[Linux-HA] HA Firewall

Matt Zagrabelny mzagrabe at d.umn.edu
Mon Oct 29 09:38:30 MDT 2007


On Thu, 2007-10-25 at 22:23 +0100, North Country Boy wrote:
> Ok ok, I admit. I don't get it!!!!
>  
> I am trying to config a simple HA firewall and it just isn't working how I had imagined.
>  
> Ok here is the deal.
>  
> The Firewall has two interfaces
>  
> 1) Internal interface eth1 192.168.0.254
>  
> 2) External Interface eth0  195.63.63.100, 195.63.63.101, 195.63.63.102
>  
> The plan would be that in the event of failure, these IP addresses as well as an iptables script would be brought online on the second box.
>  
> The story so far....
>  
> Because I am new to this, I wanted to take things nice and slowly and realise the full solution in stages so that I could learn & understand.  I decided to test a simple failover with one ip just using the external interface.
>  
> I added a second nic to both machines (node1 & node2) and got heartbeat working no problem. Using the version 1 haresources file, I added the following line
>  
> node1 195.63.63.101
>  
> In the ha.cf file I added
>  
> ping 195.63.63.254  (an external router accessible by both nodes)
>  
> Also I added the ipfail command.
>  
> Ok so heartbeat all looks good so far, the new address 195.63.63.101 is added as eth1:0 
>  
> Now I prevent access to the external router from node1; it recognises in the logs that it can no longer reach 195.63.63.254, whilst node2 says and does nothing. huh????
> I thought that at this point, ipfail flags a failure and the failover process begins????
>  
> Coincidentally, pulling the heartbeat cable causes the failover to happen perfectly (which is nice to know).
>  
> So now I am left wondering... If my external eth0 card fails, this isn't enough to cause failover?

Yes, if things are configured correctly.

I have been dealing with v2 only, so I won't be able to help you with
your configs, but I did play with v1 a tiny bit and I remember ipfail
working fine.

Speaking of configs, you should post your ha.cf and haresources files
along with logs. I believe the list prefers attachments rather than
inline.

[...]

-- 
Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85  C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
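As an added illustration for readers of this thread (not the poster's own configuration, which was never included, and not a file taken from the Linux-HA project), the pair of files below shows what a heartbeat v1 setup looks like when ipfail is actually wired in. The node names, the ping node and the 195.63.63.101 address come from the post; the interface used for the heartbeat link, the timer values and the layout of the resource line are assumptions and should be adjusted to the real cabling.

```conf
# /etc/ha.d/ha.cf  (assumed example; the file must be identical on node1 and node2)
logfacility     local0
keepalive       2
deadtime        30
warntime        10
initdead        120
udpport         694
bcast           eth2            # assumed: the NIC carrying the heartbeat link
auto_failback   on

node            node1
node            node2

# Ping node: the external router both boxes can reach. ipfail works by comparing
# how many ping nodes each side can still see, so the same ping line has to be
# present on both nodes; a ping node listed on one node only gives nothing to compare.
ping            195.63.63.254

# ipfail has to be started by heartbeat on BOTH nodes and granted API access.
# With only the ping line, heartbeat logs the lost ping node but takes no action,
# which is the symptom described in the post.
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster

# /etc/ha.d/haresources  (also identical on both nodes)
# Preferred node first, then the resources it owns. A bare address is brought up by
# the IPaddr resource script; further resources (for example an init-style script
# that loads the iptables rules, placed in /etc/ha.d/resource.d/) are listed after
# the addresses and are started in that order on the active node.
node1 195.63.63.101
```

When checking a setup against this, the two things to confirm on each node are that an ipfail process is running under the hacluster user (it is heartbeat that has to start it via the respawn line, not an init script) and that both ha.cf files carry the same ping directive; logs in which node1 reports the ping node as dead while node2 stays silent usually point at one of those two.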