[Fedora] Re: Failover setup

Manuel Arostegui Ramirez manuel at todo-linux.com
Tue Apr 17 21:51:04 UTC 2007


On Tuesday, 17 April 2007 23:40, tom wrote:
> On Tue, 17 Apr 2007, Ashley M. Kirchner wrote:
> > Rick Stevens wrote:
> >> You still have a single point of failure
> >> (the Linux box), but you have redundant broadband links.
> >
> >   Guys, the problem isn't the lines going down.  We have a Cisco router
> > handling two T1s coming in and it does just fine whenever some idiot
> > contractor decides to slice a cable somewhere in town.  That's not where
> > my problem is.  My problem is the firewall that sits between the Cisco
> > and our internal network.  That's what I'm trying to figure out some kind
> > of failover setup.
>
> I'm a few light years away from being a network guru, so grab a large
> block of salt here. However...
>
> From what I understand of your setup, you are worried about the firewall
> machine getting wonky, and not the router. The router talks to two
> different broadband connections, and the firewall sits between the router
> and inside.
>
> How about something like such: connect an inside machine via both the
> network and something else which can force a reboot, either a serial
> link to the firewall box with root privileges, or a software controlled
> power switch. Now periodically, say once every two minutes, run
> a traceroute to one or more of the outside destinations which your people
> need to get to (preferably destinations that you actually control, let's
> not be rude to slashdot or redhat for obvious reasons.) When the
> traceroute fails, look at the failure point. If things fail at the
> firewall, force the reboot. If a full traceroute is too heavy, try a
> single packet ping, followed by a traceroute when the ping gets hosed
> twice in a row. Slightly more complicated scripting, probably
> significantly less network load.
>
> Possibly a slightly stronger alternative would be to combine the router
> and firewall, but apparently somebody doesn't want to do so. (And I'd be
> that somebody, as I'm not sure I could get the firewall and routes going
> correctly at the same time.)
>
> Hope this helps, and thanks to all for the bandwidth.

I don't see the point there, actually. It's much easier to set up
LVS+Keepalived or Ultramonkey and every case will be covered: if firewall1
fails, the other one will route all the clients, and vice versa.

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
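
The two-firewall failover suggested in the reply above, sketched as a Keepalived VRRP configuration. This is an added example, not a configuration posted by anyone in the thread; the interface names, addresses, router IDs, priorities and password are assumptions chosen for illustration.

```conf
# /etc/keepalived/keepalived.conf on firewall1 (constructed example).
# firewall2 carries the same file with "state BACKUP" and "priority 100".
# Assumed: eth0 faces the Cisco router, eth1 faces the internal network.
# Addresses are documentation/private ranges, not taken from the thread.

vrrp_sync_group FW_PAIR {
    # Move both sides together, so one node never holds the outside
    # address while the other holds the inside gateway address.
    group {
        FW_OUTSIDE
        FW_INSIDE
    }
}

vrrp_instance FW_OUTSIDE {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150              # higher than firewall2, so this node wins
    advert_int 1              # advertise every second
    authentication {
        auth_type PASS        # sent in cleartext: guards against
        auth_pass CHANGEME    # misconfiguration only (placeholder value)
    }
    virtual_ipaddress {
        192.0.2.1/24          # address the Cisco router forwards to
    }
}

vrrp_instance FW_INSIDE {
    state MASTER
    interface eth1
    virtual_router_id 52
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGEME
    }
    virtual_ipaddress {
        10.0.0.1/24           # default gateway handed to internal clients
    }
}
```

Both nodes need the same filtering rules loaded, and each should accept VRRP advertisements (IP protocol 112) only from its peer. VRRP moves the addresses but not connection-tracking state, so connections open on the failed firewall are not carried over by this configuration alone.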



