Re: T1 and DSL failover? redundancy?

2006-06-24 Thread Marcos Marconcini
Giancarlo:

I was following the mailing list and found your mail. I have a
similar scenario with OpenBSD 3.8-stable.

Two ADSL links with two ADSL modems working as bridge (not as router) with 3
interfaces, two external interfaces (one for each modem) and one for my
internal net. Until today I can do load balancing (outgoing) but without a
failover system. I manually reload pf.conf every time I need. I think that
my knowledge of OBSD is not enough. Is it possible for you to give a hand
with this issue? I can send you any conf you need (pf.conf, ppp.conf, etc.)

Thank you for your time.

Marcos Marconcini

Date: Fri, 23 Jun 2006 09:35:37 -0300
From: Giancarlo Razzolini [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: T1 and DSL failover? redundancy?
Message-ID: [EMAIL PROTECTED]

I do have a similar setup, but in my case, I have two ADSL routers, from
2 different ISPs. And each router is on a separate interface, and I do
have one internal network and 2 dmz's. Both the routers support snmp
queries. I do use one pf.conf file, with one anchor for the balancing.
Then, to detect the link state, I use ifstated with some scripts that
check the WAN link and the interface that connects with the router link.
If the WAN link falls, then I use pfctl to load rules in my anchor
directing traffic to the other link, and vice-versa, and I do reboot my
router (many of them work better after rebooting). If the link comes
back, the ifstated daemon detects it, and loads rules again for doing
load balancing. This setup works great. I do incoming routing too.

My 2 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: T1 and DSL failover? redundancy?

2006-06-23 Thread Giancarlo Razzolini
John Brahy wrote:
 I was hoping to get some suggestions on the best way to handle this. We just
 put a DSL line for inet backup and I'd like to have it automagically
 failover.

 We are running OpenBSD 3.9 -stable on a box with four interfaces. Currently
 we have one interface connected to our private network and one interface
 connected to our router.

 I could connect the DSL router and the t-1 router directly to my firewall on
 two separate interfaces and maintain two separate pf.conf files and manually
 change the active interface.
 this isn't what I want to do but I know it will work.

 What are my other options? I'd like to have it automatically fail over but
 I'm not sure what is required to do that.

 Thanks,

 John


I do have a similar setup, but in my case, I have two ADSL routers, from
2 different ISPs. And each router is on a separate interface, and I do
have one internal network and 2 dmz's. Both the routers support snmp
queries. I do use one pf.conf file, with one anchor for the balancing.
Then, to detect the link state, I use ifstated with some scripts that
check the WAN link and the interface that connects with the router link.
If the WAN link falls, then I use pfctl to load rules in my anchor
directing traffic to the other link, and vice-versa, and I do reboot my
router (many of them work better after rebooting). If the link comes
back, the ifstated daemon detects it, and loads rules again for doing
load balancing. This setup works great. I do incoming routing too.

My 2 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
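
One way to lay out the ifstated(8) arrangement described in the message above, as an added example that is not Giancarlo's configuration and not part of the original thread. The interface names (fxp0, fxp1), the probe addresses, the anchor name `balance` and the three rule-file paths are assumptions; it also assumes pf.conf declares that anchor and that a static host route sends each probe out through its own router.

```conf
# /etc/ifstated.conf (added example; all names below are hypothetical)
init-state auto

# A link counts as usable only if the Ethernet side towards its router is up
# AND a host behind that router answers (constructed documentation addresses).
t1_ok  = '( fxp0.link.up && "ping -q -c 1 -w 1 192.0.2.1 > /dev/null" every 10 )'
dsl_ok = '( fxp1.link.up && "ping -q -c 1 -w 1 198.51.100.1 > /dev/null" every 10 )'

# Startup: pick a state from the first probe results. If both links are
# down, stay here until one of them answers.
state auto {
	if $t1_ok && $dsl_ok
		set-state both
	if $t1_ok && ! $dsl_ok
		set-state t1_only
	if ! $t1_ok && $dsl_ok
		set-state dsl_only
}

# Both links healthy: load the load-balancing rules into the anchor.
state both {
	init {
		run "pfctl -a balance -f /etc/pf.balance.both"
	}
	if ! $t1_ok
		set-state dsl_only
	if ! $dsl_ok
		set-state t1_only
}

# DSL failed: anchor rules send everything out via the T1.
state t1_only {
	init {
		run "pfctl -a balance -f /etc/pf.balance.t1"
	}
	if $dsl_ok
		set-state both
}

# T1 failed: anchor rules send everything out via the DSL line.
state dsl_only {
	init {
		run "pfctl -a balance -f /etc/pf.balance.dsl"
	}
	if $t1_ok
		set-state both
}
```

Only the anchor is reloaded on each transition, so the filtering rules in the main pf.conf stay loaded throughout a failover.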




Re: T1 and DSL failover? redundancy?

2006-06-22 Thread Lawrence Horvath

You can use SNMP to monitor the wan interface on almost all routers,
(I know personally about the cisco), so you might set something up
that monitors that, or you could use a dynamic routing protocol,
even rip would do, just something interactive between OBSD firewall
and the router, the router would update the firewall via the routing
protocol if the line was down and use a higher admin distance on the
DSL link.

On 6/21/06, NetNeanderthal [EMAIL PROTECTED] wrote:

On 6/21/06, John Brahy [EMAIL PROTECTED] wrote:
 What are my other options? I'd like to have it automatically fail over but
 I'm not sure what is required to do that.
Have you considered using a WAN card for your T1 natively on OpenBSD?
As well, you might have a look at ifstated(8) if that's the case --
this would be a cinch to configure with PF.

I believe there are several manufacturers of WAN cards, including
art(4), lmc(4) and san(4).  I have used the Sangoma cards before with
good luck.

Otherwise, depending on the router (Cisco?), you might be able to
setup tracking on the T1 WAN interface to bring down the ethernet
interface (assumption?) that points towards your OpenBSD firewall.
This in turn would trigger an ifstated event that manages your pf.conf
configuration(s).  Or... routing metrics.

There are so many ways to solve this with OpenBSD.

Good luck!





--
-Lawrence



Re: T1 and DSL failover? redundancy?

2006-06-22 Thread L. V. Lammert

At 11:13 PM 6/21/2006 -0700, Lawrence Horvath wrote:

You can use SNMP to monitor the wan interface on almost all routers,
(I know personally about the cisco), so you might set something up
that monitors that, or you could use a dynamic routing protocol,
even rip would do, just something interactive between OBSD firewall
and the router, the router would update the firewall via the routing
protocol if the line was down and use a higher admin distance on the
DSL link.


Keep in mind also that redundancy is fine for outgoing traffic, but to 
actually route incoming traffic you must also have an upstream ISP(s) that 
can handle redundant links, or you will have to obtain your own ASN and 
manage your own BGP.


Lee



Re: T1 and DSL failover? redundancy?

2006-06-22 Thread Lawrence Horvath

On 6/22/06, L. V. Lammert [EMAIL PROTECTED] wrote:

At 11:13 PM 6/21/2006 -0700, Lawrence Horvath wrote:
You can use SNMP to monitor the wan interface on almost all routers,
(I know personally about the cisco), so you might set something up
that monitors that, or you could use a dynamic routing protocol,
even rip would do, just something interactive between OBSD firewall
and the router, the router would update the firewall via the routing
protocol if the line was down and use a higher admin distance on the
DSL link.

Keep in mind also that redundancy is fine for outgoing traffic, but to
actually route incoming traffic you must also have an upstream ISP(s) that
can handle redundant links, or you will have to obtain your own ASN and
manage your own BGP.

 Lee




There are only two ways I know to maintain routing on incoming
traffic, first being to have your DSL and T1 from the same company and
they can set up your links with routing on their side that will
reflect your fail over situation, the second way is to multihome with
an AS and run BGP, so if you have any sort of IP specific traffic
such as running servers at your location you will have to do one of
the above options, however if this is just for an office connection to
allow your employees to check myspace and play poker, then you can do
it much easier, would be as simple as running an internal routing
protocol

--
-Lawrence



Re: T1 and DSL failover? redundancy?

2006-06-22 Thread Steven Surdock
Lawrence Horvath wrote:
 On 6/22/06, L. V. Lammert [EMAIL PROTECTED] wrote:
 At 11:13 PM 6/21/2006 -0700, Lawrence Horvath wrote:
...
 Keep in mind also that redundancy is fine for outgoing traffic, but
 to actually route incoming traffic you must also have an upstream
 ISP(s) that can handle redundant links, or you will have to obtain
 your own ASN and manage your own BGP. 
 
  Lee
 
 
 
 There are only two ways I know to maintain routing on incoming
 traffic, first being to have your DSL and T1 from the same company and
 they can set up your links with routing on their side that will
 reflect your fail over situation, the second way is to multihome with
 an AS and run BGP, 
...

There are also DNS games.  Multiple MX records, multiple nameservers in
the different ISP's IP space, DNS load balancing for http[s] (e.g.
'nslookup www.yahoo.com')...  These work sufficiently well for
applications that understand multiple IPs for a given name, or
applications that understand the concept of if IP address A times out,
try IP address B.  OpenVPN understands this, for example.


-Steve S.



Re: T1 and DSL failover? redundancy?

2006-06-21 Thread NetNeanderthal

On 6/21/06, John Brahy [EMAIL PROTECTED] wrote:

What are my other options? I'd like to have it automatically fail over but
I'm not sure what is required to do that.

Have you considered using a WAN card for your T1 natively on OpenBSD?
As well, you might have a look at ifstated(8) if that's the case --
this would be a cinch to configure with PF.

I believe there are several manufacturers of WAN cards, including
art(4), lmc(4) and san(4).  I have used the Sangoma cards before with
good luck.

Otherwise, depending on the router (Cisco?), you might be able to
setup tracking on the T1 WAN interface to bring down the ethernet
interface (assumption?) that points towards your OpenBSD firewall.
This in turn would trigger an ifstated event that manages your pf.conf
configuration(s).  Or... routing metrics.

There are so many ways to solve this with OpenBSD.

Good luck!