
Introduction

I have a network of about 20 computers, all Windows XP workstations, each with Radmin 3 installed for remote access. I will assume that the installation and configuration of the tools went well, since there is plenty of information on the internet on how to do that, so I see no reason to explain it here. I will only list the changes I found necessary to make it work according to my needs. This setup used:

Iptables v. 1.4.2
Kernel v. 2.6.24-etchnhalf.1-486
Distro. Debian 4.0

Network layout:

Link 1 = ETH1 = IP 192.168.1.10 GVT
Link 2 = ETH2 = IP 192.168.2.10 BRT
Link 3 = ETH0 = IP 192.168.0.1 (internal network)

Each workstation has a fixed IP and a port for remote connection, e.g. 192.168.0.3 with Radmin access port 4893. The Radmin 3 client program can scan all registered workstations; you only need to configure each workstation's IP and port. External access is done through a dynamic DNS service.

Tools
I used the balancing method taken from the site below, which explains how to set up balancing and failover.

How To: Load Balancing & Failover With Dual/ Multi WAN / ADSL / Cable Connections on Linux
Gwping script for failover
Radmin 3 - Server and client for remote access to Windows workstations.

I created the tables in the file /etc/iproute2/rt_tables:

# rt_tables
1 gvt
2 brt

I added the default routes to balance the outgoing traffic; in my case I used the GVT and BRT links. Below are the rules I put in the rc.local file:

# rc.local
# Variables
ROTABRT="192.168.2.1"
ROTAGVT="192.168.1.1"
IPBRT="192.168.2.10"
IPGVT="192.168.1.10"
ETHB="eth2"
ETHG="eth1"
ROTADEL="route del default gw"
echo "Deleta rotas padrão"
$ROTADEL $ROTAGVT
$ROTADEL $ROTABRT
echo "OK"
ip route flush table gvt   # clear the routes cached in table gvt
ip route flush table brt   # clear the routes cached in table brt
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.10 table gvt
ip route add default via 192.168.1.1 table gvt
ip route add 192.168.2.0/24 dev eth2 src 192.168.2.10 table brt
ip route add default via 192.168.2.1 table brt
ip rule add from 192.168.1.10 table gvt
ip rule add from 192.168.2.10 table brt
# The rule below does the balancing with a 2:1 weight, because GVT is 2x faster than the BRT link
ip route add default scope global nexthop via 192.168.1.1 dev eth1 weight 2 nexthop via 192.168.2.1 dev eth2 weight 1
ip route flush cache   # clear the route cache
# Firewall
# Reverse-path filtering must be disabled for routing over two links to work
# (conf/default only seeds interfaces created afterwards; existing interfaces also read conf/all and their own conf/<iface>/rp_filter)
echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter

Now I create the call to the "gwping" script, which is responsible for the failover. I chose to put it in the /etc/link directory and change the file permissions with the command:

# chmod 755 /etc/link/gwping

Add the command to the rc.local file:

nohup /etc/link/gwping &

In the "gwping" script I made some changes according to my needs.

# gwping
#IP Address or domain name to ping. The script relies on the domain being
#pingable and always available
## Change this to a closer, i.e. faster, address; here I used GVT's IP
TESTIP=200.139.127.26
# Relative weights of routes. Keep this to a low integer value. I am using 4
# for TATA connection because it is 4 times faster
## Route weights: since the GVT link is 2x faster than BRT, I kept the 2:1 ratio
W1=2
W2=1
# Broadband providers name; use your own names here.
## Changed to the names of my tables
NAME1=GVT
NAME2=BRT
# No of repeats of success or failure before changing status of connection.
## In my case, after 4 attempts with no reply the link is disabled, and one successful attempt re-enables it.
## That way the script will not switch the default route thinking the link dropped when it is merely overloaded.
SUCCESSREPEATCOUNT=1
FAILUREREPEATCOUNT=4
# Below I added the rules that remove the packet marks when a link drops,
# so that marked packets do not end up going unanswered.
# (excerpt: the if test that opens this branch is not reproduced on the page)
echo Switching to $NAME2
ip route replace default scope global via $GW2 dev $EXTIF2
ip rule del fwmark 0x10 lookup gvt prio 3   ## remove the packet-mark rule
ip rule del fwmark 0x20 lookup brt prio 3   ## remove the packet-mark rule
ip route flush cache                        # clear the route cache
elif [[ $LLS1 -eq 0 && $LLS2 -eq 1 ]]; then
echo Switching to $NAME1
ip route replace default scope global via $GW1 dev $EXTIF1
ip rule del fwmark 0x10 lookup gvt prio 3   ## remove the packet-mark rule
ip rule del fwmark 0x20 lookup brt prio 3   ## remove the packet-mark rule
ip route flush cache                        # clear the route cache

elif [[ $LLS1 -eq 0 && $LLS2 -eq 0 ]]; then
echo Restoring default load balancing
ip rule add fwmark 0x10 lookup gvt prio 3   ## re-add the packet-mark rule when the failed link comes back
ip rule add fwmark 0x20 lookup brt prio 3   ## re-add the packet-mark rule when the failed link comes back
ip route replace default scope global nexthop via $GW1 dev $EXTIF1 weight $W1 nexthop via $GW2 dev $EXTIF2 weight $W2
ip route flush cache                        ## clear the route cache
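The failure/success counting described above, isolated as an added example so it can be exercised offline. This is my own code, not the gwping script or the author's rc.local; it assumes the page's thresholds (4 failures, 1 success) and reads the three branches shown above as a state table, with "unchanged" for the both-down case as an assumption.

```shell
#!/bin/bash
# Added example, not the gwping script itself: the hysteresis gwping applies
# before it declares a link down or up, isolated so it can be exercised offline.
# Thresholds as configured on this page: 4 failed pings in a row take a link
# down, 1 answered ping brings it back.
SUCCESSREPEATCOUNT=1
FAILUREREPEATCOUNT=4

# link_state SEQUENCE: SEQUENCE is a string of 1 (ping answered) and 0 (no
# reply), oldest first; starts from "up" and echoes the final state.
link_state() {
    local seq=$1 state=up fails=0 succ=0 r
    while [ -n "$seq" ]; do
        r=${seq%"${seq#?}"}          # first character
        seq=${seq#?}                 # drop it
        if [ "$r" = 1 ]; then
            succ=$((succ + 1)); fails=0
            if [ "$state" = down ] && [ "$succ" -ge "$SUCCESSREPEATCOUNT" ]; then
                state=up
            fi
        else
            fails=$((fails + 1)); succ=0
            if [ "$state" = up ] && [ "$fails" -ge "$FAILUREREPEATCOUNT" ]; then
                state=down
            fi
        fi
    done
    echo "$state"
}

# route_action STATE1 STATE2: which default route the page's branches install
# for the GVT (1) and BRT (2) link states. The both-down case is not in the
# excerpt on this page; "unchanged" for it is my assumption.
route_action() {
    case "$1,$2" in
        up,up)   echo balance ;;    # weighted nexthop route, fwmark rules restored
        down,up) echo brt ;;        # single default via GW2, fwmark rules removed
        up,down) echo gvt ;;        # single default via GW1, fwmark rules removed
        *)       echo unchanged ;;
    esac
}

# Three timeouts followed by a reply never reach the threshold, which is
# exactly the overload case the author wanted to ride out.
echo "GVT: $(link_state 0001)  BRT: $(link_state 0000)"
echo "action: $(route_action "$(link_state 0001)" "$(link_state 0000)")"
```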

Configuring ports for remote access and bank sites


Configuring the ports of the internal connection for remote access and a secure connection to the banks. E.g.: access to the remote server at IP 192.168.0.3, port 4893.

# Firewall
# Load modules
modprobe ipt_mark
modprobe ipt_MARK
# Add the mark rules for the links
ip rule add fwmark 0x10 lookup gvt prio 3
ip rule add fwmark 0x20 lookup brt prio 3
# Mark outbound traffic to ports 110 (POP3), 23 (telnet), 25 (SMTP) for the BRT link,
# and 80, 443 (banks), 4893 (remote access), 53 (DNS) for the GVT link
# (only TCP is matched here; UDP DNS follows the weighted default route)
iptables -I PREROUTING -t mangle -i eth0 -s 192.168.0.0/24 -d 0/0 -p tcp -m multiport --dports 110,23,25 -j MARK --set-mark 0x20
iptables -I PREROUTING -t mangle -i eth0 -s 192.168.0.0/24 -d 0/0 -p tcp -m multiport --dports 80,443,4893,53 -j MARK --set-mark 0x10
# Allow access to port 4893 on the Windows workstation on the internal network and mark the
# inbound and outbound traffic for the link, in this case the GVT link
iptables -I FORWARD -p tcp --dport 4893 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 4893 -j DNAT --to-dest 192.168.0.3
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.3 --sport 4893 -j MARK --set-mark 0x10   # 0x10 is the GVT mark; --set-mark takes a number, not the table name

Note: to access the Banrisul site it is necessary to add a route in the rc.local file; since ports 80 and 443 are sent out over the GVT link, we configure the route to leave through that link:

# rc.local
route add -host www.banrisul.com.br gw 192.168.1.1 dev eth1
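The FORWARD rule above accepts port 4893 from any interface and any source, so the workstation's Radmin service is reachable by the whole Internet as soon as the DNAT is in place. The following is an added example, not the page's rc.local, that puts those rules beside a restricted form; ADMIN_NET is an assumed placeholder for the address range administrators connect from, and the restricted rules assume the FORWARD chain's default policy is DROP.

```shell
#!/bin/bash
# Added example, not the page's rc.local: the Radmin port forward from this page
# next to a restricted form. Placeholder assumption: ADMIN_NET is the address
# range remote administrators connect from (TEST-NET-3 here; replace it).
# The restricted rules also assume the FORWARD chain's default policy is DROP.
WAN_IF=eth1            # GVT link, where the forward is published
LAN_IF=eth0
RADMIN_HOST=192.168.0.3
RADMIN_PORT=4893
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}
MARK_GVT=0x10          # fwmark looked up in table gvt

# fw: run iptables when APPLY=1, otherwise only print the command (dry run).
fw() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Rules as written on the page: any source on any interface may reach 4893.
radmin_rules_open() {
    fw -I FORWARD -p tcp --dport "$RADMIN_PORT" -j ACCEPT
    fw -t nat -I PREROUTING -i "$WAN_IF" -p tcp --dport "$RADMIN_PORT" \
        -j DNAT --to-destination "$RADMIN_HOST"
}

# Restricted form: only ADMIN_NET, only arriving on the WAN link, only to the one
# workstation; replies pass via connection tracking and are marked so they leave
# over the same link they came in on.
radmin_rules_restricted() {
    fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$ADMIN_NET" -d "$RADMIN_HOST" \
        -p tcp --dport "$RADMIN_PORT" -m state --state NEW -j ACCEPT
    fw -t nat -A PREROUTING -i "$WAN_IF" -s "$ADMIN_NET" -p tcp \
        --dport "$RADMIN_PORT" -j DNAT --to-destination "$RADMIN_HOST"
    fw -t mangle -A PREROUTING -i "$LAN_IF" -s "$RADMIN_HOST" -p tcp \
        --sport "$RADMIN_PORT" -j MARK --set-mark "$MARK_GVT"
}

# unrestricted_count RULEFUNC: number of rules admitting port 4893 without a
# source restriction (2 for the page's rules, 0 for the restricted set).
unrestricted_count() {
    "$1" | grep -- "--dport $RADMIN_PORT" | grep -vc -- "-s $ADMIN_NET"
}

radmin_rules_restricted   # print (or, with APPLY=1, install) the restricted set
```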

http://www.linux.org/docs/ldp/howto/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
#!/bin/bash
GW2=192.168.1.1 # gateway
EXTIF2=eth1

4.2. Routing for multiple uplinks/providers


A common configuration is the following, in which there are two providers that connect a local network (or even a single machine) to the big Internet.
[Diagram: the local network connects to a Linux router with two interfaces, if1 and if2; if1 leads to Provider 1 and if2 to Provider 2, both of which connect to the Internet.]

There are usually two questions given this setup.

4.2.1. Split access


The first is how to route answers to packets coming in over a particular provider, say Provider 1, back out again over that same provider. Let us first set some symbolical names. Let $IF1 be the name of the first interface (if1 in the picture above) and $IF2 the name of the second interface. Then let $IP1 be the IP address associated with $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at Provider 1, and $P2 the IP address of the gateway at provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in. One creates two additional routing tables, say T1 and T2. These are added in /etc/iproute2/rt_tables. Then you set up routing in these tables as follows:
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

Nothing spectacular, just build a route to the gateway and build a default route via that gateway, as you would do in the case of a single upstream provider, but put the routes in a separate table per provider. Note that the network route suffices, as it tells you how to find any host in that network, which includes the gateway, as specified above. Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected to that neighbour. Note the `src' arguments, they make sure the right outgoing IP address is chosen.
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

Then, your preference for default route:


ip route add default via $P1

Next, you set up the routing rules. These actually choose what routing table to route with. You want to make sure that you route out a given interface if you already have the corresponding source address:
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface. Now, this is just the very basic setup. It will work for all processes running on the router itself, and for the local network, if it is masqueraded. If it is not, then you either have IP space from both providers or you are going to want to masquerade to one of the two providers. In both cases you will want to add rules selecting which provider to route out from based on the IP address of the machine in the local network.

4.2.2. Load balancing


The second question is how to balance traffic going out over the two providers. This is actually not hard if you already have set up split access as above. Instead of choosing one of the two providers as your default route, you now set up the default route to be a multipath route. In the default kernel this will balance routes over the two providers. It is done as follows (once more building on the example in the section on split access):
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1

This will balance the routes over both providers. The weight parameters can be tweaked to favor one provider over the other.

Note that balancing will not be perfect, as it is route based, and routes are cached. This means that routes to often-used sites will always be over the same provider. Furthermore, if you really want to do this, you probably also want to look at Julian Anastasov's patches at http://www.linuxvirtualserver.org/~julian/#routes , Julian's route patch page. They will make things nicer to work with.
