Best way to "load balance" multiple internet connections

GT-Rob Member Posts: 1,090
Not really a CCNP topic, but figured I would see if anyone had any ideas.


I have a router on which I use multiple PPPoE DSL connections. The idea is that an inside user uses the LAN IP of the router as its gateway, and is then NAT'd to one of the WAN dialers. The config works, and uses route-maps to allow the multiple NAT statements.


For the most part...this works, and connections work fine. However, some things seem not to work, like VPN connections. Not all, but some VPN clients get randomly dropped or have tunnel communication errors, which I assume is due to the user getting NAT'd to different WAN IPs and something somewhere getting confused.



So is there another/better way to do this? I thought about multiple routers and breaking up the scope to get a bit of balance (there's an easy 250 users), but it's going through a WLC, and I'm not sure I can do this.


I have a spare CSS I could use to load balance to the different routers, but again, not sure if I will run into the same problem.



Any ideas? The end goal is to take users on our guest wireless connection and allow them to use one of the multiple DSL connections we have (I think it's 3x10Mb connections) without causing connection problems. Something that keeps one LAN IP on the same WAN IP would be best, with the load balancing done per IP rather than per packet.

Comments

  • jason_lunde Member Posts: 567
    Sounds like you need a way to identify your VPN clients before the NAT route-map, and then do your exempt statements for them, pointing them to a next hop of the interface you bring them in on. Can you give a peek of your route-map?
  • GT-Rob Member Posts: 1,090
    The route-map is really for matching the interface.


    If you try to put in multiple NAT statements, they actually replace each other (so you really can only define one outside).

    However, if you use a route-map to match the interface (dialer), then it lets you put in multiple, and it seems to just 'round-robin' through.



    Anyway, this is how it's configured:

    ! One NAT statement per dialer; the route-map makes them coexist
    ip nat inside source route-map dialer1 interface Dialer1 overload
    ip nat inside source route-map dialer6 interface Dialer6 overload
    !
    ! Translate only if the packet is from an inside network AND is leaving via this dialer
    route-map dialer1 permit 10
     match ip address forInet
     match interface Dialer1
    !
    route-map dialer6 permit 10
     match ip address forInet
     match interface Dialer6
    !
    ! The inside networks allowed out to the Internet
    ip access-list extended forInet
     permit ip (lists our internal networks).



    So I agree that yes, to solve the VPN users they need to not hit this NAT config, and need to use a single outside interface, as from what I can tell they get bounced between Dialer1 and Dialer6, and this causes problems.

    However, this is just a guest internet, and technically everyone is a VPN user lol.


    If there was a NAT option that basically said: "once your IP is NAT'd to an outside interface, you stay on that same interface", that would be nice :D
  • jason_lunde Member Posts: 567
    Ah dude, now I see your dilemma...your guest users inside ARE your VPN users initiating connections to outside...is that right? If so, ouch. I don't know a good way to do this other than giving your users separate subnets and just NATting a particular subnet to one interface for load balancing. Someone else who is more NAT'tastic might have a way to stretch the IOS a bit more in this regard than I can, though.
  • GT-Rob Member Posts: 1,090
    Ah yes, sorry for the confusion. It's people on the network trying to VPN out. It seems that you occasionally get issues with the tunnel (even our own), and I think it has something to do with the NAT bouncing between the two WAN IPs. It's not a problem when I drop down to 1 DSL anyway.
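A concrete way to get the "once a LAN IP is on a WAN IP it stays there" behaviour the original post asks for, while keeping the interface-matching NAT route-maps from the thread, and a practical form of jason_lunde's "NAT a particular set of users to one interface" suggestion. The trick is to stop letting the routing table pick the dialer per flow: policy-based routing on the guest LAN interface pins each host to a dialer as a pure function of its source address, and the NAT route-maps (still keyed on the egress interface) then always translate that host to the same WAN IP. This is an added example written for this page, not the poster's configuration; the guest VLAN (Vlan100), its 10.10.0.0/24 addressing, and the ACL and route-map names are assumptions. Dialer1 and Dialer6 are the two dialers from the thread.

```cisco
! --- Added example, not the original poster's config ---
! Assumptions: guest wireless lands on Vlan100, 10.10.0.0/24 (hypothetical);
! the two PPPoE uplinks are Dialer1 and Dialer6 as in the thread.
!
! 1. Split guest hosts into two buckets by the low bit of the host address.
!    Wildcard 0.0.0.254 means "bit 0 must match, all other host bits are
!    don't-care", so even hosts land in GUEST-EVEN and odd hosts in GUEST-ODD
!    no matter what order DHCP hands out leases. The split is per host, not
!    per packet, so a host's flows never straddle two dialers.
ip access-list extended GUEST-EVEN
 permit ip 10.10.0.0 0.0.0.254 any
ip access-list extended GUEST-ODD
 permit ip 10.10.0.1 0.0.0.254 any
ip access-list extended GUEST-ALL
 permit ip 10.10.0.0 0.0.0.255 any
!
! 2. Policy-route each bucket out a fixed dialer. A second interface in
!    "set interface" is used only if the first one is down.
route-map GUEST-PBR permit 10
 match ip address GUEST-EVEN
 set interface Dialer1 Dialer6
route-map GUEST-PBR permit 20
 match ip address GUEST-ODD
 set interface Dialer6 Dialer1
!
! 3. NAT route-maps keep matching the egress interface, exactly as in the
!    thread, so the translation always uses the address of the dialer the
!    packet really leaves on. PBR has made that dialer a function of the
!    source IP, so each LAN host now always appears from one WAN IP.
route-map NAT-D1 permit 10
 match ip address GUEST-ALL
 match interface Dialer1
route-map NAT-D6 permit 10
 match ip address GUEST-ALL
 match interface Dialer6
ip nat inside source route-map NAT-D1 interface Dialer1 overload
ip nat inside source route-map NAT-D6 interface Dialer6 overload
!
interface Vlan100
 description Guest wireless (hypothetical)
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip policy route-map GUEST-PBR
!
interface Dialer1
 ip nat outside
!
interface Dialer6
 ip nat outside
```

To check it is doing what you expect, `show route-map GUEST-PBR` shows the policy-routing match counters per sequence, and `show ip nat translations | include 10.10.0.` should show every translation for a given inside host carrying the same outside address. Two caveats: the balance is by host count, not bandwidth, so a third DSL line needs a third bucket (for example split on the low two bits into four buckets and give one dialer two of them); and a Dialer interface normally stays up (spoofing) even when its PPPoE session is gone, so the fallback in `set interface` only covers the interface actually going down. If real session failover matters, track the uplinks with IP SLA instead of relying on that fallback.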