how to assign 2 IPs to server + using 2 isp ?


scott

Hi,

I am installing a backup ISP in order to make sure my ftp service is
available 24/7.

Do I just add two network cards to the FTP server to get this to work?

example below hopefully explains the setup.

Thanks
Scott



ISP1
ISP2

|
|

|
|

|
|

(public ip)
(public ip)

Router/modem/firewall (NO NAT)
Modem/Router (NAT 20/21)

99.99.2.1 (public ip)
192.168.1.1

|
|

|
|

|
|

|
192.168.0.50

|
Firewall (NAT 20/21)

|
192.168.2.1

|
|

|______________________________________________________|

|

|

SWITCH

|

____________________________ ____________________________

| |
|

|
192.168.2.4------ 99.99.2.3 (public ip)

|
FTP server

|
IIS6




firewall

|

|

|

LAN
 

scott

sorry - diagram kind of went arse over foot there.......

the idea was....

ISP1               ISP2
 |                  |
 |                  |
 |                  |
pub IP             pub IP
firewall           firewall
99.99.99.1         192.168.1.1
 |                  |
 |                  |
 |__________________|
          |
          |
        switch________________firewall (LAN)
          |
          |
          |____________
          |           |
     99.99.99.2   192.168.1.2
     ftp server on 2003
     has 2 x NIC

Thanks
Scott
 

Phillip Windell

You can't have a "backup" ISP to keep an FTP Server up.

You can have a backup link to the *same* ISP if you make such arrangements
with that ISP and use the equipment and methods they want you to use.

--------------------------
One other "kludge" would be to run two separate FTP machines (one on each
link) that both point back to the same "third" machine as the source
location for the Sites or Virtual Folder. The third machine doesn't have to
be anything other than a fileserver to store the files.

You could do something similar by having the second FTP Server use a folder
location on the main FTP machine as the "source of the Site or Virtual
Folder.
 

scott

Hi Phil,

Thanks for reply. I don't understand why this would not work?

The ftp server has two NICs:
NIC 1: 192.168.1.2, gateway = 192.168.1.1, subnet 255.255.255.0
NIC 2: 99.99.99.2, gateway = 99.99.99.1, subnet: 255.255.248.0

Does this not work because of the routing or because of the way the FTP
server listens ? (or both)

Thanks for your advice.
Scott.
 

scott

Hi,

Think I understand now, ftp can only listen on 1 port at a time and one
connection.

The problem with running two FTP front end servers is that I would need to
duplicate user names unless I used AD. I guess I could set up the back end
data server as a DC with AD.

There must be a way of doing this using 2 nics and virtual ftp servers on
the one machine.....

one machine
ftp site 1 - listen on 20/21 on NIC1 - 192.168.1.2
ftp site 2 - listen on 20/21 on NIC 2 - 99.99.99.2

both sites use same home dir ?

Would this not work ?

Scott
 

Phillip Windell

scott said:
> The problem with running two FTP front end servers is that I would need to
> duplicate user names unless I used AD.

Don't need duplicate usernames if a DC is used for authentication.

> I guess I could set up the back end data server as a DC with AD.

You mean there is no DC already around there to begin with?

> There must be a way of doing this using 2 nics and virtual ftp servers on
> the one machine.....
> one machine
> ftp site 1 - listen on 20/21 on NIC1 - 192.168.1.2
> ftp site 2 - listen on 20/21 on NIC 2 - 99.99.99.2
> both sites use same home dir ?
> Would this not work ?

No. The "outbound" packet would always go out the Nic associated with the
Default Gateway and not the Nic it originally came in on. So if the line
went down that is associated with the Default Gateway, then the other link
would be "helpless",...that is, the packet would get to the server from the
second link, but the server could not "acknowledge" the packets because the
Default Gateway would be "dead". ...And before you ask *no* you cannot have
more than one Default Gateway,...yes you can add multiple gateways to the
list in the settings but those are for "Dead Gateway Detection" and all the
gateways on the list must be in the same subnet,...which *won't* be the case
with you due to using two ISPs.

Now there might be possibilities if your Router coming in could be set up to
have both ISP links coming into it (3 interfaces total with the FTP on the
3rd) and then the FTP Server would only have to worry about the one link
between it and the Router. Then your Router would be the device to handle
and make decisions on what route to take and the FTP Server would be
isolated from all that. But to do this you would have to be "straight up"
with both ISPs about doing this and may require their help and cooperation
to make it work. They would be able to verify if it is possible to do or
not,...remember that your network isn't the only one involved, ...it
includes both ISP's networks as well. The FTP server is only going to have
an IP# from one ISP or the other (not both due to different subnets) so one
ISP would have to be willing to route packets belonging to the other ISP if
the link of that particular ISP went down. The success of this is very
unlikely, but I thought I'd throw it out there.
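
The route selection described in the reply above, as an added example that is not part of the original thread: a small Python model of destination-based, longest-prefix route lookup using the NIC settings scott posted. Assumptions: the default gateway in use is the one on NIC2, the client address 203.0.113.10 is constructed, and the ISP2 router forwards FTP without rewriting the client's source address.

```python
import ipaddress

# NIC settings as posted in the thread.
NICS = {
    "NIC1": {"ip": "192.168.1.2", "mask": "255.255.255.0", "gateway": "192.168.1.1"},
    "NIC2": {"ip": "99.99.99.2", "mask": "255.255.248.0", "gateway": "99.99.99.1"},
}

def routing_table(default_nic):
    """One on-link route per NIC plus the single active default route."""
    routes = []
    for name, nic in NICS.items():
        network = ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}").network
        routes.append((network, None, name))
    default = ipaddress.ip_network("0.0.0.0/0")
    routes.append((default, NICS[default_nic]["gateway"], default_nic))
    return routes

def egress_nic(routes, destination):
    """Longest-prefix match on the destination only; the arrival NIC is not an input."""
    dst = ipaddress.ip_address(destination)
    matches = [route for route in routes if dst in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen)[2]

def reply_path(arrived_on, client_ip, default_nic, link_up):
    """Return (egress NIC, asymmetric?, egress link up?) for the server's reply.

    Models route selection only, not NAT or filtering further along the path.
    """
    out_nic = egress_nic(routing_table(default_nic), client_ip)
    return out_nic, out_nic != arrived_on, link_up[out_nic]

if __name__ == "__main__":
    client = "203.0.113.10"  # constructed client address (documentation range)
    for links in ({"NIC1": True, "NIC2": True}, {"NIC1": True, "NIC2": False}):
        # The request arrived on NIC1 (ISP2 side); the default gateway is on NIC2.
        print(links, reply_path("NIC1", client, "NIC2", links))
```

With the default-gateway link down, the request still reaches the server on NIC1, but the reply is queued for NIC2 and never leaves.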
 

Phillip Windell

Phillip Windell said:
> ISP would have to be willing to route packets belonging to the other ISP if
> the link of that particular ISP went down. The success of this is very
> unlikely, but I thought I'd throw it out there.

I should make this a little clearer. Like I said there are three networks
involved, not just yours (2 ISPs plus you). There are three "end points" to
this setup (like a triangle). One is at your place and one at each ISP. All
three of these endpoints must have "fail-over" routes rigged up to send
traffic over the other "leg" of the triangle in a failure. Do you really
expect the ISPs to work together for this to work?...I really doubt it.
This is why I think the multiple FTP server model where they both use a
common source location for the files is the way to go. You will have to
advertise the second FTP as a "mirror" site and it will be up to the user to
connect to the second one if they can not get to the first one.
 

scott

Hi,

Thanks for the replies and sorry for all the posts.

So you are suggesting the following using the mirror method:

ISP1               ISP2
 |                  |
 |                  |
 |                  |
ftp server1    ftp server 2
 |                  |
 |____dir server____|

Then AD would authenticate for both.

No DC at moment as it's just the DMZ segment of the network and only hosts a
couple of machines. I thought it would be too much of an overhead. There is
a DC on the LAN.

Thanks again for your time.
Scott.
 

Phillip Windell

Yes, although it could be done without a DC. You'd have to study the right
way to get the authentication to work, but it is the most "doable" way.
 
