We have outgrown the use of a single server for monitoring our network so we are looking to add another monitoring server. Unfortunately, we were shortsighted when we initially configured the hosts being monitored. We configured the hosts on our network to only allow monitoring from a single IP. To add another IP to all the hosts firewall rules is not logistically possible. I won't go into why but suffice it to say the servers have a mix of owners and cannot be updated at will.

So initially we were thinking of just having an OpenBSD box doing NAT with PF in front of the two servers. We're not thrilled about the additional complexity or, most especially, the single point of failure.

So, can we do some magic to allow both servers to use the same internal IP address without adding another host? Also, the system needs to continue working if either one of these hosts go down. So doing the NAT on one of the two hosts and routing the second server through the first isn't really enough. We basically need failover source NAT in front of the shared IP...without adding two additional boxes.

CarpeNoctem
  • Why do you need to scale your provision? Fault tolerance? Performance (if so have you upgraded to Nagios 3.x - which supports concurrent checks)? Something else? Are you constrained by your current OS platform? Can you partition the monitoring targets to balance the load (different routes, but the same IP on both Nagios boxes)? – symcbean Aug 23 '10 at 12:30

2 Answers

You could have the two servers receive connection on a shared IP using a load balancing solution (a hardware load balancer in front of the servers or software load balancing on them), but you can't have them use a single address for outgoing connections without putting some NAT in the middle.

Massimo
  • Thanks but the load balancer would be a single point of failure. I know it's a long shot but I am just hoping someone throws out some super nifty trick with identical MAC addresses and some nifty move that allows them to split the incoming traffic up. A guy can hope. – CarpeNoctem Aug 23 '10 at 07:58
  • Then you use a pair of load balancers and use VRRP between them to ensure that one takes the other's IP address in the event of it failing. Read this (and the rest of the LVS site, esp examples!): http://kb.linuxvirtualserver.org/wiki/VRRP – Tom O'Connor Aug 23 '10 at 08:08
  • That would *anyway* be completely useless for outgoing connections. – Massimo Aug 23 '10 at 08:42
  • Massimo is right, all connections will originate on the two monitoring servers, zero inbound requests beyond those that are administrative in nature (ssh). We could even have separate IPs for inbound requests that would negate any need for load balancing of any kind. This is more of a SNAT in front of the two servers kind of requirement. Just that we don't want a SNAT box in front. ;) – CarpeNoctem Aug 23 '10 at 09:34
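As an added example (not code posted by anyone in this thread), here is what the PF NAT box the question proposes looks like once it is made redundant in the way Tom O'Connor's VRRP comment suggests, applied to outbound source NAT rather than inbound load balancing: two OpenBSD nodes hold the one permitted source address with CARP (OpenBSD's VRRP equivalent) and synchronise their NAT state table over pfsync, so checks from either monitoring server leave with the allowed address and existing sessions keep flowing if a NAT node dies. The interface names, the addresses and the `monitors` list are constructed assumptions; both nodes run the same file.

```pf
# Added example, not from the thread: /etc/pf.conf for a two-node OpenBSD NAT pair.
# Both nodes carry an identical copy. The shared address lives on carp0 and moves
# to the surviving node on failure. All names and addresses are constructed.

ext_if    = "em0"                      # side facing the monitored hosts
int_if    = "em1"                      # side facing the two monitoring servers
sync_if   = "em2"                      # crossover link used only for pfsync
shared_ip = "192.0.2.10"               # the single address the hosts' firewalls permit
monitors  = "{ 10.0.0.11, 10.0.0.12 }" # the two monitoring servers

set skip on lo

# Rewrite the source of monitoring traffic to the shared address. Because carp0
# carries the same address on both nodes and states are replicated by pfsync,
# translated sessions survive a failover to the other node.
match out on $ext_if from $monitors nat-to $shared_ip

block all

# Failover plumbing between the pair: CARP advertisements on the interface that
# hosts the virtual address, state replication on the dedicated sync link.
pass quick on $ext_if  proto carp
pass quick on $sync_if proto pfsync

# Monitoring traffic: in from the servers, out with the translated source.
pass in  on $int_if from $monitors
pass out on $ext_if from $shared_ip

# The only inbound service the question mentions is administrative ssh.
pass in on $ext_if proto tcp to $shared_ip port ssh
```

On each node the virtual address is defined in `/etc/hostname.carp0` as `inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 1 pass <shared-secret-placeholder> carpdev em0`, with `advskew 0` on the preferred node and a higher `advskew` (for example 100) on the other, and state replication in `/etc/hostname.pfsync0` as `up syncdev em2`; setting `net.inet.carp.preempt=1` makes the preferred node reclaim the address when it returns. This does require the pair of boxes the question hopes to avoid, but it is the configuration the thread's VRRP suggestion amounts to once the problem is recognised as outbound SNAT: the monitoring servers themselves need no changes, the monitored hosts keep seeing one source address, and neither NAT node is a single point of failure.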
Windows? Use NLB (Network Load Balancer). Multiple servers can serve on one IP. No single point of failure.

TomTom
  • But no way to have *outgoing* connection originate from the shared IP address. – Massimo Aug 23 '10 at 08:43
  • Again, all connections originate on the two servers. No reason for load balancing as far as I can tell. Just SNAT without additional hardware. – CarpeNoctem Aug 23 '10 at 09:39