* H/A
From: g_netfilter @ 2003-05-26 2:45 UTC (permalink / raw)
To: netfilter
Hi friends, I have some boxes running iptables and it works well. But now I
need to configure a failover solution, please could you give me some links
to start reading? I need to consider Netfilter/Iptables and FreeSwan in the
same box and with a failover configuration.
Thanks in advance.
Geffrey.
* RE: H/A
From: George Vieira @ 2003-05-26 2:55 UTC (permalink / raw)
To: g_netfilter, netfilter
High Availability linux
http://www.linux-ha.org/
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
* RE: H/A
From: g_netfilter @ 2003-05-26 3:49 UTC (permalink / raw)
To: netfilter
And.. what about:
http://www.keepalived.org/
I'm getting confused...
George, please if you are running a H/A cluster, please could you give me
more information about your configuration? Or a recommended configuration?
Thanks in advance.
Geffrey
* Re: H/A
From: Julian Gomez @ 2003-05-26 9:59 UTC (permalink / raw)
To: netfilter
On Sun, May 25, 2003 at 09:45:12PM -0500, g_netfilter@netfids.com spoke thusly:
>Hi friends, I have some boxes running iptables and it works well. But now I
>need to configure a failover solution, please could you give me some links
>to start reading? I need to consider Netfilter/Iptables and FreeSwan in
>the same box and with a failover configuration.
A few things you need to clarify:
a) What are the failover criteria? Does the other box need to
   maintain full state, or can you accept that all connections will
   die for the moment, and can be re-established with the new
   master server?
   If state is required, iptables2 should contain failover
   capability according to some previous posts by Harald. There was
   some experimental work being done by someone, in regards to
   exporting the entries out (you'll have to check the archives for
   details). I'm not sure how you'll get freeswan to play nice
   though.
b) If you merely want dumb failover, then google around for VRRP.
   But understand the drawbacks in each circumstance.
* RE: H/A
From: George Vieira @ 2003-05-26 21:47 UTC (permalink / raw)
To: kluivert, netfilter
iptables isn't a problem as I solved this using a special script and a special way of assigning the IPs.
LIVE IP=203.x.x.x
FW1=10.1.1.1 FW2=10.1.1.1
using iproute2 I add the live IP to FW1 which is the Master FW.
ip addr add 203.x.x.x/28 dev eth0
Then my firewall scripts find the dev IP using "ip addr show $EXTDEV" and then "tail -1" so it grabs the last line of the list, otherwise it finds 2 IPs bound to the 1 network card and the scripts go nuts.. See snippet of my iptables script below.
getipfromdevice()
{
    # Print the IPv4 address of the given interface, prefix length stripped.
    # "tail -1" takes the last "inet" line, i.e. the live IP when it was added
    # after the interface's own address. "inet " (with the space) keeps inet6
    # lines out of the match.
    DEV="$1"
    DEVIP=`ip addr show dev "$DEV" | grep "inet " | tail -1 | awk '{print $2}' | cut -f1 -d "/"`
    echo "$DEVIP"
}
EXTDEV="eth0"
# Command substitution is required here: a bare "EXTIP=getipfromdevice $EXTDEV"
# only sets a variable for the command "$EXTDEV" and never calls the function.
EXTIP=`getipfromdevice $EXTDEV`
The problem is more with VPNs like PPTP/IPSEC as they won't pass the session over. But if they are company to company tunnels and they automatically reconnect, how is it a problem? A bit of packet loss for a few seconds and it's back up.. that's the internet for ya. ;)
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
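The lookup George describes has a weak spot: it relies on the live IP happening to be the last "inet" line, and a bare grep for "inet" also matches inet6 lines. The script below is an added example for this thread (not George's script or anything from the netfilter project) that reads the same "ip addr show" output but picks the interface's own address by position and checks for the floating address by value, which is what a firewall script needs to decide whether it is master or standby. The two sample outputs and the 203.0.113.5 live address are constructed stand-ins for George's 203.x.x.x setup so the script runs offline; on a real box the samples would be replaced by "$(ip -4 addr show dev "$EXTDEV")".

```shell
#!/bin/sh
# Added example: choose the right address from "ip addr show" output when the
# external interface carries both the firewall's own IP and the floating live IP.

# Constructed stand-in for the live IP (George's 203.x.x.x); on a real box this
# comes from the firewall's config file, not from the interface.
LIVEIP="203.0.113.5"

# Constructed sample: master node, own address first, live IP added afterwards.
# Note the live IP is in another subnet, so the kernel does NOT flag it
# "secondary"; its position is the only thing that distinguishes it.
SAMPLE_MASTER='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 203.0.113.5/28 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample: standby node, only its own address.
SAMPLE_STANDBY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.1.1.2/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever'

# All IPv4 addresses in the given "ip addr show" output, one per line, prefix
# length stripped. Comparing $1 to "inet" skips the inet6 lines that a plain
# grep "inet" would also catch.
list_dev_ips() {
    printf '%s\n' "$1" | awk '$1 == "inet" { sub("/.*", "", $2); print $2 }'
}

# The interface's own address: the first inet line, i.e. the one configured
# at boot before any floating address was added. Stable regardless of how
# many further addresses get added later.
own_ip() {
    list_dev_ips "$1" | head -n 1
}

# True (exit 0) when the exact address $2 is bound in output $1.
# grep -x -F: whole-line, fixed-string match, so dots in the address are literal.
has_ip() {
    list_dev_ips "$1" | grep -qxF "$2"
}

# True when this node currently holds the live IP, i.e. is the master.
# A firewall script can branch on this instead of guessing from "tail -1".
holds_live_ip() {
    has_ip "$1" "$LIVEIP"
}

# Usage on a live box (not run here):
#   EXTDEV=eth0
#   OUT=$(ip -4 addr show dev "$EXTDEV")
#   EXTIP=$(own_ip "$OUT")
#   if holds_live_ip "$OUT"; then echo "master"; else echo "standby"; fi
```

Keeping the live IP in configuration and testing for it by value means the script gives the same answer whether the floating address was added first, last, or in between, and the master/standby decision no longer depends on line order in kernel output.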
* Re: H/A
From: Julian Gomez @ 2003-05-27 10:09 UTC (permalink / raw)
To: netfilter
On Tue, May 27, 2003 at 07:47:31AM +1000, George Vieira spoke thusly:
>LIVE IP=203.x.x.x
>FW1=10.1.1.1 FW2=10.1.1.1
>
>using iproute2 I add the live IP to FW1 which is the Master FW.
>
>ip addr add 203.x.x.x/28 dev eth0
>
>Then my firewall scripts find the dev IP using "ip addr show $EXTDEV" and
>then "tail -1" so it grabs the last line of the list, otherwise it
>finds 2 IPs bound to the 1 network card and the scripts go nuts.. See
>snippet of my iptables script below.
George,
You have not stated exactly what failover scenarios your setup works
for. I.e.,
[ internet link #1 ] +- [ firewall #1 ] -- +-------+
                     |                     | LAN1  |
                     |                     | LAN2  |
[ internet link #2 ] +- [ firewall #2 ] -- +-------+
I was addressing something like the above. If firewall #1 goes down,
firewall #2 can take over, but it still requires that all state information
from firewall #1 be propagated to firewall #2. I am not taking into
account any load balancing requirements, pure failover. State info for both
iptables + their VPN setup. [*]
I don't understand how your unique IP addressing method will solve the
above, though your setup itself isn't very clear to me.
That said, the original poster didn't exactly state (IIRC) what sort of VPN
setup he is using (office <-> office), what exactly he wants
fail-over'ed, whether he has dual Internet links, and many many other bits of
information.
Take note that even my ascii diagram above only caters for certain
failover scenarios.
* RE: H/A
From: George Vieira @ 2003-05-27 11:34 UTC (permalink / raw)
To: kluivert, netfilter
I have 2 LANs on different NICs behind the firewall. Both are connected to both firewalls. I have only 1 internet link that they both share.
State info is hard.. not without special hardware or software. netfilter doesn't do any of this that I know of.
I hate to see it done with software as a very busy site with huge traffic (ie. we run 20+ websites) and the amount of /proc/net/ipt_* stuff that would need to be transferred continuously would be a nightmare.. not to mention the VPN stuff..
Company to company isn't hard, even if the link drops during failover, the sessions aren't lost.. unless the failover takes too long to shutdown FW1 and startup FW2 and bring the VPN up..
Yes, more info would be needed but I doubt there would be 100% state transfer...