D&C GLug - Home Page


Re: [LUG] Two DrayTek Vigor modems on the same LAN

 

You are of course correct, Gordon - and we've encountered that issue with banks especially.

But.. many other things don't use IPs as identifiers, sessions and cookies are less transient and even with a single line and budget ISPs changing your IP if your connection drops (and the newer ISP-NAT option also queers the pitch in the other direction!), it's only a very few sites that now rely on originating IP as an identifier.

In fact, I'd wager pretty much the vast majority of websites are IP agnostic, apart from logging.

I've lived with this exact solution using drayteks and three work sites and at home for several years and any issues reduce over time as more and more sites move onto sessions. At home, I have two ISPs and my online banking doesn't barf (Natwest) because of my IP, even when it changes mid session. What you say most definitely was the case - and widely - but in my experience (which is not scientific nor even representative), not so much now.

But one unexpected gotcha was that one of my ISPs has blocked certain websites deemed to be in breach of copyright (p2p, typically), and if access to those happens to route through one, I get the page blocked message.

Another problem scenario is one I've created - where a public facing website has a .htaccess rule restricting access by IP (because it contains admin-only functions that I don't want the world to access). But even there, a static route to that IP in draytek's web interface fixes it.

I remember how easy it was once to ban dodgy players from gaming servers back in the day, and then DHCP at ISPs started and things got a whole lot more difficult!

And as for IPV6... :)

On 14 September 2014 11:22, Gordon Henderson <gordon+lug@xxxxxxxxxx> wrote:
On Sun, 14 Sep 2014, Simon Avery wrote:

Also - why not take benefit from load balancing and effectively doubling
your downstream (in multi-fetch uses like webpages) if it's easy?

It's not always that easy )-:

An issue you'll find - and I've had it in the past - is that you go to a web site, the load balancer sends the first request via the first ISP connection, then you log in/authenticate, then the next request you send goes via the 2nd ISP - and then the remote site goes: "woa, you changed IP addresses, login again".

This happens especially with banks and some other ecommerce sites.

There are ways to make it such that all data to a site is kept to one ISP's connection, but even then I've had issues when the remote sites use different servers to serve content - and if each of those servers use the same authentication, then that fails too. Again banks seem to be the worst for this sort of thing.

That's not perfect as then all accesses to that particular remote site will be cached into that one ISP's connection - so when everyone in the office accesses Dilbert, it all uses one ISP connection with the other sitting idle...

What you can do is arrange for the load balancing to work based on the source IP address - ie. the PC on the inside connecting to the outside, so that all transactions from that PC go via one ISP - until there have been no data transferred for some time then that PC's internal IP can go back into the balancing pool to work out which ISP connection to use for the next transaction - that's not perfect though and you still end up with situations like the above - either one ISP's line being saturated, or your time-out not being long enough so the remote site sees an IP address change and wants you to re-authenticate with it.

But apart from sites which authenticate on every transaction that sort of load balancing works relatively OK and is a cheap solution.

Gordon


--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
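
The source-IP balancing with an idle timeout that Gordon describes, modelled as an added example (not code from the thread and not how DrayTek firmware works internally). The class name, the round-robin choice for unpinned hosts, the addresses and the timings are all constructed assumptions; it reports the moments at which a remote site that ties a login to the client's public IP would see the address change.

```python
class StickyBalancer:
    """Pin each inside host to one WAN until it has been idle too long."""

    def __init__(self, wans, idle_timeout):
        self.wans = list(wans)
        self.idle_timeout = idle_timeout  # seconds of silence before re-balancing
        self.pins = {}                    # inside IP -> (wan, time last seen)
        self.next_idx = 0                 # round-robin pointer for unpinned hosts

    def route(self, src_ip, now):
        pin = self.pins.get(src_ip)
        if pin and now - pin[1] <= self.idle_timeout:
            wan = pin[0]                  # still active: keep the same ISP
        else:
            wan = self.wans[self.next_idx % len(self.wans)]
            self.next_idx += 1            # idle or new: back into the pool
        self.pins[src_ip] = (wan, now)
        return wan


def wan_changes(balancer, requests):
    """Replay (time, inside_ip) requests; list each point where a host's WAN,
    and therefore its public IP as seen by the remote site, changed."""
    last, changes = {}, []
    for t, src in requests:
        wan = balancer.route(src, t)
        if src in last and last[src] != wan:
            changes.append((t, src, last[src], wan))
        last[src] = wan
    return changes


# Constructed traffic: two office PCs, times in seconds.
REQUESTS = [
    (0, "192.168.1.10"), (5, "192.168.1.11"), (60, "192.168.1.10"),
    (200, "192.168.1.10"), (400, "192.168.1.11"), (900, "192.168.1.10"),
]

if __name__ == "__main__":
    for timeout in (300, 3600):
        lb = StickyBalancer(["ISP-A", "ISP-B"], idle_timeout=timeout)
        print(timeout, wan_changes(lb, REQUESTS))
```

With the 300 second timeout both PCs are moved to the other line after a pause, which is the re-authentication case; with 3600 seconds neither moves, at the cost of each PC staying on one line for the whole period.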