Re: ifstated.conf for pppoe

2007-09-05 Thread Jacob Yocom-Piatt

Can E. Acar wrote:
>> anybody got an ifstated.conf they're willing to share for having
>> redundancy on their pppoe connection? example: your firewall that does
>> the pppoe goes down and you want another machine to restart the pppoe
>> session and route your network.
>
> I don't have the configuration with me right now (and it is probably gone
> since the site using it does not have adsl anymore) however the most
> fun configuration I did was something like that:
>
> two adsl links, two OpenBSD firewalls, using carp for failover.
> each firewall had connections to _both_ adsl modems, so that
> they can balance outgoing stuff.
>
> The load balancing was done using multipath routing (route -multi).
> The carp was used on the inner interface.
>
> So if carp was master, I would bring UP both pppoe interfaces
> if one of the pppoe connections went down, I would adjust
> routing to route over the remaining session etc.

  


thx for the input, can and stuart. i've setup routing adjustments as you 
mentioned (not included here), didn't realize it was so easy :P.


here is a basic ifstated.conf that does what i need that runs on the 
backup firewall:


# ifstated.conf for pppoe failover

# ensure the primary firewall's internal interface is up, if not start
# another pppoe session on the backup firewall

# address of other firewall's int_if0
peer_up = '( "ping -q -c 1 -w 1 10.0.0.252 > /dev/null" every 10)'

state auto {
   if $peer_up {
      set-state primary_online
   }
   if ! $peer_up {
      set-state primary_offline
   }
}

state primary_online {
   init {
      run "/root/pppoe0.down"
   }
   if ! $peer_up {
      set-state primary_offline
   }
}

state primary_offline {
   init {
      run "/root/pppoe0.up"
   }
   if $peer_up {
      set-state primary_online
   }
}

# cat /root/pppoe0.up
#!/bin/ksh

# destroy existing pppoe0 interface and create anew
ifconfig pppoe0 inet x.y.z.w netmask 255.255.255.248 x.y.z.254 pppoedev hme0 \
    authproto pap authname [EMAIL PROTECTED] authkey SECRET up


# delete existing default route and add adsl
route delete default
route add default x.y.z.254

# cat /root/pppoe0.down
#!/bin/ksh

ifconfig pppoe0 down
ifconfig pppoe0 destroy

route delete default
route add -mpath default a.b.c.d


> In order to make failover work smoothly, I matched the MAC
> addresses on the corresponding outer interfaces of each
> firewall so that they can see the same pppoe sessions,
> and built the kernel with PPPOE_TERM_UNKNOWN_SESSIONS

  


for my purposes it should be ok to omit this. haven't seen any troubles 
getting a new pppoe session up when i've tested without considering this 
case, e.g. down primary firewall to see if the backup starts the pppoe 
session and routes packets over it ok. i think my ISP sends LCP echo 
requests, but i could be wrong...


cheers,
jake


> Can

  



--
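
Added example (not part of the thread and not any poster's code): the ifstated.conf above declares the primary down after a single lost ping, which starts a second pppoe session on the backup. The sketch below is a debounced check that reports the peer down only after several consecutive failed probes. The script name /root/peer_check, the PROBE variable, the peer_alive function and the default of three tries are all assumptions made for this example.

```shell
#!/bin/sh
# Debounced peer check for use as an ifstated external test.
# Hypothetical helper; names and defaults are assumptions of this example.

# Command used to probe the peer once. The default is the ping from the
# thread's ifstated.conf; override PROBE to exercise the logic offline.
: "${PROBE:=ping -q -c 1 -w 1}"

# peer_alive ADDR [TRIES]
# Returns 0 as soon as one probe succeeds and 1 only after TRIES
# consecutive failures. Keep TRIES times the probe timeout below the
# "every N" interval in ifstated.conf so checks do not overlap.
peer_alive() {
    addr=$1
    tries=${2:-3}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if $PROBE "$addr" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Run the check only when installed under the assumed name, so the file
# can also be sourced for testing without sending any probes.
case ${0##*/} in
    peer_check) peer_alive "$@" ;;
esac
```

Installed as /root/peer_check (assumed path), it would replace the ping in the external test: peer_up = '( "/root/peer_check 10.0.0.252 3" every 10)'.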



ifstated.conf for pppoe

2007-09-04 Thread Jacob Yocom-Piatt
anybody got an ifstated.conf they're willing to share for having 
redundancy on their pppoe connection? example: your firewall that does 
the pppoe goes down and you want another machine to restart the pppoe 
session and route your network.


am building one right now and will post it if nobody else ponies up in 
the next few hours.


cheers,
jake

--



Re: ifstated.conf for pppoe

2007-09-04 Thread Can E. Acar
> anybody got an ifstated.conf they're willing to share for having
> redundancy on their pppoe connection? example: your firewall that does
> the pppoe goes down and you want another machine to restart the pppoe
> session and route your network.

I don't have the configuration with me right now (and it is probably gone
since the site using it does not have adsl anymore) however the most
fun configuration I did was something like that:

two adsl links, two OpenBSD firewalls, using carp for failover.
each firewall had connections to _both_ adsl modems, so that
they can balance outgoing stuff.

The load balancing was done using multipath routing (route -multi).
The carp was used on the inner interface.

So if carp was master, I would bring UP both pppoe interfaces
if one of the pppoe connections went down, I would adjust
routing to route over the remaining session etc.

In order to make failover work smoothly, I matched the MAC
addresses on the corresponding outer interfaces of each
firewall so that they can see the same pppoe sessions,
and built the kernel with PPPOE_TERM_UNKNOWN_SESSIONS

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.