Two ISPs, One NAT'ed Internal Subnet, Firewall Policies

jludwig wralphie at comcast.net
Tue Sep 21 13:37:14 UTC 2004


On Tue, 2004-09-21 at 05:11, Daniel Bartlett wrote:
> Hi,
> 
> >  
> > That's the simple part.  The more interesting part is detecting the "dead"
> > gateway, for some definition of "dead".  In the typical external ADSL
> > or cable modem configuration, there can be a failure of communication
> > between the Linux firewall and the ADSL/cable router, between the
> > ADSL/cable router and the ISP, and between the ISP and the wider Internet
> > (usually due to routing screwups, etc., at the ISP).  So detecting whether
> > the local gateway (i.e., the ADSL/cable router) is alive is of only
> > marginal utility; one usually wants to detect reachability of the wider
> > Internet, via pinging highly-available sites, or an equivalent method.
> > 
> > Then there is the issue of DNS resolution. For many clients, if the ISP's
> > DNS servers are not working, the route to the internet is again of marginal
> > utility.  One can configure DNS to use the nameservers of both ISP's, though
> > that doesn't help with certain Byzantine failures (that seem to occur in
> > real life), where one ISP's nameserver returns nonsense.  For this and
> > other reasons, it is generally desirable to give priority to the DNS server
> > of the ISP that you are routing through, and a more active approach to
> > DNS server monitoring is often used.
> 
> For the DNS issue, I was thinking of setting up a caching DNS server that
> had its configs updated on the connection failing, i.e. for the ISP
> nameservers.
> 
> > 
snip

Convoluted, but ---

You could set up a rule, say in INPUT, FORWARD, etc., to look for an ICMP
error and send that to syslog or some such, which could trigger a script
to change your ISP.
-- 
jludwig <wralphie at comcast.net>
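The two ideas in this thread (active probes of each ISP's reachability and resolver, and an iptables LOG rule on ICMP errors that a script reacts to) fit together into one failover check. The script below is an added example, not code from the thread or from any of its posters. Interface names, gateway and nameserver addresses, probe hosts, the log prefix and the thresholds are assumptions (documentation-range addresses), and the sample syslog lines are constructed to look like what the LOG rule writes.

```shell
#!/bin/sh
# Added example, not code from the thread. Combines the two ideas discussed:
# active probes of each ISP (reachability plus that ISP's resolver) and an
# iptables LOG rule for ICMP errors, feeding one failover decision.
# Interface names, gateway/nameserver addresses, probe hosts and the log
# prefix are assumptions (RFC 5737 documentation addresses), not values
# from the mailing-list post.

ISP1_IF=eth1; ISP1_GW=192.0.2.1;     ISP1_DNS=192.0.2.53
ISP2_IF=eth2; ISP2_GW=198.51.100.1;  ISP2_DNS=198.51.100.53
PROBE_HOSTS="203.0.113.200 203.0.113.201"   # assumed "highly available" probe targets
LOG_PREFIX="ISP-ICMPERR: "
SYSLOG=/var/log/kern.log
ERR_THRESHOLD=5        # logged ICMP errors in the window before an ISP counts as sick
WINDOW_LINES=200       # crude window: the last N kernel log lines

# Constructed sample of what the LOG rule below writes to syslog (demo input only).
SAMPLE_LOG='Sep 21 13:37:14 fw kernel: ISP-ICMPERR: IN=eth1 OUT= SRC=192.0.2.1 DST=203.0.113.200 LEN=56 PROTO=ICMP TYPE=3 CODE=1
Sep 21 13:37:15 fw kernel: ISP-ICMPERR: IN=eth1 OUT= SRC=192.0.2.1 DST=203.0.113.201 LEN=56 PROTO=ICMP TYPE=3 CODE=0
Sep 21 13:37:16 fw kernel: OTHER-RULE: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=56 PROTO=ICMP TYPE=3 CODE=3
Sep 21 13:37:17 fw kernel: ISP-ICMPERR: IN=eth2 OUT= SRC=198.51.100.1 DST=203.0.113.200 LEN=56 PROTO=ICMP TYPE=3 CODE=1'

# 1. The LOG rule: record ICMP destination-unreachable arriving on an ISP
#    interface. Rate limited so a burst cannot fill the log; the prefix keeps
#    these lines distinguishable from any other LOG rule on the box.
install_log_rule() {   # $1 = interface
    iptables -I INPUT -i "$1" -p icmp --icmp-type destination-unreachable \
        -m limit --limit 6/min -j LOG --log-prefix "$LOG_PREFIX" --log-level info
}

# 2. Count logged ICMP errors for one interface from syslog lines on stdin.
#    Only lines carrying our prefix and an exact "IN=<iface> " are counted.
#    e.g. printf '%s\n' "$SAMPLE_LOG" | count_icmp_errors eth1   # prints 2
count_icmp_errors() {   # $1 = interface
    awk -v pfx="$LOG_PREFIX" -v ifc="IN=$1 " \
        'index($0, pfx) && index($0, ifc) { n++ } END { print n + 0 }'
}

# 3. Active probes (need root and a real network; not exercised by the demo).
probe_reachability() {   # $1 = interface; true if any probe host answers via it
    for h in $PROBE_HOSTS; do
        ping -c 1 -W 2 -I "$1" "$h" >/dev/null 2>&1 && return 0
    done
    return 1
}
probe_dns() {   # $1 = nameserver; true only if it returns an address-looking answer
    dig +short +time=2 +tries=1 @"$1" example.com A 2>/dev/null | grep -q '^[0-9]'
}
isp_healthy() {   # $1 = iface, $2 = nameserver, $3 = ICMP error count; prints 1 or 0
    if [ "$3" -lt "$ERR_THRESHOLD" ] && probe_reachability "$1" && probe_dns "$2"
    then echo 1; else echo 0; fi
}

# 4. Pure decision: stay on the active ISP while it is healthy, move to the
#    backup only if the backup is healthy, change nothing if both are down.
choose_isp() {   # $1 = active ISP (1|2), $2 = active healthy (1|0), $3 = backup healthy (1|0)
    if [ "$2" -eq 1 ]; then
        echo "$1"
    elif [ "$3" -eq 1 ]; then
        if [ "$1" -eq 1 ]; then echo 2; else echo 1; fi
    else
        echo "$1"
    fi
}

# 5. Act: move the default route, give the routed ISP's resolver priority
#    (the other stays as fallback), and leave an audit trail in syslog.
switch_to_isp() {   # $1 = 1 or 2
    if [ "$1" -eq 1 ]; then gw=$ISP1_GW; dev=$ISP1_IF; ns=$ISP1_DNS; alt=$ISP2_DNS
    else gw=$ISP2_GW; dev=$ISP2_IF; ns=$ISP2_DNS; alt=$ISP1_DNS; fi
    ip route replace default via "$gw" dev "$dev"
    printf 'nameserver %s\nnameserver %s\n' "$ns" "$alt" > /etc/resolv.conf
    logger -t isp-failover "default route moved to ISP$1 via $gw on $dev"
}

# One check cycle; run from cron with ISP_FAILOVER_RUN=1 ACTIVE_ISP=<1|2>.
if [ "${ISP_FAILOVER_RUN:-0}" = 1 ]; then
    active=${ACTIVE_ISP:-1}
    tmp=$(mktemp)
    tail -n "$WINDOW_LINES" "$SYSLOG" > "$tmp"
    e1=$(count_icmp_errors "$ISP1_IF" < "$tmp")
    e2=$(count_icmp_errors "$ISP2_IF" < "$tmp")
    rm -f "$tmp"
    h1=$(isp_healthy "$ISP1_IF" "$ISP1_DNS" "$e1")
    h2=$(isp_healthy "$ISP2_IF" "$ISP2_DNS" "$e2")
    if [ "$active" -eq 1 ]; then want=$(choose_isp 1 "$h1" "$h2")
    else want=$(choose_isp 2 "$h2" "$h1"); fi
    if [ "$want" -ne "$active" ]; then switch_to_isp "$want"; fi
fi
```

Two caveats worth keeping in mind. ICMP errors logged by the firewall are a weak signal on their own (they arrive for plenty of benign reasons), which is why the count is only one input next to the ping and DNS probes; and `ping -I <iface>` only proves anything if replies can come back through that interface, which with two uplinks usually means a per-ISP routing table and source-based rule rather than a single default route. Rewriting `/etc/resolv.conf` is the simplest way to prefer the routed ISP's resolver; the caching nameserver Daniel proposes, with its forwarders updated on failover, is the cleaner version of the same step.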