RE: H/A

I have 2 LANs on different NICs behind the firewall. Both are connected to both firewalls. I have only 1 internet link that they both share.

State info is hard.. not without special hardware or software. netfilter doesn't do any of this that I know of.

I hate to see it done with software as a very busy site with huge traffic (ie. we run 20+ websites) and the amount of /proc/net/ipt_* stuff that would need to be transferred continuously would be a nightmare.. not to mention the VPN stuff..

Company to company isn't hard, even if the link drops between failover, the sessions aren't lost.. unless the failover takes too long to shutdown FW1 and startup FW2 and bring the VPN up..

Yes, more info would be needed but I doubt there would be 100% state transfer...

-----Original Message-----
From: Julian Gomez [mailto:kluivert@xxxxxxxxx]
Sent: Tuesday, May 27, 2003 8:09 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: H/A


On Tue, May 27, 2003 at 07:47:31AM +1000, George Vieira spoke thusly:
>LIVE IP=203.x.x.x
>FW1=10.1.1.1    FW2=10.1.1.1
>
>using iproute2 I add the live IP to FW1 which is the Master FW.
>
>ip add addr 203.x.x.x/28 dev eth0
>
>Then my firewall scripts find the dev IP using "ip addr show $EXTDEV" and
>then "tail -1" so it grabs the last line of the list otherwise it
>finds 2 IPs bound to the 1 network card and the scripts go nuts.. See
>snippet of my iptables script below.

George,

You have not stated exactly what failover scenarios your setup works
for. I.e.,

[ internet link #1 ] +- [ firewall #1 ] -- +-------+
                     |                     | LAN1  |
                     |                     | LAN2  |
[ internet link #2 ] +- [ firewall #2 ] -- +-------+

I was addressing something like the above. If firewall #1 goes down,
firewall #2 can take over, but it still requires that all state information
from firewall #1 be propagated to firewall #2. I am not taking into
account any load balancing requirements, pure failover. State info for both
iptables + their VPN setup. [*]

I don't understand how your unique IP addressing method will solve the
above, though your setup itself isn't very clear to me.

That said, the original poster didn't exactly state (IIRC) what sort of VPN
setup he is using (office <-> office), what exactly he wants
failed over, whether he has dual Internet links and many many other bits of
information.

Take note that even my ASCII diagram above only caters for certain
failover scenarios.
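George's quoted script finds the live IP with "ip addr show $EXTDEV" and "tail -1", which only works while the floating address happens to be listed last. The script below is an added example, not code from either poster: it selects the address by prefix and refuses to guess when the device does not carry exactly one address in that block. The ip addr output and the 203.0.113.0/28 block (standing in for the thread's "203.x.x.x/28") are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: pick the floating live IP out of
# "ip addr show <dev>" output by prefix instead of "tail -1", which breaks
# as soon as a second address is bound to the same NIC. The sample output
# is constructed; 203.0.113.0/28 stands in for the thread's "203.x.x.x/28".

# Constructed "ip addr show eth0" from the master firewall: the permanent
# 10.1.1.1 address plus the live IP added with "ip addr add .../28 dev eth0".
SAMPLE_IP_ADDR_SHOW='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
    inet 203.0.113.10/28 scope global secondary eth0'

# live_ip_from_show OUTPUT PREFIX
# Prints the single IPv4 address in OUTPUT that lies inside PREFIX
# (e.g. 203.0.113.0/28) with the same prefix length. Returns 1 when there
# is not exactly one match, so a firewall script aborts instead of
# building its rules around the wrong address (or none, on the standby).
live_ip_from_show() {
    output=$1
    net=${2%/*}
    len=${2#*/}
    matches=$(printf '%s\n' "$output" | awk -v net="$net" -v len="$len" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
        BEGIN { blk = 2 ^ (32 - len); want = int(ip2n(net) / blk) }
        $1 == "inet" {
            split($2, a, "/")
            if (a[2] == len && int(ip2n(a[1]) / blk) == want) print a[1]
        }')
    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "live_ip_from_show: expected 1 address in $2, found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# count_global_inet OUTPUT: number of global-scope IPv4 addresses on the
# device, i.e. the situation in which the tail -1 trick picks arbitrarily.
count_global_inet() {
    printf '%s\n' "$1" | awk '$1 == "inet" && /scope global/ { n++ } END { print n + 0 }'
}

# On a real box: LIVE=$(live_ip_from_show "$(ip addr show eth0)" 203.0.113.0/28) || exit 1
live_ip_from_show "$SAMPLE_IP_ADDR_SHOW" 203.0.113.0/28
```

On the standby firewall, where the live IP is not bound, the function returns 1 rather than printing the permanent 10.1.1.1 address.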
