Re: Linux Firewall Active/Active

I've actually been doing this successfully with conntrackd, keepalived,
and quagga.

Essentially I'm using quagga for OSPF and BGP externally with equal cost paths.

For conntrackd with FTFW and "DisableExternalCache On"

Do NOT use the howtos on the web or the examples that come with
conntrackd or keepalived for configuring keepalived; they are outdated
and can cause major problems.
Right now the only reliable documentation on keepalived is here:
https://github.com/acassen/keepalived/blob/master/doc/keepalived.conf.SYNOPSIS
Ignore any other docs you find on the web.
Set both the instances in keepalived to "state BACKUP" and allow the
priority numbers to do elections.

I do all of my VRRP heartbeats and syncing over dedicated bonded
interfaces. Short cables are better, but a pair of dedicated fiber
cables to different rack rooms is acceptable. Make sure you configure
keepalived not to monitor the crossover link, or keepalived will think
there is a FAULT when its peer is offline for, say, a reboot.

Do not make the typical mistake of creating a new VRRP instance for
every VLAN and connecting them in a sync group. That configuration can
have strange side effects. Instead use one instance and specify the
device the IP applies to. Under the hood keepalived is using
iproute2 and you can use its full add syntax; just truncate the "ip
addr add" portion of the command.

Also attached are two files: a modified version of the script
packaged in the examples, which has been modified to work with
conntrackd with "DisableExternalCache On", and a nice little upstream
router check script you can use in keepalived that uses fping.

I am planning to write a full howto on this in the near future as part
of the HadrianWall project on GitHub.



On Wed, Nov 5, 2014 at 4:45 PM, shawn wilson <ag4ve.us@xxxxxxxxx> wrote:
> So I was thinking to use tc on the second box to delay the second
> packet and it should be dropped by the destination (really bad way to
> do it) but a quick google gives this:
> http://parkersamp.com/2010/03/howto-using-linux-as-a-simple-load-balancer-nat-router-firewall/#more-123
>
> That said, idk you can actually do what you want within Linux (I'm
> pretty sure firewall vendors that support this either do it very badly
> or have custom code)
>
> On Wed, Nov 5, 2014 at 3:40 PM, Arturo Borrero Gonzalez
> <arturo.borrero.glez@xxxxxxxxx> wrote:
>> On 5 November 2014 20:15, Ricardo Klein <klein.rfk@xxxxxxxxx> wrote:
>>> Hi there,
>>>
>>> I need to build a scenario with 2 Linux servers (probably CentOS7)
>>> acting as active/active firewall servers. What tools should I use?
>>> I saw some articles with:
>>>  - conntrackd + keepalived
>>>  - conntrackd + corosync + pacemaker
>>>
>>> But, what is the most used/stable?
>>>
>>
>> I would recommend Debian, corosync + pacemaker.
>>
>> I guess an active-passive cluster will do the job.
>>
>> Setting up an active-active firewall cluster is very difficult and
>> presents some challenges hard to face (like proper stateful filtering
>> in two nodes simultaneously, and a consistent ruleset management
>> between nodes of the cluster).
>>
>> --
>> Arturo Borrero González
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Attachment: keepalived-conntrack-manager.sh
Description: Bourne shell script

Attachment: fpingvrrpcheck.sh
Description: Bourne shell script
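The keepalived side of the setup described in the message above, written out as an added example; this is not the author's attached script, not the HadrianWall configuration, and not one of the examples shipped with keepalived or conntrackd. Every address (documentation ranges), interface name, VRID and script path is assumed, and the argument interface of the notify script is assumed too. It shows the three points the message makes: both nodes in "state BACKUP" with the priorities deciding the election, the crossover link not being tracked so a rebooting peer does not produce a FAULT, and a single VRRP instance carrying every VIP with the device given per address in iproute2 syntax.

```conf
# keepalived.conf for firewall node A. Node B is identical apart from
# the lines marked "node B". All addresses, interface names and script
# paths are assumptions for this example.
global_defs {
    router_id fw-a                 # node B: fw-b
}

# Upstream reachability check (assumed script: exits 0 while the
# upstream router answers fping, non-zero otherwise). While it fails,
# keepalived subtracts 'weight' from the priority, so the peer wins the
# election and takes MASTER.
vrrp_script chk_upstream {
    script "/etc/keepalived/fpingvrrpcheck.sh 203.0.113.1"
    interval 2
    fall 3
    rise 2
    weight -60
}

vrrp_instance FW {
    # Both nodes start as BACKUP; the priority numbers decide who becomes
    # MASTER. 'nopreempt' stops a recovered node from taking the role back.
    state BACKUP
    priority 150                   # node B: 100
    nopreempt
    virtual_router_id 51
    advert_int 1

    # VRRP advertisements go over the dedicated bonded crossover link,
    # unicast between the two nodes, not over the production interfaces.
    interface bond0
    unicast_src_ip 10.255.0.1      # node B: 10.255.0.2
    unicast_peer {
        10.255.0.2                 # node B: 10.255.0.1
    }

    # Do not treat a dead crossover link as a FAULT: while the peer is
    # rebooting, bond0 carries nothing. Without this line keepalived would
    # enter FAULT instead of becoming MASTER. For the same reason there is
    # no 'track_interface { bond0 }' block here.
    dont_track_primary

    track_script {
        chk_upstream
    }

    # One instance carries every VIP. Each entry is the tail of an
    # 'ip addr add' command with the "ip addr add" prefix removed, so the
    # device is named per address; no second instance per VLAN and no
    # sync group are needed.
    virtual_ipaddress {
        203.0.113.10/24 dev eth0           # upstream side
        192.0.2.1/24 dev eth1              # inside, untagged
        192.0.2.254/24 dev eth1.20         # inside, VLAN 20
        198.51.100.1/24 dev eth1.30        # inside, VLAN 30
    }

    # Assumed interface of the conntrackd transition script: it takes the
    # new VRRP state as its only argument and drives conntrackd
    # accordingly (with "DisableExternalCache On" there is no external
    # cache to commit, which is why the stock example script needs changes).
    notify_master "/etc/keepalived/keepalived-conntrack-manager.sh primary"
    notify_backup "/etc/keepalived/keepalived-conntrack-manager.sh backup"
    notify_fault  "/etc/keepalived/keepalived-conntrack-manager.sh fault"
}
```

Validate the file on each node with `keepalived -t -f /etc/keepalived/keepalived.conf` before starting the service, and confirm the expected election by pulling the crossover cable on the BACKUP node: the MASTER must stay MASTER and the BACKUP must log a transition to MASTER as well (because it no longer sees advertisements), not to FAULT. If FAULT appears, `dont_track_primary` is missing or a `track_interface` block still references the crossover link.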


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux