On Tuesday, 17 April 2007 23:40, tom wrote:
> On Tue, 17 Apr 2007, Ashley M. Kirchner wrote:
> > Rick Stevens wrote:
> >> You still have a single point of failure
> >> (the Linux box), but you have redundant broadband links.
> >
> > Guys, the problem isn't the lines going down. We have a Cisco router
> > handling two T1s coming in and it does just fine whenever some idiot
> > contractor decides to slice a cable somewhere in town. That's not where
> > my problem is. My problem is the firewall that sits between the Cisco
> > and our internal network. That's what I'm trying to figure out some kind
> > of failover setup for.
>
> I'm a few light years away from being a network guru, so grab a large
> block of salt here. However...
>
> From what I understand of your setup, you are worried about the firewall
> machine getting wonky, and not the router. The router talks to two
> different broadband connections, and the firewall sits between the router
> and inside.
>
> How about something like such: connect an inside machine via both the
> network and something else which can force a reboot, either a serial
> link to the firewall box with root privileges, or a software-controlled
> power switch. Now periodically, say once every two minutes, run
> a traceroute to one or more of the outside destinations which your people
> need to get to (preferably destinations that you actually control, let's
> not be rude to slashdot or redhat for obvious reasons.) When the
> traceroute fails, look at the failure point. If things fail at the
> firewall, force the reboot. If a full traceroute is too heavy, try a
> single packet ping, followed by a traceroute when the ping gets hosed
> twice in a row. Slightly more complicated scripting, probably
> significantly less network load.
>
> Possibly a slightly stronger alternative would be to combine the router
> and firewall, but apparently somebody doesn't want to do so. (And I'd be
> that somebody, as I'm not sure I could get the firewall and routes going
> correctly at the same time.)
>
> Hope this helps, and thanks to all for the bandwidth.

I don't see the point there, actually. It's much easier to set up LVS+Keepalived or Ultramonkey and every case will be covered: if firewall1 fails, the other one will route all the clients, and vice versa.

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.
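The ping-then-traceroute watchdog that tom sketches above, written out as an added shell example that is not code from anyone in this thread. It assumes the firewall is hop 1 from the inside monitoring box (FW_HOP), a monitored destination you control (TARGET, a placeholder TEST-NET-3 address) and a small state file for the consecutive-miss counter; the traceroute samples are constructed, and the live ping/traceroute/reboot calls are left as comments so the decision logic runs offline.

```shell
# Added example, not code from the thread. Assumed placeholders: FW_HOP is the
# firewall's hop number seen from the inside box, TARGET is a destination we
# control (a TEST-NET-3 address), STATE stores the consecutive ping-miss count.
FW_HOP=1
TARGET="203.0.113.10"
STATE="${TMPDIR:-/tmp}/fw-watchdog.state"
# Constructed `traceroute -n` output: hop 1 = firewall inside address, hop 2 =
# Cisco router. First sample: the firewall answers nothing; second: failure is
# beyond the router, so rebooting the firewall would not help.
SAMPLE_FW_DOWN=' 1  * * *
 2  * * *
 3  * * *'
SAMPLE_UPSTREAM=' 1  192.0.2.1  0.412 ms  0.380 ms  0.355 ms
 2  198.51.100.1  1.210 ms  1.102 ms  1.305 ms
 3  * * *'

# Number of the first hop where all three probes timed out, or "none".
first_silent_hop() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+$/ && $2 == "*" && $3 == "*" && $4 == "*" { print $1; found = 1; exit }
    END { if (!found) print "none" }'
}
# Map the failure point to an action: reboot only when the firewall itself is silent.
decide() {
  hop=$(first_silent_hop "$1")
  if [ "$hop" = none ]; then echo ok
  elif [ "$hop" -eq "$FW_HOP" ]; then echo reboot
  else echo upstream
  fi
}
# Count consecutive missed pings in $STATE; say "trace" once two in a row are missed.
record_ping() {
  n=0; [ -f "$STATE" ] && n=$(cat "$STATE")
  if [ "$1" = ok ]; then n=0; else n=$((n + 1)); fi
  echo "$n" > "$STATE"
  [ "$n" -ge 2 ] && echo trace || echo wait
}
# One cron cycle (every two minutes). The live probes are commented out so this
# runs offline: $1 is the ping result ("ok"/"fail"), $2 the traceroute output.
cycle() {
  # ping -c 1 -W 2 "$TARGET" >/dev/null 2>&1 && r=ok || r=fail
  [ "$(record_ping "$1")" = trace ] || { echo wait; return 0; }
  # trace=$(traceroute -n -w 2 "$TARGET")
  action=$(decide "$2"); echo "$action"
  # [ "$action" = reboot ] && force_reboot   # serial-console or power-switch hook
}

rm -f "$STATE"; cycle fail "$SAMPLE_FW_DOWN"; cycle fail "$SAMPLE_FW_DOWN"; rm -f "$STATE"
```

Because the counter lives on disk, the script can be run from cron as a one-shot; the second consecutive miss is what triggers the traceroute, and only a silent firewall hop maps to the reboot hook.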