On Mon, 30 Jul 2007, Sim wrote:
Hi to All!
If I have this example configuration....:
ROUTER1------- FW1--------
                          ----- LAN/Client
ROUTER2-------FW2 --------
ROUTER1 = 80.0.0.0/29
ROUTER2 = 90.0.0.0/29
FW = Linux
FW1 (LAN) = 192.168.0.253
FW2 (LAN) = 192.168.0.252
GW Client LAN = 192.168.0.254 (HA)
....can I use LinuxHA for this solution?
Probably, but the question is what you are trying to do with linux-ha.
linux-ha can make it so that your firewalls can be redundant (i.e. if you lose
one you can still access things), but if you are looking for linux-ha to choose
which router to send things through, it's not the tool for the job.
The first thing you need to do is to change your basic config to (logically)
ROUTER1-----|
            |--FW----- LAN/Client
ROUTER2-----|
and make sure that this works for you (see the CONNMARK option within iptables
for how to handle the routing, assuming that you can get to the same networks
through both routers).
Then after you get that setup working, Linux-HA can help by changing this to
ROUTER1----|-FW1-|
           |     |----- LAN/Client
ROUTER2----|-FW2-|
so that if one firewall fails the other can pick up traffic. The most trivial
way to do this is to just have linux-ha move an IP address on each interface
from one box to the other, but this has the problem that when a failover takes
place all connections will get cut and have to be re-established (this really
isn't a big problem, failovers are pretty rare). The more complex answer is to
configure conntrack-tools to replicate the connection state from one box to the
other; version 0.95 was released over the weekend
(http://www.netfilter.org/projects/conntrack-tools/downloads.html).
Personally I don't bother with the conntrack replication yet (once I get a
chance to experiment with it I may find it's trivial to set up and start using
it everywhere, but it hasn't been important enough for me to do so yet).
David Lang
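As an added example (not from the thread, and not code from the Linux-HA or netfilter projects), here is a POSIX shell script that generates the CONNMARK and policy-routing setup the reply describes for the single-firewall stage: connections that arrive through ROUTER2 get their replies routed back through ROUTER2 even though the main routing table's default points at ROUTER1. The /29 blocks are the ones from Sim's question; the gateway addresses 80.0.0.1 and 90.0.0.1, the interface names eth0/eth1/eth2, the chain name and the table numbers are assumptions. By default it only prints the commands (DRY_RUN=1) so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed example: CONNMARK-based "reply goes back the way it came"
# routing for one Linux firewall with two upstream routers.
# Assumed values (not from the thread): interface names, gateway IPs,
# routing table numbers and the UPLINK_MARK chain name.

WAN1_IF="${WAN1_IF:-eth0}"   WAN1_GW="${WAN1_GW:-80.0.0.1}"   # ROUTER1 side, 80.0.0.0/29
WAN2_IF="${WAN2_IF:-eth1}"   WAN2_GW="${WAN2_GW:-90.0.0.1}"   # ROUTER2 side, 90.0.0.0/29
LAN_IF="${LAN_IF:-eth2}"                                      # 192.168.0.0/24 side
DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands, 0 = execute them

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per uplink, selected by firewall mark (fwmark).
routing_tables() {
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table 100
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table 200
    run ip rule add fwmark 1 table 100
    run ip rule add fwmark 2 table 200
    # Loose reverse-path filtering: with strict mode the kernel would drop
    # packets arriving on WAN2 because the main table routes 0/0 via WAN1.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# Mark each connection once, by the interface its first packet arrived on,
# and copy that mark back onto every later packet of the connection.
connmark_rules() {
    run iptables -t mangle -N UPLINK_MARK
    run iptables -t mangle -A PREROUTING -j UPLINK_MARK
    # 1. established connection: restore its saved mark and stop
    run iptables -t mangle -A UPLINK_MARK -j CONNMARK --restore-mark
    run iptables -t mangle -A UPLINK_MARK -m mark ! --mark 0 -j RETURN
    # 2. new connection: mark by ingress interface; LAN-originated traffic
    #    defaults to ROUTER1 (mark 1)
    run iptables -t mangle -A UPLINK_MARK -i "$WAN1_IF" -j MARK --set-mark 1
    run iptables -t mangle -A UPLINK_MARK -i "$WAN2_IF" -j MARK --set-mark 2
    run iptables -t mangle -A UPLINK_MARK -i "$LAN_IF"  -j MARK --set-mark 1
    # 3. persist the packet mark into the conntrack entry
    run iptables -t mangle -A UPLINK_MARK -j CONNMARK --save-mark
    # Replies the firewall itself sends (e.g. to an admin session that came
    # in via ROUTER2) are locally generated, so restore the mark in OUTPUT too.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

case "${1:-}" in
    apply) DRY_RUN=0; routing_tables; connmark_rules ;;
    show)  routing_tables; connmark_rules ;;
esac
```

Run it as `sh uplinks.sh show` to inspect the generated commands, or `sh uplinks.sh apply` as root to install them. The order inside UPLINK_MARK matters: restoring first and returning on a non-zero mark means a connection's uplink is decided exactly once, by its first packet, which is what makes the ip rules pick the same table for every packet of that flow. When the second firewall is added in the reply's next stage, the same script runs on both boxes; moving the shared LAN and WAN addresses between them is linux-ha's job, not this script's.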
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems