
ISP Load Balancing

Windows7ge

In a recent LTT video (The Video) Linus mentioned configuring his new static IP around the 5:00 minute mark. I'm confused. I get that the installers claimed it wouldn't work but with two lines wouldn't that result in two static public IP addresses? If he were to open ports to access his back-up server how would he configure two static IPs to access the network in load balancing? On an internal network I understand how link aggregation works (not the same as load balancing I know but it operates on a similar principle). What I'm asking is if he connects to one of his public IPs to access his network how does iTel link the independent IPs to allow the simultaneous transmission between the one static IP being used and the other one that's not specified.

 

Ex: I have two ISP links. One has a public static IP of 45.89.133.113 and the other 45.89.133.114

If I'm outside the network and I connect to .113 or .114 how does iTel start the link to the other public static IP and initialize the parallel simultaneous communication?


Here's how it works, it's not just a 'dumb box'. It's basically an end to end tunnel split up over two connections. The static IP is assigned to the tunnel at the server location.

EDIT:

4 minutes ago, Windows7ge said:

 

Ex: I have two ISP links. One has a public static IP of 45.89.133.113 and the other 45.89.133.114

If I'm outside the network and I connect to .113 or .114 how does iTel start the link to the other public static IP and initialize the parallel simultaneous communication?

You see neither IP address, you see a static IP assigned by iTel at their tunnel point. I believe iTel is just doing link aggregation over two tunnels.

▶ Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. - Einstein◀

Please remember to mark a thread as solved if your issue has been fixed, it helps other who may stumble across the thread at a later point in time.


The two connections are from the same ISP and the device that is balancing the traffic is doing it at layer 1/2 of the ISO model, IP addresses are layer 3. To get this to work both ends of the connection need the aggregation device, that means at the customer premises and at the ISP node.

 

The public IP address is set on the device that plugs in to the WAN port of the aggregation device and as far as this device (router/firewall) is concerned there is nothing between it and the ISP router, the aggregation is transparent and it has no idea this is happening. 


5 hours ago, leadeater said:

The public IP address is set on the device that plugs in to the WAN port of the aggregation device

The router would hold the public IP address. But there's two. Unless you negotiated with the ISP to have two routers share one public IP. Alternatively the iTel box is sending broadcast messages out the WAN ports with its own unique IP waiting for an incoming connection.


11 hours ago, ionbasa said:

Here's how it works, it's not just a 'dumb box'. It's basically an end to end tunnel split up over two connections. The static IP is assigned to the tunnel at the server location.

EDIT:

You see neither IP address, you see a static IP assigned by iTel at their tunnel point. I believe iTel is just doing link aggregation over two tunnels.

So what you propose is something similar to this diagram:

Screenshot_1.png

I would connect to 96.200.19.8 and iTel would establish the link to both of my routers in some type of link aggregation.


2 hours ago, Windows7ge said:

So what you propose is something similar to this diagram:

Screenshot_1.png

I would connect to 96.200.19.8 and iTel would establish the link to both of my routers in some type of link aggregation.

Yes, that's how I understand that this works. I don't really see any other solution, but someone else may chime in here.  


5 hours ago, Windows7ge said:

So what you propose is something similar to this diagram:

Screenshot_1.png

I would connect to 96.200.19.8 and iTel would establish the link to both of my routers in some type of link aggregation.

There would be a device in front of Home Router 1 and Home Router 2 and another device at the ISP Node (Cloud-PT). Either the aggregation device would need multiple WAN/Router connection ports or you just put a switch between it and the routers.

 

If you want IP Address failover between your two routers you could use VRRP or HSRP. This would work for both your public IPs and for the internal gateway address set on client PCs.


2 hours ago, leadeater said:

There would be a device in front of Home Router 1 and Home Router 2 and another device at the ISP Node (Cloud-PT). Either the aggregation device would need multiple WAN/Router connection ports or you just put a switch between it and the routers.

 

If you want IP Address failover between your two routers you could use VRRP or HSRP. This would work for both your public IPs and for the internal gateway address set on client PCs.

He's referring to iTel's implementation that Linus recently showed off:

 

No device in front of the home routers. It's just a 'black box' that goes after the home routers. Effectively it's tunneling over two network connections with either link aggregation or failover, or a combination of both. OP never asked about IP Address failover. The IP the external world sees would be a statically assigned IP by iTel. That iTel connection is then tunneled to the black box (using two tunnels) which are then link aggregated. At least that's how I understand it.


1 hour ago, ionbasa said:

He's referring to iTel's implementation that Linus recently showed off:

 

No device in front of the home routers. It's just a 'black box' that goes after the home routers. Effectively it's tunneling over two network connections with either link aggregation or failover, or a combination of both. OP never asked about IP Address failover. The IP the external world sees would be a statically assigned IP by iTel. That iTel connection is then tunneled to the black box (using two tunnels) which are then link aggregated. At least that's how I understand it.

Before or in front of that is the same thing, behind a router is the internal network and in front of is WAN. That black box is exactly what I'm talking about ;). Networking people look at it the opposite to how you are, hence the confusion. Also it's not 802.3ad Link Aggregation, it's actually smarter than that.

 

I just added the IP address failover in case OP wanted that and wasn't aware they could do it. The public IP Address is statically assigned to the router that plugs in to the aggregator, as stated in the video.

 

We're all victims of too little information, not enough shown in @LinusTech's video. It looks to me there are two cable modems (Only Use PTY) set up in bridge mode to the aggregator then out of the aggregator is the router with the public static IP address.


15 hours ago, leadeater said:

Before or in front of that is the same thing, behind a router is the internal network and in front of is WAN. That black box is exactly what I'm talking about ;). Networking people look at it the opposite to how you are, hence the confusion. Also it's not 802.3ad Link Aggregation, it's actually smarter than that.

 

I just added the IP address failover in case OP wanted that and wasn't aware they could do it. The public IP Address is statically assigned to the router that plugs in to the aggregator, as stated in the video.

 

We're all victims of too little information, not enough shown in @LinusTech's video. It looks to me there are two cable modems (Only Use PTY) set up in bridge mode to the aggregator then out of the aggregator is the router with the public static IP address.

If I'm understanding what you're saying then you believe the "black box" has a globally unique public IP address assigned to it and that it is the IP you connect to when accessing the private network?


2 hours ago, Windows7ge said:

If I'm understanding what you're saying then you believe the "black box" has a globally unique public IP address assigned to it and that it is the IP you connect to when accessing the private network?

Yes.


4 hours ago, Windows7ge said:

If I'm understanding what you're saying then you believe the "black box" has a globally unique public IP address assigned to it and that it is the IP you connect to when accessing the private network?

No, it does not have an IP address at all. You can do all of the aggregation at Layer 1 and 2 of the OSI model which has nothing to do with Layer 3 (IP Addressing). Your router sends out frames from its WAN port, the black box then splits them then sends them down each WAN connection to the ISP node where the other aggregator re-combines them and forwards them on, your router and the rest of the internet has no idea that this is happening.

 

The public IP addresses would still be on your Cisco 1941 router. There are also different models of the aggregator which Linus mentioned in the video, likely one that has more than a single port for a router.

 

Tunnels don't have to have IP addresses, GRE tunnels and Layer 2 VPNs for example don't have or don't need to have IP addresses at all. Different thing to what this is but just another example of a similar thing that does not have IP Addresses.

 

ISPs make use of MPLS to route traffic across the internet which is a Layer 2 protocol and has no IP Addresses, this is why when you run a trace route across the internet there are so few hops. There are great spans across many hops that are transparent to trace route because of MPLS.


On 9/19/2016 at 6:36 PM, leadeater said:

No, it does not have an IP address at all. You can do all of the aggregation at Layer 1 and 2 of the OSI model which has nothing to do with Layer 3 (IP Addressing). Your router sends out frames from its WAN port, the black box then splits them then sends them down each WAN connection to the ISP node where the other aggregator re-combines them and forwards them on, your router and the rest of the internet has no idea that this is happening.

 

The public IP addresses would still be on your Cisco 1941 router. There are also different models of the aggregator which Linus mentioned in the video, likely one that has more than a single port for a router.

 

Tunnels don't have to have IP addresses, GRE tunnels and Layer 2 VPNs for example don't have or don't need to have IP addresses at all. Different thing to what this is but just another example of a similar thing that does not have IP Addresses.

 

ISPs make use of MPLS to route traffic across the internet which is a Layer 2 protocol and has no IP Addresses, this is why when you run a trace route across the internet there are so few hops. There are great spans across many hops that are transparent to trace route because of MPLS.

I understand what you're saying for the most part. It's just that the two routers have their own public IP addresses. If you are attempting to establish a link from the inside to an outside source then what you say makes perfect sense. However what if I want to establish a link from the outside/in? Is it possible to just pick one of the two public IP addresses on the remote network to start the link and the iTel box establish the aggregation on its own? It's the only way that makes sense to me.


2 hours ago, Windows7ge said:

I understand what you're saying for the most part. It's just that the two routers have their own public IP addresses. If you are attempting to establish a link from the inside to an outside source then what you say makes perfect sense. However what if I want to establish a link from the outside/in? Is it possible to just pick one of the two public IP addresses on the remote network to start the link and the iTel box establish the aggregation on its own? It's the only way that makes sense to me.

Yea, how you would remotely access your network doesn't change. iTel does all its magic for you so realistically you don't have to worry about the aggregation at all. That's the nice thing about it, it just works.


This is how the traffic flow and IP addresses would work, for data coming from "the internet", to your computer behind iTel service:

 

  1. "The Internet" sends a reply to the static IP that iTel assigned you. As far as anyone other than you or iTel know, this IP address exists at iTel's datacenter, and so "the internet" routes the packets to iTel
  2. the packets arrive at iTel, addressed to your static IP. iTel's hardware recognizes your IP and looks up which links it has between the datacenter and you. For every link it finds in its records and knows that is up, it splits the data up. If you have two modems, that would be 2 links.
  3. iTel sends half the data to the box at your location via modem #1, and the other half via modem #2
    • it's important to note that the iTel box acts as two separate devices as far as the ISP(s) are concerned. It establishes a separate connection with each modem, and therefore has separate IPs on each link. It then sends the information about the IPs that it has to the datacenter. I assume they also do some connectivity testing over each link.
  4. the iTel box receives the two halves of the data, combines it, and sends it to your router.

To summarize:

  • The internet thinks your IP is located at the iTel datacenter
  • The iTel datacenter knows that your IP is actually whatever device is connected to the box at your location, and sends it to the box via all available links
  • the iTel box knows that your IP is the device connected to it
  • your router (or whatever you connect to the iTel box) has to be told what its IP is, otherwise it won't know the data being delivered to it by the iTel box is actually meant for it. As far as connection goes, your router thinks that it is connected directly to the internet as if it were connected to a single modem.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 
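
The split-and-recombine flow described in the post above, as an added illustration that is not part of the thread and is not iTel's actual protocol (the thread does not establish it). The `Link`, `Bonder` and `Combiner` names and the 8-byte fragment header are assumptions made for this sketch; it shows fragments arriving out of order across two links and a failover to one link.

```python
"""Toy per-packet bonding over two links (illustration only, not iTel's protocol)."""
import struct
from collections import deque

# Constructed fragment header: packet sequence number, fragment index, fragment count.
HEADER = struct.Struct("!IHH")


class Link:
    """One WAN path (e.g. one modem); frames queue here until delivered."""
    def __init__(self, name):
        self.name, self.up, self.queue = name, True, deque()


class Bonder:
    """Sending side: stripes each packet across every link that is currently up."""
    def __init__(self, links):
        self.links, self.seq = links, 0

    def send(self, payload):
        live = [link for link in self.links if link.up]
        if not live:
            raise ConnectionError("all bonded links are down")
        size = -(-len(payload) // len(live)) or 1  # ceiling division, minimum 1
        for idx, link in enumerate(live):
            chunk = payload[idx * size:(idx + 1) * size]
            # Each fragment is a complete frame with its own header, so a short
            # fragment is simply a short payload; nothing is padded in this sketch.
            link.queue.append(HEADER.pack(self.seq, idx, len(live)) + chunk)
        self.seq += 1


class Combiner:
    """Receiving side: rebuilds packets and releases them in sequence order."""
    def __init__(self):
        self.pending, self.next_seq = {}, 0

    def receive(self, frame):
        seq, idx, count = HEADER.unpack_from(frame)
        frags = self.pending.setdefault(seq, [None] * count)
        frags[idx] = frame[HEADER.size:]
        released = []
        # Release every packet that is complete and next in line.
        while self.next_seq in self.pending and None not in self.pending[self.next_seq]:
            released.append(b"".join(self.pending.pop(self.next_seq)))
            self.next_seq += 1
        return released


def demo():
    modem1, modem2 = Link("modem1"), Link("modem2")
    tx, rx = Bonder([modem1, modem2]), Combiner()
    # Constructed sample packets.
    packets = [b"GET /backup HTTP/1.1", b"Host: example.test", b"after-failover"]
    tx.send(packets[0])
    tx.send(packets[1])
    modem2.up = False          # second link fails: the next packet uses modem1 only
    tx.send(packets[2])
    # Deliver out of order: everything queued on modem2 arrives before modem1.
    out = []
    for frame in list(modem2.queue) + list(modem1.queue):
        out.extend(rx.receive(frame))
    return packets, out, len(modem1.queue), len(modem2.queue)


if __name__ == "__main__":
    sent, received, n1, n2 = demo()
    print(received == sent, n1, n2)
```
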

 


5 hours ago, brwainer said:

This is how the traffic flow and IP addresses would work, for data coming from "the internet", to your computer behind iTel service:

 

  1. "The Internet" sends a reply to the static IP that iTel assigned you. As far as anyone other than you or iTel know, this IP address exists at iTel's datacenter, and so "the internet" routes the packets to iTel
  2. the packets arrive at iTel, addressed to your static IP. iTel's hardware recognizes your IP and looks up which links it has between the datacenter and you. For every link it finds in its records and knows that is up, it splits the data up. If you have two modems, that would be 2 links.
  3. iTel sends half the data to the box at your location via modem #1, and the other half via modem #2
    • it's important to note that the iTel box acts as two separate devices as far as the ISP(s) are concerned. It establishes a separate connection with each modem, and therefore has separate IPs on each link. It then sends the information about the IPs that it has to the datacenter. I assume they also do some connectivity testing over each link.
  4. the iTel box receives the two halves of the data, combines it, and sends it to your router.

To summarize:

  • The internet thinks your IP is located at the iTel datacenter
  • The iTel datacenter knows that your IP is actually whatever device is connected to the box at your location, and sends it to the box via all available links
  • the iTel box knows that your IP is the device connected to it
  • your router (or whatever you connect to the iTel box) has to be told what its IP is, otherwise it won't know the data being delivered to it by the iTel box is actually meant for it. As far as connection goes, your router thinks that it is connected directly to the internet as if it were connected to a single modem.

Your explanation goes hand in hand with ionbasa's. Now I wonder though. Linus explains that the iTel box actually cuts the packets in half and sends them down both links. If this is true how does it prevent runt frames/packets from automatically forming? I would imagine it has to fill in the gap with leading 0's.


13 hours ago, leadeater said:

Yea, how you would remotely access your network doesn't change. iTel does all its magic for you so realistically you don't have to worry about the aggregation at all. That's the nice thing about it, it just works.

It seems the other two people in this conversation believe that iTel sets up an IP for you to use that they connect to your aggregated links. Do you think this is possible? Sounds just like a proxy server.


26 minutes ago, Windows7ge said:

It seems the other two people in this conversation believe that iTel sets up an IP for you to use that they connect to your aggregated links. Do you think this is possible? Sounds just like a proxy server.

Well realistically only iTel would know the exact specifics of how they configure it, problem is there is likely more than one way to do it like most things in networking. Since this is targeted more at businesses who need control over their public IP space I very much doubt it's anything like a proxy or SNAT.

 

It should be very much (in principle) like how I set up my ADSL connection with my FortiGate firewall. I have a Draytek Vigor 120 ADSL router configured in PPPoE pass-through which converts the PPPoE WAN connection on my firewall to PPPoA. In this configuration the Draytek is modem only and has no IP address at all, all it does is connect the ADSL line and modulates Ethernet frames into ATM voice data, the firewall has the public IP address on its WAN interface. The Draytek is invisible to the firewall and it has no idea that it exists and other than my ISP the rest of the internet has no idea it exists either.

 

I couldn't see any business using the aggregator service if it interferes with their ability to control their public IP addresses and the only way that is possible is if it is done transparently.

 

There are many things in networking that have nothing to do with IP addressing/Layer 3 of the OSI model, 802.3ad Link Aggregation being one of them. That is also a Layer 2 protocol, but there are enhancements which allow it to operate up to Layer 4 (TCP/UDP).


On 9/21/2016 at 11:18 AM, leadeater said:

Well realistically only iTel would know the exact specifics of how they configure it, problem is there is likely more than one way to do it like most things in networking. Since this is targeted more at businesses who need control over their public IP space I very much doubt it's anything like a proxy or SNAT.

 

It should be very much (in principle) like how I set up my ADSL connection with my FortiGate firewall. I have a Draytek Vigor 120 ADSL router configured in PPPoE pass-through which converts the PPPoE WAN connection on my firewall to PPPoA. In this configuration the Draytek is modem only and has no IP address at all, all it does is connect the ADSL line and modulates Ethernet frames into ATM voice data, the firewall has the public IP address on its WAN interface. The Draytek is invisible to the firewall and it has no idea that it exists and other than my ISP the rest of the internet has no idea it exists either.

 

I couldn't see any business using the aggregator service if it interferes with their ability to control their public IP addresses and the only way that is possible is if it is done transparently.

 

There are many things in networking that have nothing to do with IP addressing/Layer 3 of the OSI model, 802.3ad Link Aggregation being one of them. That is also a Layer 2 protocol, but there are enhancements which allow it to operate up to Layer 4 (TCP/UDP).

Linus mentioned that it can be used as fail over instead of aggregation so the idea that you use the public IPs on the WAN ports to access the internal network from the outside does seem like the more likely of the two possibilities. Including your aforementioned IP control. Most businesses probably wouldn't want their internet IP address access controlled by an entity that isn't their direct provider.


5 hours ago, Windows7ge said:

Linus mentioned that it can be used as fail over instead of aggregation so the idea that you use the public IPs on the WAN ports to access the internal network from the outside does seem like the more likely of the two possibilities. Including your aforementioned IP control. Most businesses probably wouldn't want their internet IP address access controlled by an entity that isn't their direct provider.

The iTel Bonding product (which is actually what they call it on their website) will fail over to just one link if the other fails. 

 

As for businesses, as an IT business person myself, I would actually trust iTel more than my local ISP. iTel is not the only people who do bonding services, they are just the one that contacted Linus. So that means there is competition, but my local ISP has no competition.


On 9/23/2016 at 0:03 AM, brwainer said:

The iTel Bonding product (which is actually what they call it on their website) will fail over to just one link if the other fails. 

 

As for businesses, as an IT business person myself, I would actually trust iTel more than my local ISP. iTel is not the only people who do bonding services, they are just the one that contacted Linus. So that means there is competition, but my local ISP has no competition.

Linus mentioned in the video that iTel had to configure things on their end so perhaps they do supply you with an IP that isn't either of your immediate IPs.
