Re: redundancy with Adsl modem

On Wed, 04 Jan 2012 12:00:53 -0600, Gáspár Lajos <swifty@xxxxxxxxxxx> wrote:

> I think that both of these approaches have pros and cons.
> Maybe you also know that (in Linux) the kernel chooses the output interface depending on the routing table and not the source IP...
> So if the ping is not bound to a specific interface then it is "useless"...
> (There is an oping utility that can be set up to use a specific interface.)
> I do not know LSM but I hope that it is also aware of this.

lsm ("link status monitor") does direct its pings through the interface specified in the config file, to a "ping IP."  However, to make sure this happens I use a unique ping IP for each interface, with policy routing rules like this:
ip rule add to <pingIP> table T<n>  (where T<n> is the name of a table that routes through a particular interface.)

lsm can of course monitor several interfaces at once.  I am using multiple uplinks to give both Internet connection redundancy and increased total bandwidth for a firewalled LAN.  I have 5 uplinks of 5 Mbit each, throttled to 4 Mbit to prevent queuing at the ISP.  I use a separate routing table for each interface, and handle routing by fw-marking packets with iptables rules, and routing with rules like "ip rule add fwmark <n>..."

> Besides this, pinging is not always accurate and may lead the application to think that link quality is dropping down...
> Just imagine that the pinged host(s) can be under a DOS attack and the reply times can go high...

True.  If the "ping IP" can't be pinged or if the ping statistics are poor enough, the interface will be removed from routing.  If the ping IP host fails for any reason, that will give a "false positive."  However, since we have 5 interfaces, it would not be a serious problem for us.

> (Not to mention that the pinging generates traffic and that requires resources. Probably not too much resources at all :D)
> Other question is that how often/rarely do you ping? If often then it is too much traffic. If rarely then do you REALLY KNOW that the interface was all the time up?

I have configured lsm to ping the test IPs every second.  In my configuration, a response is considered "timed out" or "lost" if it takes more than 1000ms to get a reply to a ping.  The system determines that the link quality is too low if there are 7 consecutive lost packets, or 15 lost packets in a 60 second interval.

To consider that a "down" interface should come back up, it looks for 5 or less "lost" (timed out) packets in a 60 second interval.  All these parameters are configurable.  I left the default settings for most things.

> To repeat myself: I do not know LSM
> It seems to me that LSM is some kind of line quality checking software...

Right.

> OTOH my match checks the interface state when the packet is in the queue...
> With that info you can mark the packets and let the kernel decide about the routing depending on the mark..
> But my match does not know anything about the "quality" of the connection just about the state of the interface...
> Returning to the main question:
> If an interface goes down then the associated connections will most likely break down...
> Without knowing the required "high-availability" services, for example you can use "fallback_relay" in postfix; multiple remote lines in openvpn, etc. etc. etc.
> So maybe the redundancy is not the right word for the main requirement...
> I would ask myself: Do I really need redundancy or do I need alternativity?

Again, in our case the primary service is Internet connectivity for an internal LAN, with no services running on any of the outward-facing interfaces.  lsm is perfect for our situation, but it may not be best for others.

--
Lloyd Standish
Tropical Health Foods LLC
information on carao for blood health: http://www.bloodhealth.net
Use Suggestions: http://www.bloodhealth.net/files/use-suggestions.htm
selling website: http://www.tropicalhealthfoods.com
order form: https://www.tropicalhealthfoods.com/order.shtml.
New York, USA: 347 352 0058
other countries: +506 8816 1658
time zone CST (GMT-6)

--
Carao fruit is a food product intended to help support blood health.  It is not intended to treat any disease.  Furthermore, statements in this email should not be interpreted as medical advice or counsel.  All statements regarding carao fruit are the responsibility of Tropical Health Foods LLC.
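
Added example, not part of the original message and not lsm's code: a Python model of the up/down thresholds described in the reply above (1000 ms timeout, 7 consecutive or 15-in-60 losses to go down, 5 or fewer in 60 to come back), run over two constructed probe sequences to show how a slow ping target takes a healthy uplink out of routing. The class, function and variable names are assumptions, as is reading the loss limits as "at or above".

```python
from collections import deque


class LinkMonitor:
    """Up/down hysteresis for one uplink, one probe per second.

    Thresholds are the ones quoted in the message; the class is an
    assumed model of that behaviour, not lsm's source.
    """

    def __init__(self, timeout_ms=1000, max_seq_loss=7,
                 max_window_loss=15, up_window_loss=5, window=60):
        self.timeout_ms = timeout_ms
        self.max_seq_loss = max_seq_loss
        self.max_window_loss = max_window_loss
        self.up_window_loss = up_window_loss
        self.samples = deque(maxlen=window)  # True = probe counted as lost
        self.seq_loss = 0
        self.up = True

    def record(self, rtt_ms):
        """Feed one probe result (None = no reply); return True if link is up."""
        lost = rtt_ms is None or rtt_ms > self.timeout_ms
        self.samples.append(lost)
        self.seq_loss = self.seq_loss + 1 if lost else 0
        window_loss = sum(self.samples)
        if self.up:
            if (self.seq_loss >= self.max_seq_loss
                    or window_loss >= self.max_window_loss):
                self.up = False
        elif window_loss <= self.up_window_loss:
            self.up = True
        return self.up


def transitions(rtts, **thresholds):
    """Return [(probe_index, 'down' | 'up'), ...] for a sequence of RTTs."""
    mon, out, prev = LinkMonitor(**thresholds), [], True
    for i, rtt in enumerate(rtts):
        now = mon.record(rtt)
        if now != prev:
            out.append((i, "up" if now else "down"))
        prev = now
    return out


# Constructed input: healthy uplink, but the ping target is overloaded and
# answers 7 probes in 1500 ms before recovering.
SLOW_TARGET = [20] * 10 + [1500] * 7 + [20] * 60
# Constructed input: every 4th probe lost, never 7 in a row.
LOSSY_LINK = [None if i % 4 == 3 else 20 for i in range(60)]
```

Seven slow replies from the target remove the uplink for almost a minute, because the losses must age out of the 60-probe window before the count drops to 5.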