: two isp and one server

Thu Sep 26, 2013 11:04 am

> Hello steen,
>
> the firewall should have two WAN ports where each of them has a modem connected.
> Then decide yourself for one way:
> - session based load balancing
> server internet access is over ISP 1 and the rest entire LAN internet access over the ISP 2
> Gateway in the Router IP of the DMZ IP and the DMZ goes only over ISP 1 out
>
> - Policy based routing
> for both zones the LAN and the DMZ the Gateway is the IP of the router
>
> If you are using something as a http proxy with redirection it is more the question if this is a transparent
> proxy, then the Gateway IP address will be the IP like in the examples above, but if this is not a transparent
> proxy the IP of the http proxy is for the server LAN ports the Gateway!

Okidoki, that makes sense if having one firewall.
However I missed one thing in the "text drawing", it is fully two legged separated so to say, there are two of everything except the server. Two "modems", two firewalls, two switches etc.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: two isp and one server

Fri Sep 27, 2013 10:44 am

You will find here examples on how to do this on the router as server OS will differ from user to user. If you want to use topology as you already have, you have to look up how policy routing works on your server OS.

IMO it is much easier to have one firewall for both connections and server connected to that one device that does all the smart stuff with the packets (balancing, routing to correct ports, QoS etc.) while server only provides services.
 
Kreacher
Member
Posts: 359
Joined: Wed Sep 25, 2013 3:58 pm
Location: Hogwarts

Re: two isp and one server

Fri Sep 27, 2013 5:50 pm

> IMO it is much easier to have one firewall for both connections and server connected to that one device that does all the smart stuff with the packets (balancing, routing to correct ports, QoS etc.) while server only provides services.

IMO it is so called "best practice" and this should be also done for not running even later with several other
set ups or needs into a trap!

@steen

The only thing you could try out if the server OS is supporting this, to work with the command:
add route -p IP address subnet mask gateway IP
But for the right syntax please refer the man page of your server OS.

If the server OS is not accepting this command or syntax it would be better to convert the entire server
into a VM and set up two VMs inside the real server, if you have problems to change the network set up
or design!

But really said under us, please take on border gateway (Router or Firewall) that is able to act as a dual
WAN Port appliance, you will be much better solving out this problem, only in my eyes but I want to try out
if I am in your situation!

At least you can try to give each LAN Port on the server a different subnet like 192.168.1.0/24 for the
LAN Port 1 and 192.168.2.0/24 for the LAN Port 2 and then enabling routing on the server OS if this will be
supported from the OS.

Sorry but more hints I don't know, but sure one of them even runs like a charm, the variant with the
dual wan router, VLANs with different subnets and a load balancing method!

Good luck!
Kindly regards
Kreacher ♬

--------------------------------------
Karma points must not be paid by you
 
steen
Member
Posts: 469
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden

Re: two isp and one server

Sat Sep 28, 2013 1:02 pm

Hello Folks!

Thanks for all suggestions, that gave me more insight and enlightened me.

Idea was to have one single point of failure, like a firewall, there should be two, and two independent legs all way down to the server, all other part of infrastructure from cabling switches and power supply supports it.

I think I need to have a dialogue with my MT supplier and get some paid help here, it would be funny to solve it in house, but lack of time due to core business prevents me to. :-/

I will be back with the more detailed drawings and hopefully solution to after some time.

(In any case we hit a showstopper, the new internet supplier hit a problem, we did not have more cable capacity up to our company, so they have to dig :-) first they had to rebuild their local telco-station for us, and now also digging. But that is good, I will get more time for planning and bring in Limmared to help me with the dual leg)
