hi all,

i've been following the discussions on multiple providers and configuring shorewall. before going into this path, i wanted to ask in general for advice or pointers to good documentation on setting this up "right" the first time. URLs, FAQs, HOW-TO guides, general observations, anything would be very much appreciated...

currently, i've got a setup running shorewall quite nicely on a single ISP (3 T1's) connection. for redundancy, because MCI went "out" for about 6 critical business hours recently, we've installed from another provider a second main connection (2 T1s).

what i'm looking for is any recommendations or pointers for managing the firewalls, possibly setting up a redundant firewall, managing DNS for two IP blocks, that sort of thing. the network sketch is below. i've been doing a good bit of google work to try and read up, but the info seems to be fairly scattered and not really coherent. i'd really like to do all of this with shorewall, since it works so well for our current setup. if people strongly recommend something else, though, i'm open to suggestions.

network sketch:

                  65.199.241.64/26

    ISP 1: (3 T1s) --- Cisco .65
                         |
                         |
                         + eth0: .66
                         |                    Internal LAN Switch
                      FW + eth2: 10.100.1.1 --------------- 10.100.0.0/16
                         |                      |        |        |
                         + eth1: .2             |        |        |
                         |                  office net   |   unix servers
                         |               10.100.100.0/24 |   10.100.1.0/24
    ISP 2: (2 T1s) --- Cisco .1                          |
                                                  citrix servers
                  66.194.149.0/26                 10.100.10.0/24

ideally, i'd like to load balance the network connections, but in the event of one line going down, switch everything to the only remaining provider.

the servers are visible via DNS entries on the 65.199.241.64/26 network, where the exported servers are "smtp", "ssh", "imap", "citrix", "www", "dns1", "dns2", and "ftp".

some of the questions i've got are about the proper setup of:

  - load balancing
  - lost provider elimination from the provider pool
  - DNS setup to export multiple IPs for one server such that
    reverse DNS doesn't fail (ie, for mail services and anti-spam
    policies at places like AOL)
  - adding a recovered provider link back into the working
    provider pool
  - setting up a redundant firewall and automatically switching
    over if the primary FW fails -- loss of state in existing
    connections is okay

i tend to think of it as having N providers, even though i'm only using two right now -- later we may add others for more tolerance or better latency results to different parts of the internet.

thanks,

josh

ps> i'd be happy to summarize results if people reply off line. i think
    that either way i'll write up a short "how to" guide and offer it
    as another FAQ/guide for everyone...

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
Josh Fryman wrote:
> hi all,
>
> i've been following the discussions on multiple providers and configuring
> shorewall. before going into this path, i wanted to ask in general for
> advice or pointers to good documentation on setting this up "right" the
> first time. URLs, FAQs, HOW-TO guides, general observations, anything
> would be very much appreciated...
>
> currently, i've got a setup running shorewall quite nicely on a single
> ISP (3 T1's) connection. for redundancy, because MCI went "out" for
> about 6 critical business hours recently, we've installed from another
> provider a second main connection (2 T1s).
>
> what i'm looking for is any recommendations or pointers for managing the
> firewalls, possibly setting up a redundant firewall, managing DNS for
> two IP blocks, that sort of thing. the network sketch is below. i've
> been doing a good bit of google work to try and read up, but the info
> seems to be fairly scattered and not really coherent. i'd really like
> to do all of this with shorewall, since it works so well for our current
> setup. if people strongly recommend something else, though, i'm open
> to suggestions.
>
> network sketch:
>
>                   65.199.241.64/26
>
>     ISP 1: (3 T1s) --- Cisco .65
>                          |
>                          |
>                          + eth0: .66
>                          |                    Internal LAN Switch
>                       FW + eth2: 10.100.1.1 --------------- 10.100.0.0/16
>                          |                      |        |        |
>                          + eth1: .2             |        |        |
>                          |                  office net   |   unix servers
>                          |               10.100.100.0/24 |   10.100.1.0/24
>     ISP 2: (2 T1s) --- Cisco .1                          |
>                                                   citrix servers
>                   66.194.149.0/26                 10.100.10.0/24
>
> ideally, i'd like to load balance the network connections, but in the
> event of one line going down, switch everything to the only remaining
> provider.
>
> the servers are visible via DNS entries on the 65.199.241.64/26 network,
> where the exported servers are "smtp", "ssh", "imap", "citrix", "www",
> "dns1", "dns2", and "ftp".
>
> some of the questions i've got are about the proper setup of:
>
>   - load balancing
>   - lost provider elimination from the provider pool
>   - DNS setup to export multiple IPs for one server such that
>     reverse DNS doesn't fail (ie, for mail services and anti-spam
>     policies at places like AOL)
>   - adding a recovered provider link back into the working
>     provider pool
>   - setting up a redundant firewall and automatically switching
>     over if the primary FW fails -- loss of state in existing
>     connections is okay
>
> i tend to think of it as having N providers, even though i'm only using
> two right now -- later we may add others for more tolerance or better
> latency results to different parts of the internet.
>
> thanks,
>
> josh
>
> ps> i'd be happy to summarize results if people reply off line. i think
>     that either way i'll write up a short "how to" guide and offer it
>     as another FAQ/guide for everyone...
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Hi,

My advice to u is to start using pf on openbsd/freebsd/netbsd; it gives most of these features.

thanks
Josh Fryman wrote:

> - load balancing
> - adding a recovered provider link back into the working
>   provider pool
> - lost provider elimination from the provider pool

a BGP daemon

> - DNS setup to export multiple IPs for one server such that
>   reverse DNS doesn't fail (ie, for mail services and anti-spam
>   policies at places like AOL)

multiple mx records, a load balancing dns setup ( read my lips, NO round robin DNS )

> - setting up a redundant firewall and automatically switching
>   over if the primary FW fails -- loss of state in existing
>   connections is okay

You need a pretty expensive HA system.

BTW... none of these problems are shorewall specific.

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
>> - setting up a redundant firewall and automatically switching
>>   over if the primary FW fails -- loss of state in existing
>>   connections is okay
>
> You need a pretty expensive HA system.

The Linux HighAvailability project might be able to do this, and for free too, http://www.linux-ha.org/

--
Tim Edwards
Systems Administrator
REGISTRIES LTD
ABN 14 003 209 836
Phone: 92909610
Tim Edwards wrote:
>>> - setting up a redundant firewall and automatically switching
>>>   over if the primary FW fails -- loss of state in existing
>>>   connections is okay
>>
>> You need a pretty expensive HA system.
>
> The Linux HighAvailability project might be able to do this, and for
> free too, http://www.linux-ha.org/

To the OP (Josh):

Open Source works best when people who have a need (which you apparently do) and who have the talent (jury still out) contribute their time and talent to produce new Open Source products (documentation included). People who stand on the sideline and ask "where is the *good* documentation?" and "what step-by-step instructions do I follow so that I don't have to do any real work?" get no respect from me.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
To the various people that contributed comments, I appreciate the pointers.

> People who stand on the sideline and ask "where is the *good*
> documentation?" and "what step-by-step instructions do I follow so that
> I don't have to do any real work?" get no respect from me.

Perhaps I conveyed the wrong message? I was asking for pointers and advice on solutions to this problem. OpenBSD and pf is one solution I hadn't considered, for example. I wasn't particularly asking for someone to hand me a solution; I apologize if that's what people were thinking. I was asking for info or pointers to people that had ideas or solutions to parts of the problem.

This is also why I was offering to put together a How-To in my original post and make the solution public to others -- because I haven't been able to _find_ a solution that "does it all" ... ergo, my request for pointers to bits of solution.

Thanks anyway. I didn't realize so many people would find my OP so offensive. Re-reading the OP, if you just read the first paragraph, I guess it could be interpreted such that I was asking for hand-fed instructions.

Josh
Josh Fryman wrote:
> Perhaps I conveyed the wrong message? I was asking for pointers and
> advice on solutions to this problem. OpenBSD and pf is one solution
> I hadn't considered, for example. I wasn't particularly asking for
> someone to hand me a solution; I apologize if that's what people were
> thinking. I was asking for info or pointers to people that had
> ideas or solutions to parts of the problem.
>
> This is also why I was offering to put together a How-To in my original
> post and make the solution public to others -- because I haven't been
> able to _find_ a solution that "does it all" ... ergo, my request for
> pointers to bits of solution.

I realize that you offered to write a HOWTO and I hope that my post doesn't discourage you from doing so. A meaningful HOWTO can only be written by someone who has "been through the war" and is willing to share their scars with others. Unfortunately, I think that all you will find to go by is "bits of the solution" but it would be a real contribution to put those bits together into a set of coherent and tested instructions.

> Thanks anyway. I didn't realize so many people would find my OP so
> offensive. Re-reading the OP, if you just read the first paragraph, I
> guess it could be interpreted such that I was asking for hand-fed
> instructions.

And I probably overreacted to it and I apologize.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2005-10-13 at 09:21 +1000, Tim Edwards wrote:
>>> - setting up a redundant firewall and automatically switching
>>>   over if the primary FW fails -- loss of state in existing
>>>   connections is okay
>>
>> You need a pretty expensive HA system.
>
> The Linux HighAvailability project might be able to do this, and for
> free too, http://www.linux-ha.org/

I use keepalived (http://www.keepalived.org) for a similar setup. 2 upstreams and 2 machines. They use vrrp to handle the failover to the internal network (i use only the vrrp part of keepalived); the internal traffic route is manipulated using bgp (http://www.quagga.net), so we can define which way the traffic comes in (this is automatically changed when a failover situation takes place).

But any routing protocol talked to your provider should make it possible to recognize when the link goes down (and add the routes back if they come up again). If you cannot do this, things will be more difficult, but could be done by a script or something like that...

--arne
--
Arne Bernin <arne@alamut.de>
http://www.ucBering.de
Tom Eastep wrote:
> ...
>> This is also why I was offering to put together a How-To in my original
>> post and make the solution public to others -- because I haven't been
>> able to _find_ a solution that "does it all" ... ergo, my request for
>> pointers to bits of solution.
> ...
>> Thanks anyway. I didn't realize so many people would find my OP so
>> offensive. Re-reading the OP, if you just read the first paragraph, I
>> guess it could be interpreted such that I was asking for hand-fed
>> instructions.

FWIW, Josh, i didn't read it that way.

I've been meaning to write up a HOWTO for my cluster for some time and haven't had a chance yet, work being what it is. What i might do is put what i've got so far on a wiki, and we can work on it together, then bring it all together again for publishing on the shorewall site once we're done. I'm probably not going to get a chance to work on it before December, but you and Christian Lox might be able to improve on what i've got. If that sounds reasonable to you, let me know and i'll set it up in my wiki space.

> And I probably overreacted to it and I apologize.

Time for another coffee, Tom. :-)

Paul
> If that sounds reasonable to you, let me know and i'll set it up in my
> wiki space.

Sure, that sounds good.

What I'm doing in the short term is to manually set up some scripts and to not load balance. For now, I'm splitting "server" traffic (citrix) from "everything else" and the manual scripts will do the conversion in case of catastrophic failure on one of the ISP links. I'm planning to slowly work my way into a fully automated setup.

Thanks,
Josh
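Arne's remark earlier in the thread that link loss "could be done by a script", and Josh's interim plan above of hand-rolled failover scripts, as an added example that is not code from anyone in the thread: a POSIX sh watchdog for the two-link firewall in the sketch. It assumes the provider routers as probe hosts, a 30-second poll, and iproute2's weighted multipath default route instead of a routing daemon.

```shell
#!/bin/sh
# Added example, not from the thread: link watchdog for the two-provider
# firewall in Josh's sketch (interfaces/gateways from the sketch; probe
# host, timings and use of plain "ip route" are assumptions).

ISP1_IF=eth0; ISP1_GW=65.199.241.65; ISP1_W=3   # three T1s
ISP2_IF=eth1; ISP2_GW=66.194.149.1;  ISP2_W=2   # two T1s

# Assumed probe target: the provider's own router. That only proves the
# local circuit; probe a host beyond it to catch upstream outages.
link_up() {                     # $1=interface $2=host; exit 0 if reachable
    ping -I "$1" -c 3 -W 2 "$2" >/dev/null 2>&1
}

# Pure decision: "up"/"down" for ISP1 and ISP2 -> default-route arguments.
# Both up: weighted ECMP multipath (3:2); one up: that gateway alone;
# neither: empty string, so the caller leaves the last good route alone.
route_for_state() {
    case "$1,$2" in
        up,up)   echo "nexthop via $ISP1_GW dev $ISP1_IF weight $ISP1_W nexthop via $ISP2_GW dev $ISP2_IF weight $ISP2_W" ;;
        up,down) echo "via $ISP1_GW dev $ISP1_IF" ;;
        down,up) echo "via $ISP2_GW dev $ISP2_IF" ;;
        *)       echo "" ;;
    esac
}

apply_route() {                 # $1=route arguments (word-splitting intended)
    if [ -z "$1" ]; then
        logger -t linkwatch "both providers down; routes left untouched"
        return 1
    fi
    ip route replace default scope global $1 &&
        logger -t linkwatch "default route now: $1"
}

# Caveat: this steers outbound traffic only. Replies to connections that
# arrived on 65.199.241.x must still leave via ISP1, which needs
# source-based policy routing (ip rule) on top of this default route.
main_loop() {
    prev=""
    while :; do
        s1=down; s2=down
        link_up "$ISP1_IF" "$ISP1_GW" && s1=up
        link_up "$ISP2_IF" "$ISP2_GW" && s2=up
        spec=$(route_for_state "$s1" "$s2")
        if [ "$spec" != "$prev" ]; then apply_route "$spec" && prev="$spec"; fi
        sleep 30
    done
}
if [ "$1" = run ]; then main_loop; fi   # sourcing the file won't touch routes
```

Run it as root with `run` as the only argument; the route is only rewritten when the link state actually changes, so a steady network produces no churn.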