On 02-10-2014 16:12, Jeff wrote:
> With the addition of a carefully constructed route-to rule I now have all of
> the individual pieces working.  Now, with some careful plumbing and testing I
> should be all set.  The final solution will be a combination of ifstated,
> multipath routing (prioritized) and "ping -I"; thanks to everyone for your
> suggestions and patience!!!
No problem. Just a few more points for you to be aware of. If your
firewall is also your DNS server, the requests will go through the link
that is active. You might want to prioritize its packets to get the
minimum DNS latency possible. As I mentioned before, if you can avoid
ping -I, avoid it. Most modems and routers support SNMP or have another
method for determining link availability without the need for external
tests. Also, to make your life easier, use anchors for the rules that
direct traffic to the internet. This way you can easily make the
ifstated daemon change the rules according to the state of your links.

In some countries (mine included) there are some very poor quality links
that get disconnected many times a day or show a lot of instability for
a few moments. I've developed a sqlite database and queries, so not only
do I have logging, but I can also permanently disable a link if it has
been unstable for the last few minutes, and only enable it again once it
has remained stable for another determined amount of time. These are just
a few of the things you can do. You can send yourself e-mails when links
go down and come back up (of course, if both go down you won't get any
notification at all). The combination of multipath routing with pf +
anchors and a carefully written state machine in ifstated can provide a
very good failover mechanism. I even managed firewalls with 4 or 5
internet links that would fail over to each other and/or balance traffic
between them. Good luck with your setup.

Cheers,

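The flap-damping idea from the reply above (log link transitions in sqlite, disable a link that has been unstable in the last few minutes, and only re-enable it after a hold-down period), written out as an added example that is not code from the thread. Table name, thresholds, the per-link pf anchor layout under `outbound/` and the sample events are all assumptions made for this example; ifstated's state hooks would call `log_event` and act on `pfctl_for`.

```python
"""Flap damping for a multi-link pf/ifstated failover, tracked in SQLite.

Constructed example: link up/down transitions are logged to a table, and a
link only stays in the active outbound anchor when it has not flapped too
often recently and, once disabled, has been up for a hold-down period.
"""
import sqlite3

FLAP_WINDOW = 300   # seconds: how far back to count state changes (assumed)
MAX_FLAPS = 3       # more changes than this in the window => unstable (assumed)
HOLD_DOWN = 600     # seconds of continuous 'up' before a disabled link returns


def open_db(path=":memory:"):
    """Open (or create) the event log; in-memory by default so this runs offline."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS link_events ("
               "ts INTEGER NOT NULL, link TEXT NOT NULL, "
               "state TEXT NOT NULL CHECK (state IN ('up', 'down')))")
    return db


def log_event(db, ts, link, state):
    """Record one transition; ifstated would run this from its state blocks."""
    db.execute("INSERT INTO link_events VALUES (?, ?, ?)", (ts, link, state))


def flaps_in_window(db, link, now):
    """Number of transitions recorded for `link` in the last FLAP_WINDOW seconds."""
    (n,) = db.execute("SELECT COUNT(*) FROM link_events WHERE link = ? AND ts > ?",
                      (link, now - FLAP_WINDOW)).fetchone()
    return n


def link_usable(db, link, now, enabled):
    """Decide whether `link` belongs in the outbound anchor at time `now`.

    `enabled` is the link's current status. Re-enabling a disabled link needs
    HOLD_DOWN seconds of uninterrupted 'up': that hysteresis keeps a flapping
    link from bouncing the default route every few seconds.
    """
    if flaps_in_window(db, link, now) > MAX_FLAPS:
        return False
    row = db.execute("SELECT state, ts FROM link_events WHERE link = ? AND ts <= ? "
                     "ORDER BY ts DESC LIMIT 1", (link, now)).fetchone()
    if row is None or row[0] != "up":      # never seen, or currently down
        return False
    return enabled or now - row[1] >= HOLD_DOWN


def pfctl_for(link, usable):
    """pfctl command that loads or flushes the link's anchor (anchor paths assumed)."""
    if usable:
        return f"pfctl -a outbound/{link} -f /etc/pf.anchors/{link}"
    return f"pfctl -a outbound/{link} -F rules"
```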
