Simple way to use backup gateway (metric?)

mangueJOE · 08-27-2009, 05:46 PM

This firewall has 3 interfaces (name fw1)
eth0 is WAN IP 200.200.200.2
eth1 is LAN IP 192.168.0.1
eth2 is DMZ IP 192.168.100.1

DMZ has another gateway (fw2) with a WAN interface. It also has DMZ interface with IP 192.168.100.5 (which is the second default gateway for fw1)

fw1 routing table

Code:

root@fw:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
200.200.200.0   0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         200.200.200.1   0.0.0.0         UG    100    0        0 eth0
0.0.0.0         192.168.100.5   0.0.0.0         UG    200    0        0 eth2

As you can see it has 2 default gateways. If the eth0 default gw link fails, the second default gw doesn't work.

The only way the second link work is to actually disable eth0 (ifconfig eth0 down).

If both interfaces are up, but eth0 internet link (not the interface) gets down, the firewall wont use the second gateway. I checked man page for route and it says metric isn't used for recent kernels.

Is there a way to make it work?

evilted · 08-28-2009, 11:24 AM

i use a script, its original author called it gwping. i use an adapted version of it for redundancy in load balancing multiple external links, but im sure you can adapt it to suit your needs.

it can be found here:

http://blog.taragana.com/wp-content/upload/gwping

i am sure there are other methods, and if anyone knows other methods I too am all ears!

Other methods that I have tried have not been so good, likewise the gwping method: qos can be a cause of packet loss, ping (icmp) is one of the lowest in qos, and would be the first dropped over something like a sip call, and can cause your routes to be switched when in fact nothing is wrong with the current link.

i would really like to take advantage of the kernel's ability to detect dead gateways, but my problem is that my isp is dodgy, and not the connection between my servers and modems/routers. the dead gateway detection should be able to tell when the next hop goes down (not the connection leaving the ISP which is where i have problems 2 to 4 hops away), and will then mark the route as being dead. when having multiple defaults the next in the order should therefore take over.

metrics are not a 'failover or redundancy measure':

"Set the routing metric of the interface to n, default 0. The routing metric is used by the routing protocol. Higher metrics have the effect of making a route less favorable; metrics are counted as addition hops to the destination network or host."

mangueJOE · 08-31-2009, 10:46 AM

Well for that matter, we will use manual intervention (ifconfig eth0 down) so the other link would work.

Problem is, now I have to setup another firewall with similar structure, with real load balancing and fail over. I'll try some stuff and post here the results.

mangueJOE · 08-31-2009, 05:02 PM

Ok I just found this: http://packages.debian.org/lenny/ifenslave-2.6

And some HOW-TOs:

For Debian lenny
http://www.howtoforge.com/nic-bonding-on-debian-lenny

For Centos
http://www.howtoforge.com/network_card_bonding_centos

Will give a go with Virtual Machines in Virtualbox and post here the results.