This is a discussion on "2 NICs, same subnet for a 'gateway' that won't block traffic from 'outside' NIC" within the Linux Networking forums, part of the Linux Forums category.
Here's my problem,

I need to implement QoS for our servers so that the office can handle video conferencing (currently video conferencing locks up when replications start, etc.). QoS will work wonderfully for this, but the issue is that we've invested in hardware firewalls / VPN and these need to handle the external connection. If I simply put in a Linux router behind the VPN appliance, then I'm preventing VPN access to all the machines on the network behind the Linux router. One option I was thinking of is if the Linux box could have 2 NICs and function as a gateway; then I could point everyone at the gateway to get out, and it would then talk to the VPN appliance. Let's try a diagram:

            Internet
               |
               |
             -----
             |VPN|
             -----
               |
            --------
    PC------|SWITCH|-------PC
            --------
               ||
           ---------
           |LINUX  |
           |QoS    |
           ---------

Another thought... can the router be configured to let traffic through to the other side? Would strange routes have to be set up for people coming in from the VPN, or just on the VPN box? This would be ideal as anything coming in would have to go through the QoS box, so the outgoing traffic would then be shaped. Something like this:

            Internet
               |
               |
             -----
             |VPN|
             -----
               |
           ---------
           |LINUX  |
           |QoS    |
           ---------
               |
            --------
    PC------|SWITCH|-------PC
            --------

I hope these diagrams help. I hope I don't get too many responses like "MAKE YOUR FIREWALL LINUX!!" and the like... it simply is not an option. ;)

TIA!
-Ron
freat <rsenykoff@harrislogic.com> wrote:

> Something like this:
>
>         Internet
>            |
>            |
>          -----
>          |VPN|
>          -----
>            |
>        ---------
>        |LINUX  |
>        |QoS    |
>        ---------
>            |
>         --------
> PC------|SWITCH|-------PC
>         --------

This would be the best way. I think you would also need to do some traffic shaping on the Linux-QoS box, because (as the Advanced Routing and Traffic Control HOWTO tells us) we need to "own" the queue (be the slowest link, so we're the one shaping the traffic). What would your Linux box be doing exactly?

--
Cameron Kerr cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
The purpose of this gateway is to use QoS for traffic shaping. We've started installing video conferencing equipment at all our sites and these packets need to be given high priority so that email, server replication, etc. don't chop up the connection. I'm thinking that I would basically be making a bi-directional gateway. It's just that most of the configurations I've seen have been firewalls, and I'm not sure where to look to build a Linux-based gateway that essentially connects two subnets. Once that is done, I could install QoS for traffic shaping for the outside-facing NIC. Would I be able to configure Shorewall (http://shorewall.sourceforge.net/) to do this, or would I be overcomplicating things?
After doing some more research, it seems that I should be able to set up this gateway between the two subnets using IP aliasing. Does that make sense? Am I heading down the right path? TIA!
After digging and digging... I think I've found the solution. I need to make a Linux network bridge. A bridge has no IP and simply passes traffic through. This is beautiful as it does not change the topology of our network and therefore doesn't require changing routes on PCs etc. Here are some links for those interested:

Linux Advanced Routing & Traffic Control
http://lartc.org/
http://www.docum.org/

Dante - Traffic control and QoS with Linux
http://www.compsci.lyon.edu/mcritch/dante/