Redundant Firewall on CentOS 5.6 / RHEL

D

decond

Guest
Hi Guys :)

I have set up two servers with iptables and want them to have the same ip address on the wan and same on the lan side. I tried setting this up with heartbeat at it works. Got a link to fwbuilders, they had a heartbeat cluster example.

My problem is, that the heartbeat only "works" when the whole server is down/both links are down and not if only the wan link is down.
My question is, is there some way I can make sure that my backup firewall is taking over the trafik when the wan link on the main firewall is down?

On of my colleagues said something about change the hostname to the wan ip in the heartbeat config, don't know if thats any usefull info :)

Hope you can help a strugling semi-noob.
 


Could you print some details here? We can't help that way. Some configuration is need.

so far
akendo
 
Info

Could you print some details here? We can't help that way. Some configuration is need.

so far
akendo

Is this of any use?

Net setup on FW01
[root@fw01 /]# ip -4 addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
inet XXX.XX.107.221/26 brd XXX.XX.107.255 scope global eth0
inet XXX.XX.107.204/26 brd XXX.XX.107.255 scope global secondary eth0:0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth3
7: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
inet 10.0.99.6/24 brd 10.0.99.255 scope global bond0
inet 10.0.99.4/24 brd 10.0.99.255 scope global secondary bond0:0

Setup on ha.cf
deadtime 10
warntime 5
mcast eth0 225.0.0.1 694 1 0
mcast bond0 225.0.0.1 694 1 0
auto_failback on
node fw01 fw02

Setup on haresources
fw01 IPaddr::XXX.XX.107.204/26/eth0/XXX.XX.107.255
fw01 IPaddr::10.0.99.4/24/bond0/10.0.99.255
 
I kinda see what is going on here - your host will have an actual IP location that you can use to login from, eg 192.xxx.xxx/user:1010

That can be found in your welcome email - try using that IP without the /user:1010 and see if you still have the same issue.
 
I kinda see what is going on here - your host will have an actual IP location that you can use to login from, eg 192.xxx.xxx/user:1010

That can be found in your welcome email - try using that IP without the /user:1010 and see if you still have the same issue.

Sorry mate, I don't know what you are refering to :S
 
Sorry mate, I don't know what you are refering to :S

My bad I did not read the question correctly. You are on a Wide Area Network which is firewalled? If that is the case it could be that there is so much security it is getting confused. The master WAN would have to be set via the host server if I am correct, it will be configured on the TCP/IP. I think this is the IP that your colleague is referring to. It should be the main IP for your network. Try that route.

If your network has been configured to a host name such as blabla(dot)com it is that (dot)com that would have the necessary configuration to use.

I don't know if that makes sense I am cr*p at instructing, I would make the worst Live Support.

Some info here may help http://www.linuxforums.org/forum/re...-firewall-server-centos-5-x-small-office.html
 

Members online


Top