[nycphp-talk] multiple gateways and linux

Hans Zaunere zaunere at
Tue Jun 4 18:22:54 EDT 2002

While I've been out of the game [network admin] for a while, let me say
that solving this The Right Way will be either hard, or expensive - or

For one, you need to pin down exactly what it is you want to do:
ingress redundancy, egress redundancy, ingress load-balancing, egress
load-balancing, or multiplexing.  Each is at least slightly different,
and will require different solutions.

Egress stuff is much easier, since you have the most control.  But,
note that if a packet from your box goes out one T1, and then it goes
down, the return packets will still try to hit the downed T1.  AFAIK,
the only way to handle this is with some fancy routing/cooperation from
your providers/and possibly additional hardware.

Ingress is more involved.  Consider, even if you are announcing your
routes, and a T1 goes down, you'll most likely need cooperation from
your provider, since the outside world won't know where to look for
your route broadcasts (since where it's expecting to find them, is

Since you have two T1s from one provider, and one from an additional
provider, you may want to consider using the third T1 for general
Internet access, and with possible additional hardware/professional IP
network designer/cooperation from the provider, you could multiplex the
other two T1s to increase failover and bandwidth.

> 1) enable linux to do dead gateway detection and avoid using a
> gateway if it is not up

Fairly simple.  Best done in C, or there are probably utils for this
already.  Basically, once a dead gateway is discovered, you change your
routing table, but you will lose any existing connections I believe.

> 2) enable linux to distribute traffic among the gateways to whichever
> one is least busy (this might be a little bit more difficult)

Slightly more complex, because you need a reliable way to determine
"least busy", but basically the same as above.

> 3) enable linux to figure out from a list of hosts which gateway
> would allow connection to a specific host with minimum lag and/or hops

Again, harder to determine this, but the same principles apply.

> I guess some shell scripts could accomplish some of these tasks
> unless someone knows a better way?

No.  This is a kernel, userland C at best, problem.  I wouldn't want to
do per packet analysis with any language except C (not even PHP).

A close look at some of the Open Source firewall utils would help, but
overall, to do what you really want (using 3 T1s as one, with aggregate
bandwidth and redundancy, no?) is not easy.  What is easy is to
manually segregate your [office] to use each of the T1s.  Or, be
prepared to spend some money, on hardware and/or an IP network engineer.

To go the Open Source/Do-It-Yourself route: I generally follow the
ipfilter mailing list, which often has discussion about this sort of
thing.  The mailing list archives via:

may get you a good start.  Also, they are very helpful/knowledgeable, so
posting your own question would probably be good too.  I've always been
partial to ipfilter and BSD for this type of thing, but you can
substitute whatever they call the latest Linux firewall package for
'ipfilter' for more specific info.  But note that load-balancing isn't
really across T1s, but within the same network, once your upstream link
has been crossed.

Also, some helpful links:

but also note most of these are per-machine high-availability -
crossing network links is a whole other ball of wax.

And if it makes you feel any better, I'd be happy to pay to colocate a
small web/email server with you, to take advantage of one of those T1s.

Good luck, and keep us informed,

Hans Z.
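Added example, not from this thread or its author: a minimal poll-and-switch sketch of item 1 above (detect a dead gateway, then change the routing table) for Linux with iproute2. The three gateway addresses are constructed placeholders from the TEST-NET ranges, one per T1 in preference order; the probe counts, timeout and polling interval are assumptions. Gateway selection is kept in its own function, fed by a probe function, so the decision logic can be exercised without touching the routing table.

```shell
#!/bin/sh
# Added example (not from the original post): poll each candidate default
# gateway with ICMP echo and point the default route at the first one that
# answers, in priority order.  Requires root and iproute2 when actually run.

# Constructed placeholders (TEST-NET-1/2/3), preferred gateway first.
GATEWAYS="192.0.2.1 198.51.100.1 203.0.113.1"
PROBE_COUNT=3      # assumption: echo requests per probe
PROBE_TIMEOUT=2    # assumption: seconds to wait for each reply
POLL_INTERVAL=10   # assumption: seconds between polling rounds

# gateway_alive GW: succeed if GW answers at least one ICMP echo in time.
gateway_alive() {
    ping -c "$PROBE_COUNT" -W "$PROBE_TIMEOUT" "$1" >/dev/null 2>&1
}

# pick_gateway PROBE_FN: walk GATEWAYS in order, print the first one for
# which PROBE_FN succeeds, and return 1 when none answers.
pick_gateway() {
    probe="$1"
    for gw in $GATEWAYS; do
        if "$probe" "$gw"; then
            printf '%s\n' "$gw"
            return 0
        fi
    done
    return 1
}

# current_default: print the next hop of the kernel's current IPv4 default route.
current_default() {
    ip -4 route show default 2>/dev/null | awk '{print $3; exit}'
}

# apply_gateway GW: replace the default route only when it actually changes,
# since every replacement disturbs connections already bound to the old path.
apply_gateway() {
    gw="$1"
    if [ "$(current_default)" != "$gw" ]; then
        echo "default route -> $gw"
        ip route replace default via "$gw"
    fi
}

# main_loop: poll forever; if no gateway answers, leave the table alone.
main_loop() {
    while :; do
        if gw=$(pick_gateway gateway_alive); then
            apply_gateway "$gw"
        else
            echo "no gateway answers; leaving routes unchanged" >&2
        fi
        sleep "$POLL_INTERVAL"
    done
}

# Only start polling when invoked as: sh gwpoll.sh run
if [ "${1:-}" = "run" ]; then
    main_loop
fi
```

Two caveats a practitioner would keep in mind: pinging the gateway only proves the local end of the T1 is up, so a more faithful probe pins a host route for a remote beacon address through each gateway and pings that instead; and, as the post notes, replacing the default route does nothing for connections already established over the failed link.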

