Redundant Firewall on CentOS 5.6 / RHEL

Discussion in 'Linux Networking' started by decond, Apr 19, 2012.

  1. decond

    Hi Guys :)

    I have set up two servers with iptables and want them to have the same IP address on the WAN side and the same on the LAN side. I tried setting this up with heartbeat and it works. Got a link to fwbuilders, they had a heartbeat cluster example.

    My problem is that the heartbeat only "works" when the whole server is down/both links are down, and not if only the WAN link is down.
    My question is: is there some way I can make sure that my backup firewall takes over the traffic when the WAN link on the main firewall is down?

    One of my colleagues said something about changing the hostname to the WAN IP in the heartbeat config, don't know if that's any useful info :)

    Hope you can help a struggling semi-noob.
  2. Akendo

    Could you print some details here? We can't help that way. Some configuration is needed.

    so far
    akendo
  3. decond

    Info

    Is this of any use?

    Net setup on FW01
    [root@fw01 /]# ip -4 addr ls
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
        inet 127.0.0.1/8 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        inet XXX.XX.107.221/26 brd XXX.XX.107.255 scope global eth0
        inet XXX.XX.107.204/26 brd XXX.XX.107.255 scope global secondary eth0:0
    5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        inet 192.168.0.1/24 brd 192.168.0.255 scope global eth3
    7: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
        inet 10.0.99.6/24 brd 10.0.99.255 scope global bond0
        inet 10.0.99.4/24 brd 10.0.99.255 scope global secondary bond0:0

    Setup on ha.cf
    deadtime 10
    warntime 5
    mcast eth0 225.0.0.1 694 1 0
    mcast bond0 225.0.0.1 694 1 0
    auto_failback on
    node fw01 fw02

    Setup on haresources
    fw01 IPaddr::XXX.XX.107.204/26/eth0/XXX.XX.107.255
    fw01 IPaddr::10.0.99.4/24/bond0/10.0.99.255
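The ha.cf above only watches the heartbeat links themselves, which is why a dead WAN link alone never triggers a failover. Heartbeat's own answer to that is a "ping node" plus the ipfail plugin: both firewalls probe an address on the WAN side, and the resources move to whichever node can still reach it. The following ha.cf is an added example based on the poster's settings, not the poster's file; the gateway address is a placeholder and the ipfail path is assumed for the 64-bit CentOS/RHEL 5 package.

```conf
# /etc/ha.d/ha.cf, identical on fw01 and fw02 (added example)

# Settings already used in the thread
deadtime 10
warntime 5
mcast eth0 225.0.0.1 694 1 0
mcast bond0 225.0.0.1 694 1 0
auto_failback on
node fw01 fw02

# Ping node: an address on the WAN side that both firewalls should always
# reach, typically the upstream gateway. It is not a cluster member; it is
# only a reachability reference. Placeholder, not taken from the thread.
ping <WAN_GATEWAY_IP>

# ipfail compares each node's view of the ping nodes. If fw01 (holding the
# eth0 and bond0 virtual IPs from haresources) loses the ping node while
# fw02 still reaches it, ipfail makes fw01 give up its resources and fw02
# takes over the XXX.XX.107.204 and 10.0.99.4 addresses.
# Path assumed for 64-bit; 32-bit installs use /usr/lib/heartbeat/ipfail.
respawn hacluster /usr/lib64/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster
```

Confirm first that the chosen gateway answers ICMP from both firewalls; a ping node that drops ICMP looks unreachable to both nodes at once and ipfail then moves nothing. Restart heartbeat on both nodes and watch /var/log/messages for the ipfail "ping node" lines before testing by unplugging eth0 on fw01.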
  4. Darwin

    I kinda see what is going on here - your host will have an actual IP location that you can use to log in from, e.g. 192.xxx.xxx/user:1010

    That can be found in your welcome email - try using that IP without the /user:1010 and see if you still have the same issue.
  5. decond

    Sorry mate, I don't know what you are referring to :S
  6. Darwin

    My bad, I did not read the question correctly. You are on a Wide Area Network which is firewalled? If that is the case, it could be that there is so much security it is getting confused. The master WAN would have to be set via the host server if I am correct; it will be configured on the TCP/IP. I think this is the IP that your colleague is referring to. It should be the main IP for your network. Try that route.

    If your network has been configured to a host name such as blabla(dot)com it is that (dot)com that would have the necessary configuration to use.

    I don't know if that makes sense, I am cr*p at instructing, I would make the worst Live Support.

    Some info here may help http://www.linuxforums.org/forum/re...-firewall-server-centos-5-x-small-office.html