OK ... what about syncing connection tracking state tables between the two routers/firewalls? Is the ct_sync code from netfilter stable? Has anyone used it in a production environment? The netfilter-failover mailing list is pretty dead!

On Thu, 06 Jan 2005 22:16:42 +0000, Jose Luis Araujo <jlaraujo@xxxxxxxxxxxxxxxx> wrote:
> Hi.
>
> Sorry for the delay. Hope you are still interested in the idea.
>
> Kelly Jeglum wrote:
>
> >I'd like to set up a box with 2 NICs as a firewall which will also rate
> >limit outbound traffic. What happens when/if that box hangs or is
> >rebooted?
> >
> If you are doing NAT or routing, then you need to use VRRPD with two
> machines.
>
> >I'd like a solution that when there is a failure, traffic can still go
> >through the box even though the firewall and rate limiting functions will no
> >longer be in effect.
> >
> If on the other hand you want just the rate limiting, then you can try
> something. It only has one drawback: the switch that you use must
> have VLAN and STP support.
>
> The trick is this: you choose three ports and assign those to, say, VLAN
> 2, then choose another 3 ports and assign those to VLAN 3.
>
> Enable STP on both VLANs, increase the port cost on one port in each
> VLAN, and use a crossover cable to link them.
> Connect a port from each VLAN to the bridge/rate limiter.
> Connect the remaining port to your inner router, and to your outer router.
>
> Now, the idea is, the VLAN divides the switch virtually: traffic
> from VLAN 2 won't go to VLAN 3 unless they are physically connected;
> they behave like two switches (which will also work, provided that the
> switches permit VTP). When everything is working properly, the switch
> will see two links from VLAN 2 to VLAN 3 and will disable the one with
> the higher cost (the crossover cable), then all your traffic will flow
> through the bridge.
> If the bridge stops, hangs or is disconnected, the switch will only see one
> link (the crossover cable) and will enable it, bypassing the bridge.
>
> I have this setup in operation now, and it works great.
>
> For those wondering, it is using a Cisco 2900XL and the fallback time is
> from 30 to 50 seconds.
>
> Hope it helps
>
> José Araújo
>
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
abulyomon
www.KiLLTHeUPLiNK.com
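As an added example (not code from the thread or from either poster): the Linux side of José's setup, i.e. the transparent two-NIC "bridge/rate limiter" box that Kelly asked about. The switch-side VLAN/STP configuration is not shown; this is only the box that sits between the two VLAN ports. Interface names (eth0 towards the outer router, eth1 towards the inner router), the bridge name br0 and the 2 Mbit ceiling are assumptions; it uses iproute2 and tc with an HTB qdisc. With DRY_RUN=1 the script prints the commands instead of executing them, so it can be reviewed on a machine without root or without those NICs.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Builds an IP-less Linux bridge
# over two NICs and shapes everything that leaves towards the outer router.
# Assumed names: eth0 (outer-router side), eth1 (inner-router side), br0.
set -eu

OUTER_IF="${OUTER_IF:-eth0}"   # port facing the outer router; outbound traffic is transmitted here
INNER_IF="${INNER_IF:-eth1}"   # port facing the inner router
BRIDGE="${BRIDGE:-br0}"
RATE="${RATE:-2mbit}"          # assumed outbound ceiling
DRY_RUN="${DRY_RUN:-0}"        # 1 = print the commands instead of running them

# run: execute a command, or echo it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_setup: create the bridge, enslave both NICs and bring them up.
# No IP address is assigned, so the box is invisible at layer 3; the
# routers on either side only ever see each other. Bridge STP is left off.
bridge_setup() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set dev "$OUTER_IF" master "$BRIDGE"
    run ip link set dev "$INNER_IF" master "$BRIDGE"
    run ip link set dev "$OUTER_IF" up
    run ip link set dev "$INNER_IF" up
    run ip link set dev "$BRIDGE" up
}

# shape_outbound: HTB root qdisc on the port facing the outer router, with a
# single class capped at $RATE and SFQ underneath it for per-flow fairness.
# Shaping is egress-only, so it is applied to the port the frames leave on.
shape_outbound() {
    run tc qdisc del dev "$OUTER_IF" root 2>/dev/null || true
    run tc qdisc add dev "$OUTER_IF" root handle 1: htb default 10
    run tc class add dev "$OUTER_IF" parent 1: classid 1:10 htb rate "$RATE" ceil "$RATE"
    run tc qdisc add dev "$OUTER_IF" parent 1:10 handle 10: sfq perturb 10
}

# Usage: ./bridge-shaper.sh apply      (or DRY_RUN=1 ./bridge-shaper.sh apply)
if [ "${1:-}" = "apply" ]; then
    bridge_setup
    shape_outbound
fi
```

Two points worth knowing before relying on this as the bypassable path in José's scheme. First, the bridge is deliberately left with STP disabled: a Linux bridge that is not running STP forwards the switch's BPDUs across itself, which is what lets the switch treat the path through the box as a second VLAN-2-to-VLAN-3 link and block the higher-cost crossover cable while the box is healthy. Second, when the box hangs, the switch only reconverges after the STP timers expire, so the 30 to 50 second outage José measured is inherent to the design, and during that window nothing is rate-limited once the crossover link takes over.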