Routing question #2



I would like to set up the following:

        Remote User
             |
             V
         --Internet--
         |          |
(T1)     |          | (DSL)
         V          V
   Firewall 1    Firewall 2
         |          |
         V          V
        ---------------
        [     VMS     ]
        ---------------

The remote user could access a web server on the VMS box using either 
t1.company.com or dsl.company.com with each firewall forwarding the 
connection to the same VMS box. The idea is that if one of the lines 
fails, the other would provide a backup path, but both would be links on 
another site so a user could pick either one.

The problem is the default route to return the packets appears to only 
allow one gateway back to the internet. What I would like is packets 
coming in on the T1 to go back thru the T1 and the same for the DSL.

The system has the latest version of VMS and TCP/IP services.

0
Reply Jeffrey 4/16/2004 1:36:24 AM

Jeffrey Coffield wrote:
> I would like to set up the following:
> 
>        Remote User
>             |
>             V
>         --Internet--
>         |          |
> (T1)    |          | (DSL)
>         V          V
>   Firewall 1    Firewall 2
>         |          |
>         V          V
>        ---------------
>        [     VMS     ]
>        ---------------
> 
> The remote user could access a web server on the VMS box using either 
> t1.company.com or dsl.company.com with each firewall forwarding the 
> connection to the same VMS box. The idea is that if one of the lines 
> fails, the other would provide a backup path, but both would be links on 
> another site so a user could pick either one.
> 
> The problem is the default route to return the packets appears to only 
> allow one gateway back to the internet. What I would like is packets 
> coming in on the T1 to go back thru the T1 and the same for the DSL.
> 
> The system has the latest version of VMS and TCP/IP services.
> 

Set static routes to whatever networks (t1 or dsl) "Remote User" might
be addressed as.

0
Reply copeland (5) 4/16/2004 2:07:38 AM


Jeffrey Coffield wrote:

> I would like to set up the following:
> 
>        Remote User
>             |
>             V
>         --Internet--
>         |          |
> (T1)    |          | (DSL)
>         V          V
>   Firewall 1    Firewall 2
>         |          |
>         V          V
>        ---------------
>        [     VMS     ]
>        ---------------
> 
> The remote user could access a web server on the VMS box using either 
> t1.company.com or dsl.company.com with each firewall forwarding the 
> connection to the same VMS box. The idea is that if one of the lines 
> fails, the other would provide a backup path, but both would be links on 
> another site so a user could pick either one.

You can put DNS entries with one name that translates to both
addresses, and other names that translate to one each.

> The problem is the default route to return the packets appears to only 
> allow one gateway back to the internet. What I would like is packets 
> coming in on the T1 to go back thru the T1 and the same for the DSL.

Yes, that is how routing works.  You can use RIP, or another
routing protocol, so that it will switch if one goes down.

All that I know of route on destination not source.

> The system has the latest version of VMS and TCP/IP services.

-- glen

0
Reply gah (12254) 4/16/2004 4:18:41 AM

In article <sMGfc.23092$P%7.9356@newssvr27.news.prodigy.com>, Jeffrey
Coffield <jeffrey@digitalsynergyinc.com> writes: 

> I would like to set up the following:
> 
>         Remote User
>              |
>              V
>          --Internet--
>          |          |
> (T1)     |          | (DSL)
>          V          V
>    Firewall 1    Firewall 2
>          |          |
>          V          V
>         ---------------
>         [     VMS     ]
>         ---------------
> 
> The remote user could access a web server on the VMS box using either 
> t1.company.com or dsl.company.com with each firewall forwarding the 
> connection to the same VMS box. The idea is that if one of the lines 
> fails, the other would provide a backup path, but both would be links on 
> another site so a user could pick either one.
> 
> The problem is the default route to return the packets appears to only 
> allow one gateway back to the internet. What I would like is packets 
> coming in on the T1 to go back thru the T1 and the same for the DSL.

I posted a similar question a while back.  At the time, I wanted to 
access my hobbyist cluster through DSL or through ISDN.  The problem, as 
you say, is that the return path is set as a route.  As someone 
suggested, you could use static routes, but that would only allow some 
folks to come in through route 1 and some through route 2, which is not 
what you want.

JF Mezei posted a brilliant solution (at least for my case; I think it 
would apply to yours as well): before "VMS" above, install a NAT/PAT 
router, but backwards.

0
Reply helbig (4870) 4/16/2004 5:58:27 AM

Phillip Helbig---remove CLOTHES to reply wrote:

> In article <sMGfc.23092$P%7.9356@newssvr27.news.prodigy.com>, Jeffrey
> Coffield <jeffrey@digitalsynergyinc.com> writes: 
> 
> 
>>I would like to set up the following:
>>
>>        Remote User
>>             |
>>             V
>>         --Internet--
>>         |          |
>>(T1)     |          | (DSL)
>>         V          V
>>   Firewall 1    Firewall 2
>>         |          |
>>         V          V
>>        ---------------
>>        [     VMS     ]
>>        ---------------
>>
>>The remote user could access a web server on the VMS box using either 
>>t1.company.com or dsl.company.com with each firewall forwarding the 
>>connection to the same VMS box. The idea is that if one of the lines 
>>fails, the other would provide a backup path, but both would be links on 
>>another site so a user could pick either one.

(snip)

> JF Mezei posted a brilliant solution (at least for my case; I think it 
> would apply to yours as well): before "VMS" above, install a NAT/PAT 
> router, but backwards.

If both are on the same net, which could be true if Firewall 1 or
Firewall 2 did NAT, that could work.  Otherwise you need an additional
NAT router.  Well, a NAT implementation running on FreeBSD or Linux
might have enough configuration options to do it, but the typical
home DSL/cable/NAT router won't do it.

It doesn't eliminate a common point of failure, but that might not
be too bad.

-- glen

0
Reply gah (12254) 4/16/2004 6:04:25 AM

Phillip Helbig---remove CLOTHES to reply wrote:
> 
> JF Mezei posted a brilliant solution (at least for my case; I think it 
> would apply to yours as well): before "VMS" above, install a NAT/PAT 
> router, but backwards.
> 
I had thought about this but it would seem to have the disadvantage of 
not showing the real remote ip address in the server logs, which may or 
may not be that useful.

0
Reply Jeffrey 4/16/2004 2:27:22 PM

Gib Copeland wrote:

>
> 
> Set static routes to whatever networks (t1 or dsl) "Remote User" might
> be addressed as.
> 

The remote user is on the Internet and may choose either path to get in,
so a static route would always send the packet back on only one of 
the lines.

0
Reply Jeffrey 4/16/2004 2:29:35 PM

glen herrmannsfeldt wrote:

> 

> Yes, that is how routing works.  You can use RIP, or another
> routing protocol, so that it will switch if one goes down.
> 
>
> -- glen
> 
As far as I can see, this would still only use one of the lines to send 
data back. Someone outside this group mentioned a box that would 
aggregate multiple connections to the Internet but I am looking for a 
solution that doesn't have a single point of failure.

0
Reply Jeffrey 4/16/2004 2:32:44 PM

Jeffrey Coffield wrote:
> Phillip Helbig---remove CLOTHES to reply wrote:
> 
>>
>> JF Mezei posted a brilliant solution (at least for my case; I think it
>> would apply to yours as well): before "VMS" above, install a NAT/PAT
>> router, but backwards.
>>
> I had thought about this but it would seem to have the disadvantage of 
> not showing the real remote ip address in the server logs, which may or 
> may not be that useful.
> 

This may depend on your current version of TCPIP, but you should be
able to put a second IP address on your Alpha NIC.  Then you could use
one address for the T1 and one for the DSL.  This would allow you to
use static routes.  You could leave the current address for your
default or preferred Internet connection and add the second address
for your other.  The original address would still be used for all
inside traffic, but now  all traffic for the secondary Internet
connection would go to the 2nd IP address on the same ethernet card. 
I have done two addresses (interfaces) on the same card before using
UCX4.2.  I am now on TCPIP 5.3 and I believe that the feature still
works.  You treat the addresses like different cards, but they are
both bound on the same card.

Thomas Wirt
Systems Manager
Kittle's Home Furnishings
Indianapolis, IN
0
Reply twnews (95) 4/16/2004 3:50:19 PM

In article <e3Sfc.37513$RZ5.12175@newssvr29.news.prodigy.com>, Jeffrey Coffield <jeffrey@digitalsynergyinc.com> writes:
> Phillip Helbig---remove CLOTHES to reply wrote:
>> 
>> JF Mezei posted a brilliant solution (at least for my case; I think it 
>> would apply to yours as well): before "VMS" above, install a NAT/PAT 
>> router, but backwards.
>> 
> I had though about this but it would seem to have the disadvantage of 
> not showing the real remote ip address in the server logs, which may or 
> may not be that useful.

Probably not feasible, but let me throw it out there anyway...

Instead of doing NAT on the client's source IP, do NAT on the server's
destination IP.

So traffic coming in through the one gateway is directed to one server
alias IP.  And traffic coming through the other gateway is directed at
the other server alias IP.

Now on the return trip you have the problem that you need to route
based on source IP rather than destination IP.  So you throw in
a Cisco router and do policy routing.  e.g.

access-list extended from-one-alias
permit ip host 10.1.1.1 any

access-list extended from-other-alias
permit ip host 10.2.2.2 any

route-map return-route-magic permit 10
 match ip address from-one-alias
 set ip next-hop 192.168.1.1
route-map return-route-magic permit 20
 match ip address from-other-alias
 set ip next-hop 192.168.2.2

interface fastethernet 0/0		(Toward server)
 ip address 10.9.9.9 255.0.0.0
 ip policy route-map return-route-magic

interface fastethernet 0/1		(Toward gateways)
 ip address 192.168.9.9 255.255.0.0

	John Briggs
0
Reply briggs3 (572) 4/16/2004 6:34:53 PM
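An added illustration, not from the thread: a small Python model of John Briggs' design above, with each firewall rewriting the destination to a per-line server alias and the router's route-map choosing the return gateway from the reply's source address rather than its destination. The alias and next-hop addresses are the ones in his Cisco snippet; which gateway sits behind which firewall, and the router's ordinary default gateway, are assumed.

```python
# Added example (not part of the newsgroup thread): simulate destination NAT
# at the firewalls plus source-based policy routing on the return path.
from ipaddress import ip_address, ip_network

# Each firewall DNATs the public name it serves to a distinct server alias.
# Assumption: the T1 firewall hands traffic to gateway 192.168.1.1 and the
# DSL firewall to 192.168.2.2 (the next hops named in the route-map).
DNAT = {
    "t1.company.com": ("10.1.1.1", "192.168.1.1"),
    "dsl.company.com": ("10.2.2.2", "192.168.2.2"),
}

# Cisco-style extended ACLs "permit ip host <src> any": only the source
# address is matched, the destination is wildcarded.
ACLS = {
    "from-one-alias": [ip_network("10.1.1.1/32")],
    "from-other-alias": [ip_network("10.2.2.2/32")],
}

# route-map return-route-magic: sequences are tried in order, the first
# matching ACL wins, and no match falls through to ordinary routing.
ROUTE_MAP = [
    (10, "from-one-alias", "192.168.1.1"),
    (20, "from-other-alias", "192.168.2.2"),
]

DEFAULT_GATEWAY = "192.168.1.1"   # assumed: the router's ordinary default route

def policy_next_hop(src: str) -> str:
    """Next hop the router picks for a packet *from* src, as its PBR would."""
    for _seq, acl, next_hop in ROUTE_MAP:
        if any(ip_address(src) in net for net in ACLS[acl]):
            return next_hop
    return DEFAULT_GATEWAY   # destination-based routing for everything else

def inbound_alias(hostname: str) -> str:
    """Alias IP the firewall rewrites the destination to for this hostname."""
    return DNAT[hostname][0]

def return_path_matches(hostname: str) -> bool:
    """True if the reply to a request via hostname leaves by the same gateway."""
    alias, gateway_in = DNAT[hostname]
    # The server answers from the alias it was addressed at, so the reply's
    # source IP carries the information about which line the request used.
    return policy_next_hop(alias) == gateway_in
```

Note that the real client address survives this scheme, since only the server side of the address pair is rewritten.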

Jeffrey Coffield wrote:

> glen herrmannsfeldt wrote:

>> Yes, that is how routing works.  You can use RIP, or another
>> routing protocol, so that it will switch if one goes down.

> As far as I can see, this would still only use one of the lines to send 
> data back. Someone outside this group mentioned a box that would 
> aggregate multiple connections to the Internet but I am looking for a 
> solution that doesn't have a single point of failure.

Yes.  The advantage is that if one router is down it can
choose to route through the other.   If you have a static
route, it won't do that.

-- glen

0
Reply gah (12254) 4/16/2004 9:55:44 PM
