On Tue, 17 Apr 2007, Ashley M. Kirchner wrote:
Rick Stevens wrote:
You still have a single point of failure
(the Linux box), but you have redundant broadband links.
Guys, the problem isn't the lines going down. We have a Cisco router
handling two T1s coming in and it does just fine whenever some idiot
contractor decides to slice a cable somewhere in town. That's not where my
problem is. My problem is the firewall that sits between the Cisco and our
internal network. That's what I'm trying to figure out some kind of failover
setup.
I'm a few light years away from being a network guru, so grab a large
block of salt here. However...
From what I understand of your setup, you are worried about a the firewall
machine getting wonky, and not the router. The router talks to two
different broadband connections, and the firewall sits between the router
and inside.
How about something like such: connect an inside machine via both the
network and something else which can force a reboot, either a serial
link to the firewall box with root priveledges, or a software controled
power switch. Now periodically, say once every two minutes, run
a traceroute to one or more of the outside destinations which your people
need to get to (preferably destinations that you actually control, lets
not be rude to slashdot or redhat for obvious reasons.) When the
traceroute fails, look at the failure point. If things fail at the
firewall, force the reboot. If a full traceroute is too heavy, try a
single packet ping, followed by a traceroute when the ping gets hosed
twice in a row. Slightly more complicated scripting, probably
significantly less network load.
Possibly a slightly stronger alternative would be to combine the router
and firewall, but apparently somebody doesn't want to do so. (And I'd be
that somebody, as I'm not sure I could get the firewall and routes going
correctly at the same time.)
Hope this helps, and thanks to all for the bandwidth.
