Re: ifstated.conf for multiple links with failover

2012-01-26 Thread Justin Jereza
>> [demime 1.01d removed an attachment of type application/octet-stream which
>> had a name of ifstated.conf]
>>
>> [demime 1.01d removed an attachment of type application/x-sh which had a
>> name of manage-routes.sh]
>>

Since I have been receiving requests for the files, I am pasting them
here in full.


dns  = '"host google.com > /dev/null" every 10'
icap = '"ping -q -c 1 -w 3 icap.example.com > /dev/null" every 10'
wan1 = '"ping -q -c 1 -w 3 -I 74.125.71.2 74.125.71.1 > /dev/null" every 10'
wan2 = '"ping -q -c 1 -w 3 -I 75.125.71.66 75.125.71.65 > /dev/null" every 10'

state all {
    init {
        run "manage-routes.sh ALL"
        run "pf-create-nat.sh ALL"
        run "pf-create-route.sh LAN WAN-ALL"
    }
    if $dns
        run "/etc/rc.d/squid start"
    if ! $dns
        run "/etc/rc.d/squid stop"
    if $icap && $dns
        run "/etc/rc.d/dansguardian start"
    if ! $icap
        run "/etc/rc.d/dansguardian stop"
    if $wan1 && ! $wan2
        set-state wan1
    if $wan2 && ! $wan1
        set-state wan2
    if ! $wan1 && ! $wan2
        set-state none
}

state wan1 {
    init {
        run "manage-routes.sh WAN1"
        run "pf-create-nat.sh WAN1"
        run "pf-create-route.sh LAN WAN1"
    }
    if $dns
        run "/etc/rc.d/squid start"
    if ! $dns
        run "/etc/rc.d/squid stop"
    if $icap && $dns
        run "/etc/rc.d/dansguardian start"
    if ! $icap
        run "/etc/rc.d/dansguardian stop"
    if $wan1 && $wan2
        set-state all
    if $wan2 && ! $wan1
        set-state wan2
    if ! $wan1 && ! $wan2
        set-state none
}

state wan2 {
    init {
        run "manage-routes.sh WAN2"
        run "pf-create-nat.sh WAN2"
        run "pf-create-route.sh LAN WAN2"
    }
    if $dns
        run "/etc/rc.d/squid start"
    if ! $dns
        run "/etc/rc.d/squid stop"
    if $icap && $dns
        run "/etc/rc.d/dansguardian start"
    if ! $icap
        run "/etc/rc.d/dansguardian stop"
    if $wan1 && $wan2
        set-state all
    if $wan1 && ! $wan2
        set-state wan1
    if ! $wan1 && ! $wan2
        set-state none
}

state none {
    init {
        run "manage-routes.sh NONE"
        run "pfctl -a LAN -F all"
        run "pfctl -a NAT -F all"
        run "/etc/rc.d/squid stop"
        run "/etc/rc.d/dansguardian stop"
    }
    if $wan1 && $wan2
        set-state all
    if $wan1 && ! $wan2
        set-state wan1
    if $wan2 && ! $wan1
        set-state wan2
}



#!/bin/sh
# manage-routes.sh: add or remove the multipath default routes so that the
# routing table matches the state ifstated has just entered.

SCRIPT="$0"

help() {
    echo "Usage: $SCRIPT ALL | WAN1 | WAN2 | NONE"
}

# Succeed if $1 is currently the gateway of a default route.
# (-x -F: match the whole field literally, so 74.125.71.1 does not
# also match 74.125.71.10.)
in_table() {
    GW="$1"
    route -n show | grep '^default' | awk '{ print $2 }' | grep -qx -F "$GW"
}

# Redirect stdout before stderr, otherwise only stdout is silenced.
add_route() {
    GW="$1"
    route add -mpath default "$GW" >/dev/null 2>&1
}

delete_route() {
    GW="$1"
    route delete default "$GW" >/dev/null 2>&1
}

if [ $# -ne 1 ]; then
    help
    exit 1
fi

STATE="$1"
WAN1_GW="74.125.71.1"
WAN2_GW="75.125.71.65"

case "$STATE" in
ALL)
    if ! in_table "$WAN1_GW"; then
        add_route "$WAN1_GW"
    fi
    if ! in_table "$WAN2_GW"; then
        add_route "$WAN2_GW"
    fi
    ;;
WAN1)
    if ! in_table "$WAN1_GW"; then
        add_route "$WAN1_GW"
    fi
    if in_table "$WAN2_GW"; then
        delete_route "$WAN2_GW"
    fi
    ;;
WAN2)
    if in_table "$WAN1_GW"; then
        delete_route "$WAN1_GW"
    fi
    if ! in_table "$WAN2_GW"; then
        add_route "$WAN2_GW"
    fi
    ;;
NONE)
    if in_table "$WAN1_GW"; then
        delete_route "$WAN1_GW"
    fi
    if in_table "$WAN2_GW"; then
        delete_route "$WAN2_GW"
    fi
    ;;
*)
    help
    exit 1
    ;;
esac


Regards,

-- 
Justin Jereza
LPIC-2



Re: ifstated.conf for multiple links with failover

2012-01-26 Thread Justin Jereza
> Anyway, I came across the URL below (it is for Linux with failover).
>
> http://tech.gaeatimes.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/
>
>
> They are doing it. Your comments?
>
> Can I apply this to OpenBSD 5?

1. As far as I know, only equal cost multipath routing works on
OpenBSD. There is no support for weighted multipath routing. This can
conceivably be simulated by using probability in pf but I have not
tested it and I do not know how performance will be affected by the
dropped packets.

2. A modern Linux distro should have dead gateway detection built-in
so compiling a custom kernel should not be necessary.

3. That page shows RFC 1918 addresses being used in between the CPEs
(which act as NATs) and the load balancing gateway. I would use a
public IP address instead because I would rather implement the NAT in
OpenBSD. This reduces the number of hops required to reach any
external address by one (assuming the CPE is configured for bridging)
as well as reducing the possibility of a double NAT being implemented,
while giving me the capability to use other OpenBSD features like
altq.

4. I do not see how the alternate script provided by that page can
automatically recover from a situation where both WAN links are down
since a multistage ping check is not being employed either.

Regards,

-- 
Justin Jereza
LPIC-2



Re: ifstated.conf for multiple links with failover

2012-01-26 Thread Indunil Jayasooriya
Thanks for your reply. I am still studying your scripts.

Anyway, I came across the URL below (it is for Linux with failover).

http://tech.gaeatimes.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/


They are doing it. Your comments?

Can I apply this to OpenBSD 5?



Re: ifstated.conf for multiple links with failover

2012-01-25 Thread Justin Jereza
On Thu, Jan 26, 2012 at 11:54 AM, Indunil Jayasooriya wrote:
>>> I am writing /etc/ifstated.conf file.
>>>
>>> But, I still haven't achieved it. Could you pls help me to solve this.
>>>

I've attached two files, my ifstated.conf and manage-routes.sh, a
script I wrote for adding and removing routes based on the current
state from ifstated.

From your example, you cannot ping google to check if a specified WAN
link is up while the gateway for that specific link is not in the
routing table because it will be unreachable (especially when both
links are down: ifstated will have no way of pinging google and they
will remain down). That is why I have chosen to ping the gateways of
my WAN links instead. I have been toying around with the idea of a
multistage check that first pings the gateway, then google, but I have
not tested it yet.

Hope this helps.

-- 
Justin Jereza
LPIC-2

[demime 1.01d removed an attachment of type application/octet-stream which had a name of ifstated.conf]

[demime 1.01d removed an attachment of type application/x-sh which had a name of manage-routes.sh]
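The two-stage check Justin mentions (ping the link's gateway first, then an external host, both from the link's own address), written out as an added example that is not code from the thread. The addresses are the ones from Justin's config; the external host, the script name and the `PING` override used for testing are assumptions.

```shell
#!/bin/sh
# link-check.sh (added example, not from the thread): two-stage link test
# for ifstated. Stage 1 pings the link's gateway from the link's own
# address; stage 2 pings an external host from the same address, so a link
# whose gateway answers but carries no traffic beyond it is still reported
# down. Intended ifstated use (addresses from Justin's config, host assumed):
#   wan1 = '"link-check.sh 74.125.71.2 74.125.71.1 google.com" every 10'
#
# PING names the ping command. It may be overridden (e.g. by a test) with a
# command accepting OpenBSD ping's "-q -c 1 -w 3 -I <src> <dst>" arguments.
PING=${PING:-ping}

# link_check <source-address> <gateway> <external-host>
# exit status: 0 = link up, 1 = gateway unreachable,
#              2 = gateway up but nothing reachable beyond it
link_check() {
    src=$1
    gw=$2
    ext=$3
    if ! $PING -q -c 1 -w 3 -I "$src" "$gw" >/dev/null 2>&1; then
        return 1
    fi
    if ! $PING -q -c 1 -w 3 -I "$src" "$ext" >/dev/null 2>&1; then
        return 2
    fi
    return 0
}

# Run the check when invoked with its three arguments; when sourced with
# no arguments, only the function is defined.
if [ $# -eq 3 ]; then
    link_check "$1" "$2" "$3"
    exit $?
elif [ $# -ne 0 ]; then
    echo "usage: $0 <source-address> <gateway> <external-host>" >&2
    exit 64
fi
```

ifstated treats a test as true only when the command exits 0, so `$wan1` is true only when both stages pass; the distinct non-zero codes are for running the script by hand to see which stage failed.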



Re: ifstated.conf for multiple links with failover

2012-01-25 Thread Indunil Jayasooriya
>> I am writing /etc/ifstated.conf file.
>>
>> But, I still haven't achieved it. Could you pls help me to solve this.
>>
>
> www.openbsd.org/faq/pf/pools.html
>

Hi, I have already gone to it. Does automatic failover happen when
one link goes down?

I have not tried it.

Do you have any experience in regard to it?


I am using squid as a transparent proxy on my PF box. So I think I only
need to pass out traffic.

So, I am trying the URL below.

http://www.openbsd.org/faq/faq6.html#Multipath

That's why I am trying to configure ifstated.

Any comments?




-- 
Thank you
Indunil Jayasooriya



Re: ifstated.conf for multiple links with failover

2012-01-25 Thread Muhammad Muntaza
On Jan 25, 2012 5:39 PM, "Indunil Jayasooriya"  wrote:
>
> Hi,
>
>
> I want to setup ifstated  for multiple links.
>
>
> My requirement is very simple.
>
> I have 2 links. one is ADSL and the other is leased-line.
>
> When both links are up, outgoing traffic should be balanced via both links.
>
> When ADSL is DOWN, outgoing traffic  should go via Leased line
>
> When Leased line is DOWN, outgoing traffic should go via ADSL line.
>
> I am writing /etc/ifstated.conf file.
>
> But, I still haven't achieved it. Could you pls help me to solve this.
>

www.openbsd.org/faq/pf/pools.html



ifstated.conf for multiple links with failover

2012-01-25 Thread Indunil Jayasooriya
Hi,


I want to set up ifstated for multiple links.


My requirement is very simple.

I have 2 links. One is ADSL and the other is a leased line.

When both links are up, outgoing traffic should be balanced via both links.

When ADSL is DOWN, outgoing traffic should go via the leased line.

When Leased line is DOWN, outgoing traffic should go via ADSL line.

I am writing /etc/ifstated.conf file.

But, I still haven't achieved it. Could you pls help me to solve this.

These are the URLs I refer to.

http://gouloum.fr/doc/multilink.html

http://www.suborbital.org.uk/canofworms/index.php?/archives/2-Failover-routing-with-OpenBSD-and-ifstated.html


And, here's my /etc/ifstated.conf file


pingVIAbothlinks = '( "ping -c 1 -I 192.168.1.253 www.google.lk >/dev/null" every 10 && "ping -c 1 -I 172.16.10.253 www.google.lk >/dev/null" every 10 )'
pingVIAadsl = '( "ping -c 1 -I 192.168.1.253 www.google.lk >/dev/null" every 10 )'
pingVIAleasedline = '( "ping -c 1 -I 172.16.10.253 www.google.lk >/dev/null" every 10 )'

#init-state zero

state zero {
    init {
        run "route add -mpath default 192.168.1.1"
        run "route add -mpath default 172.16.10.254"
    }
    if ! $pingVIAadsl {
        set-state one
    }
}

state one {
    init {
        run "route delete -mpath default 192.168.1.1"
        run "route add -mpath default 172.16.10.254"
    }
    if ! $pingVIAleasedline {
        set-state two
    }
}

state two {
    init {
        run "route delete -mpath default 172.16.10.254"
        run "route add -mpath default 192.168.1.1"
    }
    if $pingVIAbothlinks {
        set-state zero
    }
}



Pls note:

192.168.1.253 is the IP of the PF box on the ADSL side.

172.16.10.253 is the IP of the PF box on the leased line side.


Here are the configuration details of the PF box (OpenBSD 5, 64-bit):


# cat /etc/hostname.ne1
inet 172.16.10.253 255.255.255.0
!route add -mpath default 172.16.10.254


# cat /etc/hostname.ne2
inet 192.168.1.253 255.255.255.0
!route add -mpath default 192.168.1.1


# netstat -r |grep default
default            192.168.1.1        UGSP       0     2274     -     8 ne2
default            172.16.10.254      UGSP       1      280     -     8 ne1

I have enabled the values below in /etc/sysctl.conf.

net.inet.ip.forwarding=1
net.inet.ip.multipath=1



Hope to hear from you.







-- 
Thank you
Indunil Jayasooriya