=== Here comes a past work of mine, done on the 23rd of November 2006 ===

In the original paper, the ADSL lines had dynamic IPs; this has been removed for the sake of simplicity. Please just consider that we use NAT on the Linksys modems because the IP is dynamic, so it is easier to hide this by NATing on the gate-megabit side, and because this makes us able to have the ADSL lines plugged into a switch.

In order to protect the enterprise using this scheme, IPs and names are falsified.

At the time of writing, OpenBSD 3.8 was used, but it can be upgraded to 4.1 or -current.

The goal of the game is to multiplex 2 or more ADSL links into one, between two sides owned by me. Because I own the two sides, theoretically I can load-balance outgoing packets on the ADSL side by spoofing myself, and load-balance the IP destination header of outgoing packets on the gigabit side. Theoretically...

So far, I have successfully implemented the load-balancing between the two endpoints, meaning that each stream (kept stated by pf) will always use the same ADSL line for the entire session.

So again, the very last goal of the game, given that one ADSL line can download at a 500kB/s rate and upload at a 100kB/s rate, is to establish a TCP connection between the two endpoints, using 2 ADSL lines, at a speed of 1000kB/s for download and 200kB/s for upload.

I, and some other colleagues and friends from a computer engineering school, have tried different solutions to this problem during one week, and the following method appeared as the best we had found (no topics on the net for "ADSL Aggregation"), without entirely fulfilling our needs.

I would like to say to all potential readers that at the time of studying this problem, we tried to use trunk(4), but unsuccessfully. I cannot remember exactly why, but I think it was because we could not use trunk(4) with gif interfaces. However, I have seen updates to trunk(4) in OpenBSD since the 3.8 release, and maybe now, in mid-2007, it can.

I would have appreciated trying some tricks by trunk(4)'ing IPsec interfaces to do the job, but the person who gave it to me forbade me to use IPsec. Please don't ask me why.

Please notice that, as humans, we are maybe totally stupid and there is a simple, easy-to-set-up-with-one-click solution to our problem. If there is, I apologize for having made you read all the following stuff for a stupid thing.

=== Translated from French; I hope you will understand it ===

>>>CUT HERE<<<

Here is the procedure for installing an aggregation of ADSL lines handled by Linksys AM200 modems with static IPs, between 2 OpenBSD (>=3.8) hosts, the gate-gigabit HYRULE/88.191.22.243 on the first side and the gate-megabit FOLAYS/82.229.223.{133,134} on the second side.

Once logged in as root, disable 2 devices badly supported by your favorite OpenBSD kernel (thanks to Intel and their closed documentation):

# config -e -f /bsd
OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
Enter 'help' for information
ukc> disable uhub
294 uhub* disabled
294 uhub* disabled
ukc> disable auvia
70 auvia* disable
ukc> q
Saving modified kernel.

The 2 Linksys devices will be set in router/NAT operating mode, with a DMZ.
We choose the 172.16.253/24 subnetwork for the Linksys LAN side. The external interface (bge0) of the gate-megabit will have 2 IPs (the DMZ ones):

=== This following part concerns the gate-megabit/FOLAYS endpoint. ===

# cat > /etc/hostname.bge0
inet 172.16.253.100 0xffffff00 NONE media 100baseTX mediaopt full-duplex
inet alias 172.16.253.101 0xffffff00 NONE
^D
# sh /etc/netstart bge0

We configure each Linksys with the following information:
- 172.16.253.200/24, NAT & DMZ => 172.16.253.100 (Freebox ADSL)
- 172.16.253.201/24, NAT & DMZ => 172.16.253.101 (Livebox ADSL)

Add a route for 192.168/16 on each Linksys, its DMZ host being the next hop.

We set the default route of the router (the first ADSL line):

# echo "172.16.253.200" > /etc/mygate
# sh /etc/netstart

We set the (gif) tunneling interfaces on the gate-megabit. In a hostname.if(5) file, $if on a "!" line is replaced by netstart(8) with the interface name:

# cat > /etc/hostname.gif0
tunnel 172.16.253.100 88.191.22.243 mtu 1480
!ifconfig $if 172.16.251.0 172.16.251.50 netmask 0xffffff00
^D
# cat > /etc/hostname.gif1
tunnel 172.16.253.101 88.191.22.243 mtu 1480
!ifconfig $if 172.16.251.1 172.16.251.51 netmask 0xffffff00
^D
# sh /etc/netstart gif0 gif1

=== This following part concerns the gate-gigabit/HYRULE endpoint. ===

Now on the gate-gigabit/HYRULE, we set the gif interfaces:

# cat > /etc/hostname.gif0
tunnel 88.191.22.243 82.229.223.133 mtu 1480
!ifconfig $if 172.16.251.50 172.16.251.0 netmask 0xffffff00
^D
# cat > /etc/hostname.gif1
tunnel 88.191.22.243 82.229.223.134 mtu 1480
!ifconfig $if 172.16.251.51 172.16.251.1 netmask 0xffffff00
^D
# sh /etc/netstart gif0 gif1

From now on, you should be able to ping:
- 172.16.251.0 & 172.16.251.1 from gate-gigabit HYRULE
- 172.16.251.50 & 172.16.251.51 from gate-megabit FOLAYS

# tcpdump -n -v -i bge0 "proto ipencap"

A tcpdump will show that encapsulated (ipencap) packets sent from:
- gate-megabit/FOLAYS always go out through the first ADSL line (the Freebox one)
- gate-gigabit/HYRULE always have as IP destination the ADSL address matching the gif interface they belong to

=== This following part concerns the gate-megabit/FOLAYS endpoint. ===
It's time to tell pf (Packet Filter, the OpenBSD firewall) to do the load-balancing on the gate-megabit/FOLAYS:

# cat > /etc/pf.conf
set state-policy if-bound
set skip on lo
block drop
pass on em0
pass on bge0 inet proto ipencap
pass in on bge0 inet proto icmp icmp-type echoreq code 0 keep state
pass in on bge0 inet proto tcp to (bge0) port ssh keep state
# spread new outgoing states over the two Linksys, one ADSL line per state
pass out on bge0 route-to { (bge0 172.16.253.200), (bge0 172.16.253.201) } inet keep state
# encapsulated tunnel packets stay on the line whose DMZ address they come from
pass out on bge0 route-to (bge0 172.16.253.200) proto ipencap from 172.16.253.100
pass out on bge0 route-to (bge0 172.16.253.201) proto ipencap from 172.16.253.101
pass in on gif
pass out on gif
# traffic for the far side is spread over both gif tunnels
pass out on gif0 route-to { (gif0 172.16.251.50), (gif1 172.16.251.51) } to !(gif:network)
^D

=== This following part concerns the gate-gigabit/HYRULE endpoint. ===

We set pf on the gate-gigabit/HYRULE:

# cat > /etc/pf.conf
set state-policy if-bound
nat on bge0 inet from !(bge0) -> (bge0)
block drop
pass on em0
pass on bge0 inet proto ipencap
pass in on bge0 inet proto icmp icmp-type echoreq code 0 keep state
pass in on bge0 inet proto tcp to (bge0) port ssh keep state
#pass out on bge0 inet keep state
pass on bge0
pass in on gif
pass out on gif
# traffic for the far side is spread over both gif tunnels
pass out on gif0 route-to { (gif0 172.16.251.0), (gif1 172.16.251.1) } to !(gif:network)
# packets sourced from a gif address leave through that same gif
pass out on gif route-to (gif0 172.16.251.0) from (gif0)
pass out on gif route-to (gif1 172.16.251.1) from (gif1)
^D

Enable pf on the two routers:

# echo pf=YES >> /etc/rc.conf.local
# pfctl -e

Reload the rules:

# pfctl -f /etc/pf.conf

Kill all states:

# pfctl -k 0.0.0.0/0

From now on, you shouldn't have broken the previous ping test, and should be able to repeat it:
- 172.16.251.0 & 172.16.251.1 from gate-gigabit HYRULE
- 172.16.251.50 & 172.16.251.51 from gate-megabit FOLAYS

# tcpdump -n -v -i bge0 "proto ipencap"

A tcpdump will show that encapsulated (ipencap) packets pass through the ADSL line matching the gif interface.

=== gate-megabit/FOLAYS LAN side uses the 192.168/16 private RFC1918 subnetwork ===
=== gate-gigabit/HYRULE LAN side uses the 10/8 private RFC1918 subnetwork ===

Add a route on the gate-megabit/FOLAYS (appended to the gif0 file so it is installed whenever gif0 is brought up):

# cat >> /etc/hostname.gif0
!route -q add 10/8 172.16.251.50
^D
# sh /etc/netstart gif0

Add a route on the gate-gigabit/HYRULE:

# cat >> /etc/hostname.gif0
!route -q add 192.168/16 172.16.251.0
^D
# sh /etc/netstart gif0

Set the internal interface of gate-megabit/FOLAYS with the internal network:

# cat >> /etc/hostname.em0
inet 192.168.252.254 0xffffff00 NONE media 100baseTX mediaopt full-duplex
^D
# sh /etc/netstart em0

Set the internal interface of gate-gigabit/HYRULE with the internal network:

# cat >> /etc/hostname.em0
inet 10.254.254.254 0xffffff00 NONE media 100baseTX mediaopt full-duplex
^D
# sh /etc/netstart em0
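The gif numbering and inner addressing above are the same on both gates (gifN, 172.16.251.N on gate-megabit and 172.16.251.(50+N) on gate-gigabit), so the scheme extends to the "2 or more" lines mentioned in the introduction. The following shell helper is an added example, not part of the original post: it generates the hostname.gifN body for either gate and the matching pf route-to pool from that convention, and the function names and the N-line generalization are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): emit the per-line gif(4)
# configuration and the pf route-to pool for N ADSL lines, using the same
# numbering as above: gifN on both gates, inner addresses 172.16.251.N on
# gate-megabit and 172.16.251.(50+N) on gate-gigabit.

INNER_NET=172.16.251      # inner /24 shared by all tunnel endpoints
MEGABIT_OFFSET=0          # gate-megabit side gets .0, .1, ...
GIGABIT_OFFSET=50         # gate-gigabit side gets .50, .51, ...

# gif_conf <megabit|gigabit> <index> <local_outer_ip> <remote_outer_ip>
# Prints the body of /etc/hostname.gif<index> for that side.
gif_conf() {
    side=$1 idx=$2 local_outer=$3 remote_outer=$4
    case $side in
        megabit) me=$((MEGABIT_OFFSET + idx)) peer=$((GIGABIT_OFFSET + idx)) ;;
        gigabit) me=$((GIGABIT_OFFSET + idx)) peer=$((MEGABIT_OFFSET + idx)) ;;
        *) echo "gif_conf: unknown side '$side'" >&2; return 1 ;;
    esac
    printf 'tunnel %s %s mtu 1480\n' "$local_outer" "$remote_outer"
    # $if is expanded by netstart(8) to the interface name, see hostname.if(5)
    printf '!ifconfig $if %s.%s %s.%s netmask 0xffffff00\n' \
        "$INNER_NET" "$me" "$INNER_NET" "$peer"
}

# route_to_pool <megabit|gigabit> <count>
# Prints the pf route-to pool spreading new states over all <count> tunnels,
# i.e. the list of (gifN <peer address>) pairs the far side answers on.
route_to_pool() {
    side=$1 count=$2
    case $side in
        megabit) base=$GIGABIT_OFFSET ;;
        gigabit) base=$MEGABIT_OFFSET ;;
        *) echo "route_to_pool: unknown side '$side'" >&2; return 1 ;;
    esac
    out="{" i=0
    while [ "$i" -lt "$count" ]; do
        if [ "$i" -gt 0 ]; then out="$out,"; fi
        out="$out (gif$i $INNER_NET.$((base + i)))"
        i=$((i + 1))
    done
    printf '%s }\n' "$out"
}

# Example: the two lines of this post, as seen from gate-megabit/FOLAYS
gif_conf megabit 0 172.16.253.100 88.191.22.243
gif_conf megabit 1 172.16.253.101 88.191.22.243
route_to_pool megabit 2
```

Redirect gif_conf output into /etc/hostname.gifN on the corresponding gate and paste the pool into the "pass out on gif0 route-to" rule; adding a third line only means a third Linksys DMZ address and index 2.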