On Wed, 2004-09-08 at 15:16, Bill Hayes wrote:
> I have a problem trying to create a high availability firewall/router setup. Multiple servers on the internal network should be masqueraded to appear as a single server on the external network.
>
> The simplest case that fails for me looks like this...
>
>
> Configuration: SuSE 9.1 (linux 2.6.5, iptables 1.2.9, heartbeat 1.2.0)

I'm not familiar with heartbeat--so excuse my ignorance if I display it prominently...

> firewall-1: eth0 = 192.168.1.1, eth1 = 10.1.1.1
> firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
>
>          +--------+
>          | server |
>          +----+---+
>               |
>     +---------+---------+
>     |        hub        |
>     +-+---------------+-+
>       |               |
> +-----+------+  +------+-----+
> | firewall-1 |  | firewall-2 |
> +-----+------+  +------+-----+
>       |               |
>     +-+---------------+-+
>     |        hub        |
>     +---------+---------+
>               |
>          +---+----+
>          | router |
>          +---+----+
>              |
>
> If I configure my servers to use 192.168.1.1 as their gateway, and tell all my clients that 10.1.1.1 is my server, then everything works as desired.

You already lost me. Why would you tell all your clients that the IP address of your server is the same IP as your firewall? Shouldn't the server be 10.1.1.[4-254]? Are your clients on the 10.1.1.x network, or beyond the router?

> On to high availability, I configure my servers to use 192.168.1.3 as their gateway, and tell all my clients that 10.1.1.3 is my server. I start heartbeat and soon my firewalls now look like...
>
> firewall-1: eth0 = 192.168.1.1, eth0:1 = 192.168.1.3, eth1 = 10.1.1.1, eth1:1 = 10.1.1.3
> firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
>
> Now, all my outgoing connections are established as before, but all the incoming connections fail with...
>
> SFW2-INext-DROP-DEFLT

Is this the string of your "--log-prefix" or is this something that's meaningful to people that are familiar with heartbeat? If it's the former--please provide us with the actual log entry.

> instead of succeeding with...
>
> SFW2-FWDext-ACC-REVMASQ

Ditto...
> I know that iptables treats virtual interfaces as if they are the underlying physical interface, thus eth1:1 should be eth1, and outgoing connections work, thus I have proof that eth0:1 is eth0, so what is happening? Why are the packets being dropped?

It sounds like your filter rules are not taking into account the new "virtual" IP address, and therefore your firewall is dropping the traffic. Posting your rules would probably help someone answer your question:

iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL

-j
--
Jason Opperisano <opie@xxxxxxxxxxx>
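As an added illustration of the point made in the reply (not part of the original thread or of SuSEfirewall2), the script below emits the NAT and FORWARD rules a floating-IP setup like the one described needs. It assumes the external VIP 10.1.1.3 and internal VIP 192.168.1.3 from the thread, plus a constructed internal server 192.168.1.10 on TCP/80; the key is that the NAT rules match the VIP and the FORWARD rule matches the post-DNAT server address, so the same rule set is valid on whichever node currently holds the alias.

```shell
#!/bin/sh
# Interfaces and addresses from the thread; SERVER and PORT are assumed values.
EXT_IF=eth1
INT_IF=eth0
EXT_VIP=10.1.1.3
SERVER=192.168.1.10
PORT=80

# Emit the rule set. With RUN=echo (the default) the commands are only printed,
# so the set can be reviewed or diffed against "iptables -t nat -vnL"; RUN= applies them (root needed).
emit_rules() {
    run=${RUN-echo}
    # Incoming: map the VIP to the internal server. Matching on the VIP, not on
    # the node's own eth1 address (10.1.1.1 or .2), is what survives a failover.
    $run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_VIP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"
    # Outgoing: source-NAT to the VIP so peers keep talking to the address that
    # moves between nodes instead of a node-specific one.
    $run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s 192.168.1.0/24 \
        -j SNAT --to-source "$EXT_VIP"
    # FORWARD sees the packet after DNAT: filter on the server address, not the VIP.
    $run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$SERVER" -p tcp --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    $run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s 192.168.1.0/24 -j ACCEPT
    # Log what falls through so a drop can be traced to a rule, as the reply asks for.
    $run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP "
    $run iptables -A FORWARD -j DROP
}

# Sanity check on the emitted set: both NAT chains must reference the VIP and
# the FORWARD accept must reference the post-DNAT server address.
check_vip_coverage() {
    rules=$(RUN=echo emit_rules)
    echo "$rules" | grep -q "PREROUTING.*-d $EXT_VIP" &&
    echo "$rules" | grep -q "POSTROUTING.*--to-source $EXT_VIP" &&
    echo "$rules" | grep -q "FORWARD.*-d $SERVER"
}
```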