Can a Firebrick help me?
Anthony R. Gold
2006-04-10 13:02:38 UTC
Can a Firebrick help me with this situation:

I have a server in an unattended location with an unreliable DSL
connection. I will likely add a second DSL line or a cable line for more
resilience. The blunt way to increase access to the location would be to
run a separate server on the second Internet connection, but is there any
way to use a firebrick to access the same LAN of servers alternatively
through two Internet connections?

BTW both connections would likely use dynamic IP addresses, if that is
pertinent. Right now I have no difficulty finding the dynamic address
from the WAN side by use of a DynDNS client running on the server, but
that may no longer work if the server can see two external addresses.

Tony
Iain McWilliams
2006-04-10 14:28:51 UTC
Post by Anthony R. Gold
I have a server in an unattended location with an unreliable DSL
connection. I will likely add a second DSL line or a cable line for more
resilience. The blunt way to increase access to the location would be to
run a separate server on the second Internet connection, but is there any
way to use a firebrick to access the same LAN of servers alternatively
through two Internet connections?
BTW both connections would likely use dynamic IP addresses, if that is
pertinent. Right now I have no difficulty finding the dynamic address
from the WAN side by use of a DynDNS client running on the server, but
that may no longer work if the server can see two external addresses.
We do something a bit similar with a firebrick...

We have 2 public IPs advertised for a web server and use the mapping
function of the firebrick to map those onto the private IP of the
webserver. As the firebrick is mapping the requests, the server itself
doesn't need to know what its public IPs are.

Dynamic IP may cause a problem here though. (I have no experience with
using a firebrick with dynamic IP).

In fact we go one step further - we have a backup web server on the same
LAN and by manually enabling or disabling a profile on the firebrick we
can switch all requests from WebserverA to WebserverB or vice versa.
This makes it really easy to shunt requests away from a machine when you
wish to update software on it yet still keep the service running to the
end users.

Regards,
Iain
Anthony R. Gold
2006-04-11 13:50:42 UTC
Post by Iain McWilliams
Dynamic IP may cause a problem here though. (I have no experience with
using a firebrick with dynamic IP).
Thanks for the comments Iain.

I hope someone from Watchfront or A&A will tell me whether using one or
more Firebricks will meet my needs - and with minimal setup complexity.

Tony
Ben Mack
2006-04-19 08:50:21 UTC
Post by Anthony R. Gold
Post by Iain McWilliams
Dynamic IP may cause a problem here though. (I have no experience with
using a firebrick with dynamic IP).
Thanks for the comments Iain.
I hope someone from Watchfront or A&A will tell me whether using one or
more Firebricks will meet my needs - and with minimal setup complexity.
It should do, though I've not personally tried it

Does the FireBrick itself get a dynamic public IP from each ADSL router?
If so, you may have trouble having two DHCP servers (the ADSL routers)
on the same ethernet segment (the FireBrick WAN). If this is a problem,
purchase a 5 Port feature for the brick and run each WAN ADSL router on
a separate FireBrick port.

However if you can run the FireBrick on fixed private IPs on the LAN of
each ADSL router, and use NAT and incoming forwarding rules in each ADSL
router (i.e. your public IPs are on the ADSL router WAN side), then you
avoid this problem

Apart from that, should be straightforward as Iain says, just a mapping
rule for each WAN, and suitable firewall rules

I assume you are just running simple server apps such as http, that
don't mind NAT?

HTH
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/
Anthony R. Gold
2006-04-19 10:26:16 UTC
Post by Ben Mack
Post by Anthony R. Gold
Post by Iain McWilliams
Dynamic IP may cause a problem here though. (I have no experience with
using a firebrick with dynamic IP).
Thanks for the comments Iain.
I hope someone from Watchfront or A&A will tell me whether using one or
more Firebricks will meet my needs - and with minimal setup complexity.
It should do, though I've not personally tried it
Does the FireBrick itself get a dynamic public IP from each ADSL router?
I am asking prior to buying any Firebrick or installing a second DSL
circuit. Right now I have just the one flakey DSL line.

If the Firebrick could perform PPPoE logins then it could get public
dynamic IP addresses from the ISPs through modems running in bridged mode.
But can a Firebrick do either PPPoE login or NAT? I guess not.

I guess the configuration would be two bridged DSL modems followed by two
routers which do the NAT and PPPoE logins. The Firebrick would then be
connected to two routers and use two fixed LAN addresses on the two
interfaces connected to the two routers. And then the other LAN hosts
will also use LAN fixed addresses and hang off an ethernet switch/hub
connected to a third Firebrick port. Will a Firebrick manage the IP
traffic between the LAN hosts and whatever WAN route(s) are working?
Post by Ben Mack
If so, you may have trouble having two DHCP servers (the ADSL routers)
on the same ethernet segment (the FireBrick WAN). If this is a problem,
purchase a 5 Port feature for the brick and run each WAN ADSL router on
a separate FireBrick port.
Okay.
Post by Ben Mack
However if you can run the FireBrick on fixed private IPs on the LAN of
each ADSL router, and use NAT and incoming forwarding rules in each ADSL
router (i.e. your public IPs are on the ADSL router WAN side), then you
avoid this problem
I am not looking for any firewall (protection) features at this time.

So I plug two routers (which perform PPPoE login via each of two bridged
modems) into separate ports of a Firebrick with the 5 port feature and
then I can hang one LAN of fixed IP hosts off the Firebrick and each LAN
host will see and will be seen by the Internet via any working DSL
connection?

Do the LAN hosts use a LAN address which was assigned to the Firebrick as
their gateway address for sending out packets? Will that be one of the
two router interfaces of the Firebrick or some third address which will be
used by the Firebrick as a single virtual gateway?

Is this plug and play (or can it be configured by you prior to shipping)
or is it going to be complicated and experimental to set up? This is
going to be running when I am thousands of miles away, so I am looking for
an industrial strength solution and nothing of an experimental nature.
Post by Ben Mack
Apart from that, should be straightforward as Iain says, just a mapping
rule for each WAN, and suitable firewall rules
I assume you are just running simple server apps such as http, that
don't mind NAT?
The servers run HTTP servers on an array of port numbers for webcams and
for configuration screens of home automation remote control applications
and also run NNTP, pcAnywhere hosts and FTP servers, all of which now run
fine under NAT when using just the one and flakey DSL line.

Even if that all works and is easy, I am still concerned about how to
discover the WAN addresses of the two modems from a distant place. I
guess I could periodically be sending out emails from LAN hosts which will
show a trace of the source address. But if both DSL circuits were working,
could I get the Firebrick to send something through each one to announce
the two WAN addresses to me?

Tony
Ben Mack
2006-04-24 13:12:58 UTC
Post by Anthony R. Gold
If the Firebrick could perform PPPoE logins then it could get public
dynamic IP addresses from the ISPs through modems running in bridged mode.
But can a Firebrick do either PPPoE login or NAT? I guess not.
The FireBrick does NAT, but not PPP, it is purely an IP device
Post by Anthony R. Gold
I guess the configuration would be two bridged DSL modems followed by two
routers which do the NAT and PPPoE logins.
Most low-cost ADSL routers include both the modem and the PPP client

If your ISP only provides a single WAN IP address, then the ADSL routers
can run NAT, as you say

However, why don't you use an ISP that can supply public IP addresses
for the LAN side of your ADSL routers? This makes the whole thing *much*
simpler
Post by Anthony R. Gold
Will a Firebrick manage the IP
traffic between the LAN hosts and whatever WAN route(s) are working?
Yes
Post by Anthony R. Gold
So I plug two routers (which perform PPPoE login via each of two bridged
modems) into separate ports of a Firebrick with the 5 port feature and
then I can hang one LAN of fixed IP hosts off the Firebrick and each LAN
host will see and will be seen by the Internet via any working DSL
connection?
Yes,
- you only need 5 Port feature if using DHCP on both WANs
- incoming sessions are mapped from each WAN to server
- outgoing sessions can be handled by either
a) manual routing
b) automatic failover using Profiles feature
c) load sharing using Bonding feature
Post by Anthony R. Gold
Do the LAN hosts use a LAN address which was assigned to the Firebrick as
their gateway address for sending out packets? Will that be one of the
two router interfaces of the Firebrick or some third address which will be
used by the Firebrick as a single virtual gateway?
If you are stuck with NAT on ADSL routers, something like

Server 10.0.0.1/24 gateway 10.0.0.254

FireBrick LAN 10.0.0.254/24
FireBrick WAN1 10.0.1.1/24 gateway 10.0.1.2
FireBrick WAN2 10.0.2.1/24 gateway 10.0.2.2

ADSL Router 1 LAN 10.0.1.2/24, incoming forwarding rule
ADSL Router 2 LAN 10.0.2.2/24, incoming forwarding rule
Post by Anthony R. Gold
Is this plug and play (or can it be configured by you prior to shipping)
or is it going to be complicated and experimental to set up? This is
going to be running when I am thousands of miles away, so I am looking for
an industrial strength solution and nothing of an experimental nature.
The FireBrick config should be pretty solid. However I am always wary of
unusual ADSL setups, so I would suggest testing

Watchfront can offer ad-hoc configuring of FireBricks for 80 quid an
hour, normally takes a couple of hours, if that helps
Post by Anthony R. Gold
Even if that all works and is easy, I am still concerned about how to
discover the WAN addresses of the two modems from a distant place. I
guess I could periodically be sending out emails from LAN hosts which will
show a trace of the source address. But if both DSL circuits were working,
could I get the Firebrick to send something through each one to announce
the two WAN addresses to me?
With the Profiles feature, you could config the FireBrick to send pings
up both WANs to, say, another FireBrick, that log the source addresses

I'm sure there are lots of other ways, but I'm no expert on dynamic
addresses, we like to keep ours nice and static ;-)

HTH
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/
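
The "send something up both WANs to a remote machine that logs the source addresses" idea above, sketched as an added example that is not part of the original posts and is not FireBrick configuration. It assumes a remote collector with a fixed address, one sender per line whose traffic is routed up that specific line, and a shared key; the beacon format, names, key and port are all hypothetical. The HMAC keeps a third party from planting a false address in the log.

```python
import hashlib
import hmac
import socket
import time

MAX_SKEW = 300  # seconds a beacon stays acceptable (assumed value)


def make_beacon(line_id, key, ts):
    """Sender side: build b'line_id|timestamp|hmac-sha256-hex'."""
    body = f"{line_id}|{ts}".encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"|" + tag


def parse_beacon(datagram, key, now):
    """Return (line_id, ts) for an authentic, fresh beacon, else None."""
    body, sep, tag = datagram.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        return None
    line_id, _, ts = body.decode("ascii").partition("|")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW:
        return None
    return line_id, int(ts)


class WanAddressLog:
    """Collector state: latest public source address seen per line."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # line_id -> (src_ip, ts)

    def record(self, datagram, src_ip, now):
        """Store src_ip for the line; return True only if the address changed."""
        parsed = parse_beacon(datagram, self.key, now)
        if parsed is None:
            return False
        line_id, ts = parsed
        old = self.seen.get(line_id)
        if old and ts <= old[1]:
            return False  # replayed or out-of-order beacon
        self.seen[line_id] = (src_ip, ts)
        return old is None or old[0] != src_ip


def serve(log, port):
    """Collector loop: recvfrom reports the post-NAT source, i.e. the WAN address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src_ip, _) = sock.recvfrom(512)
        if log.record(data, src_ip, int(time.time())):
            print(time.ctime(), log.seen)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key
    log = WanAddressLog(key)
    now = int(time.time())
    # Constructed sample beacons with documentation-range source addresses.
    log.record(make_beacon("wan1", key, now), "203.0.113.10", now)
    log.record(make_beacon("wan2", key, now), "198.51.100.7", now)
    print(log.seen)
```
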
Anthony R. Gold
2006-04-24 16:19:57 UTC
Post by Ben Mack
Post by Anthony R. Gold
I guess the configuration would be two bridged DSL modems followed by two
routers which do the NAT and PPPoE logins.
Most low-cost ADSL routers include both the modem and the PPP client
I have had very bad experiences using integrated modem/routers in PPPoE
which work perfectly well with PPPoA. They seem to become unable
to reconnect after a disconnection, which of course is a dire condition in
unattended locations. Plain modems (Westell and Netopia) followed by
PPPoE routers have been far more reliable.
Post by Ben Mack
If your ISP only provides a single WAN IP address, then the ADSL routers
can run NAT, as you say
However, why don't you use an ISP that can supply public IP addresses
for the LAN side of your ADSL routers? This makes the whole thing *much*
simpler
I need to use far more IP addresses than can be affordably obtained at
those particular locations.
Post by Ben Mack
Post by Anthony R. Gold
Will a Firebrick manage the IP
traffic between the LAN hosts and whatever WAN route(s) are working?
Yes
Post by Anthony R. Gold
So I plug two routers (which perform PPPoE login via each of two bridged
modems) into separate ports of a Firebrick with the 5 port feature and
then I can hang one LAN of fixed IP hosts off the Firebrick and each LAN
host will see and will be seen by the Internet via any working DSL
connection?
Yes,
- you only need 5 Port feature if using DHCP on both WANs
- incoming sessions are mapped from each WAN to server
- outgoing sessions can be handled by either
a) manual routing
b) automatic failover using Profiles feature
c) load sharing using Bonding feature
Sounds great so long as I can get that translated into a working
configuration.
Post by Ben Mack
Post by Anthony R. Gold
Do the LAN hosts use a LAN address which was assigned to the Firebrick as
their gateway address for sending out packets? Will that be one of the
two router interfaces of the Firebrick or some third address which will be
used by the Firebrick as a single virtual gateway?
If you are stuck with NAT on ADSL routers, something like
Server 10.0.0.1/24 gateway 10.0.0.254
FireBrick LAN 10.0.0.254/24
FireBrick WAN1 10.0.1.1/24 gateway 10.0.1.2
FireBrick WAN2 10.0.2.1/24 gateway 10.0.2.2
ADSL Router 1 LAN 10.0.1.2/24, incoming forwarding rule
ADSL Router 2 LAN 10.0.2.2/24, incoming forwarding rule
Post by Anthony R. Gold
Is this plug and play (or can it be configured by you prior to shipping)
or is it going to be complicated and experimental to set up? This is
going to be running when I am thousands of miles away, so I am looking for
an industrial strength solution and nothing of an experimental nature.
The FireBrick config should be pretty solid. However I am always wary of
unusual ADSL setups, so I would suggest testing
No problems with testing; I intend to install this personally and not have
anything drop shipped to non-technical users.
Post by Ben Mack
Watchfront can offer ad-hoc configuring of FireBricks for 80 quid an
hour, normally takes a couple of hours, if that helps
Yes, that would help a lot.
Post by Ben Mack
Post by Anthony R. Gold
Even if that all works and is easy, I am still concerned about how to
discover the WAN addresses of the two modems from a distant place. I
guess I could periodically be sending out emails from LAN hosts which will
show a trace of the source address. But if both DSL circuits were working,
could I get the Firebrick to send something through each one to announce
the two WAN addresses to me?
With the Profiles feature, you could config the FireBrick to send pings
up both WANs to, say, another FireBrick, that log the source addresses
I'm sure there are lots of other ways, but I'm no expert on dynamic
addresses, we like to keep ours nice and static ;-)
I guess hanging a host running a DynDNS client onto each router on a
separate port from the Firebrick would also solve that problem.
Post by Ben Mack
HTH
Indeed.

Could a surplus SoHo do this or does it need a new 105? Also, where is
the 105 on its product life cycle? Will it be the current product for the
next year or two or is it likely to be replaced during that time frame?

Tony
Ben Mack
2006-04-25 10:02:06 UTC
Post by Anthony R. Gold
Post by Ben Mack
Post by Anthony R. Gold
I guess the configuration would be two bridged DSL modems followed by two
routers which do the NAT and PPPoE logins.
Most low-cost ADSL routers include both the modem and the PPP client
I have had very bad experiences using integrated modem/routers in PPPoE
which work perfectly well with PPPoA. They seem to become unable
to reconnect after a disconnection, which of course is a dire condition in
unattended locations. Plain modems (Westell and Netopia) followed by
PPPoE routers have been far more reliable.
Odd, though I have little experience with pppoe. Have you tried the
Linksys AG241? We find it very good at reconnecting and general
stability, though of course on pppoa
Post by Anthony R. Gold
Post by Ben Mack
If your ISP only provides a single WAN IP address, then the ADSL routers
can run NAT, as you say
However, why don't you use an ISP that can supply public IP addresses
for the LAN side of your ADSL routers? This makes the whole thing *much*
simpler
I need to use far more IP addresses than can be affordably obtained at
those particular locations.
You can still use private IPs on the LAN side of the FireBrick, with the
FireBrick running NAT.

Having a public address for each line on the FireBrick WAN makes the WAN
connections very straightforward, with none of the concerns over DHCP
(and hence not needing 5 Port feature), and no need for forwarding rules
in the ADSL routers (which can cause problems)
Post by Anthony R. Gold
Post by Ben Mack
Post by Anthony R. Gold
Will a Firebrick manage the IP
traffic between the LAN hosts and whatever WAN route(s) are working?
Yes
Post by Anthony R. Gold
So I plug two routers (which perform PPPoE login via each of two bridged
modems) into separate ports of a Firebrick with the 5 port feature and
then I can hang one LAN of fixed IP hosts off the Firebrick and each LAN
host will see and will be seen by the Internet via any working DSL
connection?
Yes,
- you only need 5 Port feature if using DHCP on both WANs
- incoming sessions are mapped from each WAN to server
- outgoing sessions can be handled by either
a) manual routing
b) automatic failover using Profiles feature
c) load sharing using Bonding feature
Sounds great so long as I can get that translated into a working
configuration.
Post by Ben Mack
Post by Anthony R. Gold
Do the LAN hosts use a LAN address which was assigned to the Firebrick as
their gateway address for sending out packets? Will that be one of the
two router interfaces of the Firebrick or some third address which will be
used by the Firebrick as a single virtual gateway?
If you are stuck with NAT on ADSL routers, something like
Server 10.0.0.1/24 gateway 10.0.0.254
FireBrick LAN 10.0.0.254/24
FireBrick WAN1 10.0.1.1/24 gateway 10.0.1.2
FireBrick WAN2 10.0.2.1/24 gateway 10.0.2.2
ADSL Router 1 LAN 10.0.1.2/24, incoming forwarding rule
ADSL Router 2 LAN 10.0.2.2/24, incoming forwarding rule
Post by Anthony R. Gold
Is this plug and play (or can it be configured by you prior to shipping)
or is it going to be complicated and experimental to set up? This is
going to be running when I am thousands of miles away, so I am looking for
an industrial strength solution and nothing of an experimental nature.
The FireBrick config should be pretty solid. However I am always wary of
unusual ADSL setups, so I would suggest testing
No problems with testing; I intend to install this personally and not have
anything drop shipped to non-technical users.
Post by Ben Mack
Watchfront can offer ad-hoc configuring of FireBricks for 80 quid an
hour, normally takes a couple of hours, if that helps
Yes, that would help a lot.
Post by Ben Mack
Post by Anthony R. Gold
Even if that all works and is easy, I am still concerned about how to
discover the WAN addresses of the two modems from a distant place. I
guess I could periodically be sending out emails from LAN hosts which will
show a trace of the source address. But if both DSL circuits were working,
could I get the Firebrick to send something through each one to announce
the two WAN addresses to me?
With the Profiles feature, you could config the FireBrick to send pings
up both WANs to, say, another FireBrick, that log the source addresses
I'm sure there are lots of other ways, but I'm no expert on dynamic
addresses, we like to keep ours nice and static ;-)
I guess hanging a host running a DynDNS client onto each router on a
separate port from the Firebrick would also solve that problem.
Yes, although seems overkill. If you have multiple machines on the LAN,
you could run a dyndns update client on each machine, and use specific
routing rules on the FireBrick to route dyndns updates from each client
up a specific line
Post by Anthony R. Gold
Could a surplus SoHo do this or does it need a new 105?
A soho could do fixed routing to 2 WANs, but not much more
Post by Anthony R. Gold
Also, where is
the 105 on its product life cycle? Will it be the current product for the
next year or two or is it likely to be replaced during that time frame?
The 105 will certainly be available for the next year or two, that's not
to say there won't be new FireBrick products in that time. Sorry we
cannot be more specific until we are ready to launch new products

Cheers
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/