On Wed, 2005-10-26 at 15:28, Nathaniel Hall wrote:

> I am looking to load balance two or three linux servers running
> iptables. Each of these firewalls will separate another network segment
> and will perform load balancing to the servers behind them. My biggest
> problem with this setup is the possibility of the firewall going down,
> causing the entire system to stop. Does anybody have a good idea for
> this? Here is an idea of how I would like to make the system:
>
>     Internet
>        |
>        |
>       FW1              |--Server1
>        |--------FW2--|--Server2
>        |--------FW3--|--Server3
>        |--------FW4--|--Server4
>                      |--Server5
>
> I want to be able to use each firewall to load balance between
> Server1-5, but I also want to be able to load balance between FW2-4.
> Any ideas?
>
> --
> Nathaniel Hall, GSEC

The problem is how are you going to share the state tables between the
firewalls? Typically an application establishes a connection through a
particular firewall. If that firewall goes down the application has to
re-establish the connection through an alternate firewall. Most
applications will simply hang until the user restarts them.

Nokia with Checkpoint had an HA setup that used VRRP to fail over between
two systems. These systems shared state table information along with the
heartbeat info, so if one system failed the other was able to take over
the connections that were routing through the primary.

This does depend on the particular application and protocols you are
using. If they are UDP-based, then you don't have this issue. But most
interesting protocols are TCP-based. If your application can restart when
it times out due to a failed firewall you might be able to work around
this.
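The failover problem described in the reply, as an added toy model (not code from the thread or from any firewall product): two stateful filters, with and without state-table replication. The policy it assumes is the usual stateful one (NEW only from the inside, ESTABLISHED in both directions) plus the common hardening rule that a TCP packet without SYN cannot open state; addresses are constructed.

```python
from dataclasses import dataclass, field

# Added example: a toy model of two stateful firewalls showing why a TCP
# flow hangs after failover unless the state table is replicated, while a
# UDP flow recovers on the client's next datagram.
# Assumed policy: inside->outside NEW allowed; outside->inside only if a
# state entry exists; TCP NEW must carry SYN (a common hardening rule).

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    inbound: bool   # True when arriving on the outside interface
    syn: bool = False

@dataclass
class Firewall:
    name: str
    peers: list = field(default_factory=list)   # firewalls receiving state updates
    state: set = field(default_factory=set)     # connection keys (ports omitted for brevity)

    def filter(self, pkt: Packet) -> str:
        # Normalise both directions to the same (proto, inside, outside) key
        key = (pkt.proto, pkt.dst, pkt.src) if pkt.inbound else (pkt.proto, pkt.src, pkt.dst)
        if key in self.state:
            return "ACCEPT"                     # ESTABLISHED
        if pkt.inbound:
            return "DROP"                       # no NEW connections from the outside
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"                       # mid-stream TCP with no state
        self.state.add(key)                     # NEW from the inside
        for peer in self.peers:                 # state replication, if configured
            peer.state.add(key)
        return "ACCEPT"

def failover_scenario(proto: str, replicate: bool) -> list:
    fw1, fw2 = Firewall("FW1"), Firewall("FW2")
    if replicate:
        fw1.peers.append(fw2)
    client, server = "10.0.0.5", "198.51.100.7"   # constructed addresses
    log = [fw1.filter(Packet(proto, client, server, False, syn=True))]  # opened via FW1
    # FW1 fails; the remaining packets of the flow now reach FW2
    log.append(fw2.filter(Packet(proto, server, client, True)))   # server's reply
    log.append(fw2.filter(Packet(proto, client, server, False)))  # client's next packet
    log.append(fw2.filter(Packet(proto, server, client, True)))   # server's reply again
    return log
```

Without replication the TCP flow returns DROP for every packet after failover (the hang the reply describes), whereas the UDP flow is re-admitted as soon as the client sends again; with replication both pass unchanged.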