LARTC - Oct 2005 - Redundant firewall

Hi,

I hope this is not OT.  I searched through the archives but didn''t find
anything really answering my question.

I want to create a cluster of two firewalls with Linux-HA so that if 
the primary fail, the secondary firewall will take over.  Note that I 
don''t care about syncing states between firewalls, they will just have 
to reconnect :)

It''s a typical configuration:

                    _______FW1_______
                   /        |        \
INTERNET--ROUTER--<         |HB       >--SERVER
                   \_______ | _______/
                           FW2

HB is the heartbeat between the two firewalls.

The default gateway of SERVER will be the IP address of the cluster of 
firewall.  So SERVER->INTERNET will always go through the right FW.

But I''m concerned about INTERNET->SERVER (public IP).

My question is: will enabling proxy_arp on the active firewall and 
disabling it on the inactive be enough to route the traffic through the 
correct(active) firewall?

Thanks

Sébastien
--

Sebastien Guay wrote:
> My question is: will enabling proxy_arp on the active firewall and
> disabling it on the inactive be enough to route the traffic through the
> correct(active) firewall?
You use heartbeat and fake for that - It will update the ARP tables with
the new firewall MAC when failover occurs.

David

Le mer 12 oct 2005 13:37:55 EDT, David Coulson <david@davidcoulson.net> 
à écrit :
> Sebastien Guay wrote:
> > My question is: will enabling proxy_arp on the active firewall and
> > disabling it on the inactive be enough to route the traffic through
the
> > correct(active) firewall?
>
> You use heartbeat and fake for that - It will update the ARP tables with
> the new firewall MAC when failover occurs.
Maybe I understand it the wrong way (in that case it will be more a 
Linux-HA question) but I will have two fully functionnal firewall.  
 From the ROUTER pov, a packet destined to SERVER can pass through FW1 
as well as FW2.  But it should only through FW1 OR FW2 (whichever is 
active).

Am I wrong in assuming this?

Sébastien
--

Sebastien Guay wrote:
> Maybe I understand it the wrong way (in that case it will be more a
> Linux-HA question) but I will have two fully functionnal firewall.  From
> the ROUTER pov, a packet destined to SERVER can pass through FW1 as well
> as FW2.  But it should only through FW1 OR FW2 (whichever is active).
Well, you have a VIP which is on either firewall (actually two VIPs, one
for the inside interface, one for the outside). Packets to your inside
network are routed to that VIP, rather than to a specific firewall.

The router has no comprehension of fw1 or fw2 - Only that there is an IP
it sends packets for your subnet to.

David

Sorry David for the offlist reply.

Le mer 12 oct 2005 14:26:01 EDT, David Coulson <david@davidcoulson.net> 
à écrit :
> Sebastien Guay wrote:
> > Maybe I understand it the wrong way (in that case it will be more a
> > Linux-HA question) but I will have two fully functionnal firewall. 
From
> > the ROUTER pov, a packet destined to SERVER can pass through FW1 as
well
> > as FW2.  But it should only through FW1 OR FW2 (whichever is active).
>
> Well, you have a VIP which is on either firewall (actually two VIPs, one
> for the inside interface, one for the outside).
I think it would have been better if I had given more details in the 
first place.  Sorry about that :(

Say x.x.x.141 is the public IP address of FW1 (same IP for eth0 and 
eth1) and x.x.x.140 of FW2 (eth0 and eth1).  Heartbeat will be 
configured to create the VIP x.x.x.129 on both interfaces (you raised 
this point but it''s more for the Linux-HA mailing list).

So 141, 140, 129 and the server''s IP are all on the same subnet.  
Packets from the router may go through 141, 140 or 129.  But they 
should only go through 129.
> Packets to your inside
> network are routed to that VIP, rather than to a specific firewall.
Yes but they can also be routed to the real IP of FW1 and FW2.  And 
that''s what I try to avoid.
> The router has no comprehension of fw1 or fw2 - Only that there is an IP
> it sends packets for your subnet to.
My bad.  I should have said "IP of FW1 or IP of FW2".

Thanks for the help so far David.  I really appreciate it.

Sébastien
--

Le mer 12 oct 2005 16:20:02 EDT, David Coulson <david@davidcoulson.net> 
à écrit :
> Sebastien Guay wrote:
> > So 141, 140, 129 and the server''s IP are all on the same
subnet.
> > Packets from the router may go through 141, 140 or 129.  But they
should
> > only go through 129.
>
> Configure the router to only send packets to .129 then :-)
Believe me, if it was my router, we wouldn''t have had this discussion
:)

It''s my ISP''s router.  I will ask them.  They are generally
very helpful.

However I''m still curious if the proxy_arp trick (1 on the active one 
and 0 on the other) would do (although probably longer for the other to 
take over in case of a failover)?  Sébastien
--