Hi Michael,

Again off the top of my head (needs testing), this would be more general...

-- /mnt/kd/wan-failover.script snippet --

SECONDARY)
  ...
  ## Disable outbound-snat plugin in iptables
  if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
    iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
  fi
  ;;

PRIMARY)
  ...
  ## Re-Enable outbound-snat plugin
  if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
    iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
  fi
  ;;
--

I'm having second thoughts about editing the ENABLED variable ... what if the box was rebooted while on failover? With ENABLED set to 0 on SECONDARY you would have effectively disabled the outbound-snat plugin after reboot.

But, the above snippet should work whether the outbound-snat plugin is enabled or not. But still not perfect.

> PS. Would this be worth doing as part of the standard failover as I can't
> think of any instance where we would not want to disable SNAT when it fails
> over to another WAN interface.

Yes, but I doubt the outbound-snat plugin is enabled very commonly, implying multiple IPv4 WAN addresses. My first thought is to do as above in the wan-failover.script.

Lonnie

> On Mar 19, 2021, at 4:05 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie
>
> Sorry for the late reply. Yes I'm using the outbound-snat plugin.
> So just to confirm:
>
> SECONDARY)
>   ....
>   ## Disable outbound-snat plugin in both iptables and config file in case of reboot
>   iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>   sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>   ;;
>
> PRIMARY)
>   ...
>   ## Re-Enable outbound-snat plugin and config file
>   iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>   sed -i 's/^ENABLED=.*$/ENABLED=1/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>   ;;
>
> I'm thinking that I might look at OUTBOUND_SNAT_NET_HOST to see if something is set to make the decision on whether I disable and re-enable so it can be a generic script.
>
> PS. Would this be worth doing as part of the standard failover as I can't think of any instance where we would not want to disable SNAT when it fails over to another WAN interface.
>
> Regards
> Michael Knill
>
> On 18/3/21, 1:49 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> When you say you have SNAT configured, are you using the nat-loopback plugin or the outbound-snat plugin?
>
> Either of those require obtaining the WAN IPv4 address to attach iptables "-j SNAT --to-source $ip" rules, and as written only look at the primary external address. Even if the Failover interface was looked at, the firewall would have to be rebuilt for the failover context switch with the /mnt/kd/wan-failover.script .
>
> Question, does either of these plugins make sense for a failover situation?
>
> Possibly you want to disable the outbound-snat plugin on failover and re-enable it on return to primary?
>
> If you have the special case of the outbound-snat plugin enabled, you could (untested code):
>
> -- /mnt/kd/wan-failover.script snippet --
>
> SECONDARY)
>   ## Switched to Failover using secondary WAN link
>
>   ## Disable outbound-snat plugin
>   iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>   ;;
>
> PRIMARY)
>   ## Switched back to normal using primary WAN link
>
>   ## Re-Enable outbound-snat plugin
>   iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>   ;;
> --
>
> but this is somewhat fragile, such that if the firewall was restarted during failover it would revert to the PRIMARY setting. To be less fragile, you could also add:
> --
> sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
> --
> and ENABLED=1 on return to PRIMARY.
>
>
> Lonnie
>
>
>> On Mar 17, 2021, at 1:16 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Grr problem now found. I had SNAT configured which didn't work on the second WAN connection.
>> Any way I can fix this e.g. don't do SNAT on the failover WAN?
>>
>> Regards
>> Michael Knill
>>
>> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
>> Reply to: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Wednesday, 17 March 2021 at 4:27 pm
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: [Astlinux-users] Weird routing problem
>>
>> Hi Group
>>
>> I'm currently at a site that has a primary and failover WAN connection and two LAN connections. The primary WAN connection has failed over to the secondary WAN connection however it is only working on one of the LAN interfaces and not the other. I can ping the interface address fine so it's not an interface problem.
>>
>> Does anyone have any idea why this would be happening?
>>
>> Regards
>> Michael Knill
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to
>> pay...@krisk.org.
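An idempotent version of the hook discussed in this thread, as an added example that is not part of the thread or of AstLinux: it uses `iptables -C` to test for the POSTROUTING jump before deleting or inserting it, so the SECONDARY/PRIMARY handlers can run more than once (or after a firewall restart) without stacking duplicate jumps or failing on an absent rule. The function names are my own; the chain name OUTBOUND_SNAT and the /mnt/kd/wan-failover.script location come from the thread, and the ENABLED= edit in the config file is deliberately left out.

```shell
#!/bin/sh
# Added example, not from the thread or AstLinux: idempotent helpers for
# the outbound-snat toggle in /mnt/kd/wan-failover.script. Assumes the
# plugin's nat chain is named OUTBOUND_SNAT, as in the thread.

# True if the OUTBOUND_SNAT chain exists, i.e. the plugin is enabled.
snat_chain_exists() {
  iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1
}

# True if POSTROUTING currently jumps to OUTBOUND_SNAT. "-C" checks
# for an exact rule without modifying the table.
snat_jump_present() {
  iptables -t nat -C POSTROUTING -j OUTBOUND_SNAT >/dev/null 2>&1
}

# Failover: remove every jump. A bare "-D" fails when the rule is absent
# and removes only one copy when a repeated "-I" has stacked duplicates.
snat_detach() {
  snat_chain_exists || return 0
  while snat_jump_present; do
    iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT || return 1
  done
  return 0
}

# Return to primary: ensure exactly one jump is attached.
snat_attach() {
  snat_chain_exists || return 0
  snat_jump_present && return 0
  iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
}

# Entry point for the hook: "$1" is SECONDARY or PRIMARY.
wan_failover_snat() {
  case "$1" in
    SECONDARY) snat_detach ;;
    PRIMARY)   snat_attach ;;
    *) echo "wan_failover_snat: unknown state '$1'" >&2; return 2 ;;
  esac
}
```

Call `wan_failover_snat SECONDARY` from the SECONDARY) branch of the script and `wan_failover_snat PRIMARY` from the PRIMARY) branch; both are safe to repeat.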