[Linux-HA] redundant firewalls with heartbeat

[Ian Turner]

> I want to setup redundant firewalls on two ISP uplinks on the external
> and multiple VLAN interfaces on the internal side.

Assuming that at least one of your ISPs offers a static IP address, I would 
recommend that you ditch Linux and buy two cisco routers (probably 870 or 830 
series) and configure them with SLAs and HSRP. That configuration will be far 
easier to set up (though not trivial), and far more reliable than you can 
hope to get from a PC. If you buy a support contract (about 1/10th the price 
of the router), Cisco will also handhold you while you set it up.

Also, then you can do something called "stateful NAT": If one router fails 
(unlikely), the other can pick up without resetting anybody's connections.

The one caveat I have to offer (having created this exact configuration) is 
that if both of your internet connections use DHCP, then you will have to 
assign one router to each connection; Cisco routers don't play nice when you 
connect multiple DHCP gateways.

> Is there a way to make heartbeat on FW1 recognize the ping to ISP1 and
> switch to ISP2 instead of switching to FW2?

Instead of using ping nodes, you can configure status monitoring on the ISP1 
resources, so that heartbeat notices when the network goes down. But getting 
your constraints set up in such a way that things failover the way you want 
will be a nightmare, IMHO.

--Ian