On 26. aug. 2010, at 00.18, Don Tek wrote:

> I've recently implemented a firewall with two internet connections using multipath routing and round-robin outbound load balancing.
>
> I am looking for a solution from the shell to detect failure of these two internet gateways so I can force routing and pf changes from a script.
>
> I need something more robust than simply checking to see if the interface is up or down.
>
> I have managed a solution using traceroute that allows me to accomplish half of my goal. I can detect a failure and "down" that route; however, once I delete the default route from the routing table for the failed connection, I can no longer test it with traceroute. This is because it doesn't appear to me that OpenBSD's traceroute allows forcing an interface to work on.
>
> I am looking for better solutions from some of you more experienced users. Any suggestions are welcome.
>
> don..
Taking a look at the bigger picture, the 'correct' way to do this is to have redundancy at the firewall level as well as at the ISP link level. This gives higher availability, and makes your problem much easier. If you have a single ISP link per firewall then link testing is simple. Redundancy/LB is then managed by CARP between the two firewalls' _inside_ interfaces.

/Pete
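An added example, not code from either poster, of one way to probe each link from the shell even after that link's default route has been deleted: pin a host route for a per-link probe target through that link's gateway (so the probe always leaves by that link regardless of the default routes), ping it, and flip routes and a pf table only on state changes. The link names, gateway and probe addresses (TEST-NET ranges), the state directory and the pf table name `isp_up` are all assumptions; the `route add -mpath`, `pfctl -T add/delete` and `ping -w` flags follow OpenBSD's route(8), pfctl(8) and ping(8) as I know them, so confirm them against your release before relying on them.

```shell
#!/bin/sh
# linkcheck.sh: probe each ISP link on its own path and flip routes/pf only
# on state changes. Added example; every address, name and table below is a
# constructed assumption, not taken from the thread.
set -u

LINKS="isp1 isp2"
# Gateway and probe target per link (TEST-NET addresses, hypothetical).
GW_isp1=192.0.2.1;    PROBE_isp1=198.51.100.10
GW_isp2=203.0.113.1;  PROBE_isp2=198.51.100.20

STATEDIR=${STATEDIR:-/var/run/linkcheck}
PF_TABLE=isp_up      # assumed in pf.conf: table <isp_up> persist
PING_COUNT=3
PING_WAIT=5          # ping -w maxwait seconds (OpenBSD ping(8))

# getvar GW isp1 -> contents of $GW_isp1
getvar() { eval "printf '%s' \"\$${1}_${2}\""; }

# Pin a host route for the probe target through this link's gateway, so the
# probe still leaves via this link after its default route has been deleted.
pin_probe_route() {
    route -n add -host "$(getvar PROBE "$1")" "$(getvar GW "$1")" >/dev/null 2>&1 || true
}

# 0 if the probe target answered via this link, 1 otherwise.
probe_link() {
    ping -n -q -c "$PING_COUNT" -w "$PING_WAIT" "$(getvar PROBE "$1")" >/dev/null 2>&1
}

last_state() { cat "$STATEDIR/$1" 2>/dev/null || echo unknown; }
save_state() { printf '%s\n' "$2" > "$STATEDIR/$1"; }

# Re-add this link's multipath default route and put its gateway in the pf table.
link_up() {
    route -n add -mpath default "$(getvar GW "$1")" >/dev/null 2>&1 || true
    pfctl -t "$PF_TABLE" -T add "$(getvar GW "$1")" >/dev/null 2>&1 || true
}

# Remove this link's default route (the pinned probe route stays) and drop it from pf.
link_down() {
    route -n delete default "$(getvar GW "$1")" >/dev/null 2>&1 || true
    pfctl -t "$PF_TABLE" -T delete "$(getvar GW "$1")" >/dev/null 2>&1 || true
}

# Probe one link, act only if its state changed, print the new state.
check_link() {
    link=$1
    pin_probe_route "$link"
    if probe_link "$link"; then new=up; else new=down; fi
    old=$(last_state "$link")
    if [ "$new" != "$old" ]; then
        logger -t linkcheck "$link: $old -> $new" >/dev/null 2>&1 || true
        if [ "$new" = up ]; then link_up "$link"; else link_down "$link"; fi
        save_state "$link" "$new"
    fi
    printf '%s\n' "$new"
}

main() {
    mkdir -p "$STATEDIR"
    for l in $LINKS; do
        printf '%s %s\n' "$l" "$(check_link "$l")"
    done
}

# Invoked as "linkcheck.sh check" (e.g. every minute from root's crontab);
# with no argument the file only defines the functions.
if [ "${1:-}" = check ]; then main; fi
```

Two caveats that matter in practice. The pinned host route means the probe target is reachable only through that one link, so pick a target per link that nothing else depends on (a host beyond the ISP's next hop, not the gateway itself, which would only prove the first hop is alive). And because the script acts only on transitions and records state in a file, a flapping link will flap your routes too; add a hold-down (require N consecutive failures before declaring down) if that bites. None of this replaces Pete's point that a CARP pair with one ISP per firewall makes the testing problem go away.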

