On 07/19/07 20:20, Abhijit Menon-Sen wrote:
> I just want a hot standby for a single Linux firewall, such that
> clients behind it are not affected by a hardware failure on the
> firewall. If my configuration would allow me to someday promote the
> backup and run both firewall machines in a load-balancing
> configuration, so much the better.
Ok, to pull this off I would use a pair of Linux boxen with vrrpd and
conntrackd with almost identical configurations on each system (save for
host name and management IPs).
For the sake of discussion I'll presume that you are using a cable modem
or adsl connection to the internet with a static IP address. PPPoE /
DHCP should be possible, but it will get much nastier. You will really
want a minimum of two static IP addresses, three if possible, on each
side of the firewall. One IP address will be for the routing of traffic
and the other two will be for management. The one routing IP address
will be the virtual IP that is passed back and forth between the systems
and also the IP address that it looks like all your traffic passes
through. Use VRRP to make sure that one of the systems will always have
the routing IP up and functional.
> The following example looks very much like what I want:
> http://people.netfilter.org/pablo/conntrack-tools/testcase.html
*nod* This is very much what you are wanting to do.
However, I'm not sure that the direct connection between the two systems
is absolutely required. Having not done this myself, I cannot
say for sure. The last time I looked at this I was going to be trying
to make redundant routers for a 1 - 3 Mbps connection and thus was
planning on using VLANs to do router-on-a-stick across two bonded
100BaseT connections. So, if I needed to, I could create a new VLAN for the
router-to-router communications.
> (Can anyone comment on whether I should stick with keepalived as
> described above, or try out ucarp?)
I would use vrrpd over keepalived. As far as ucarp, I'm not familiar
with it so I can't comment. I can say that keepalived is much more
complex and can do a lot more than what you need to do. Now if you were
running a load balancing cluster of servers behind it, keepalived is the
proper answer. However for just making sure that a router is available,
vrrpd is much closer to what you need without overkill. In fact, I
believe vrrpd only needs command line options and no config file, whereas,
last I looked, keepalived has a very complex config file for all
that it could do.
With regards to "... run both firewall machines in a load-balancing
configuration ..." I think that conntrackd will allow you to do this.
At the very least, you can have inbound traffic use one firewall as its
primary and outbound use the other firewall as its primary where each is
a failover for the other. If you want inbound and / or outbound to use
both routers at the same time, it gets very tricky to have the layer 2
Ethernet network know which router to use to send the traffic to.
A quick rundown of how VRRP (and Cisco's proprietary HSRP) works for
those that may not know or want a refresher. VRRP uses a management IP
and a virtual routing IP (that may or may not be one of the management
IPs). The virtual routing IP uses a special MAC address
(00-00-5E-00-01-<virtual router ID>). This special MAC address allows
all client workstations using the virtual routing IP to be able to cache
the MAC address and not have to re-ARP for the system that currently has
the IP. In the event that the backup router detects that the primary
router is down, the backup router will claim to be the virtual IP on the
virtual router MAC address, usually GARPing so that switches now see the
virtual router MAC address on the new switch port. Thus when clients
try to send traffic out through the virtual router, the layer 2 traffic
will be to the virtual MAC address which the switches now know to be
elsewhere on the functioning router. The net result is a very brief
down time while the backup router is detecting that the primary is not
functioning and switches over.
(Note: This is a very far-fetched problem, but it is possible.) The only
real problem with this scenario is if for some reason both routers are
up and functioning, but for some reason they cannot see each other,
thus they both think the other node is down. In this case, you may have
a battle for who is up. If you want to know what to do in this
situation, read about STONITH (Shoot The Other Node In The Head) to make sure
that there is only one active node at a time.
You can configure VRRP to automatically switch back from the backup to
the primary when the primary comes back on line, or let the backup
remain the primary until it fails and then the real primary that is
acting as the backup will resume its role as the primary.
> Thanks, I'd appreciate any advice you can give me.
Having a functioning understanding of what is going on will help make
this a success. What you are wanting to do is completely possible and
should be able to be achieved without a lot of problems, but it is
outside the scope of any point-and-click GUI that I have seen for Linux.
Good luck and let me know if there is anything else that I can do to help.
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
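The VRRP mechanics described in the reply above (the reserved virtual MAC, the backup claiming the VIP after the master goes quiet, preempt deciding whether the original primary takes the VIP back, and the split-brain case) can be exercised offline with a small model of VRRPv2 as specified in RFC 3768. The following is an added example written for this page; it is not code from the LARTC thread, from vrrpd, or from conntrackd. The VRIDs, priorities and 192.0.2.x addresses are constructed for illustration, and the protocol timers are replaced by an explicit `timer_fired()` call so the election logic can be stepped through by hand.

```python
"""Added example, not code from the LARTC thread or from vrrpd/conntrackd: a small model
of VRRPv2 (RFC 3768) as the message above describes it. It encodes/decodes the advert a
master multicasts, derives the virtual MAC, and runs a backup's election logic, including
preempt and the split-brain case. All VRIDs, priorities and RFC 5737 addresses are
constructed for illustration."""
import socket
import struct

VRRP_VERSION, VRRP_TYPE_ADVERT = 2, 1
PRIORITY_OWNER, PRIORITY_RELEASE = 255, 0   # 255: address owner; 0: master giving up VIP

def virtual_mac(vrid):
    """IANA-reserved 00-00-5E-00-01-<VRID>; clients cache it, so failover needs no re-ARP."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:01:%02x" % vrid

def checksum(data):
    """RFC 1071 one's-complement sum; a packet whose checksum is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, vips, adver_int=1):
    """VRRPv2 advert: 8-byte header, VIP list, 8 bytes of auth data (auth type 0)."""
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERT,
                       vrid, priority, len(vips), 0, adver_int, 0)
    pkt = head + b"".join(socket.inet_aton(ip) for ip in vips) + bytes(8)
    return pkt[:6] + struct.pack("!H", checksum(pkt)) + pkt[8:]

def parse_advert(pkt):
    """Decode an advert, rejecting what a real daemon must reject."""
    if len(pkt) < 16 or checksum(pkt) != 0:
        raise ValueError("truncated or bad checksum")
    vt, vrid, prio, count, _auth, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != (VRRP_VERSION << 4) | VRRP_TYPE_ADVERT or len(pkt) != 16 + 4 * count:
        raise ValueError("not a VRRPv2 advertisement")
    vips = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "vips": vips, "adver_int": adver_int}

class VrrpRouter:
    """One router's view of one VRID: the RFC 3768 state machine, timers made explicit."""

    def __init__(self, ip, vrid, priority, preempt=True):
        self.ip, self.vrid, self.priority, self.preempt = ip, vrid, priority, preempt
        self.state = "MASTER" if priority == PRIORITY_OWNER else "BACKUP"

    def master_down_interval(self, adver_int=1):
        """Wait before claiming the VIP: 3 missed adverts + skew (highest priority fires first)."""
        return 3 * adver_int + (256 - self.priority) / 256

    def on_advert(self, pkt, sender_ip):
        adv = parse_advert(pkt)
        if adv["vrid"] != self.vrid:
            return "ignored"
        if self.state == "BACKUP":
            if adv["priority"] == PRIORITY_RELEASE:
                return self.timer_fired()      # master released the VIP cleanly
            if not self.preempt or adv["priority"] >= self.priority:
                return "timer-reset"           # an acceptable master is alive
            return "discard"                   # we preempt once our down timer fires
        # MASTER: yield to a better master (higher priority; tie broken by higher IP)
        mine = (self.priority, socket.inet_aton(self.ip))
        if (adv["priority"], socket.inet_aton(sender_ip)) > mine:
            self.state = "BACKUP"
            return "step-down"
        return "discard"

    def timer_fired(self):
        """Master_Down_Timer expired: take the VIP and GARP the virtual MAC so switches relearn it."""
        self.state = "MASTER"
        return "master:garp " + virtual_mac(self.vrid)

def split_brain(observed):
    """observed: (sender_ip, pkt) pairs seen within one advert interval. Two senders for one
    VRID means two masters (the partition case above): alert, and fence before it persists."""
    senders = {}
    for ip, pkt in observed:
        senders.setdefault(parse_advert(pkt)["vrid"], set()).add(ip)
    return sorted(v for v, ips in senders.items() if len(ips) > 1)

def failover_and_return(preempt):
    """fw-a (150) dies, fw-b (100) takes the VIP; fw-a comes back. With preempt the VIP
    moves back to fw-a; without it fw-b keeps the VIP until it fails itself."""
    vrid, vips = 1, ["192.0.2.1"]
    fw_a, fw_b = VrrpRouter("192.0.2.2", vrid, 150, preempt), VrrpRouter("192.0.2.3", vrid, 100)
    fw_a.timer_fired()                                                # initial election
    fw_b.on_advert(build_advert(vrid, 150, vips), fw_a.ip)            # fw-b: timer-reset
    fw_b.timer_fired()                                                # fw-a went silent
    fw_a = VrrpRouter("192.0.2.2", vrid, 150, preempt)                # fw-a reboots as BACKUP
    if fw_a.on_advert(build_advert(vrid, 100, vips), fw_b.ip) == "discard":
        fw_a.timer_fired()
        fw_b.on_advert(build_advert(vrid, 150, vips), fw_a.ip)        # fw-b steps down
    return fw_a.state, fw_b.state
```

`failover_and_return(True)` ends with fw-a back as MASTER and fw-b as BACKUP, which is the "switch back automatically" behaviour; `failover_and_return(False)` leaves fw-b as MASTER, which is the "backup stays primary until it fails" behaviour, and in both cases the only thing that moved on the LAN is the virtual MAC, announced by the gratuitous ARP in `timer_fired()`. Note that VRRP itself only resolves a split brain once the two masters hear each other again (the MASTER branch of `on_advert` steps the worse one down); while the partition lasts both are forwarding, which is why `split_brain()` is the kind of check a monitor should run and why the reply points at fencing.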