Question about migrating to IPv6 with multiple upstreams.

Joel Maslak jmaslak at
Tue Jun 14 02:04:41 UTC 2011

On Mon, Jun 13, 2011 at 6:59 PM, Randy Carpenter <rcarpen at>wrote:

This is precisely what we are doing on the main network. We just want to
> keep the general browsing traffic separated.

If you're worried about browsing traffic and not worried about occasional
other things slipping through, set up Squid and WPAD on your network.
Direct all general internet stuff (via WPAD) out the cheap connection, the
business-critical traffic through the other traffic.

Now things that don't listen to the WPAD configuration (basically anything
but PC and Mac browsers) will go out your expensive connection.   But it
sounds like a little bit of leakage wouldn't be a huge problem.  You could
get a bit fancier and run DNS on the proxy server, so that the proxy uses
itself for DNS resolution rather than the corporate DNS.  That would let you
do basic browsing while the corporate WAN is down.

The proxy would be the only box on the cable modem segment.  It would also
need an interface on some internal LAN segment.  Default route on it would
be via the cable modem, with routes to everything internal on the internal
interface.  Make sure you set the cable modem IP as Squid's outbound IP, and
make sure your WPAD file doesn't use this proxy for anything internal.

Everything else inside the network would have a default route pointing at
the corporate WAN and wouldn't know anything about the cable segment.

The nice thing about this setup is that you don't have any address
translation going on and only one IP per host.  You can replace Squid with
the proxy of your choice, doing as much or as little caching as you want to
do (and other things if desired, like virus scanning, deep packet
inspection, or content filtering - if your policy requires it).  Make sure
you talk to your legal and/or HR about what logs should be kept or removed
from the proxy.  You may also want to repress X-Forwarded-For headers to
keep your internal network addressing hidden while browsing.  Also remember
to make sure the proxy is secure enough to trust as a firewall for your
corporation - or put it behind a firewall that is secure enough.

More information about the NANOG mailing list