[Linux-HA] HA Firewall
mzagrabe at d.umn.edu
Mon Oct 29 09:38:30 MDT 2007
On Thu, 2007-10-25 at 22:23 +0100, North Country Boy wrote:
> Ok ok, I admit. I dont get it!!!!
> I am trying to config a simple HA firewall and it just isnt working to how I had imagined.
> Ok here is the deal.
> The Firewall has two interfaces
> 1) Internal interface eth1 192.168.0.254
> 2) External Interface eth0 188.8.131.52, 184.108.40.206, 220.127.116.11
> The plan would be that in the event of failure, these IP addresses as well as an iptables script would be brought online on the second box.
> The story so far....
> Because I am new to this, I wanted to take things nice and slowly and realise the full solution in stages so that I could learn & understand. I decided to test a simple failover with one ip just using the external interface.
> I added a second nic to both machines (node1 & node2) and got heartbeat working no problem. Using the verison 1 haresource file, I added the following line
> node1 18.104.22.168
> In the ha.cf file I added
> ping 22.214.171.124 (an external router accessible by both nodes)
> Also I added the ipfail command.
> Ok so heartbeat all looks good so far, the new address 126.96.36.199 is added as eth1:0
> No I prevent access to the external router from node1, it recognises that it can no longer reach 188.8.131.52 in the logs, whilst node 2 says and does nothing. huh????
> I thought that at this point, ipfail flags a failure and the failover process begins????
> Conicidentally, pulling the heartbeat cable causes the failover to happen perfectly (which is nice to know).
> So now I am left wondering... If my external eth0 card fails, this isnt enough to cause failover?
Yes, if things are configured correctly.
I have been dealing with v2 only, so I won't be able to help you with
your configs, but I did play with v1 a tiny bit and I remember ipfail
Speaking of configs, you should post your ha.cf and haresources files
along with logs. I believe the list prefers attachments rather than
Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
He is not a fool who gives up what he cannot keep to gain what he cannot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.community.tummy.com/pipermail/linux-ha/attachments/20071029/b42dad19/attachment.pgp
More information about the Linux-HA