two internet interfaces - trying to make it work

dspender · #1 (**permalink**) 07-08-2009, 04:10 PM

I have my main Astaro with Internet 1 working fine

I have a trial Astaro with Internet 2 working fine

After a few days testing Internet 2 I'm ready to merge it into my main Astaro and setup link balancing.

I configure an additional interface in my main Astaro and plug in Internet 2...

However I can't ping it. I can ping Internet 1 fine (I have check the appropriate boxes under ICMP to allow ping). I plug Internet 2 back into my trial Astaro and can ping it fine.

Why is Internet 2 not available on my main Astaro? I feel like I should be able to ping it externally before I proceed any further, yes?

Like I said, I simply dropped another NIC in, configured it with the assigned IP for Internet 2 ISP and that's all I've done. It seems like that's all I would need to do to get this far at least.

EDIT: Nothing appears in the Packet Filter Log - I searched on the IP of Internet 2 and the IP of the external machine I'm pinging from....

dspender · #2 (**permalink**) 07-08-2009, 04:55 PM

I didn't do anything!! I *maybe* enabled and disabled linkbalancing and it started responding to pings on its own. I know, hard to believe...

But one other issue - while I enabled link balancing, I was trying to access our web site from the outside and it timed out. But only certain sites timed out. Some work consistently and others don't work.

So simply enabling multipath uplink balancing with the two WAN interfaces configured, clobbered outside accessto certain sites?? Very strange.

I'm struggling to find a reason for this. The NAT rules are very basic...

ANY>> HTTP Traffic >> WEB-PUB IP translate to WEB-PRV IP

That's it. same as the ones that work.

dspender · #3 (**permalink**) 07-08-2009, 05:45 PM

When I enable Uplink Balancing the same two servers go dark each time.

I try to find a trace of activity in the Packet Filter log - there is nothing there indicating traffic is blocked. This seems to me like a routing issue then.

But why would simply enabling uplink balancing cause these servers to be unavailable to the outside world - especially when other servers on the same internal subnet with very similar nat rules are working fine???

dspender · #4 (**permalink**) 07-08-2009, 07:38 PM

Maybe I should have made a blog instead of a ticket but hopefully my trials will be of help to someone in the future!

I just thought I'd post that I've made progress with the second connection in that is accepting and routing incoming connections correctly now.

IE. inbound connections from either Internet 1 or Internet 2 to my web server are getting a response! This is great! Now I can setup DNS failover and my main goal of having redundant lines for my website is reached.

HOWEVER!

I would really like to get uplink balancing working and as of now, outside requests to two of my webservers FAIL when uplink balancing is enabled. I've been poking around all day and cannot figure out what could possibly be causing this.

UPDATE:

Added a NAT rule for my one non-working server so that it has an Internet 2 public address.

Turned on Uplink Balancing and the Internet 2 Public NAT address works but the Internet 1 link does not.

Turn off Uplink Balancing and they both work.

dspender · #5 (**permalink**) 07-09-2009, 02:50 PM

A new day! A new observation!

When I enable Uplink Balancing, it seems the servers that go dark are in fact random each time - but persistant.

So if server A goes down, even though I disable Uplink Balancing and Server A is accessible again across the Astaro, when I enable UB again, it will be Server A that is unavailable.

This seems to reset after a number of hours -- all of sudden Server A will work fine when UB in enabled and Server C will be unavailable.

If this was happening the other way around it would be an easy guess. I know that UB causes connections to be persistantly chosen using round-robin. If one interface was having issues then random websites would appear to be persistantly unavailable until it reset. However what's happening here is the reverse of that.... which makes absolutely no sense.

Ok if I had to completely hypothesize the ONLY explanation would be:

Uplink Balancing Multipath is applying its persistant round-robin choice to the RETURN traffic of a website request from the Public WAN. This sounds completely off the wall but it would explain why sometimes servers are available and sometimes they are not.

I'm sure there's another reason for it, but I cannot figure this out.

I think its ticket time.

dspender · #6 (**permalink**) 07-10-2009, 06:41 PM

At first Astaro support told they couldn't find anything wrong and told me to update my firmware to the newest version.

I did so last night. Still same issue.

After a second look I was told that the server IP addresses I had been assigned by my ISP were outside of the subnet range of public IP given to me which is assigned to the Astaro External WAN Interface.

I was told that I would need to create 'Additional Addresses' entries for each of the server IP addresses that I used on that interface in order to enable Uplink Balancing....

"[The Server IPs] will only be available to traffic which happens to traverse eth3 (the external WAN interface), and then it may not be
reliable."

sounds odd, but I'm trying it now and I'll report back. But one thing I know is that this Uplink Balancing deal needs a bit better explanation and documentation. There's clearly some stuff going on behind the scenes that us little people are not privy to.

dspender · #7 (**permalink**) 07-11-2009, 01:33 AM

Ok that did it I think!!

MORAL:

If you have assigned IPs on your WAN interface outside of the subnet for the WAN IP itself, enter them as Additional Interfaces.

ISSUE:

After activating uplink balancing, its not working

All I've done is set to multipathing and enter the two WAN interfaces... is there some other trick to this? Of course the docs mention no additional steps ^.-
I should probably create another post for this.... or another ticket

Thanks everyone for your input! haha.

BAlfson · #8 (**permalink**) 07-11-2009, 07:06 PM

Dspender, I hate to ruin the purity of your thread that has only posts by you.

Between posts #1 and #2, the ARP table in your ISP's router was updated with the "new" (to it) MAC address of the card in your main Astaro. Post #2 implies that you need a multipathing rule to make connections persistant.

Astaro Support should be able to fix this if you can't solve it with a persistance rule. I wish I knew more about this, but I've only played with it a bit.

Cheers - Bob