Hi, I hope this is not OT. I searched through the archives but didn''t find anything really answering my question. I want to create a cluster of two firewalls with Linux-HA so that if the primary fail, the secondary firewall will take over. Note that I don''t care about syncing states between firewalls, they will just have to reconnect :) It''s a typical configuration: _______FW1_______ / | \ INTERNET--ROUTER--< |HB >--SERVER \_______ | _______/ FW2 HB is the heartbeat between the two firewalls. The default gateway of SERVER will be the IP address of the cluster of firewall. So SERVER->INTERNET will always go through the right FW. But I''m concerned about INTERNET->SERVER (public IP). My question is: will enabling proxy_arp on the active firewall and disabling it on the inactive be enough to route the traffic through the correct(active) firewall? Thanks Sébastien --
Sebastien Guay wrote:> My question is: will enabling proxy_arp on the active firewall and > disabling it on the inactive be enough to route the traffic through the > correct(active) firewall?You use heartbeat and fake for that - It will update the ARP tables with the new firewall MAC when failover occurs. David
Le mer 12 oct 2005 13:37:55 EDT, David Coulson <david@davidcoulson.net> à écrit :> Sebastien Guay wrote: > > My question is: will enabling proxy_arp on the active firewall and > > disabling it on the inactive be enough to route the traffic through the > > correct(active) firewall? > > You use heartbeat and fake for that - It will update the ARP tables with > the new firewall MAC when failover occurs.Maybe I understand it the wrong way (in that case it will be more a Linux-HA question) but I will have two fully functionnal firewall. From the ROUTER pov, a packet destined to SERVER can pass through FW1 as well as FW2. But it should only through FW1 OR FW2 (whichever is active). Am I wrong in assuming this? Sébastien --
Sebastien Guay wrote:> Maybe I understand it the wrong way (in that case it will be more a > Linux-HA question) but I will have two fully functionnal firewall. From > the ROUTER pov, a packet destined to SERVER can pass through FW1 as well > as FW2. But it should only through FW1 OR FW2 (whichever is active).Well, you have a VIP which is on either firewall (actually two VIPs, one for the inside interface, one for the outside). Packets to your inside network are routed to that VIP, rather than to a specific firewall. The router has no comprehension of fw1 or fw2 - Only that there is an IP it sends packets for your subnet to. David
Sorry David for the offlist reply. Le mer 12 oct 2005 14:26:01 EDT, David Coulson <david@davidcoulson.net> à écrit :> Sebastien Guay wrote: > > Maybe I understand it the wrong way (in that case it will be more a > > Linux-HA question) but I will have two fully functionnal firewall. From > > the ROUTER pov, a packet destined to SERVER can pass through FW1 as well > > as FW2. But it should only through FW1 OR FW2 (whichever is active). > > Well, you have a VIP which is on either firewall (actually two VIPs, one > for the inside interface, one for the outside).I think it would have been better if I had given more details in the first place. Sorry about that :( Say x.x.x.141 is the public IP address of FW1 (same IP for eth0 and eth1) and x.x.x.140 of FW2 (eth0 and eth1). Heartbeat will be configured to create the VIP x.x.x.129 on both interfaces (you raised this point but it''s more for the Linux-HA mailing list). So 141, 140, 129 and the server''s IP are all on the same subnet. Packets from the router may go through 141, 140 or 129. But they should only go through 129.> Packets to your inside > network are routed to that VIP, rather than to a specific firewall.Yes but they can also be routed to the real IP of FW1 and FW2. And that''s what I try to avoid.> The router has no comprehension of fw1 or fw2 - Only that there is an IP > it sends packets for your subnet to.My bad. I should have said "IP of FW1 or IP of FW2". Thanks for the help so far David. I really appreciate it. Sébastien --
Le mer 12 oct 2005 16:20:02 EDT, David Coulson <david@davidcoulson.net> à écrit :> Sebastien Guay wrote: > > So 141, 140, 129 and the server''s IP are all on the same subnet. > > Packets from the router may go through 141, 140 or 129. But they should > > only go through 129. > > Configure the router to only send packets to .129 then :-)Believe me, if it was my router, we wouldn''t have had this discussion :) It''s my ISP''s router. I will ask them. They are generally very helpful. However I''m still curious if the proxy_arp trick (1 on the active one and 0 on the other) would do (although probably longer for the other to take over in case of a failover)? Sébastien --
Possibly Parallel Threads
- hardware needed for OCFS
- two firewall and shorewall
- Simple question about zones (haven''t found in FAQ)
- Terrible, horrible firewall issues in * to * setup
- Getting ERROR: parsing the volfile failed (No such file or directory) when starting glusterd on Fedora 19