<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tom&#039;s Thoughts &#187; Linux</title>
	<atom:link href="http://compton.nu/category/linux/feed/" rel="self" type="application/rss+xml" />
	<link>http://compton.nu</link>
	<description></description>
	<lastBuildDate>Tue, 20 Jul 2010 16:44:51 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Per-Packet Load Balancing with Linux</title>
		<link>http://compton.nu/2009/12/per-packet-load-balancing-with-linux/</link>
		<comments>http://compton.nu/2009/12/per-packet-load-balancing-with-linux/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 12:08:33 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
				<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://compton.nu/?p=144</guid>
		<description><![CDATA[The ISP I use at home and at work, Andrews and Arnold, support bonding of multiple lines with per-packet load balancing. Incoming traffic is handled by them using custom hardware and software &#8211; the control panel lets me select which lines should be used for each block of IP addresses and they then handle balancing [...]]]></description>
			<content:encoded><![CDATA[<p>The ISP I use at home and at work, <a href="http://aaisp.net.uk/">Andrews and Arnold</a>, support bonding of multiple lines with per-packet load balancing. Incoming traffic is handled by them using custom hardware and software &#8211; the control panel lets me select which lines should be used for each block of IP addresses and they then handle balancing the traffic over those lines on a per-packet basis.</p>
<p>At work we have four ADSL lines, and to handle outgoing load balancing we use a set of four ordinary DSL routers connected by ethernet to a four port D-Link ethernet card in a linux server, which then does per-packet load balancing for outgoing traffic using the teql traffic scheduler. This post describes how we configure the load balancing.</p>
<p><span id="more-144"></span>The first step is to give each of the routers (we use Zyxel P660 routers) two different LAN addresses &#8211; one is in the 172.16 private address range and is unique to each router and used to address specific routers for management and configuration purposes; and the other is a common address from the block allocated to us by our ISP and is shared by all the routers.</p>
<p>The ability to configure multiple addresses for the LAN side interface is a requirement for this technique to work, and not all routers may support it&#8230;</p>
<p>Once that is done, we start the linux configuration (this is a RedHat/Fedora style system) by defining the bonded interface, teql0, by creating a teql.conf file in /etc/modprobe.d which defines an appropriate alias:</p>
<pre>alias teql0 sch-teql</pre>
<p>We then have to define the configuration for each interface in the normal way, with ifcfg files in /etc/sysconfig/network-scripts, starting with an ifcfg-ethN file for each of the bonded ethernet interfaces that looks something like:</p>
<pre>DEVICE=eth{2,3,4,5}
ONBOOT=yes
BOOTPROTO=static
IPADDR=172.16.8.{1,5,9,13}
NETMASK=255.255.255.252
HWADDR=...</pre>
<p>This places each ethernet interface on a local /30 network that is used purely for management purposes, so that each router can be reached for configuration. An ifcfg-teql0 file is then created to define the bonded interface:</p>
<pre>DEVICE=teql0
BOOTPROTO=static
IPADDR=...
NETMASK=...
ONBOOT=yes</pre>
<p>The network details here are those for the IP range allocated by the ISP to us as this is the public interface where traffic sent to and from the ISP will be handled.</p>
<p>Next we have to make sure that reverse path filtering for the physical ethernet interfaces we are using is set to loose mode as they will be receiving packets that look like they should arrive on the traffic equalizer interface. To do this we edit /etc/sysctl.conf and add a line for each interface that looks like this:</p>
<pre>net.ipv4.conf.eth{2,3,4,5}.rp_filter = 2</pre>
<p>In order to bond the individual ethernet interfaces into the traffic equalizer we first create an ifup-pre-local script in /sbin which makes sure the teql0 interface is created before the ethernet interfaces are configured:</p>
<pre>#!/bin/sh

case "$1" in
 ifcfg-eth2|ifcfg-eth3|ifcfg-eth4|ifcfg-eth5) modprobe teql0;;
esac</pre>
<p>We then create an ifup-local script which adds the ethernet interfaces to the traffic equalizer:</p>
<pre>#!/bin/sh

case "$1" in
 eth2|eth3|eth4|eth5) tc qdisc add dev $1 root teql0;;
esac</pre>
<p>For good measure, an ifdown-local script removes the interfaces again:</p>
<pre>#!/bin/sh

