> So just to confirm, there shouldn't be any issues in having this in my default wan-failover.script e.g. whether outbound-snat is configured or not?
Correct, the OUTBOUND_SNAT nat chain should only exist when the outbound-snat plugin is enabled. But test anyway :-)

Lonnie

> On Mar 19, 2021, at 5:13 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie
>
> So just to confirm, there shouldn't be any issues in having this in my default wan-failover.script e.g. whether outbound-snat is configured or not?
>
> Regards
> Michael Knill
>
> On 20/3/21, 9:08 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> Again off the top of my head (needs testing), this would be more general...
>
> -- /mnt/kd/wan-failover.script snippet --
>
> SECONDARY)
>   ...
>   ## Disable outbound-snat plugin in iptables
>   if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
>     iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>   fi
>   ;;
>
> PRIMARY)
>   ...
>   ## Re-Enable outbound-snat plugin
>   if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
>     iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>   fi
>   ;;
> --
>
> I'm having second thoughts about editing the ENABLED variable ... what if the box was rebooted while on failover, with ENABLED set to 0 on SECONDARY you would have effectively disabled the outbound-snat plugin after reboot.
>
> But, the above snippet should work whether the outbound-snat plugin is enabled or not.
>
> But still not perfect.
>
>> PS. Would this be worth doing as part of the standard failover as I can't think of any instance where we would not want to disable SNAT when it fails over to another WAN interface.
>
> Yes, but I doubt the outbound-snat plugin is enabled very commonly, implying multiple IPv4 WAN addresses. My first thought is to do as above in the wan-failover.script.
>
> Lonnie
>
>
>> On Mar 19, 2021, at 4:05 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Thanks Lonnie
>>
>> Sorry for the late reply. Yes I'm using the outbound-snat plugin.
>> So just to confirm:
>> SECONDARY)
>> ....
>> ## Disable outbound-snat plugin in both iptables and config file in case of reboot
>> iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>> sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>> ;;
>>
>> PRIMARY)
>> ...
>> ## Re-Enable outbound-snat plugin and config file
>> iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>> sed -i 's/^ENABLED=.*$/ENABLED=1/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>> ;;
>>
>> I'm thinking that I might look at OUTBOUND_SNAT_NET_HOST to see if something is set to make the decision on whether I disable and re-enable so it can be a generic script.
>>
>> PS. Would this be worth doing as part of the standard failover as I can't think of any instance where we would not want to disable SNAT when it fails over to another WAN interface.
>>
>> Regards
>> Michael Knill
>>
>> On 18/3/21, 1:49 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>
>> Hi Michael,
>>
>> When you say you have SNAT configured, are you using the nat-loopback plugin or the outbound-snat plugin ?
>>
>> Either of those require obtaining the WAN IPv4 address to attach iptables "-j SNAT --to-source $ip" rules, and as written only look at the primary external address. Even if the Failover interface was looked at, the firewall would have to be rebuilt for the failover context switch with the /mnt/kd/wan-failover.script .
>>
>> Question, does either of these plugins make sense for a failover situation ?
>>
>> Possibly you want to disable the outbound-snat plugin on failover and re-enable it on return to primary ?
>>
>> If you have the special case of the outbound-snat plugin enabled, you could (untested code):
>>
>> -- /mnt/kd/wan-failover.script snippet --
>>
>> SECONDARY)
>>   ## Switched to Failover using secondary WAN link
>>
>>   ## Disable outbound-snat plugin
>>   iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>>   ;;
>>
>> PRIMARY)
>>   ## Switched back to normal using primary WAN link
>>
>>   ## Re-Enable outbound-snat plugin
>>   iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>>   ;;
>>
>> --
>> but this is somewhat fragile, such that if the firewall was restarted during failover it would revert to the PRIMARY setting. To be less fragile, you could also add:
>> --
>> sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>> --
>> and ENABLED=1 on return to PRIMARY.
>>
>>
>> Lonnie
>>
>>
>>
>>> On Mar 17, 2021, at 1:16 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>> Grr problem now found. I had SNAT configured which didn't work on the second WAN connection.
>>> Any way I can fix this e.g. don't do SNAT on the failover WAN?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
>>> Reply to: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Date: Wednesday, 17 March 2021 at 4:27 pm
>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Subject: [Astlinux-users] Weird routing problem
>>>
>>> Hi Group
>>>
>>> I'm currently at a site that has a primary and failover WAN connection and two LAN connections. The primary WAN connection has failed over to the secondary WAN connection however it is only working on one of the LAN interfaces and not the other. I can ping the interface address fine so it's not an interface problem.
>>>
>>> Does anyone have any idea why this would be happening?
>>>
>>> Regards
>>> Michael Knill
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Astlinux-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
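An added example, not code from the thread or from AstLinux: the SECONDARY/PRIMARY snippets above delete or insert the POSTROUTING jump blindly, so a bare `-I` on every failback stacks duplicate jumps and a bare `-D` errors when the outbound-snat plugin is off. This version checks the chain with `-nL` (as Lonnie's second snippet does) and the jump with `iptables -C` (rule check, iptables 1.4.11 or later). The `IPTABLES` override, the function names and the `$1` dispatch are this example's own assumptions.

```shell
#!/bin/sh
# Added example: an idempotent OUTBOUND_SNAT toggle for /mnt/kd/wan-failover.script.
# IPTABLES may be overridden (e.g. with a stub) so the logic can be exercised
# without touching a live firewall; the function names are this example's own.
IPTABLES="${IPTABLES:-iptables}"
SNAT_CHAIN="OUTBOUND_SNAT"

# True only when the outbound-snat plugin has built its nat chain.
snat_chain_exists() {
  "$IPTABLES" -t nat -nL "$SNAT_CHAIN" >/dev/null 2>&1
}

# True when POSTROUTING already jumps to the chain (iptables -C, 1.4.11+).
snat_jump_present() {
  "$IPTABLES" -t nat -C POSTROUTING -j "$SNAT_CHAIN" >/dev/null 2>&1
}

# SECONDARY: remove every jump to the chain. -D removes one rule per call,
# so loop until -C no longer finds one; a no-op when the plugin is disabled.
disable_outbound_snat() {
  snat_chain_exists || return 0
  while snat_jump_present; do
    "$IPTABLES" -t nat -D POSTROUTING -j "$SNAT_CHAIN" || return 1
  done
  return 0
}

# PRIMARY: re-add the jump at the head of POSTROUTING, but never a second copy
# (repeated failover/failback with a bare -I would stack duplicate rules).
enable_outbound_snat() {
  snat_chain_exists || return 0
  snat_jump_present && return 0
  "$IPTABLES" -t nat -I POSTROUTING -j "$SNAT_CHAIN"
}

# Dispatch mirrors the case labels in the thread; taking the state from $1
# is an assumption of this example, not AstLinux's calling convention.
case "$1" in
  SECONDARY) disable_outbound_snat ;;
  PRIMARY)   enable_outbound_snat ;;
esac
```

This still leaves the reboot-during-failover case that Lonnie raises open: the runtime toggle is lost when the firewall is rebuilt, and editing ENABLED in the plugin config has the opposite failure mode.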