
david.lang at digitalinsight
Sep 18, 2002, 10:14 PM
Post #2 of 4
what you would need to do is to put switches between the firewall and the DMZ box, use floating addresses on both sides of the firewalls, and on both sides of the DMZ boxes, then switches again between the DMZ and the local boxes so you do

        outside
    ------------
      |      |
     fw1    fw2
      |      |
    ------------
      |      |
    dmz1    dmz2
      |      |
    ------------
      |      |
   local1  local2

for max redundancy have each of the network layers (the switches -----) actually be a pair of switches joined together so that any one component can fail and the traffic will still have a route available to get through.

basically treat each layer as if it was alone and didn't have HA on the other layers, implement the HA on that layer and then go on to the next. the problem gets much easier to deal with that way.

David Lang

-----Original Message-----
From: Rob Dawson [mailto:rob.dawson [at] investis]
Sent: Wednesday, September 18, 2002 6:03 AM
To: 'linux-ha [at] muc'
Subject: obscure networking failover help

Hi,

I'm considering how to get heartbeat to failover a set of nodes for me, and having some fun trying to figure out what I actually need. Alan mentioned there were a number of reasonably clued up people on this list (thanks, Alan :-) so I thought I'd drop a line in here and see if someone could help.

What I'm trying to do is set up a couple of firewalls, with failover. I'll see if I can diagram it below, but it sort of goes like this: I have an external IP address which can float, no problem. I have an internal link from each firewall box (live and failover - fw1 & fw2) to each dmz box (again, live and failover, dmz1 & 2 - it'd be nice to manage an active-active config, but I'm not sure heartbeat will manage that, and, really, it's probably overkill. nice overkill, but still.. :-)

This leaves a total of 4 internal cables, plus the heartbeat eth link between fw1 & fw2, and between dmz1 & dmz2, plus the serial heartbeat links between fw1-fw2 & dmz1-dmz2

                      internet
                     |        |
                     |        |
                    e0        e0
           +-------+S0------S0+-------+
           |  fw1  |e3------e3|  fw2  |
           +-------+e2      e2+-------+
                e1   \      /   e1
                |     \    /     |
                N1     N2        N1
                |     /    \     |
                e0   /      \   e0
           +-------+e3      e3+-------+
           | dmz1  |S0------S0| dmz2  |
           +-------+e4------e4+-------+
             e1  e2          e2  e1
             |    \          /    |
             |     \        /     |
             |      \      /      |
           +-------+__/  \__+-------+
           |local1 |        |local2 |
           +-------+        +-------+

IP addresses:
  fw1-e0=192.168.0.40/24      fw2-e0=192.168.0.41/24
  fw1-S0=serial link          fw2-S0=serial link
  fw1-e1=192.168.10.1/28      fw2-e1=192.168.10.5/28
  fw1-e2=192.168.10.9/28      fw2-e2=192.168.10.13/28
  fw1-e3=192.168.10.17/30     fw2-e3=192.168.10.18/30
  N1=192.168.10.3/28          N2=192.168.11/28
  N1=192.168.10.4/28          N2=192.168.12/28
  dmz1-e0=192.168.10.2/28     dmz2-e0=192.168.10.6/28
  dmz1-e1=192.168.11.1/24     dmz2-e1=192.168.11.2/24
  dmz1-e2=192.168.12.2/24     dmz2-e2=192.168.12.1/24
  dmz1-e3=192.168.10.14/28    dmz2-e3=192.168.10.10/28
  dmz1-e4=192.168.10.21/30    dmz2-e4=192.168.10.22/30

I've put aside N1 & N2 addresses for failover, but I'm still having trouble seeing how to set it up...

Now, the problem is not the internet side - that's easy. Nor is it in the internal side, with the load balancers - I can accept (unlike many) that we drop a minute or two of traffic - what's behind this is a reasonable-sized web farm, so we'd really like not to drop anything, but we can accept that in case of hardware or admin failure :-) it might take a minute or so to cope. The traffic is being NATed through, so there's minimal handling on the box itself - connections would drop, as conntrack wouldn't be able to hand over between boxes without a heck of a lot of interesting kernel coding, which I'm not feeling up to this week :-)

The bit I have trouble with is how to get failover working nicely on the network between fw & dmz.

The only way I can see it working is, say, in the situation of fw1/dmz1 being the live boxes, and fw1 dies for some reason - fw2 will pick up the external link, and traffic will pile through there, get directed internally (via NAT) and wander through dmz2, and caper on happily. If, however, dmz2 goes down as well, I was looking at how I can then a) have fw2 become aware of that, and b) have it redirect traffic through dmz1.

About the only way I can come up with is having a set of firewall scripts that heartbeat runs on ip-up/down equivalence, and 6 heartbeat links - one for every pair of hosts. This is... not clean. Not even close. Unless heartbeat is more flexible than it seems in regard to this particular setup, I'd be looking at 4 running copies on every box, with 4 sets of config files et al.

Is there some way of doing this cleanly, or do I have to make this up as I go along? I've had a browse through the maillist archives, but I'm more or less at a loss as to what to search for. I couldn't see anything that seemed appropriate, although that's probably myopia more than anything... I expect I'm looking at this from the wrong angle. Would someone care to hand me a mirror, so I can see round the bend?

Many thanks,

Rob Dawson
System Administrator
Investis Ltd
Ph. 020 7071 8513
Mb. 077 8917 2195
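The layered design from David's reply, checked as a small graph model. This is an added example and not code from either poster or from the heartbeat project: the component names (swA-a, swB-b, and so on) are constructed for the model, every host is assumed to be cabled to both switches of the neighbouring switch layers, and the model covers cabling only, not the floating addresses that each layer's heartbeat pair would have to move. It enumerates every single and double component failure and reports which ones still leave the outside a route to a local box, including the fw1-plus-dmz2 case raised in the original question.

```python
# Added example: a graph model of the layered HA design sketched in the reply
# (outside -> switch pair -> firewall pair -> switch pair -> DMZ pair ->
# switch pair -> local pair). Component names are constructed for this model.
from collections import deque
from itertools import combinations

# Each tuple is one layer. Switch layers are pairs joined together, and every
# host is assumed to be cabled to both switches of the neighbouring layers.
LAYERS = (
    ("outside",),
    ("swA-a", "swA-b"),
    ("fw1", "fw2"),
    ("swB-a", "swB-b"),
    ("dmz1", "dmz2"),
    ("swC-a", "swC-b"),
    ("local1", "local2"),
)

# Every component except the outside world is something that can fail.
COMPONENTS = tuple(c for layer in LAYERS[1:] for c in layer)


def build_layered_topology(layers=LAYERS):
    """Return the set of cables (undirected edges) for the layered design."""
    edges = set()
    for lower, upper in zip(layers, layers[1:]):
        for a in lower:
            for b in upper:
                # every member of a layer is cabled to every member of the next
                edges.add(frozenset((a, b)))
    for layer in layers:
        if len(layer) == 2 and layer[0].startswith("sw"):
            # the two switches of a layer are joined together
            edges.add(frozenset(layer))
    return edges


def reachable(edges, src, dst, failed=frozenset()):
    """Breadth-first search from src to dst, skipping failed components."""
    if src in failed or dst in failed:
        return False
    adjacency = {}
    for edge in edges:
        a, b = tuple(edge)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for neighbour in adjacency.get(node, ()):
            if neighbour not in failed and neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return False


def service_available(edges, failed=frozenset()):
    """The service is up if the outside can still reach at least one local box."""
    return any(reachable(edges, "outside", local, failed)
               for local in ("local1", "local2"))


def single_points_of_failure(edges, components=COMPONENTS):
    """Components whose loss on its own takes the service down."""
    return sorted(c for c in components if not service_available(edges, {c}))


def fatal_pairs(edges, components=COMPONENTS):
    """Pairs of components whose joint loss takes the service down."""
    return sorted(tuple(sorted(pair))
                  for pair in combinations(components, 2)
                  if not service_available(edges, set(pair)))


if __name__ == "__main__":
    edges = build_layered_topology()
    print("single points of failure:", single_points_of_failure(edges))
    print("fatal pairs:", fatal_pairs(edges))
    # The case from the original question: fw1 and dmz2 both down.
    print("fw1+dmz2 down, service still reachable:",
          service_available(edges, {"fw1", "dmz2"}))
```

Run stand-alone, the model reports no single point of failure and exactly six fatal pairs, one per layer: the only way to lose the service is to lose both members of the same layer. That is the property the reply's "treat each layer as if it was alone" approach relies on, and it is why the cross-layer failure in the question (fw1 and dmz2) is harmless once the layers are switched rather than cross-cabled; what remains per layer is the usual heartbeat job of moving that layer's floating address to its survivor.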