nanog mailing list archives
Re: Question about migrating to IPv6 with multiple upstreams.
From: Joel Maslak <jmaslak () antelope net>
Date: Mon, 13 Jun 2011 20:04:41 -0600
On Mon, Jun 13, 2011 at 6:59 PM, Randy Carpenter <rcarpen () network1 net>wrote: This is precisely what we are doing on the main network. We just want to
keep the general browsing traffic separated.
If you're worried about browsing traffic and not worried about occasional other things slipping through, set up Squid and WPAD on your network. Direct all general internet stuff (via WPAD) out the cheap connection, the business-critical traffic through the other traffic. Now things that don't listen to the WPAD configuration (basically anything but PC and Mac browsers) will go out your expensive connection. But it sounds like a little bit of leakage wouldn't be a huge problem. You could get a bit fancier and run DNS on the proxy server, so that the proxy uses itself for DNS resolution rather than the corporate DNS. That would let you do basic browsing while the corporate WAN is down. The proxy would be the only box on the cable modem segment. It would also need an interface on some internal LAN segment. Default route on it would be via the cable modem, with routes to everything internal on the internal interface. Make sure you set the cable modem IP as Squid's outbound IP, and make sure your WPAD file doesn't use this proxy for anything internal. Everything else inside the network would have a default route pointing at the corporate WAN and wouldn't know anything about the cable segment. The nice thing about this setup is that you don't have any address translation going on and only one IP per host. You can replace Squid with the proxy of your choice, doing as much or as little caching as you want to do (and other things if desired, like virus scanning, deep packet inspection, or content filtering - if your policy requires it). Make sure you talk to your legal and/or HR about what logs should be kept or removed from the proxy. You may also want to repress X-Forwarded-For headers to keep your internal network addressing hidden while browsing. Also remember to make sure the proxy is secure enough to trust as a firewall for your corporation - or put it behind a firewall that is secure enough.
Current thread:
- Re: Question about migrating to IPv6 with multiple upstreams., (continued)
- Re: Question about migrating to IPv6 with multiple upstreams. Matthew Reath (Jun 11)
- RE: Question about migrating to IPv6 with multiple upstreams. Rob V (Jun 11)
- RE: Question about migrating to IPv6 with multiple upstreams. Matthew Reath (Jun 11)
- Re: Question about migrating to IPv6 with multiple upstreams. Randy Carpenter (Jun 11)
- RE: Question about migrating to IPv6 with multiple upstreams. Matthew Reath (Jun 11)
- RE: Question about migrating to IPv6 with multiple upstreams. Rob V (Jun 11)
- Re: Question about migrating to IPv6 with multiple upstreams. Matthew Reath (Jun 11)
- RE: Question about migrating to IPv6 with multiple upstreams. Frank Bulk (Jun 11)
- Re: Question about migrating to IPv6 with multiple upstreams. Seth Mos (Jun 11)
- Re: Question about migrating to IPv6 with multiple upstreams. Randy Carpenter (Jun 12)
- Re: Question about migrating to IPv6 with multiple upstreams. Owen DeLong (Jun 13)
- Re: Question about migrating to IPv6 with multiple upstreams. Randy Carpenter (Jun 13)
- Re: Question about migrating to IPv6 with multiple upstreams. Joel Maslak (Jun 13)
- Re: Question about migrating to IPv6 with multiple upstreams. William Herrin (Jun 13)
- Re: Question about migrating to IPv6 with multiple upstreams. Owen DeLong (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. Randy Carpenter (Jun 12)
- Re: Question about migrating to IPv6 with multiple upstreams. Ray Soucy (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. William Herrin (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. Ray Soucy (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. Randy Carpenter (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. Owen DeLong (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. Valdis . Kletnieks (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. Randy Carpenter (Jun 14)
- Re: Question about migrating to IPv6 with multiple upstreams. Ray Soucy (Jun 14)