case "$1" in
 eth2|eth3|eth4|eth5) tc qdisc del dev $1 root;;
esac</pre>
<p>A default route that uses the new bonded interface can be added in the normal way by adding a line to /etc/sysconfig/network:</p>
<pre>GATEWAY=...</pre>
<p>The gateway address here is the common IP address allocated to each router.</p>
<p>For firewalling and packet tracing purposes, you should note that outgoing packets will be seen going into teql0 rather than the individual interfaces, but incoming packets will appear from each of the four ethernet interfaces, depending on which line they arrive from the ISP over.</p>
<p>That&#8217;s really about all there is to it &#8211; we do also have a small daemon process that monitors the lines and removes them from the traffic equalizer if they go down and adds them back when they come up again.</p>
<p><strong>UPDATE: The traffic equalizer is completely broken in kernels 2.6.31 through 2.6.34&#8230;</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://compton.nu/2009/12/per-packet-load-balancing-with-linux/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building a Low Power Firewall</title>
		<link>http://compton.nu/2009/10/building-a-low-power-firewall/</link>
		<comments>http://compton.nu/2009/10/building-a-low-power-firewall/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 20:24:21 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://blog.compton.nu/?p=65</guid>
		<description><![CDATA[For a number of years now I have used my old desktop computers to act as firewalls for my home network &#8211; when my desktop is upgraded the old firewall is freecycled and the old desktop becomes the new firewall.
A powerful desktop computer in a large tower case has a number of disadvantages however, both [...]]]></description>
			<content:encoded><![CDATA[<p>For a number of years now I have used my old desktop computers to act as firewalls for my home network &#8211; when my desktop is upgraded the old firewall is <a href="http://www.freecycle.org/">freecycled</a> and the old desktop becomes the new firewall.</p>
<p>A powerful desktop computer in a large tower case has a number of disadvantages however, both in terms of its physical size and the amount of power it needs to run on a 24/7 basis. So I have been meaning for some time to replace my firewall with a small, purpose built, low power system.</p>
<p>In the last few weeks I have finally got around to going ahead with this task so, after some hours perusing the hardware porn at <a href="http://www.linitx.com/">LinITX</a> I ordered an Intel D945GSEJT Atom based Mini-ITX motherboard and the exceedingly tiny Mini-Box M350 case. Here we see the result, with a 2Gb SODIMM and a 4Gb SATA flash module added.</p>
<div id="attachment_69" class="wp-caption aligncenter" style="width: 330px"><a href="http://compton.nu/wp-content/uploads/2009/10/firewall1.jpg"><img class="size-full wp-image-69   " title="Firewall with basics installed" src="http://compton.nu/wp-content/uploads/2009/10/firewall1.jpg" alt="Firewall with motherboard, memory, SATA flash module and WIFI aerials installed" width="320" height="312" /></a><p class="wp-caption-text">Firewall with motherboard, memory, SATA flash module and WIFI aerials installed</p></div>
<p>Also visible here are a pair of dual frequency (2.4/5.0 GHz) aerials for WiFi as the firewall will also be replacing my existing wireless access point. An extra hole had to be drilled in the back plate for the second aerial, which necessitated a trip round the corner to the hardware store as sod&#8217;s law dictated that a 6.5mm hole was needed when the largest HSS bit in my collection was 6mm in size&#8230;</p>
<p><span id="more-65"></span></p>
<p>Part of my LinITX order was an Intel 512AN Mini-PCIe wireless card &#8211; this was carefully chosen based on the fact that Intel WiFi cards are well supported in the linux kernel with modern, mac80211 based drivers. Unfortunately as soon as I started investigating how to configure it as an access point it quickly became clear that the drivers for the Intel WiFi cards do not, in fact, support AP mode. The main authors of the drivers appear to be Intel themselves, and there seems to be <a href="http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=1585">little enthusiasm for supporting AP mode</a>.</p>
<p>So that card went back (distance selling regulations to the rescue!) and in its place I sourced an Atheros card instead, which was easier said than done &#8211; Mini-PCIe wireless cards are surprisingly hard things to find, perhaps because they mainly sell to laptop manufacturers on a wholesale basis. I also had to wait a full week for <a href="http://www.royalmail.com/">Royal Mail</a> to manage to deliver it (a first class recorded package) and that was before they went on strike!</p>
<p>While I was waiting for the replacement wireless card to arrive I was able to install the PCI riser (which had arrived a few days late having been missed when my order was packed) and a gigabit network card harvested from my old firewall which would provide the second network port needed in the firewall.</p>
<div id="attachment_70" class="wp-caption aligncenter" style="width: 330px"><a href="http://compton.nu/wp-content/uploads/2009/10/firewall2.jpg"><img class="size-full wp-image-70  " title="Firewall with PCI network card installed" src="http://compton.nu/wp-content/uploads/2009/10/firewall2.jpg" alt="Firewall with PCI riser and second Gb network card installed" width="320" height="217" /></a><p class="wp-caption-text">Firewall with PCI riser and gigabit network card installed</p></div>
<p style="text-align: left;">Finally, the replacement wireless card arrived and was installed in the Mini-PCIe slot (under the PCI card) and the aerials connected. All that was then needed was to knock up a configuration file for <a href="http://w1.fi/hostapd/">hostapd</a> and it was up and running as an AP and the radio on my old Netgear access point could be turned off.</p>
<p style="text-align: left;">The only outstanding issue is that while my laptop (running linux) is quite happy to talk to the new AP my Windows Mobile 5 PDA seems to object to it for some reason that is still not entirely clear &#8211; it appears to successfully attach to the wireless network and sends DHCP requests but seems to be unable to receive (or perhaps to decrypt) the replies.</p>
<div id="attachment_71" class="wp-caption aligncenter" style="width: 330px"><a href="http://compton.nu/wp-content/uploads/2009/10/firewall3.jpg"><img class="size-full wp-image-71  " title="The completed firewall" src="http://compton.nu/wp-content/uploads/2009/10/firewall3.jpg" alt="The completed firewall, all ready to be installed in its new home" width="320" height="224" /></a><p class="wp-caption-text">The completed firewall, all ready to be installed</p></div>
<p>So, after all that, my new firewall/access point is now installed in my network and, within a few hours of offering my old firewall on freecycle about a dozen different people had offered to take it (despite it lacking any operating system) and it now has a new home.</p>
]]></content:encoded>
			<wfw:commentRss>http://compton.nu/2009/10/building-a-low-power-firewall/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
	</channel>
</rss>
