Laurent CARON wrote:
> Hi,
>
> I'm currently setting up a fully redundant gateway under OpenBSD (4.3)
> with IPSEC, CARP, PF, SA Sync, ...) and would like to benefit from
> failover over 2 WAN connections (for outgoing connections of course).
>
> I already have a round robin on the 2 external links:
> pass in log on $IntIf route-to { ($ExtIf_1 $ExtGw_1), ($ExtIf_2 $ExtGw_2) } round-robin from $IntNet to any
>
> and wish to be able to get true failover (if one connection goes down,
> all the traffic is handled by a single one).
>
> An interesting look seems to be ifstated.
>
> Did anyone set up such a gateway?
>
> Thanks
>
> Laurent

I did set up several gateways like this, but only on one firewall. With 2 firewalls, you have the additional complexity of ifstated not only checking if the WAN link goes down, but you will have to take other things into account, like the migration of them.

ifstated is a state machine. It will do exactly what it is told. There are some pitfalls, most of them regarding what must be done in the start of a state.

Also, I recommend that you use SNMP for checking if the WAN connection went down. Most people ping external sites to accomplish that, but I don't recommend this. The modem/router/etc. can provide accurate information about the link, using SNMP.

I've been wanting to write a tutorial about using CARP+ifstated+pfsync+multi WAN links. Didn't have time yet to do so. I can provide you some examples later, if you want.
My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify: https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
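An added sketch of the kind of single-firewall ifstated.conf the reply describes, with one init block per state and an SNMP-based link check in place of pinging external sites; it is not from the thread or from Giancarlo's own setups. The interface names (em0, em1), router addresses, the "wan" pf anchor and its rule files, and the /usr/local/bin/wan-check script (a placeholder wrapper around an SNMP query, e.g. snmpget from the net-snmp package) are all assumptions.

```conf
# /etc/ifstated.conf -- added example, not from the thread.
# Assumed: em0 and em1 are the two WAN interfaces, the upstream routers
# answer SNMP at 203.0.113.1 and 198.51.100.1 (documentation addresses),
# and pf.conf contains an 'anchor "wan"' whose route-to rules are
# swapped per state.  Check syntax with: ifstated -n -f /etc/ifstated.conf
init-state both_up

# A WAN counts as up only if the kernel sees link AND the router reports
# its WAN port as up over SNMP.  /usr/local/bin/wan-check is a placeholder
# script that exits 0 when the queried ifOperStatus is up.
wan1 = '( em0.link.up && "/usr/local/bin/wan-check 203.0.113.1" every 10 )'
wan2 = '( em1.link.up && "/usr/local/bin/wan-check 198.51.100.1" every 10 )'

# Pitfall guard: every init block loads the COMPLETE anchor ruleset for
# its state, so the result is identical no matter which state we came from.
# Note that existing pf states keep the route-to they were created with;
# only new connections follow the reloaded rules.
state both_up {
	init {
		# round-robin route-to over both links
		run "pfctl -a wan -f /etc/pf.wan.both"
	}
	if ! $wan1
		set-state wan2_only
	if ! $wan2
		set-state wan1_only
}

state wan1_only {
	init {
		# route-to ($ExtIf_1 $ExtGw_1) only
		run "pfctl -a wan -f /etc/pf.wan.1"
	}
	if $wan2
		set-state both_up
	if ! $wan1 && $wan2
		set-state wan2_only
}

state wan2_only {
	init {
		# route-to ($ExtIf_2 $ExtGw_2) only
		run "pfctl -a wan -f /etc/pf.wan.2"
	}
	if $wan1
		set-state both_up
	if ! $wan2 && $wan1
		set-state wan1_only
}
```

If both links fail, the machine simply stays in its current state until one check succeeds again, which avoids flapping the anchor while nothing is reachable.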