As I mentioned in an earlier post, I have two connections from Virgin Media at home and I wanted to use them both to grab content from usenet.
Supernews only actually allow you to connect to their servers from one IP per account, so even if I had set up load balancing to split connections over both my connections, it would not have worked very well for usenet as I would be going out via two IP addresses! So for this reason I decided to take another route.
I have a dedicated server with OVH which has a 100mbit line, my two lines with Virgin Media are 60mbit and 30mbit, so I figured if I route my traffic out via my dedicated server, I should be able to saturate my line when usenetting. 🙂
So the way I did this was to create two tunnels on my Cisco 2821 Integrated Services Router going to my dedicated server, one tunnel per WAN connection, basically “port forwarding” ports 119 and 443 coming over the tunnels to go to Supernews. It’s working great so far and saturating both lines fully!
So the way I did this was as follows. First I set up the tunnels on my trusty Cisco 2821 ISR:
interface Tunnel1
 description Tunnel to Dedi via WAN1
 ip address 10.42.42.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/0.10
 tunnel mode ipip
 tunnel destination 184.108.40.206
interface Tunnel2
 description Tunnel to Dedi via WAN2
 ip address 10.42.42.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0/1.11
 tunnel mode ipip
 tunnel destination 220.127.116.11
That isn’t the complete configuration; I also decided to NAT my home network to the IPs of the two tunnels. This was just in order to do it quickly. If I had not used NAT on the two tunnels, I would have had to put a route on my dedicated server for my home network’s private IP range. Although this is easy, I was mainly doing this out of curiosity to see if it would work, and to do it without NAT on the tunnels I would have had to figure out how to do policy-based routing in order to overcome asymmetric routing on Linux. That can be a project for another day. 🙂
My dedicated server is running RHEL6, so to set up the tunnels on it I created the relevant ifcfg-tunl* files:
[root@moka ~]# cat /etc/sysconfig/network-scripts/ifcfg-tunl1
DEVICE="tunl1"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="IPIP"
PEER_OUTER_IPADDR="IP_OF_WAN_1"
PEER_INNER_IPADDR="10.42.42.1"
MY_OUTER_IPADDR="18.104.22.168"
MY_INNER_IPADDR="10.42.42.2"

[root@moka ~]# cat /etc/sysconfig/network-scripts/ifcfg-tunl2
DEVICE="tunl2"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="IPIP"
PEER_OUTER_IPADDR="IP_OF_WAN_2"
PEER_INNER_IPADDR="10.42.42.5"
MY_OUTER_IPADDR="22.214.171.124"
MY_INNER_IPADDR="10.42.42.6"
I don’t really want to go into detail on how to configure netfilter rules using iptables, so I will only paste the relevant lines of my firewall script:
# This rule masquerades all packets going out of eth0 to the IP of eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward packets coming in from tunl1 with the destination IP of 10.42.42.2
# and a destination port of either 119 or 443 (Supernews use 443 for the
# NNTP SSL port) to Supernews' server IP
iptables -t nat -A PREROUTING -p tcp -i tunl1 -d 10.42.42.2 --dport 119 -j DNAT --to 126.96.36.199
iptables -t nat -A PREROUTING -p tcp -i tunl1 -d 10.42.42.2 --dport 443 -j DNAT --to 188.8.131.52

# Forward packets coming in from tunl2 with the destination IP of 10.42.42.6
# and a destination port of either 119 or 443 (Supernews use 443 for the
# NNTP SSL port) to Supernews' server IP
iptables -t nat -A PREROUTING -p tcp -i tunl2 -d 10.42.42.6 --dport 119 -j DNAT --to 184.108.40.206
iptables -t nat -A PREROUTING -p tcp -i tunl2 -d 10.42.42.6 --dport 443 -j DNAT --to 220.127.116.11
That’s all there is to it really! Of course I have a more complete rule set, but I don’t really want to go into that in this post!
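An IPIP tunnel carries no authentication or encryption, so the rules around the DNAT lines matter: the sketch below is an added example, not the author's firewall script, that accepts IP protocol 4 only from the two home WAN addresses and forwards only the translated NNTP flows. It prints the commands instead of applying them; NEWS_IP and the 198.51.100.x peer addresses are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's firewall script. Prints iptables commands
# (dry run) so they can be reviewed before being applied as root.
# NEWS_IP and the peer addresses below are constructed placeholders
# (RFC 5737 documentation ranges), not values from the post.

NEWS_IP="203.0.113.10"          # assumed upstream news server address

# tunnel_rules IFACE INNER_IP PEER_OUTER_IP
#   IFACE          tunnel interface on the server (tunl1, tunl2)
#   INNER_IP       server-side inner address the usenet client connects to
#   PEER_OUTER_IP  public address of the home WAN link behind this tunnel
tunnel_rules() {
    iface=$1 inner=$2 peer=$3

    # IPIP (IP protocol 4) has no authentication: accept the encapsulated
    # packets only from the known home address.
    echo "iptables -A INPUT -i eth0 -p 4 -s $peer -j ACCEPT"

    for port in 119 443; do
        # Same DNAT as in the post, one rule per NNTP port.
        echo "iptables -t nat -A PREROUTING -p tcp -i $iface -d $inner --dport $port -j DNAT --to $NEWS_IP"
        # Forward only the translated flow from this tunnel out of eth0.
        echo "iptables -A FORWARD -i $iface -o eth0 -p tcp -d $NEWS_IP --dport $port -j ACCEPT"
    done
}

ruleset() {
    # Replies to connections that were already allowed through.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    tunnel_rules tunl1 10.42.42.2 198.51.100.1
    tunnel_rules tunl2 10.42.42.6 198.51.100.2
    # Everything else: no IPIP from unknown sources, no other forwarding.
    echo "iptables -A INPUT -i eth0 -p 4 -j DROP"
    echo "iptables -A FORWARD -j DROP"
    # Masquerade rule from the post, unchanged.
    echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
}

ruleset
```

Traffic to port 119 crosses the tunnel and the public internet in clear text; only the port 443 (NNTP over SSL) connections are encrypted end to end.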
Next, I just added two servers in my usenet client, one pointing at 10.42.42.2 and the other at 10.42.42.6. And magic! Now both lines will be used when my usenet client is doing its thing!
Note: If you got to the end of this post, I apologize if I make no sense, I was pretty tired while writing this post, and really just wanted to go to sleep. If you have any questions or suggestions on how to do this better, I’d be very interested in hearing them. :~)