Hi,

I would appreciate it if I could get some advice before setting up a firewall 
with a failover procedure.

Network layout:

           loc1
            |
net1 --- Shorewall1 --- net2
|                        |
net1 --- Shorewall2 --- net2
            |
           loc2

loc1: 10.0.0.0/16
loc2: 10.1.0.0/16
net1: 172.16.0.0/24
net2: 172.16.1.0/24
Shorewall1: 3 NICs connected to loc1, net1 and net2
Shorewall2: 3 NICs connected to loc2, net1 and net2

Assumption:
Shorewall1,2 route loc1 and loc2 traffic via net1 by default and use net2 only 
as a backup in case net1 fails. If net1 comes back on-line, packets should be 
re-routed through net1.

Connection example:
HTTP or FTP data download between a client in loc1 (10.0.0.1) and a server in loc2 
(10.1.0.1) through net1 (default route loc1->loc2).
While the HTTP/FTP download is in progress, the net1 link fails.

I suppose Shorewall1 and Shorewall2 can be configured to re-route packets 
automatically in case a link (net1 or net2) fails. However, changing the route 
through a different physical interface should break active connections.

I don't think there's any way of "preserving" a connection in this scenario and 
"moving it transparently" from, say, net1 to net2, so that the user application 
(FTP/HTTP) isn't interrupted. Am I right?
i.e. the connection must always be re-initiated/resumed by the client after a 
transient network failure and re-routing.

=============================================

Other network layout:

                     loc1 ----------------- loc1
                          |               | 
(ucarp or keepalived) Shorewall1 --- Shorewall2 (conntrackd)
                          |               |
                        net1             net2
                          |               |
(ucarp or keepalived) Shorewall3 --- Shorewall4 (conntrackd)
                          |               |
                     loc2 ----------------- loc2

conntrackd: 192.168.100.0/24 (crossover cable)
loc1, loc2, net1, net2: same as in previous example

Assumptions:
Shorewall1 and Shorewall3 are "masters" and route traffic through net1 (default 
route).
Shorewall2 and Shorewall4 are "slaves" and route traffic through net2.
If net1 fails then all traffic from/to loc1/loc2 is sent through net2.
Conntrackd syncs connection states between Shorewall1 and Shorewall2. Same for 
Shorewall3 and Shorewall4.

Connection example:
Same as in previous example.
HTTP or FTP data download between a client in loc1 (10.0.0.1) and a server in loc2 
(10.1.0.1) through the masters Shorewall1 & Shorewall3 via net1.
While the HTTP/FTP download is in progress, the net1 link fails and traffic should 
flow through the slaves Shorewall2 & Shorewall4 via net2.

Will the HTTP/FTP client in loc1 be able to continue downloading the file in 
loc2 as if there weren't any network disruptions?

Thanks for your time,

Vieri

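The second layout pairs a VRRP daemon with conntrackd on each firewall pair. As an added example (not part of the original post, and not Shorewall's or conntrackd's own code), the script below is the keepalived `notify` hook that drives conntrackd through a MASTER/BACKUP transition, following the sequence conntrackd's documentation recommends for primary-backup setups. It assumes keepalived (rather than ucarp) is the VRRP daemon on Shorewall1/2 and Shorewall3/4, that conntrackd is installed at /usr/sbin/conntrackd with its config at /etc/conntrackd/conntrackd.conf, and that the 192.168.100.0/24 crossover link is the sync channel configured in that file; keepalived invokes the script with `$1` = "INSTANCE" or "GROUP", `$2` = the instance name, `$3` = the new state and `$4` = the priority. `DRY_RUN=1` prints the conntrackd invocations instead of executing them, which is how it can be exercised on a workstation.

```shell
#!/bin/sh
# Added example: keepalived notify script driving conntrackd on a firewall pair.
# Assumed paths (override via environment if your distribution differs).
CONNTRACKD_BIN="${CONNTRACKD_BIN:-/usr/sbin/conntrackd}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"
DRY_RUN="${DRY_RUN:-0}"

# Run one conntrackd command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG $*"
    else
        "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"
    fi
}

# Map a VRRP state change to the conntrackd actions this node must take.
# MASTER: the connections the old master was tracking sit in our external
# cache; commit them to the kernel so mid-stream packets match ESTABLISHED
# instead of being dropped as INVALID, then rebuild and broadcast our own cache.
# BACKUP/FAULT: let stale kernel entries expire quickly and ask the new master
# for a full copy of its table.
conntrackd_transition() {
    case "$1" in
        MASTER)
            run -c   # commit external cache (peer's connections) into the kernel
            run -f   # flush the internal and external caches
            run -R   # resynchronise the internal cache with the kernel table
            run -B   # bulk-send the internal cache to the backup node
            ;;
        BACKUP|FAULT)
            run -t   # shorten kernel conntrack timers so zombie entries expire
            run -n   # request a resync from the master
            ;;
        *)
            echo "conntrackd-notify: unknown VRRP state '$1'" >&2
            return 1
            ;;
    esac
}

# keepalived calls: script INSTANCE|GROUP <name> <state> <priority>
if [ "$#" -ge 3 ]; then
    conntrackd_transition "$3"
fi
```

Wire it into keepalived with `notify /etc/keepalived/conntrackd-notify.sh` inside the `vrrp_instance` block on both nodes of a pair. The script only handles connection-state handoff; the zone and policy configuration in Shorewall must already be identical on both nodes, since a committed conntrack entry is useless if the backup's ruleset would not have accepted the flow in the first place.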

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
