Now only to clarify that I understand it correctly:

Asymmetric setup: Any router receives any of the packets. All routers have the same information about all connections in the cluster, so it doesn't matter which of them handles which connection.

Symmetric setup: Once the connection is set up on RouterX, the whole connection should be handled by that very same router.

Is this correct?

On Wed, Sep 17, 2008 at 12:34 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> The way to go is a symmetric setup where all nodes receive the packets
> and only one firewall node handles them. This can be achieved by means
> of hash-based load-sharing. There's some work in that direction.

How is it possible to have only one firewall handle packets in the cluster? Is it like the setup in the testcase (http://conntrack-tools.netfilter.org/testcase.html)? If I understand it correctly, it means having only one active firewall/router and one passive waiting for failure. How is it possible to scale to higher loads? Can you point me also to some info about hash-based load-sharing?

>> With how many routers?
>
> Limit? I don't know yet, I'm still testing with only two nodes, but I
> expect to do it with up to four. Moreover, the replication approaches
> still require a small change in the code to cleanly support more than
> two nodes.

If the load-sharing works (with more than two nodes maybe) I'd like to test it. If it proves to work I can test it in a real-world scenario with real ISP traffic. We are currently moving to a new office so I can post some results from testing in a few weeks.

>> I know that you can do Active / Standby with conntrackd and I believe
>> that you can do Active / Active as well. It is my understanding that
>> conntrackd broadcasts connection state on a separate network connection.
>> I believe that the routers participating in the conntrackd failover
>> usually have three (or more) network cards on them, one internal and one

Yes, active/active is what I want.
> This is asymmetric multipath, it is not really a good idea and also
> you'll waste lots of resources in the replication. Therefore, if your
> intention is to improve scalability, this won't help. The way to go is
> the symmetric setup.

Can you write more about this? I'd like to test this setup.

>> routing) but is not required to. With this in mind I'd recommend
>> something like VRRP for the internal and external interfaces where one
>> router is primary for the internal and outgoing interface and the other
>> router is primary for the external and incoming interface. Using VRRP

Hm, this is interesting - split incoming/outgoing traffic to separate routers. Maybe conntrackd can be used in this scenario. I would test it.

ico
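As an added illustration (not code from this thread or from conntrack-tools), here is the decision rule behind the symmetric, hash-based load-sharing setup described above: every node receives every packet, but only the node whose index matches the hash of the canonicalised flow key handles it, so both directions of one connection stay on the same node and no replication is needed to keep the reply path working. The flow tuple, the SHA-256 hash, the four-node cluster and the sample addresses are all assumptions made for this example.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Flow key: (src_ip, dst_ip, proto, src_port, dst_port); sample values are constructed.
Flow = Tuple[str, str, int, int, int]


def canonical_flow(flow: Flow) -> Flow:
    """Order the two endpoints so a packet and its reply give the same key.

    Without this step the two directions of one connection would hash
    differently and could be claimed by different nodes; the node seeing
    the reply would then hold no conntrack entry for it (the asymmetric case).
    """
    src, dst, proto, sport, dport = flow
    if (src, sport) <= (dst, dport):
        return (src, dst, proto, sport, dport)
    return (dst, src, proto, dport, sport)


def owner_node(flow: Flow, nodes: int) -> int:
    """Index of the node that handles this flow; every node computes the same value."""
    key = "|".join(map(str, canonical_flow(flow))).encode()
    digest = hashlib.sha256(key).digest()  # hash function is an assumption
    return int.from_bytes(digest[:4], "big") % nodes


def should_handle(node_id: int, flow: Flow, nodes: int) -> bool:
    """Local decision each node takes for each packet it sees: handle it or drop it."""
    return owner_node(flow, nodes) == node_id


def simulate(packets: List[Flow], nodes: int) -> Dict[int, List[Flow]]:
    """Deliver every packet to every node and record which node accepted it."""
    handled: Dict[int, List[Flow]] = defaultdict(list)
    for pkt in packets:
        for node_id in range(nodes):
            if should_handle(node_id, pkt, nodes):
                handled[node_id].append(pkt)
    return dict(handled)


if __name__ == "__main__":
    # Constructed sample: one client->server packet and the server's reply.
    fwd: Flow = ("10.0.0.5", "192.0.2.10", 6, 40001, 443)
    rev: Flow = ("192.0.2.10", "10.0.0.5", 6, 443, 40001)
    print(simulate([fwd, rev], nodes=4))  # both packets land on the same node
```

Changing the node count reassigns flows, which is why the replication or failover discussed in the thread still matters when nodes join or leave.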