[Linux-HA] redundant firewalls with heartbeat
Bjoern Metzdorf
bm at turtle-entertainment.de
Wed Aug 9 04:35:23 MDT 2006
Hello Ian,
>> I want to setup redundant firewalls on two ISP uplinks on the external
>> and multiple VLAN interfaces on the internal side.
>
> Assuming that at least one of your ISPs offers a static IP address, I would
> recommend that you ditch Linux and buy two cisco routers (probably 870 or 830
> series) and configure them with SLAs and HSRP. That configuration will be far
> easier to set up (though not trivial), and far more reliable than you can
> hope to get from a PC. If you buy a support contract (about 1/10th the price
> of the router), Cisco will also handhold you while you set it up.
The problem is that a cisco router will never give us the flexibility of
a linux-based system. We can do layer7-filtering, advanced port
forwarding and so on very easily with linux. Besides, we would need
redundant firewalls behind the ciscos anyway.
>> Is there a way to make heartbeat on FW1 recognize the ping to ISP1 and
>> switch to ISP2 instead of switching to FW2?
>
> Instead of using ping nodes, you can configure status monitoring on the ISP1
> resources, so that heartbeat notices when the network goes down. But getting
> your constraints set up in such a way that things failover the way you want
> will be a nightmare, IMHO.
We are right now evaluating a setup with keepalived VRRP and nagios to
monitor ISP availability and have failover.
Regards,
Bjoern
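The uplink-tracking side of the keepalived setup mentioned in this reply, written out as an added example (not code from the thread or from the keepalived project): a POSIX shell "track script" that probes the ISP gateway out of a specific interface, so that keepalived can lower the VRRP priority of the firewall whose uplink has gone dark instead of relying on whole-node heartbeat. The interface names, the gateway address 203.0.113.1, the keepalived stanza in the header comment and the `PING_CMD` override are all assumptions made for this example.

```shell
#!/bin/sh
# check_uplink.sh - keepalived vrrp_script helper (constructed example).
#
# keepalived would reference it roughly like this (assumed, adapt to your setup):
#
#   vrrp_script chk_isp1 {
#       script   "/usr/local/sbin/check_uplink.sh eth0 203.0.113.1"
#       interval 5      # seconds between checks
#       weight   -20    # subtract from priority while the script fails
#   }
#   vrrp_instance VI_ISP1 {
#       interface eth0
#       priority  150
#       track_script { chk_isp1 }
#       ...
#   }
#
# A non-zero exit lowers this node's priority by "weight"; when it drops below
# the peer firewall's priority, VRRP moves the virtual IP for that uplink over.

# Number of probes per check and the ping invocation. PING_CMD is overridable so
# the logic can be exercised offline (e.g. PING_CMD=true / PING_CMD=false).
PROBES=${PROBES:-3}
PING_CMD=${PING_CMD:-"ping -c 1 -W 1"}

# check_uplink IFACE GATEWAY [REQUIRED_OK]
# Sends PROBES single pings from IFACE to GATEWAY and succeeds (exit 0) when at
# least REQUIRED_OK of them are answered (default 2 of 3, so one lost packet
# does not trigger a failover).
check_uplink() {
    iface=$1
    gw=$2
    need=${3:-2}
    ok=0
    i=0
    while [ "$i" -lt "$PROBES" ]; do
        # -I binds the probe to the uplink interface so a reply via the other
        # ISP cannot mask a dead link.
        if $PING_CMD -I "$iface" "$gw" >/dev/null 2>&1; then
            ok=$((ok + 1))
        fi
        i=$((i + 1))
    done
    [ "$ok" -ge "$need" ]
}

# When invoked by keepalived with arguments, run the check and exit with its
# status. With no arguments the functions are merely defined.
if [ "$#" -ge 2 ]; then
    check_uplink "$@"
    exit $?
fi
```

Pair one such script with each uplink (eth0/ISP1, eth1/ISP2) and give each its own `vrrp_instance`; the firewall that still reaches its gateway keeps or gains the corresponding virtual address, which is the "switch to ISP2 instead of switching to FW2" behaviour asked about above.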