[TriLUG] BSD/Linux firewall with multiple ISP and failover?

Jon Carnes jonc at nc.rr.com
Mon Jan 30 22:28:36 EST 2006


On Mon, 2006-01-30 at 10:24, Aaron S. Joyner wrote:
> Jon Carnes wrote:
> 
> >I like this because the Fail-over server does all the checking. It uses a secondary network (192.168.10.0) that is shared with the Primary Firewall. All testing is done across the secondary network. This lets you manipulate the primary network (192.168.1.0) and move the gateway for that network anytime you want, while still letting you test to see if the Primary Firewall comes back up.
> >
> >It's elegant and it works great.
> >Good Luck - Jon Carnes
> >  
> >
> I don't disagree that your solution is elegant and effective, Jon.  It 
> just solves a different problem.  :)  You're solving the problem of 
> firewall redundancy, and getting multiple internet paths as a sort of 
> bonus.  In the scenario you describe, consider what happens if the 
> internet connection of the first server fails, but the internal 
> interface of the server is quite happy and responding to pings.

Yes, I know. We are on exactly the same page.

I cut out the second script which runs on the primary firewall and pings
its main router and then shuts down the internal interface if it loses
connectivity - then brings it back up once connectivity is
re-established. 

My email was just too long. Plus it was pretty much the same script but
run on the Primary.
I love doing things that way.

BTW Ryan: I bow to the Monkey! There is much love here for the Monkey.
LVS is a wonderful thing.

Ken: I like your simpler version of just using one firewall and three
NICs (and then just executing routing rules on the fly when
connectivity goes down). Very simple.  Me... I'm stuck in "fully
redundant" mode, which means two firewalls as a minimum.

Jon Carnes
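The watchdog Jon says he cut from his earlier mail (the one that runs on the primary firewall, pings its upstream router, and downs the internal interface so the failover box takes over) is easy to sketch. The script below is an added illustration, not Jon's script or anything posted to the list. The router address (an RFC 5737 documentation address), the interface name, the thresholds and the probe interval are all assumed values; the ping flags are those of Linux iputils (BSD ping uses different timeout flags), and `ifconfig` is used because that is what both platforms had at the time. The decision logic is kept in a pure function so it can be exercised without a network.

```shell
#!/bin/sh
# Added example: upstream-link watchdog for the primary firewall.
# If the upstream router stops answering, take the internal interface down
# so clients stop using this box as their gateway; bring it back once the
# router answers again. All addresses, names and thresholds are assumptions.

UPSTREAM_ROUTER="${UPSTREAM_ROUTER:-203.0.113.1}"   # assumed router (RFC 5737 doc range)
INTERNAL_IF="${INTERNAL_IF:-eth1}"                  # assumed internal NIC
FAIL_THRESHOLD=3      # consecutive failed probes before the interface is downed
RECOVER_THRESHOLD=2   # consecutive good probes before it is restored
INTERVAL=10           # seconds between probes

# One ICMP probe; exit status 0 means the router answered.
# (-W is the per-reply timeout in seconds on Linux iputils ping.)
probe_router() {
    ping -c 1 -W 2 "$UPSTREAM_ROUTER" >/dev/null 2>&1
}

# Pure state machine: args are current state (up|down), consecutive failure
# count, consecutive success count, and the probe result (0 = answered,
# 1 = no answer). Prints "state fails oks action" where action is
# none, ifdown or ifup. Thresholds guard against flapping on a single lost ping.
next_state() {
    state=$1; fails=$2; oks=$3; result=$4
    action=none
    if [ "$result" -eq 0 ]; then
        fails=0; oks=$((oks + 1))
        if [ "$state" = down ] && [ "$oks" -ge "$RECOVER_THRESHOLD" ]; then
            state=up; action=ifup
        fi
    else
        oks=0; fails=$((fails + 1))
        if [ "$state" = up ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
            state=down; action=ifdown
        fi
    fi
    echo "$state $fails $oks $action"
}

# Carry out the action decided above and leave a trace in syslog.
apply_action() {
    case "$1" in
        ifdown) logger -t fwwatch "lost $UPSTREAM_ROUTER; downing $INTERNAL_IF"
                ifconfig "$INTERNAL_IF" down ;;
        ifup)   logger -t fwwatch "$UPSTREAM_ROUTER reachable; upping $INTERNAL_IF"
                ifconfig "$INTERNAL_IF" up ;;
    esac
}

# Main loop: probe, feed the result through the state machine, act, sleep.
watchdog_loop() {
    state=up; fails=0; oks=0
    while :; do
        if probe_router; then r=0; else r=1; fi
        set -- $(next_state "$state" "$fails" "$oks" "$r")
        state=$1; fails=$2; oks=$3
        apply_action "$4"
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "fwwatch.sh run", so the functions can
# be sourced and tested without touching any interface.
case "${1:-}" in
    run) watchdog_loop ;;
esac
```

Run it as `sh fwwatch.sh run` from an init script on the primary firewall; with the default thresholds it needs three consecutive missed probes (about 30 seconds) before it downs the interface, and two good probes before it restores it, which keeps a single dropped ping from bouncing the gateway.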
