On August 26, 2010 4:14 Pete Vickers wrote:
> On 26. aug. 2010, at 00.18, Don Tek wrote:
>
>> I've recently implemented a firewall with two internet connections using
>> multipath routing and round-robin outbound load balancing.
>>
>> I am looking for a solution from the shell to detect failure of these two
>> internet gateways so I can force routing and pf changes from a script.
>>
>> I need something more robust than simply checking to see if the interface
>> is up or down.
>>
>> I have managed a solution using traceroute that allows me to accomplish
>> half of my goal.  I can detect a failure and "down" that route, however,
>> once I delete the default route from the routing table for the failed
>> connection, I can no longer test it with traceroute.  This is because it
>> doesn't appear to me that OpenBSD's traceroute allows forcing an interface
>> to work on.
>>
>> I am looking for better solutions from some of you more experienced
>> users.  Any suggestions are welcome.
>>
>> don..
>>


> Taking a look at the bigger picture, the 'correct' way to do this is to
> have redundancy at the firewall level as well at ISP link level. This gives
> higher availability, and makes your problem much easier. If you have a
> single ISP link per firewall then link testing is simple. Redundancy/LB is
> then managed by CARP between the two firewalls' _inside_ interfaces.

>/Pete

I wish I could do this, but this particular client is as stingy as it gets
with IT spending.  They also aren't very concerned about redundancy.  The
only reason they even have two ISPs is because they don't employ any
internal IT personnel and we try and do almost everything remotely, and,
they insist on hosting file sharing for their road warriors internally and
it was the cheapest route to more speed.  Of course, the two ISPs are
nothing more than DSL and DOCSIS from two different companies which seem to
flake out fairly often.  At least if I can test on the one firewall, I can
send notification and adjust routes when one of them goes down.
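A defender-side sketch of the polling logic this thread is after, added here as an example and not taken from any of the posters: each gateway's state is tracked with hysteresis so a single dropped probe does not trigger a route change, and the probe binds a source address (ping -I on OpenBSD) instead of using traceroute, so a link can still be tested after its default route has been deleted. The thresholds, the probe command and the update/monitor function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: per-gateway health with
# hysteresis so a single lost probe does not flap the routing table.
# Names, thresholds and the probe command are assumptions for illustration.

DOWN_AFTER=${DOWN_AFTER:-3}   # consecutive failed probes before declaring DOWN
UP_AFTER=${UP_AFTER:-2}       # consecutive good probes before declaring UP

# probe GATEWAY SRCADDR: exit 0 when the gateway answers. Binding the source
# address (ping -I on OpenBSD) keeps the probe on that link even after its
# default route has been removed; adjust for your setup.
probe() {
    ping -q -c 1 -w 2 -I "$2" "$1" >/dev/null 2>&1
}

# update STATE COUNT RESULT: prints "NEWSTATE NEWCOUNT". STATE is up|down,
# RESULT is ok|fail, COUNT is the streak of probes disagreeing with STATE.
update() {
    state=$1; count=$2; result=$3
    if [ "$state" = up ] && [ "$result" = fail ]; then
        count=$((count + 1))
        [ "$count" -ge "$DOWN_AFTER" ] && { state=down; count=0; }
    elif [ "$state" = down ] && [ "$result" = ok ]; then
        count=$((count + 1))
        [ "$count" -ge "$UP_AFTER" ] && { state=up; count=0; }
    else
        count=0   # result agrees with current state: reset the streak
    fi
    echo "$state $count"
}

# Poll loop: on a state change this is where route(8)/pfctl(8) and a
# notification would be invoked (left as an echo here).
monitor() {
    gw=$1; src=$2; state=up; count=0
    while :; do
        if probe "$gw" "$src"; then r=ok; else r=fail; fi
        set -- $(update "$state" "$count" "$r")
        [ "$1" != "$state" ] && echo "gateway $gw is now $1"
        state=$1; count=$2
        sleep 10
    done
}
```

Run one monitor per link (for example in the background from rc.local), keeping the DOWN_AFTER threshold high enough to ride out the brief outages the poster describes on DSL and DOCSIS links.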
