I have an old Linux HA firewall/router setup that never quite worked. As it was never quite put into true production (just testing and demos), I always had to have one firewall shut down to make it route. Now that we're planning on putting this into production, I need to make this work.
So what I want to do is try to make it finally work correctly in an HA failover mode.
What I have are two Linux servers acting as firewall/routers. They each are fed directly with 10G fibre drops and a point to point /30 network. They run BGP. And they route Infiniband, which is the LAN side. This explains why I'm not using a regular router but a server for this purpose.
These 10G drops when installed I believe were termed multi provider or similar but as far as I'm concerned they come from the same provider and they have a lot of HA upstream.
Looking at every HA setup out there, there is a floating IP on both the public and private side. I assume this is to do with ensuring that flows can be correctly replicated to the backup machine when using conntrackd. And normally keepalived is used on Linux to provide floating IPs on the WAN and the LAN side of the connection.
Something like this:
Rather than explain in great detail the old setup that didn't work, I'm asking for pointers on how I might make this work correctly given that I don't have a switch on the public 10G side. I do however have the eth2 link directly between the two routers, and another eth3 link that is connected together via a switch. I guess what I'm wanting to try and avoid is asymmetric routing where flows come in one server and go out the other. Ideally it'll come into the active server.
The network range as mentioned is provided by BGP and is a /25.
I'm wondering whether I can accomplish something like the following with Linux:
Could I use the eth2 network as a kind of switch so that if a packet entered the backup server it could be fed to the other server via eth2 and then from the master to the LAN? Would that work?
The other thing I had been thinking about was having two default routes on the LAN and forgetting about floating IPs. But am I right in thinking this could be problematic? How would I ensure 1 session per server? I couldn't figure out the policy routing in Linux.
BTW: I have no Windows servers in behind the firewalls. It will be feeding Linux servers only.
Actually, Mark has reminded me that I did actually ask for some help on this early on but I wasn't about to do anything with it at the time the response came in. We all got busy and forgot about it. I have found the email.
The response was:
Hello, Sorry for the late reply. Most of the time you would be able to use HA and have both firewalls working at the same time but that isn't possible here. What I would do here is use route-maps to direct traffic to one side vs the other. On the router you do not want the traffic, you would prepend the route(s) you send us. This makes the path to this device longer so our routers take the other path.
route-map Net:Out
set as-path prepend 65007 65007
router bgp 65007
neighbor <Net IP> route-map out Net:Out
On the same router you would then lower the preference of the routes we send you.
route-map Net:In
set local-preference 10
router bgp 65007
neighbor <Net IP> route-map in Net:In
Please let me know if you have any questions. The syntax I posted was for Brocade but Quagga should be very similar.
Where "Net" is actually the name of the provider that I don't want to reveal.
How would that work in practice? I know keepalived can run a script, i.e.
vrrp_instance MyVRRPInstance {
    [...]
    notify /usr/local/bin/keepalivednotify.sh
}
Ahh, would it simply work to stop the BGP daemon when in the backup state and start it in the master state?
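One way the keepalived notify hook and the route-maps from the quoted email could fit together, as an added example that is not part of the original post or the provider's reply. It assumes Quagga's vtysh, route-maps named Net:Out and Net:In already defined in bgpd.conf, and a constructed placeholder peer address; the function names and the DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Added example: keepalived notify handler that applies or removes the
# route-maps from the provider's email through Quagga's vtysh.
# Assumptions: route-maps Net:Out (as-path prepend) and Net:In
# (local-preference 10) are already defined in bgpd.conf, and the peer
# address below is a constructed placeholder (TEST-NET-1).
# Quagga puts the direction last: neighbor PEER route-map NAME in|out

ASN=65007
PEER="${BGP_PEER:-192.0.2.1}"

# Print the bgpd configuration commands for a VRRP state, one per line.
bgp_commands() {
    case "$1" in
        MASTER)       no="no " ;;  # active node: drop the de-preferencing maps
        BACKUP|FAULT) no="" ;;     # standby node: prepend out, low local-pref in
        *) return 1 ;;
    esac
    printf '%s\n' \
        "configure terminal" \
        "router bgp $ASN" \
        "${no}neighbor $PEER route-map Net:Out out" \
        "${no}neighbor $PEER route-map Net:In in" \
        "end"
}

# Push the commands to bgpd, then soft-clear so the policy takes effect
# without tearing down the session. DRY_RUN=1 only prints the commands.
apply_state() {
    cmds=$(bgp_commands "$1") || { echo "unknown state: $1" >&2; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$cmds"; return 0; fi
    set --
    while IFS= read -r line; do set -- "$@" -c "$line"; done <<EOF
$cmds
EOF
    vtysh "$@"
    vtysh -c "clear ip bgp $PEER soft"
}

# keepalived calls: <script> GROUP|INSTANCE <name> MASTER|BACKUP|FAULT [prio]
if [ "$#" -ge 3 ]; then apply_state "$3"; fi
```

Running it by hand with DRY_RUN=1 prints the commands for a state without touching bgpd, which makes it easy to check against the running configuration before wiring it into the vrrp_instance.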