Internet load balancing advice (2 x vdsl connections)

  • 01-07-2015 9:10pm
    #1
    Registered Users, Registered Users 2 Posts: 3,717 ✭✭✭


    I need some advice from my peers or IT professionals please.

    After an IT nightmare week which hasn't fully been resolved I'm determined to make some changes for my business.

    Our dsl line melted down last Friday and is still only uploading at 2-3 k/b per second. This line usually uploads at 230 k/b per second and is heavily used for exchange mail and RDC for several other offices we have. We also host a web server that some customers use.

    It has been a nightmare. The fault isn't with our line specifically, in fact I believe half of the ISP's customers are having the same problem.

    I'm thinking of doing the following and I'm totally open to suggestions on how to implement it.

    I was thinking of getting two VDSL lines, from two different ISPs. One was already installed today. What hardware should I get to do the load balancing? Our Citrix-virtualised modern Dell server has two gigabit connections connected to a gigabit switch and currently one ADSL connection.

    One company is recommending something like a SonicWall TZ400 as it would also provide strong protection.
    http://www.sonicwall.com/us/en/products/TZ400.html#tab=services

    It would be important for me that if either connection went down that we would have full redundancy.

    Problems =

    1) If we have two VDSL lines we will obviously have two static IPs. Where do I set my MX records / PTR records pointing to?

    2) people dialling in through RDC, currently they connect to our single IP.

    3) people using our web server (currently using our single IP address to connect).

    4) I desperately want to avoid our emails being treated like spam by other servers

    Any help I can get would be greatly appreciated,

    thanks


Comments

  • Registered Users, Registered Users 2 Posts: 137 ✭✭AmilcarAlho


    I'll throw Sophos in the mix. The SG series is quite good hardware-wise, and will scale even with gig speeds (4th generation Intel CPUs under the hood).

    https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-sg-series-appliances-brna.pdf?la=en

    Sophos also works if you provide the hardware or even a VM. If you have a spare machine with a few gig nics you can trial for 30 days and even extend it.


    Problems =

    1) If we have two VDSL lines we will obviously have two static IPs. Where do I set my MX records / PTR records pointing to?

    I created 2 mx records, something along the lines of smtp1 and 2, one to each ip. Just give them different priorities

    2) people dialling in through RDC, currently they connect to our single IP.

    Same as above, just have 2 addresses, something like vpn 1 and 2. Bonus for Sophos: You can setup RDP sessions from the Portal, so you are not exposing RDP to the outside. Any session will be logged under the UTM

    3) people using our web server (currently using our single IP address to connect).

    Sophos will secure the website, they have different mechanisms. You can get a /29 or /30 so you can get 1, 2 static IPs. Makes it easier than having to mess around with NAT. Eircom charged a €50 one-off fee.

    4) I desperately want to avoid our emails being treated like spam by other servers

    Route outgoing emails via a smart host; all ISPs will have a mail router. Incoming emails will work with minimal tweaking. Usually smaller domains will be flagged as spam; once you add a known domain to the whitelist, it will work, while still having AV scan on incoming emails.

    The advantage of a UTM device, be it Sophos, SonicWall, Meraki, Palo Alto, etc., is that you will have a single interface for multiple features. The more features, the more expensive of course.

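The mail part of the answer above (two MX records, one per IP, and outbound via a smart host) only keeps you out of spam folders if the receiving side's checks pass for both addresses. The following is an added example, not code from the thread or from any vendor: it reproduces the two checks most receivers run, forward-confirmed reverse DNS and SPF, against a constructed in-memory zone. acme.example, old.example, the hostnames and the 203.0.113.x / 198.51.100.x addresses are placeholders; old.example shows the common slip of leaving the SPF record listing only the original single IP.

```python
"""What a receiving mail server checks when mail arrives from a dual-homed sender.

Added example for the thread's question 4 (mail being treated as spam); not
code from the thread or any vendor. With two static IPs, outbound mail may
leave via either uplink, so both addresses need a PTR that forward-confirms
to the mail host and both must be listed in the domain's SPF record.
ZONE is a constructed stand-in for live DNS; every name and address in it is
a placeholder.
"""
import ipaddress

# Constructed DNS data: (name, record type) -> list of values.
ZONE = {
    ("acme.example", "MX"): [(10, "smtp1.acme.example"), (20, "smtp2.acme.example")],
    ("smtp1.acme.example", "A"): ["203.0.113.10"],
    ("smtp2.acme.example", "A"): ["198.51.100.20"],
    # both uplink addresses listed; -all rejects anything else
    ("acme.example", "TXT"): ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.20 -all"],
    # reverse records, each supplied by the ISP that owns the address block
    ("10.113.0.203.in-addr.arpa", "PTR"): ["smtp1.acme.example"],
    ("20.100.51.198.in-addr.arpa", "PTR"): ["smtp2.acme.example"],
    # the common mistake: SPF still lists only the original single IP
    ("old.example", "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],
}


def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A must include ip.
    Returns the confirmed hostname, or None (many receivers score that as spam)."""
    for name in lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR"):
        if ip in lookup(name, "A"):
            return name
    return None


def spf_result(domain, ip):
    """Minimal SPF evaluation: ip4/ip6 (optional CIDR), a, mx and all, with the
    +/-/~/? qualifiers. Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    include:, redirect= and macros are deliberately left out."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in verdict:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network, and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(host, "A") for _, host in lookup(arg or domain, "MX"))
        else:
            matched = False
        if matched:
            return verdict[qualifier]
    return "neutral"  # no term matched and no 'all' present


def sender_report(domain, ip):
    """Everything that has to be in order before an uplink is allowed to carry mail."""
    return {"ip": ip, "ptr": fcrdns(ip), "spf": spf_result(domain, ip)}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.20"):
        print(sender_report("acme.example", ip))
        print(sender_report("old.example", ip))
```

Two practical points this makes visible: the PTR for each address lives in the reverse zone of the ISP that issued it, so each ISP has to be asked separately, and if outbound mail goes through an ISP smart host instead, it is that host's address that must be in the SPF record, not yours.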

  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    In short, because I'm on a 5" phone, there are two types of setup, and you've sort of specced a mix.

    For redundancy you should:
    Use two ISPs
    Ideally use ADSL on one so a cab fault doesn't drop both lines

    For routing:
    You should lease a bonded/teamed connection so that you only have one logical link. This requires ISP co-operation and doesn't allow you to mix ISPs.

    Dyndns might solve your issues somewhat. You could have a local box updating with the primary wan and if that failed it'd then see the 2nd WAN connection and the updated DNS record would propagate within a few minutes.

    Hardware-wise you sound like the perfect candidate for a DrayTek. The Vigors can take two VDSL lines and are well-rounded routers.


  • Registered Users, Registered Users 2 Posts: 3,717 ✭✭✭Praetorian


    Thanks guys, that gives me good ideas in the directions I should be heading in.


  • Registered Users, Registered Users 2 Posts: 137 ✭✭AmilcarAlho


    As Ed E said, for failover purposes 2 different providers and technologies are recommended.

    Having 2 VDSL connections means the same cab is feeding them; if the cab goes, or even the exchange, it won't be of much help.

    Peplink also have decent gear for load balancing without breaking the bank if you are looking for routing only, and some support 4g failover.


  • Closed Accounts Posts: 5,019 ✭✭✭ct5amr2ig1nfhp


    As AmilcarAlho said above, having two VDSL lines is not the best idea, as I learned a few years ago.

    First line with provider A went down, switched over to backup line with provider B... and nada.
    The entire exchange was down.

    I would look at using another technology for the backup line.

    We tested 4G and it was surprisingly good. While obviously not ideal it works OK. But we have a mast not far from the office so the speeds are very good.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    The exchanges themselves have a large industrial power feed that is unlikely to go down; the NGA nodes are on small power pedestals, so if there's a localised fault the cab goes down but not the exchange. If the exchange does lose power though the OLTs will drop and both technologies will be offline. But it's less likely for the exchange to lose mains.


  • Closed Accounts Posts: 5,019 ✭✭✭ct5amr2ig1nfhp


    Unfortunately our exchange did go down (for whatever reason) and we had near 60 staff unable to work for about 4-5 hours. So it does happen, however unlikely.
    In the grand scheme of things it's not much, but still 300 man-hours wasted for that one incident. It was a no-brainer for us to get a second line in using a different technology.

    Edit: In fact I've just been reminded that was the second time in the space of about 3 years.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    Road works are your biggest enemy for large problems like that, and re-splicing fibre takes time.

    If you want a real failover connection go UPC where available and if not 4G is your man.


  • Registered Users, Registered Users 2 Posts: 3,717 ✭✭✭Praetorian


    I fixed our immediate problem with a changeover from our old ADSL line to our VDSL line. MX records and PTRs are sorted, and everything is working 100%.

    Yes I agree on the benefits of having two totally different systems. Ideally I'd love to have UPC in here as well. They said they were coming but never did. 4g I'll definitely consider.

    On the other hand though, in all the years we had two different ISPs in on the same technology, I never saw the two of them go down at the same time. It was always one or the other.


  • Registered Users, Registered Users 2 Posts: 2,116 ✭✭✭ItHurtsWhenIP


    Praetorian wrote: »
    Yes I agree on the benefits of having two totally different systems. Ideally I'd love to have UPC in here as well. They said they were coming but never did. 4g I'll definitely consider.

    4G would definitely be a good failover position for the (hopefully) rare occasions when the VDSL goes down, but if you want load balancing then watch for data limits, as you would end up sending/receiving a lot of data over the 4G and that may prove costly. :)


  • Registered Users, Registered Users 2 Posts: 382 ✭✭Gmaximum


    Just a question, if connectivity is vital to your business why not pay for a premium service with an enterprise level SLA?


  • Registered Users, Registered Users 2 Posts: 326 ✭✭domeld


    2 Cisco routers + GLBP


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    Gmaximum wrote: »
    Just a question, if connectivity is vital to your business why not pay for a premium service with an enterprise level SLA?

    The step up to a BIP circuit is pretty huge. For SMEs in that "middle-ground" it's kinda prohibitive. Hopefully the new FTTH efforts for residential use will create a cheap option for SMEs with a 4/8hr SLA add-on.


  • Closed Accounts Posts: 5,019 ✭✭✭ct5amr2ig1nfhp


    Prices on Eircom biz fibre have dropped significantly. We were quoted 20k/year for a 50mb only 3 years ago. It's about 9k this year.


  • Closed Accounts Posts: 129 ✭✭trompele


    I'm not sure how familiar you are with networking concepts (routing, DNS etc), but from my experience (small and medium enterprises) your best option would be Cisco Meraki MX series firewalls (sizing and models: https://meraki.cisco.com/products/appliances#models ).

    Generally in terms of MX device setup, the firewall will treat one of your links as primary and the other as secondary. The most important (handy) feature is that Meraki has its own dynamic DNS service. The DNS name from Meraki always points at the IP of the currently active connection (xxxxx.dynamic-m.com). So if the primary fails, the dynamic DNS will be updated with the secondary uplink's IP.

    So generally all services available from outside are accessed via your CNAME DNS record pointing to meraki one ( xxxxx.dynamic-m.com ) ie:

    mail.acme.com CNAME xxxxx.dynamic-m.com
    citrix.acme.com CNAME xxxxx.dynamic-m.com

    etc,etc.

    In terms of inbound NAT rules, Meraki allows you to select the inbound interface (internet1, internet2 or both). It also has a lot of features for outbound traffic redirection etc. (priorities, per src/dest subnet, per port etc.).

    Other than that it has many other handy options that you can read about via the website.
    Please let me know if you need more info.

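Both ED E's DynDNS suggestion and the Meraki setup above rest on the same mechanism: probe each uplink, publish the healthy one's public IP under a dynamic hostname, and make every public service a DNS alias of that hostname. The following is an added example of that controller, not the thread's code and not Meraki's or any DDNS provider's API; the "update" is recorded in a local dict, and the uplink names, addresses, probe results and the site.ddns.example / acme.example names are constructed placeholders. The one thing it adds beyond the posts is hysteresis, so a line that is flapping does not bounce the DNS record on every probe.

```python
"""Uplink failover driving a dynamic DNS name, with services aliased to it.

Added example (not the thread's code, not any vendor's API). A local controller
probes the internet through each uplink, marks an uplink down only after
FAIL_THRESHOLD consecutive failures and up again only after OK_THRESHOLD
consecutive successes, and publishes the first healthy uplink's public IP to
the dynamic name. All names, addresses and probe results are constructed.
"""

FAIL_THRESHOLD = 3   # consecutive failed probes before an uplink is considered down
OK_THRESHOLD = 5     # consecutive good probes before it is trusted again


class Uplink:
    def __init__(self, name, public_ip):
        self.name, self.public_ip = name, public_ip
        self.up, self.fails, self.oks = True, 0, 0

    def observe(self, probe_ok):
        if probe_ok:
            self.oks, self.fails = self.oks + 1, 0
            if not self.up and self.oks >= OK_THRESHOLD:
                self.up = True
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.up and self.fails >= FAIL_THRESHOLD:
                self.up = False


class FailoverController:
    def __init__(self, uplinks, ddns_name, ttl=60):
        self.uplinks = uplinks      # priority order: first healthy one wins
        self.ddns_name = ddns_name
        self.ttl = ttl              # keep it low or clients cache the dead IP
        self.ddns_zone = {}         # stands in for the DDNS provider's zone
        self.updates = []           # every (name, ip, ttl) "pushed" so far
        self.active = None

    def tick(self, probe_results):
        """probe_results: {uplink name: probe succeeded?}. Returns the active uplink name."""
        for u in self.uplinks:
            u.observe(probe_results[u.name])
        new = next((u for u in self.uplinks if u.up), None)
        if new is not self.active:
            self.active = new
            if new is not None:     # nothing sane to publish when every line is down
                self.ddns_zone[(self.ddns_name, "A")] = new.public_ip
                self.updates.append((self.ddns_name, new.public_ip, self.ttl))
        return new.name if new else None


def resolve(name, zones, max_chain=8):
    """Follow CNAMEs across zones until an A record is found (None if dangling)."""
    for _ in range(max_chain):
        for zone in zones:
            if (name, "A") in zone:
                return zone[(name, "A")]
        for zone in zones:
            if (name, "CNAME") in zone:
                name = zone[(name, "CNAME")]
                break
        else:
            return None
    return None


# Constructed public zone. RDP and web are CNAMEs to the dynamic name; the MX
# target points at the dynamic name directly, because an MX target must be a
# hostname with address records, not a CNAME (RFC 2181 section 10.3).
PUBLIC_ZONE = {
    ("rdp.acme.example", "CNAME"): "site.ddns.example",
    ("www.acme.example", "CNAME"): "site.ddns.example",
    ("acme.example", "MX"): [(10, "site.ddns.example")],
}


def demo():
    """Primary dies for 3 probes, then recovers; returns the controller and the
    active uplink reported after each probe."""
    ctl = FailoverController([Uplink("wan1", "203.0.113.10"),
                              Uplink("wan2", "198.51.100.20")], "site.ddns.example")
    timeline = [ctl.tick({"wan1": True, "wan2": True})]
    for _ in range(3):
        timeline.append(ctl.tick({"wan1": False, "wan2": True}))
    for _ in range(5):
        timeline.append(ctl.tick({"wan1": True, "wan2": True}))
    return ctl, timeline


if __name__ == "__main__":
    ctl, timeline = demo()
    print(timeline)
    print(resolve("rdp.acme.example", [PUBLIC_ZONE, ctl.ddns_zone]))
```

Two caveats that the dynamic-DNS approach does not remove: established RDP and SMTP sessions on the failed line still drop and must reconnect, and recursive resolvers honour the record's TTL, so a long TTL on the dynamic name turns a seconds-long failover into minutes of clients still trying the dead address.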

  • Registered Users, Registered Users 2 Posts: 3,717 ✭✭✭Praetorian


    ED E wrote: »
    The step up to a BIP circuit is pretty huge. For SMEs in that "middle-ground" its kinda prohibitive. Hopefully the new FTTH efforts for residential use will create a cheap option for SMEs with a 4/8hr SLA addon.

    That's exactly the reason. We got quoted ridiculous money. Really the providers should have had packages for SME's and perhaps the government should have gotten involved as well to force the issue.

    Having down time from last Friday to the following Thursday was also pretty unprecedented.

    I actually don't have much faith that the industrial estates will see FTTH any time soon (certainly in my one at least).

    Perhaps also a rollout of cheap FTTH products may lose operators expensive product sales in some cases.


  • Registered Users, Registered Users 2 Posts: 3,717 ✭✭✭Praetorian


    Just to give you guys an update. The load balancing with 2 x exchange-fed VDSL lines, both synced at 40 x 10, works really well. It distributes load perfectly; I have the router set to 50/50 distribution.

    I was also surprised to see this speedtest! ;)

    I would recommend it for any SMEs or bandwidth-crazy home users :)

    [speedtest screenshot]

    The two combined aren't quite as fast as my home connection, but I'm happy enough. Still interesting seeing the superior ping. I know this was explained in another thread.

    [speedtest screenshot]

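A note on what "50/50 distribution" means on a dual-WAN router, as an added example rather than anything from the thread or from any router vendor: the split is per connection, not per packet, because a TCP session (an RDP session, an SMTP delivery, a TLS connection to the web server) must keep one public source address for its whole life. The code below does weighted rendezvous hashing over a flow's 5-tuple, which gives a stable, weight-proportional split and, when one uplink drops out, moves only the flows that were on it. Uplink names, weights and the sample flows are constructed.

```python
"""Per-flow uplink selection for a multi-WAN router (added example).

Not the thread's code and not any vendor's algorithm. Each flow is hashed
together with each uplink name; the uplink with the highest weighted score
wins. Properties: the same flow always gets the same uplink, the share of
flows per uplink is proportional to its weight, and setting an uplink's
weight to 0 (down) only reassigns the flows that were on that uplink.
Uplink names, weights and flows below are constructed.
"""
import hashlib
import math
from collections import Counter


def _unit_hash(key):
    """Deterministic map of key to a float strictly inside (0, 1)."""
    h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big") >> 11  # 53 bits
    return (h + 1) / (2 ** 53 + 2)


def choose_uplink(flow, uplinks):
    """flow: (src_ip, src_port, dst_ip, dst_port, proto).
    uplinks: {name: weight}; weight <= 0 means the uplink is down.
    Returns the chosen uplink name, or None if every uplink is down."""
    key = ":".join(map(str, flow))
    best, best_score = None, 0.0
    for name, weight in uplinks.items():
        if weight <= 0:
            continue
        # -w / ln(u): with u uniform in (0,1) the winner is uplink i with
        # probability w_i / sum(w), and scores of other uplinks never change
        score = -weight / math.log(_unit_hash(f"{name}|{key}"))
        if score > best_score:
            best, best_score = name, score
    return best


def distribute(flows, uplinks):
    """Fraction of flows landing on each uplink (empty dict for no flows)."""
    if not flows:
        return {}
    counts = Counter(choose_uplink(f, uplinks) for f in flows)
    return {name: counts[name] / len(flows) for name in uplinks}


def sample_flows(n):
    """Constructed flows: LAN clients opening HTTPS connections to one server."""
    return [("192.168.1.%d" % (i % 50 + 1), 40000 + i, "198.51.100.7", 443, "tcp")
            for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(2000)
    print(distribute(flows, {"wan1": 1, "wan2": 1}))   # roughly 0.5 / 0.5
    print(distribute(flows, {"wan1": 3, "wan2": 1}))   # roughly 0.75 / 0.25
```

The security-relevant consequence for the original question: once flows leave via either line, any remote office or customer that filters RDP or web access by your source IP has to allow both public addresses, and the router's firewall policy must be identical on both WAN interfaces.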
