Dual ISP Astlinux
This page does not yet describe how to achieve the goal; it only defines the desired requirements. Reading through the documentation for the Arno IP Tables Firewall used by Astlinux, these appear to be achievable.
Long Term Goal
With a sufficient number of interfaces, each function should be separated: servers in their own DMZ, VoIP equipment on a dedicated LAN for QoS considerations, etc. The result would be something like:
With Present Hardware
With a stock Soekris Net5501 there are only four Ethernet interfaces. Given the small number of servers and VoIP adaptors, the limited number of simultaneous calls and the fairly secure desktop environment, we will combine most functions into a “LAN” segment but keep the wireless access point on a separate segment for security reasons:
Environment
Internet Service Providers
Currently we have two Internet Service Providers (ISPs) to provide redundancy.
ISP 1
- “Business Class” ADSL
- Access via PPPoE
- Static IP address
- Downlink approximately 800 kbps
- Uplink approximately 300 kbps
- Network IP 67.102.xxx.yy netmask 255.255.255.0
- This link has proven very reliable, with consistent ping latencies, and is currently the route over which VoIP traffic is sent.
ISP 2
- “Business Class” Cable IP
- Static IP address
- Downlink approximately 15,000 kbps
- Uplink approximately 2,000 kbps
- Network IP 75.144.aaa.bbb netmask 255.255.255.252
- This link has had fairly frequent short outages (under 5 minutes, once or twice per month) and occasional longer ones, and it shows fairly high variation in ping times. Neither affects normal file transfers, mail service or web browsing, but both make the link less desirable for VoIP applications.
Servers
Local servers are used for mail and web. Mail redundancy is provided via MX records while, at present, all incoming web traffic is directed over ISP 2.
A Cisco PIX is currently used for remote VPN access to the facility.
Requirements
Load Balance/Failover
Load balancing, per se, is not required, but being able to select the preferred route based on the type of traffic is strongly desired: VoIP via ISP 1, DNS queries to the ISP whose resolver is being queried, all other traffic via ISP 2, etc.
Failure of a link must be detected in a reasonable time (under 2 minutes) and all traffic redirected over the remaining link. Recovery of a failed link must also be detected, and the default load-balance/traffic rules restored, in a reasonable time (under 2 minutes).
While it is desired that VoIP use one ISP, we cannot require incoming ENUM calls or roaming equipment to use a specific link: all VoIP requests must be accepted regardless of the interface they arrive on.
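The failover requirement above (detect a failed link and a recovered link within two minutes, without flapping on ISP 2's short outages) can be met with a small monitor. The script below is an added example, not the page's own configuration and not part of Astlinux or the Arno firewall: it probes each link through its own interface, applies hysteresis before changing state, and re-points the default routes. It assumes two per-ISP routing tables (ids 100 and 200) that hold one default route each and are selected by `ip rule` entries for VoIP, DNS and reply traffic; the interface names, gateways and probe targets are constructed placeholders (RFC 5737 addresses), not the site's real values.

```shell
#!/bin/sh
# Added example (not from the page): dual-ISP link monitor with hysteresis.
# All interface names, gateways, probe targets and table ids are assumptions.

ISP1_IF=ppp0;  ISP1_GW=192.0.2.1;     ISP1_PROBE=192.0.2.1      # ADSL far end (assumed)
ISP2_IF=eth1;  ISP2_GW=198.51.100.1;  ISP2_PROBE=198.51.100.1   # cable gateway (assumed)
T_ISP1=100; T_ISP2=200       # policy routing tables holding each ISP's default route
PROBE_INTERVAL=10            # seconds between probe rounds
FAIL_THRESHOLD=3             # consecutive failures before "down"  (about 30 s, well under 2 min)
RECOVER_THRESHOLD=6          # consecutive successes before "up"   (about 60 s, well under 2 min)
: "${DRY_RUN:=}"             # DRY_RUN=1 prints the route commands instead of running them

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# probe_link IFACE TARGET: one ICMP echo forced out through IFACE (ping -I uses
# SO_BINDTODEVICE), so the probe tests that ISP even while the default route
# points at the other one. Prints ok or fail.
probe_link() { ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail; }

# next_state STATE COUNT RESULT -> "STATE COUNT"
# STATE is the declared state of the link (up|down), COUNT the current run of
# probes that contradict it, RESULT the newest probe (ok|fail). A single lost
# ping never changes state; only a run of FAIL_THRESHOLD / RECOVER_THRESHOLD does.
next_state() {
    state=$1 count=$2 result=$3
    case "$state:$result" in
        up:ok|down:fail) count=0 ;;
        up:fail) count=$((count + 1))
                 if [ "$count" -ge "$FAIL_THRESHOLD" ]; then state=down; count=0; fi ;;
        down:ok) count=$((count + 1))
                 if [ "$count" -ge "$RECOVER_THRESHOLD" ]; then state=up; count=0; fi ;;
    esac
    echo "$state $count"
}

# apply_routes ISP1_STATE ISP2_STATE: normal operation keeps ISP 1's default in
# table T_ISP1 (used by the VoIP/DNS/ITSP rules) and ISP 2 as the main default.
# A down link's table is flushed: an ip rule whose table has no route falls
# through to the next rule, so that traffic lands on the surviving default.
apply_routes() {
    case "$1:$2" in
        up:up)
            run ip route replace default via "$ISP1_GW" dev "$ISP1_IF" table "$T_ISP1"
            run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" table "$T_ISP2"
            run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" ;;
        down:up)
            run ip route flush table "$T_ISP1"
            run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" ;;
        up:down)
            run ip route flush table "$T_ISP2"
            run ip route replace default via "$ISP1_GW" dev "$ISP1_IF" ;;
        down:down)
            echo "both links down, leaving routes unchanged" >&2 ;;
    esac
    run ip route flush cache
}

# monitor: probe forever, re-applying routes only when a link changes state.
monitor() {
    s1=up c1=0 s2=up c2=0
    apply_routes "$s1" "$s2"
    while :; do
        new1=$(next_state "$s1" "$c1" "$(probe_link "$ISP1_IF" "$ISP1_PROBE")")
        new2=$(next_state "$s2" "$c2" "$(probe_link "$ISP2_IF" "$ISP2_PROBE")")
        set -- $new1 $new2
        if [ "$1" != "$s1" ] || [ "$3" != "$s2" ]; then
            logger -t dualisp "ISP1=$1 ISP2=$3"     # syslog assumed available
            apply_routes "$1" "$3"
        fi
        s1=$1 c1=$2 s2=$3 c2=$4
        sleep "$PROBE_INTERVAL"
    done
}

case "${1:-}" in start) monitor ;; esac
```

Run it as `dualisp.sh start` from an init script; `DRY_RUN=1` shows the commands it would issue. Worst-case detection is FAIL_THRESHOLD probe rounds plus the ping timeouts, about 36 s here, and worst-case recovery about 72 s, both inside the two-minute requirement. Probing the ISP's own gateway only proves the first hop; probing a host beyond it (for instance the ISP's resolver) catches upstream failures too, at the cost of occasional false alarms when that host is down.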
DNS
Domain Name Service (DNS) should be provided by the Astlinux box to devices on the LAN and DMZ segments. This can be a forwarding service, preferably with caching, but if forwarding is used care must be taken that each query leaves via the ISP whose DNS server it is addressed to: a query sent to ISP 1’s DNS server must go out over ISP 1.
If possible, names for locally DHCP-assigned addresses should be returned for local equipment.
If possible, the local address(es) of the mail and web servers should be returned for them. Barring that, it must be possible to reach the local servers via their external IP address.
DHCP
Support for DHCP address assignment must be available for at least the LAN segment. It is needed to provide addresses for roaming laptop computers and for IP phones that are moved from time to time (sometimes to locations outside the LAN).
Support for setting NTP server information in the DHCP exchange would be very nice.
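The DNS and DHCP requirements above (caching forwarder, local names for DHCP leases, local addresses for the mail and web servers, NTP handed out by DHCP) map onto a short dnsmasq configuration. The script below is an added example, not the page's own configuration: it assumes dnsmasq as the forwarder and generates the fragment from a few variables; every interface name, address, range and domain name in it is a constructed placeholder (RFC 1918 / RFC 5737 ranges, `example.lan`). Sending each upstream query over the right ISP is not something dnsmasq can do itself; that is left to destination-based `ip rule` entries for the resolver addresses.

```shell
#!/bin/sh
# Added example (not from the page): generate a dnsmasq fragment for the
# LAN forwarder/DHCP role. All names, addresses and ranges are assumptions.

LAN_IF=eth0; LAN_IP=192.168.1.1
LAN_RANGE="192.168.1.100,192.168.1.199,12h"
LOCAL_DOMAIN=example.lan
ISP1_DNS="192.0.2.53 192.0.2.54"   # reached over ISP 1 by the policy routing
ISP2_DNS="198.51.100.53"           # reached over ISP 2
MAIL_IP=192.168.1.10; WEB_IP=192.168.1.11

# dnsmasq_conf prints the configuration; redirect it into dnsmasq.conf.
dnsmasq_conf() {
    cat <<EOF
# Answer only on internal segments; add one interface= line per segment (DMZ, WLAN).
interface=$LAN_IF
bind-interfaces
# Ignore /etc/resolv.conf and forward to the ISP resolvers listed below.
# Which link a query leaves on is decided by ip rules keyed on these addresses.
no-resolv
EOF
    for d in $ISP1_DNS $ISP2_DNS; do echo "server=$d"; done
    cat <<EOF
cache-size=1000
# Local zone: DHCP leases become <hostname>.$LOCAL_DOMAIN and are never sent upstream.
domain=$LOCAL_DOMAIN
local=/$LOCAL_DOMAIN/
expand-hosts
# Mail and web resolve to their LAN addresses inside, so local clients
# do not have to go out and back in through the external address.
address=/mail.$LOCAL_DOMAIN/$MAIL_IP
address=/www.$LOCAL_DOMAIN/$WEB_IP
# DHCP for the LAN: router, DNS and NTP all point at this box.
dhcp-range=$LAN_RANGE
dhcp-option=option:router,$LAN_IP
dhcp-option=option:dns-server,$LAN_IP
dhcp-option=option:ntp-server,$LAN_IP
EOF
}

case "${1:-}" in print) dnsmasq_conf ;; esac
```

`sh dnsmasq-gen.sh print > /etc/dnsmasq.conf` followed by a dnsmasq restart installs it (a HUP only rereads the hosts and leases files, not the main configuration). If the `address=` lines are not wanted, NAT reflection on the firewall is the alternative the requirement allows, so that LAN clients can reach the servers via the external address.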
VoIP
ITSP
It should be possible to register with the ITSP through either external interface. Whatever interface is used for registration should also be used for all other traffic to that ITSP (RTP streams, etc.).
ENUM
Asterisk on the Astlinux box is configured to query a number of ENUM servers and, when possible, place calls directly to the end recipient. Numbers served by this system are registered with e164.org, and incoming calls from other systems must be accepted regardless of the external interface they arrive on.
Roaming
Softphones have been configured on laptop computers, and at least one IP phone is sometimes moved off-site. Support for these roaming phones is required. Based on external DNS lookups they may register with Asterisk through either public interface or through the LAN interface.
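The route-selection requirements (VoIP via ISP 1, each ISP's resolvers via their own link, everything else via ISP 2), the ITSP requirement (all traffic to the ITSP on the link used for registration) and the ENUM and roaming requirements (accept calls on either public interface) share one mechanism on Linux: policy routing with per-ISP tables, plus connection marks so that replies leave on the link the request arrived on. The script below is an added example, not the page's own configuration and not the Arno firewall's own rules: it assumes two routing tables with one default route each, interface names, RFC 5737 addresses, fwmark values, an ITSP address and Asterisk's SIP/RTP ports, all of which are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the page): per-ISP tables, connection marks and
# ip rules for the dual-ISP requirements. Every name/address/value is assumed.

ISP1_IF=ppp0; ISP1_GW=192.0.2.1;    ISP1_DNS="192.0.2.53 192.0.2.54"
ISP2_IF=eth1; ISP2_GW=198.51.100.1; ISP2_DNS="198.51.100.53"
ITSP_HOSTS="203.0.113.20"            # hypothetical ITSP SIP proxy / media relay
T_ISP1=100; T_ISP2=200               # routing tables, one default route each
M_ISP1=0x1; M_ISP2=0x2; M_VOIP=0x4   # fwmarks: "arrived via ISP n", "is VoIP"
SIP_PORT=5060; RTP_PORTS=10000:20000 # assumed sip.conf / rtp.conf values
: "${DRY_RUN:=}"                     # DRY_RUN=1 prints the commands instead

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

setup_tables() {
    run ip route replace default via "$ISP1_GW" dev "$ISP1_IF" table "$T_ISP1"
    run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" table "$T_ISP2"
    run ip route replace default via "$ISP2_GW" dev "$ISP2_IF"   # main table: ISP 2
    # Strict reverse-path filtering drops packets arriving on the link the main
    # table would not use towards their source; loose mode (2) keeps a sanity check.
    run sysctl -q -w net.ipv4.conf.all.rp_filter=2
    # LAN traffic may leave on either link, so both need source NAT.
    run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j MASQUERADE
}

setup_marks() {
    # Tag each inbound connection with the ISP it arrived on, then copy the tag
    # onto every later packet of that connection: forwarded replies from DMZ
    # servers pass PREROUTING, Asterisk's own replies pass OUTPUT. The fwmark
    # rules in setup_rules then send the reply back out the same link, which is
    # what lets ENUM peers, the ITSP and roaming phones use either public address.
    run iptables -t mangle -A PREROUTING -i "$ISP1_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$M_ISP1"
    run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$M_ISP2"
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # Locally originated SIP and RTP not already tied to an inbound link gets the
    # VoIP mark (ISP 1 preferred). The kernel re-routes a locally generated packet
    # when OUTPUT changes its mark, so the new mark takes effect for that packet.
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -p udp --dport "$SIP_PORT" -j MARK --set-mark "$M_VOIP"
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -p udp --dport "$RTP_PORTS" -j MARK --set-mark "$M_VOIP"
}

setup_rules() {
    # Rules are tried in pref order; a table without a matching route falls
    # through to the next rule, so emptying a down link's table diverts its
    # traffic to the surviving default route.
    run ip rule add fwmark "$M_ISP1" table "$T_ISP1" pref 100    # replies via ISP 1
    run ip rule add fwmark "$M_ISP2" table "$T_ISP2" pref 101    # replies via ISP 2
    for d in $ISP1_DNS; do run ip rule add to "$d" table "$T_ISP1" pref 200; done   # ISP 1 resolvers
    for d in $ISP2_DNS; do run ip rule add to "$d" table "$T_ISP2" pref 201; done   # ISP 2 resolvers
    for h in $ITSP_HOSTS; do run ip rule add to "$h" table "$T_ISP1" pref 300; done # ITSP: register and media on ISP 1
    run ip rule add fwmark "$M_VOIP" table "$T_ISP1" pref 400    # other VoIP prefers ISP 1
    run ip route flush cache                                      # everything else: main table, ISP 2
}

case "${1:-}" in apply) setup_tables; setup_marks; setup_rules ;; esac
```

`ip rule add` is not idempotent; on a re-run, delete the old rules (or flush and re-add the whole set) first, and keep the marks and chains coordinated with whatever the Arno firewall already installs so the two do not clobber each other. Pinning the ITSP by destination address only works while the ITSP's addresses are known; if it resolves to changing addresses, marking by the SIP registration connection is the fallback. If ISP 1 goes away, the `to` rule for the ITSP falls through to ISP 2 and Asterisk re-registers from there, which is the "register through either interface" behaviour the requirement asks for.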
VPN
VPN access to servers on the LAN must be provided, either via IPsec pass-through to the existing Cisco PIX on the DMZ or by OpenVPN or another VPN terminated on the Astlinux box itself.