I'd like to set up a box with 2 NICs as a firewall which will also rate limit outbound traffic. What happens when/if that box hangs or is rebooted?

I'd like a solution that when there is a failure, traffic can still go through the box even though the firewall and rate limiting functions will no longer be in effect.

I believe that this is "failing closed" but have yet to find an intuitive definition - "closed" to traffic going through or (the opposite of an "open" circuit) a "closed" circuit which would allow traffic?

Kelly J. Jeglum
jeglum@aux.uwm.edu
W (414) 229-5431, C (414) 750-2376
LAN Manager Auxiliary Services
University of Wisconsin - Milwaukee
UWM Union room 312
2200 E. Kenwood Blvd.
Milwaukee, WI 53211

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Amit Vyas
2004-Dec-28 14:38 UTC
Re: failover strategies - failing open vs. failing closed.
Hi All,

I want to set up a machine to connect to the internet at a limited rate of 64 kbps. That machine is connected to a switch, so my LAN and Internet both come from the same eth0. How can I limit only the internet access from this machine to 64 kbps and still use 100 Mbps for the LAN?

I am trying to implement this. Please guide me if I am wrong.

I mark all the packets going out to the LAN. Then I can set up a root qdisc to classify packets based on that mark. If they match, I can set up a class to accept those and a FIFO for those packets. But if the packets are not for the LAN then I can pass them to another class which is TBF shaping at a rate of 64 kbps. Am I right on these lines?

This is the setup:

    +------------+     eth0      +-----------+   internet
    |  machine   |---------------|  Switch   |-------------
    +------------+               +-----------+

I am trying to get something like this:

              root qdisc (CBQ or something)
                     /          \
                    /            \
                 class          class
          Internal LAN       Any other unclassified
            Packets               Packets
                |                   |
              FIFO            TBF (rate 64kbps)

Please help me out with marking the packets and classifying them. Just started off with Traffic Shaping. giggles...... : )

It is also possible to alternatively mark internet traffic, as it would be less in comparison to LAN and thus processor friendly.

Amit Vyas
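An added example, not part of Amit's post or any reply on the list, showing the mark-then-classify scheme he sketches as a shell script. It uses an HTB root in place of the "CBQ or something" in his diagram, with a pfifo leaf for the marked LAN class and a TBF leaf for the default (internet) class; eth0, the 192.168.1.0/24 LAN prefix and fwmark 1 are assumed sample values. With no argument the script only prints the commands it would run, so the plan can be reviewed before applying it as root.

```shell
#!/bin/sh
# Added example (not from the list post). Shape only non-LAN traffic leaving
# a single-NIC host: LAN-bound packets get an fwmark in the mangle table and
# are steered to a plain pfifo class; everything else falls into the HTB
# default class, whose leaf is a 64 kbit TBF.
# Assumed sample values: eth0, 192.168.1.0/24 (constructed LAN prefix), mark 1.

IFACE="${IFACE:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample LAN prefix
LAN_MARK=1

# Every command goes through run(): with DRY_RUN=1 it is printed instead of
# executed, so the plan can be inspected (or tested) without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark locally generated packets destined for the LAN prefix. A box that
# forwards for others would mark in POSTROUTING instead of OUTPUT.
mark_lan_traffic() {
    run iptables -t mangle -A OUTPUT -o "$IFACE" -d "$LAN_NET" \
        -j MARK --set-mark "$LAN_MARK"
}

# Build the qdisc tree: HTB root (unclassified traffic defaults to 1:20),
# class 1:10 for LAN with a pfifo leaf, class 1:20 with a 64 kbit TBF leaf,
# and an fw filter that sends packets carrying LAN_MARK to 1:10.
build_qdisc_tree() {
    run tc qdisc del dev "$IFACE" root 2>/dev/null || true
    run tc qdisc add dev "$IFACE" root handle 1: htb default 20
    run tc class add dev "$IFACE" parent 1: classid 1:10 htb rate 100mbit
    run tc qdisc add dev "$IFACE" parent 1:10 handle 10: pfifo limit 1000
    run tc class add dev "$IFACE" parent 1: classid 1:20 htb rate 64kbit ceil 64kbit
    run tc qdisc add dev "$IFACE" parent 1:20 handle 20: tbf rate 64kbit burst 10kb latency 70ms
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 handle "$LAN_MARK" fw flowid 1:10
}

# Print the complete command plan without touching the system.
shaping_plan() {
    ( DRY_RUN=1; mark_lan_traffic; build_qdisc_tree )
}

case "${1:-plan}" in
    apply) mark_lan_traffic; build_qdisc_tree ;;
    plan)  shaping_plan ;;
    *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh shape.sh` to see the plan and `sh shape.sh apply` as root to install it; `tc -s class show dev eth0` afterwards shows bytes accumulating in 1:10 for LAN flows and in 1:20 for everything else, which is the quickest check that the mark and the fw filter line up.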
Francisco Pereira
2004-Dec-28 18:02 UTC
Re: failover strategies - failing open vs. failing closed.
Message quoted from Kelly Jeglum <Jeglum@AUX.UWM.EDU>:

> I'd like to setup a box with 2 NICs as a firewall which will also rate
> limits outbound traffic. What happens when/if that box hangs or is
> rebooted?
>
> I'd like a solution that when there is a failure, traffic can still go
> through the box even though the firewall and rate limiting functions will no
> longer be in effect.

Maybe it is more than what you need, but did you know Virtual Router Redundancy Protocol? http://ftp.ietf.org/rfc/rfc2338.txt

There are several linux implementations.

> I believe that this is "failing closed" but have yet to find an intuitive
> definition - "closed" to traffic going through or (the opposite of an "open"
> circuit) a "closed" circuit which would allow traffic?
Stef Coene
2004-Dec-28 19:28 UTC
Re: failover strategies - failing open vs. failing closed.
On Tuesday 28 December 2004 14:29, Kelly Jeglum wrote:

> I'd like to setup a box with 2 NICs as a firewall which will also rate
> limits outbound traffic. What happens when/if that box hangs or is
> rebooted?
>
> I'd like a solution that when there is a failure, traffic can still go
> through the box even though the firewall and rate limiting functions will
> no longer be in effect.

I'm afraid that's not possible if the box is also doing NAT. What you can do is use 2 boxes and only 1 of them is active. If it fails, the other takes over. Take a look at http://www.linuxvirtualserver.org/. You need the loadbalancer part of it.

Stef
Jose Luis Araujo
2005-Jan-06 22:16 UTC
Re: failover strategies - failing open vs. failing closed.
Hi.

Sorry for the delay. Hope you are still interested in the idea.

Kelly Jeglum wrote:

> I'd like to setup a box with 2 NICs as a firewall which will also rate
> limits outbound traffic. What happens when/if that box hangs or is
> rebooted?

If you are doing NAT or routing, then you need to use VRRPD with two machines.

> I'd like a solution that when there is a failure, traffic can still go
> through the box even though the firewall and rate limiting functions will no
> longer be in effect.

If on the other hand you want just the rate limiting, then you can try something. It only has a drawback: the switch that you will use must have VLAN and STP.

The trick is this: you choose three ports, and assign those to, say, VLAN 2, then choose another 3 ports and assign those to VLAN 3.

Enable STP on both VLANs, increase the port cost on one port on each VLAN, and use a crossed cable to link them.
Connect a port from each VLAN to the bridge/rate limiter.
Connect the remaining port to your inner router, and to your outer router.

Now, the idea is, the VLAN will divide the switch virtually; traffic from VLAN 2 won't go to VLAN 3 except where they are physically connected; they behave like two switches (which will also work, provided that the switches permit VTP). When everything is working properly, the switch will see two links from VLAN 2 to VLAN 3 and will disable the one with the higher cost (the cross cable), then all your traffic will flow through the bridge.

If the bridge stops, hangs or is disconnected, the switch will only see one link (the cross cable) and will enable it, bypassing the bridge.

I have this setup in operation now, and it works great.

For those wondering, it is using a Cisco 2900XL and the fallback time is from 30 to 50 seconds.

Hope it helps

José Araújo
Yaman Saqqa
2005-Jan-10 17:49 UTC
Re: failover strategies - failing open vs. failing closed.
OK ... what about syncing connection tracking state tables between the two routers/fw's? Is the ct_sync code from netfilter stable? Has anyone used it in a production environment? The netfilter-failover mailing list is pretty dead!

On Thu, 06 Jan 2005 22:16:42 +0000, Jose Luis Araujo <jlaraujo@mercs.homeip.net> wrote:

> Hi.
>
> Sorry for the delay. Hope you are still interested in the idea.
>
> Kelly Jeglum wrote:
>
> >I'd like to setup a box with 2 NICs as a firewall which will also rate
> >limits outbound traffic. What happens when/if that box hangs or is
> >rebooted?
>
> If you are doing NAT or routing, the you need to use VRRPD with two
> machines.
>
> >I'd like a solution that when there is a failure, traffic can still go
> >through the box even though the firewall and rate limiting functions will no
> >longer be in effect.
>
> If on the other hand you want just the rate limiting, then you can try
> something. It only has a drawback, the switch that you will use must
> have Vlan and STP.
>
> The trick is this, you choose three ports, and assign those to, say vlan
> 2, then choose another 3 ports and assign those to vlan 3.
>
> Enable STP on both Vlan's, increase the portcost on one port on each
> Vlan, and use a crossed cable to link them.
> Connect a port from each Vlan to the bridge/rate limiter.
> Connect the remaining port to your inner router, and to your outer router.
>
> Now, the idea is, the Vlan will divide the switch virtually, traffic
> from vlan 2 won't go to vlan 3, only if they are physically connected,
> they behave like two switches (witch will also work, provided that the
> switches permit VTP). When everything is working properly, the switch
> will see two links from vlan 2 to vlan 3 and will disable the one with
> the higher cost (the cross cable), then all your traffic will flow
> thought the bridge.
> If the bridge stops,hangs is disconnected, the switch will only see one
> link (the cross cable) and will enable it, bypassing the bridge.
>
> I have this setup in operation now, and it works great.
>
> For those wondering, it is using a cisco 2900XL and the fallback time is
> from 30 to 50 seconds.
>
> Hope it helps
>
> José Araújo

--
abulyomon
www.KiLLTHeUPLiNK.com