Using OpenWrt as colocation router

Hi! I run 2 servers at home for running a rendering service for my app, which was easy to configure since I'm on a single static IP from the ISP. I'm moving to a place where I can't get a wired internet connection and the 4G internet is flaky so I'm bringing 2 servers to the nearest colocation. I'm getting a /29 block with a single ethernet 1gbit symmetrical drop in a 12U rack (need 8U for the servers).

Now I'm planning to use a Sitecom WLR-8100 with OpenWrt/LEDE 19.07 to do the routing & firewall. I've already been playing with it and like it very much so far, however I have little understanding of how I need to correctly route the IP addresses.

I'm also looking to use the device to connect the 2 IPMI controllers of the servers and make those accessible via VPN. I think I can just run an OpenVPN server for free since I've got static IPs?

Could someone point me in the direction of what I need to do/learn to make this possible?
Is my router up for the task? I could run a firewall VM on one of the servers if needed but would still need access via IPMI in case the server gets stuck so would prefer a dedicated router. VPN bandwidth is not very important, bandwidth to the server would ideally be the full 1gbit symmetrical.

Thanks!

It takes some significant oomph to route a gigabit. If your application requires some sort of interactivity, then even more so, as you'll possibly want SQM.

The lowest end thing I'd consider would be the RPi 4, which I benchmarked recently. But I'd have concerns about that setup in a remote location, mainly regarding the USB ethernet dongle, and the tendency for people to not take this seriously as an important piece of hardware (so maybe dropping it on the floor, etc.). If you feel like you're going to have good "remote hands" who could reset things without dropping them off the rack or whatever, then it could work ok. You could probably do it as a 1U tray, and some velcro tape to keep it in place, along with a switch that you'll want to have, and maybe even have a second unit in there that could be swapped in if there's a failure (cheap enough). I've been running it as my main router for a symmetric gigabit GPON link, and have never needed to restart it or touch it in any way, but then I don't need to drive an hour and key-card into a locked cabinet in order to restart it if I do have a problem.

You might think about just running the router in a VM on one of your existing machines, and maybe look at using keepalived to fail-over to other VMs... Basically all your servers could have OpenWrt running in a VM but only one of them would be active at any time. Any server that dies, the next highest priority machine takes over routing. I think that's what I'd look at, since it sounds like you have plenty of hardware on these machines.

You'll want to budget space for a decent rack mounted switch. Something like the TP-Link jetstream T-2600G maybe? In fact, that device can do the routing itself for ipv4.

A bandwidth of 100 mbps or more would be adequate to get started actually. I would first want to check how the current router performs. The datacenter is only 15 minutes away so I won't need remote hands for the foreseeable future. I'll get the switch you recommend if it turns out too slow.

Any pointers to where I can learn how to set up the routing and firewall correctly and set up the VPN for IPMI access?

You're talking about setting up a real internet site, so instead of all the NAT garbage you just put a static IP on the LAN and set your individual machines to have static DHCP leases.

You need a static route to your upstream router, and WAN probably is "unmanaged" without any IP, as your router's public IP is on its LAN interface.

You should check out WireGuard as your VPN and put the IPMI ports on a separate VLAN. I'd classify all this as a medium advanced setup.


Thanks, that's the kind of advice I was looking for.
The servers are only available through an app, they don't get other traffic for now.

Another (stupid) question: if my /29 block would be for example 90.210.50.88/29, will my router automatically receive 90.210.50.88?

I'm taking some CCNA courses soon so I hope this will become child's play in time.

88 is the first address of the subnet, hence it is the network address, which, along with the last (broadcast) address, is not used for the hosts. So this /29 gives you 6 usable addresses, which is practically 5 because one will belong to the upstream router.
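To make the /29 arithmetic above concrete, here is a POSIX shell subnet calculator (an added example, not from this thread) that runs in BusyBox ash on OpenWrt as well as bash; it also handles the /31 and /32 cases, which the thread does not cover. The address 90.210.50.88/29 from the question is used as the sample input.

```shell
#!/bin/sh
# Added example: compute network, broadcast and usable host range for a CIDR block.
# Works with plain POSIX shell arithmetic, so it can be pasted onto an OpenWrt router.

ip2int() {
    # dotted quad -> unsigned 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # unsigned 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print network, broadcast, first/last usable host and usable host count for a.b.c.d/prefix.
subnet_info() {
    case "$1" in */*) ;; *) echo "usage: subnet_info a.b.c.d/prefix" >&2; return 2 ;; esac
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || { echo "bad prefix: $prefix" >&2; return 2; }
    ipn=$(ip2int "${1%/*}")
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ipn & mask ))
    bcast=$(( net | (4294967295 ^ mask) ))
    if [ "$prefix" -ge 31 ]; then
        # RFC 3021: /31 (and /32) reserve no network/broadcast address
        first=$net; last=$bcast; usable=$(( bcast - net + 1 ))
    else
        first=$(( net + 1 )); last=$(( bcast - 1 )); usable=$(( bcast - net - 1 ))
    fi
    printf 'network=%s broadcast=%s first=%s last=%s usable=%s\n' \
        "$(int2ip "$net")" "$(int2ip "$bcast")" "$(int2ip "$first")" "$(int2ip "$last")" "$usable"
}

# Exit 0 if a.b.c.d/prefix may be assigned to a host (i.e. it is neither the
# network nor the broadcast address of that block), 1 otherwise.
assignable() {
    info=$(subnet_info "$1") || return 2
    ip=${1%/*}
    for kv in $info; do
        case "$kv" in network=*|broadcast=*) [ "${kv#*=}" = "$ip" ] && return 1 ;; esac
    done
    return 0
}

# Demo with the block from the question: .88 is the network address, .89-.94 are usable.
subnet_info 90.210.50.88/29
```

Running it on the router's block answers the question directly: `assignable 90.210.50.88/29` fails, so the router must take one of .89 through .94 (whichever the upstream does not use), and `subnet_info` is equally valid for any prefix length.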


Do your machines respond to HTTP requests or do you have some kind of custom protocol? There isn't necessarily any reason to have the machines have their own IPv4s rather than, say, a single IPv4 on a load balancing proxy machine (the router) which then sends the request through to a different internal machine each time. This would give you fault tolerance as well... if each machine has its own IPv4 and one machine has to be taken offline, then whatever app tries to connect to that machine has its packets go into a black hole... The load balancer instead would just load balance to a separate machine.

In fact, with the proxy in place, you could run the internal network as IPv6 only, and avoid the headache of IPv4 /29 subnets etc. :wink:

https://nginx.org/en/docs/http/load_balancing.html

There's a server in the middle that currently does the load balancing; the servers announce their existence to that server and communicate via a websocket.
After moving I will probably look into switching it all to IPv6 and running the load balancer on a pfSense router.

I managed to configure it, just having some issues with setting up WireGuard, but I'll figure it out.
The router maxes out at ~300 mbit in both directions which is enough while I wait for a beefier setup.


The WireGuard speed is about 50-70 mbit symmetrical.
I'm getting a Qotom box with an i7-5200U & 8 GB RAM to replace it, but performance is surprisingly good!
