On 09/17/2012 06:06 AM, Vieri Di Paola wrote:
> Hi,
>
> I would appreciate it if I could get some advice before setting up a firewall 
> with a failover procedure.
>
> Network layout:
>
>             loc1
>              |
> net1 --- Shorewall1 --- net2
> |                        |
> net1 --- Shorewall2 --- net2
>              |
>             loc2
>
> loc1: 10.0.0.0/16
> loc2: 10.1.0.0/16
> net1: 172.16.0.0/24
> net2: 172.16.1.0/24
> Shorewall1: 3 NICs connected to loc1, net1 and net2
> Shorewall2: 3 NICs connected to loc2, net1 and net2
>
> Assumption:
> Shorewall1 and Shorewall2 route loc1 and loc2 traffic via net1 by default and use net2 
> only as a backup in case net1 fails. If net1 comes back on-line, packets 
> should be re-routed through net1.
>
> Connection example:
> HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 
> (10.1.0.1) through net1 (default route loc1->loc2).
> While HTTP/FTP download in progress, net1 link fails.
>
> I suppose Shorewall1 and Shorewall2 can be configured to re-route packets 
> automatically in case a link (net1 or net2) fails. However, changing the 
> route through a different physical interface should break active connections.
>
> I don't think there's any way of "preserving" a connection in this scenario 
> and "moving it transparently" from, say, net1 to net2, so that the user 
> application (FTP/HTTP) isn't interrupted. Am I right?
> i.e., the connection must always be re-initiated/resumed by the client after 
> a transient network failure and re-routing.

It depends on how net1 fails. If an error ICMP is returned to either of 
the endpoints, then the connection will be broken.

>
> =============================================
>
> Other network layout:
>
>                       loc1 ----------------- loc1
>                            |               |
> (ucarp or keepalived) Shorewall1 --- Shorewall2 (conntrackd)
>                            |               |
>                          net1             net2
>                            |               |
> (ucarp or keepalived) Shorewall3 --- Shorewall4 (conntrackd)
>                            |               |
>                       loc2 ----------------- loc2
>
> conntrackd: 192.168.100.0/24 (crossover cable)
> loc1, loc2, net1, net2: same as in previous example
>
> Assumptions:
> Shorewall1 and Shorewall3 are "masters" and route traffic through net1 
> (default route).
> Shorewall2 and Shorewall4 are "slaves" and route traffic through net2.
> If net1 fails then all traffic from/to loc1/loc2 is sent through net2.
> conntrackd syncs connection states between Shorewall1 and Shorewall2. Same 
> for Shorewall3 and Shorewall4.
>
> Connection example:
> Same as in previous example.
> HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 
> (10.1.0.1) through masters Shorewall1 & Shorewall3 via net1.
> While HTTP/FTP download in progress, net1 link fails and traffic should flow 
> through slaves Shorewall2 & Shorewall4 via net2.
>
> Will the HTTP/FTP client in loc1 be able to continue downloading the file in 
> loc2 as if there weren't any network disruptions?

Same issue as above.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
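The first layout above asks Shorewall1 to send loc2 traffic over net1, fall back to net2 when net1 fails, and move back once net1 returns. The script below is an added example of that monitoring logic in POSIX shell; it is not from the post and not Shorewall's own code (Shorewall's multi-ISP documentation covers link monitoring, e.g. with LSM, and the providers file). Interface names eth1/eth2 (Shorewall1's net1/net2 NICs), the gateways 172.16.0.2/172.16.1.2 (Shorewall2's addresses on net1/net2), and the probe interval are assumptions; with the default DRY_RUN=1 it prints the ip commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the post, not Shorewall's code): keep loc2 reachable
# from Shorewall1 over net1, fall back to net2 when net1's gateway stops
# answering, and return to net1 once it has been stable again.
# Interface names and gateway addresses are assumptions: eth1/eth2 are
# Shorewall1's net1/net2 NICs, the gateways are Shorewall2's addresses there.
NET1_IF=${NET1_IF:-eth1};  NET1_GW=${NET1_GW:-172.16.0.2}
NET2_IF=${NET2_IF:-eth2};  NET2_GW=${NET2_GW:-172.16.1.2}
DEST=${DEST:-10.1.0.0/16}           # loc2, reached through Shorewall2
INTERVAL=${INTERVAL:-5}             # seconds between probes
FAILBACK_OK=${FAILBACK_OK:-3}       # good probes required before failing back
DRY_RUN=${DRY_RUN:-1}               # 1: print the ip commands instead of running them

# link_up IFACE GATEWAY: true when the gateway answers one ping via that NIC
link_up() {
    ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1
}

# choose_route CURRENT NET1STATE NET2STATE NET1_OK_COUNT -> net1 | net2 | none
# net1 is preferred and net2 only a backup.  Once failed over, the route goes
# back to net1 only after FAILBACK_OK consecutive good probes, so a flapping
# link does not move every active connection's path on each probe.
choose_route() {
    cur=$1 s1=$2 s2=$3 ok=${4:-0}
    if [ "$s1" = up ]; then
        if [ -z "$cur" ] || [ "$cur" = net1 ] || [ "$ok" -ge "$FAILBACK_OK" ]; then
            echo net1
        elif [ "$s2" = up ]; then
            echo net2            # net1 recovering but not trusted yet
        else
            echo net1            # net1 is all there is
        fi
    elif [ "$s2" = up ]; then
        echo net2
    else
        echo none
    fi
}

# apply_route net1|net2|none: replace the route to DEST (or withdraw it)
apply_route() {
    case "$1" in
        net1) cmd="ip route replace $DEST via $NET1_GW dev $NET1_IF" ;;
        net2) cmd="ip route replace $DEST via $NET2_GW dev $NET2_IF" ;;
        none) cmd="ip route del $DEST" ;;
        *)    return 1 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $cmd"; else $cmd; fi
}

# monitor: probe both gateways forever, change the route only when the
# decision changes, and log each change
monitor() {
    current="" ok=0
    while :; do
        s1=down; link_up "$NET1_IF" "$NET1_GW" && s1=up
        s2=down; link_up "$NET2_IF" "$NET2_GW" && s2=up
        if [ "$s1" = up ]; then ok=$((ok + 1)); else ok=0; fi
        want=$(choose_route "$current" "$s1" "$s2" "$ok")
        if [ "$want" != "$current" ]; then
            logger -t failover "net1=$s1 net2=$s2 ok=$ok: route $DEST via $want"
            apply_route "$want"
            current=$want
        fi
        sleep "$INTERVAL"
    done
}

# run as:  DRY_RUN=0 ./failover.sh run   (needs CAP_NET_ADMIN for ip route)
if [ "${1:-}" = run ]; then monitor; fi
```

Shorewall2 runs the mirror image with DEST=10.0.0.0/16 and Shorewall1's addresses as gateways. The route change by itself does not touch the TCP 4-tuple, since neither the endpoints' nor the firewalls' addresses change, so a download in progress loses only the segments in flight and continues from retransmission once the route has moved; it breaks when an endpoint is told the path is gone (the ICMP error Tom mentions, or a RST) or when the firewall refuses the re-routed flow, for instance replies now arriving on the net2 interface under strict rp_filter or zone rules that do not permit the flow there. The same reasoning is why the second layout pairs keepalived with conntrackd: the standby firewall must already hold the flow's conntrack entry when it is promoted, or the established connection is dropped as an invalid mid-stream packet.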

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
