On 13-05-2014 08:58, Magnus wrote:
> Hello Misc-Users,
>
> I'm looking into the possibility to do multihoming (more than one ISP)
> on a CARP setup.
> To do live failover if one ISP goes down, the other takes over.
> Just as CARP does if one of the routers goes down.
>
> I'm thinking that in combination with ifstated it might be possible, but
> have yet to find someone that has actually done it so far.
>
> Next issue if the first one is possible.
>
> The proposed router in question is an IPSEC gateway, with several nodes
> connected to it.
> Failover here with just CARP and one ISP is no issue.
> But if the remote node has only one ISP, and it has no CARP or such,
> it's just a plain OpenBSD box running a site-to-site tunnel,
> routing everything (0.0.0.0/0) over the tunnel.
> How would one manage to do a failover to the second ISP of the above
> box, without loss of the tunnel during failover?
>
> Regards,
>
> Magnus
>
Magnus,

    I used some years ago a CARP setup with 4 ISPs on the same machine,
no problem there. You are right about using ifstated. There are several
ways to accomplish this. You can even use relayd instead of ifstated.
The CARP setup will probably not interfere with your ISP failover part,
if you carefully craft your ifstated.conf. I suggest you put on a piece
of paper all the possible different states your setup can have and you
can replicate them in the ifstated.conf. Nowadays I don't use CARP, but
I do have one OpenBSD firewall with 2 ISPs and it works very well.

    Your first concern is to determine how you'll be able to detect a
link failure. If your IPSEC router has SNMP, and it sends the
appropriate MIBs when you snmpwalk it, then you might be able to
detect a link failure by simply monitoring the interface changes in
your router. If not, then you'll have to use an external method. My
method is to use 3 consecutive pings to 3 different IP addresses and,
if all 3 of them fail, then I fail over the link and change state in
ifstated. And, I use the multipath option in OpenBSD, so I can have more
than one gateway configured in the routing table. You can play with
their priorities to accomplish the failover, or you can simply remove a
route and add the other. As I mentioned there are lots of ways to
accomplish this. I even make my ifstated mail me when a link failure
occurs and when it gets back. There is also the pf.conf part but, if I'd
go there, this e-mail would be too big. If you want I can elaborate more.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
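The following is an added example of the approach Giancarlo describes, not a config from his setup or from the thread: an /etc/ifstated.conf for two ISPs in which a link is declared down only when all three of its probe pings fail, the default route is then switched with route(8), and a mail is sent on every state change. Interface names, gateways (192.0.2.1 for ISP1, 198.51.100.1 for ISP2) and probe targets in 203.0.113.0/24 are constructed documentation-range values. It assumes that host routes pinning each probe target to its ISP's gateway already exist (for example `route add -host 203.0.113.1 192.0.2.1`), so that a probe actually exercises that ISP's link instead of whichever default route is currently active.

```conf
# Added example: /etc/ifstated.conf for two-ISP failover (constructed values).
# ISP1 gateway 192.0.2.1, ISP2 gateway 198.51.100.1.
# Assumed: host routes to the probe targets are pinned to their ISP's
# gateway outside this file, e.g. "route add -host 203.0.113.1 192.0.2.1".

init-state auto

# One probe per target, each run every 10 seconds; a probe succeeds
# when a single echo reply arrives within one second.
isp1_a = '( "ping -q -c 1 -w 1 203.0.113.1 > /dev/null" every 10 )'
isp1_b = '( "ping -q -c 1 -w 1 203.0.113.2 > /dev/null" every 10 )'
isp1_c = '( "ping -q -c 1 -w 1 203.0.113.3 > /dev/null" every 10 )'
isp2_a = '( "ping -q -c 1 -w 1 203.0.113.11 > /dev/null" every 10 )'
isp2_b = '( "ping -q -c 1 -w 1 203.0.113.12 > /dev/null" every 10 )'
isp2_c = '( "ping -q -c 1 -w 1 203.0.113.13 > /dev/null" every 10 )'

state auto {
	# Prefer ISP1 whenever at least one of its probes answers.
	if ($isp1_a || $isp1_b || $isp1_c)
		set-state isp1
	# Use ISP2 only when every ISP1 probe fails and ISP2 still answers.
	if ! ($isp1_a || $isp1_b || $isp1_c) && ($isp2_a || $isp2_b || $isp2_c)
		set-state isp2
}

state isp1 {
	init {
		run "route change default 192.0.2.1"
		run "echo 'default route now via ISP1 (192.0.2.1)' | mail -s 'ifstated: ISP1 active' root"
	}
	# All three ISP1 probes failed: fail over, but only if ISP2 is usable,
	# so a total outage does not flap the default route for nothing.
	if ! ($isp1_a || $isp1_b || $isp1_c) && ($isp2_a || $isp2_b || $isp2_c)
		set-state isp2
}

state isp2 {
	init {
		run "route change default 198.51.100.1"
		run "echo 'default route now via ISP2 (198.51.100.1)' | mail -s 'ifstated: ISP2 active' root"
	}
	# Fall back to ISP1 as soon as one of its probes answers again.
	if ($isp1_a || $isp1_b || $isp1_c)
		set-state isp1
}
```

Requiring all three probes to fail before leaving a state is what keeps one unreachable target, or a single lost packet, from causing a failover; pinning the probe targets to their gateway is what keeps the test honest once the default route has moved. With multipath routes as mentioned in the reply, the `route change default ...` lines can be replaced by adjusting route priorities instead.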
