-
December 12th, 2005, 04:16 PM
#1
-
December 12th, 2005, 04:53 PM
#2
Add a static route to your 192.168.1.0 network (on your machines in the DMZ)..
As for fail over routing.. That depends on the type of routers used as gateways..
Usually you define a virtual IP address.. Both gateways listen on that virtual address..
The default gateway will point to that virtual IP address..
And to see what happens fire up tcpdump on one of the machines in the DMZ.... I'll bet you see lots of ICMP redirects.. The static route should help prevent those too..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
December 13th, 2005, 11:09 AM
#3
Thanks for that, I will try it today. As for the fail-over, I was just wondering if I were to write a little script to find out if the gateway is live or not and then just change the default gateway to it, something quick like that?
The other option I am considering is downloading all the kernel patches for detecting a dead gateway. I know Windows supports this but you need to patch 2.4 and 2.6 kernels for Linux; as for the BSDs I will have to look it up.
Also for load balancing and fail-over I looked up some Cisco protocols like BGP; what do you think of that as an option? Thanks a lot for the feedback.
-
December 13th, 2005, 11:13 AM
#4
As for the fail-over, I was just wondering if I were to write a little script to find out if the gateway is live or not and then just change the default gateway to it, something quick like that?
Simple, yet effective solution..
Also for load balancing and fail-over I looked up some Cisco protocols like BGP; what do you think of that as an option?
I believe BGP would be overkill for your situation..
What's the type of gateways you use?
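The gateway-polling script proposed in #3 and called "simple, yet effective" in #4, written out as an added example (it is not a script either participant posted). It assumes a Linux host with iputils `ping` and iproute2 `ip route`; the two candidate gateway addresses 10.0.0.2 and 10.0.0.3 are made up for the example. The liveness probe and the command runner are passed in as parameters so the decision logic can be exercised without touching a real routing table.

```python
"""Gateway liveness poll and default-route switch: added example, not the
thread's own script. Assumes Linux (iputils ping, iproute2 ip); gateway
addresses are constructed for the example."""
import subprocess
import time
from typing import Callable, List, Optional, Sequence

# Candidate default gateways in order of preference (constructed addresses:
# first the leased-line router, then the ADSL router).
GATEWAYS: List[str] = ["10.0.0.2", "10.0.0.3"]


def ping_alive(gw: str, timeout_s: int = 1) -> bool:
    """One ICMP echo to the gateway's DMZ-side address. The gateway is on-link,
    so this probe does not depend on the default route that may be broken."""
    res = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), gw],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return res.returncode == 0


def choose_gateway(gateways: Sequence[str], probe: Callable[[str], bool]) -> Optional[str]:
    """First gateway in preference order that the probe reports alive, or None."""
    for gw in gateways:
        if probe(gw):
            return gw
    return None


def default_route_cmd(gw: str) -> List[str]:
    """iproute2 command that swaps the default route in one step (needs root)."""
    return ["ip", "route", "replace", "default", "via", gw]


def failover(
    gateways: Sequence[str],
    current: Optional[str],
    probe: Callable[[str], bool],
    run: Callable[[List[str]], object],
) -> Optional[str]:
    """Return the gateway in use after this round.

    The route is rewritten only when the choice changes. If every gateway is
    dead the existing default route is left alone rather than deleted, so
    traffic resumes by itself when the current gateway comes back."""
    chosen = choose_gateway(gateways, probe)
    if chosen is None or chosen == current:
        return current
    run(default_route_cmd(chosen))
    return chosen


if __name__ == "__main__":
    # Poll every 10 s; the first round installs the preferred live gateway,
    # and later rounds fail back to it as soon as it answers again.
    active: Optional[str] = None
    while True:
        active = failover(GATEWAYS, active, ping_alive, subprocess.run)
        time.sleep(10)
```

Two caveats worth knowing before relying on this: a reply from the router's DMZ interface only proves the router is up, not that the leased line or ADSL behind it carries traffic, so a stricter probe would ping something beyond each gateway; and on FreeBSD the route change is `route change default <gw>` rather than the iproute2 form used here.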
-
December 13th, 2005, 11:21 AM
#5
Yeah, I also think BGP is overkill; actually I don't think it would work in this scenario.
I have two routers: one is a Cisco 2600 where the leased line is connected and the other is a Cisco 805 for an ADSL. They are both small lines compared to anything similar in Europe or the US. Being stuck in Africa with Telkom is a disaster.
But that's a basic setup, nothing massive. I just want to make a simple switch in case one of the gateways goes dead.
-
December 13th, 2005, 11:32 AM
#6
I just want to make a simple switch in case one of the gateways goes dead.
Have a look at HSRP. Both the 805 and the 2600 should support that..
Hot Standby Router Protocol (HSRP): Frequently Asked Questions
-
December 13th, 2005, 02:51 PM
#7
Well, while we are on the issue of fail-over, I am building a FreeBSD failover setup for my firewall. So far this is what I have in mind: use freevrrpd (http://www.us.bsdshell.net).
Your thoughts on this sort of setup? Have you ever tried anything like this?
My aim is really that everything happens automatically without human intervention in case I am not around.
-
December 13th, 2005, 04:25 PM
#8
http://www.b0l.org/?idcategory=3&idsection=1
http://www.freshports.org/net/freevrrpd/
My aim is really that everything happens automatically without human intervention in case I am not around.
HSRP and VRRP are both designed to work "automagically" (if set up correctly)..
Never tried freeVRRPd though.. Looks like it should cooperate with Cisco's VRRP too..
-
December 14th, 2005, 10:47 AM
#9
Sorry, one more question about those static routes and losing a gateway.
I added static routes, but then when I telnet to my POP3 server, which is in a DMZ and has no active gateway, I see it's connecting, then it says connected, but you cannot send any commands to the machine itself.
When I run Ethereal I see ARP broadcasting "who has" that IP, e.g. 10.0.1.34.
It seems that ARP gets messed up. Then when I flush the ARP table on a machine in the DMZ I can connect to it without any problems even if the gateway is down. Why would ARP get messed up? I thought that NAT breaks, but NAT runs fine.
-
December 14th, 2005, 11:10 AM
#10
Look at your routing tables on the DMZ machines: netstat -rn. Look for routes with the D flag.. These are added because of ICMP redirects and are probably the cause of your problems..
And ARP: arp -an
How's your firewall set up? Using NAT? Is it bridged? Stateful filters?
Can you post a tcpdump output from one of your DMZ machines? A plain tcpdump -i eth0 -n -e will do.. You can obfuscate the IPs if you want.. Use something like a.a.a.1 for 192.168.0.1; a.a.a.2 for 192.168.0.2; b.b.b.1 for 10.0.0.1 etc.. So we know a.a.a.1 is on the same subnet as a.a.a.2 and b.b.b.1 is not.. The actual IPs are irrelevant but we have to know how the subnets are set up...
For the sake of simplicity I'll use one gateway:
[LAN; 192.168.0.x/24]---------{1}[firewall]{1}----[DMZ; 10.0.0.x/24]-------{2}[gateway]
MachineA= 192.168.0.200
MachineDMZ= 10.0.0.100
Firewall LAN interface= 192.168.0.1
Firewall DMZ interface= 10.0.0.1
Gateway DMZ interface= 10.0.0.2
On MachineDMZ:
route add default 10.0.0.2
On MachineA:
route add default 192.168.0.1
What happens when MachineA connects to MachineDMZ?
MachineA: ARP who has 192.168.0.1? Tell 192.168.0.200
MachineA: send SYN to MachineDMZ
MachineDMZ: receives SYN
MachineDMZ: ARP who has 10.0.0.2? Tell 10.0.0.100
MachineDMZ: send SYN/ACK to MachineA
Here's where things go wrong..
Instead of sending the SYN/ACK back to the firewall it'll send it to the gateway. MachineDMZ doesn't know where 192.168.0.x/24 is, so it sends it to its default gateway..
The gateway will receive the SYN/ACK but doesn't know where to send it, so in turn it'll send it to its default gateway. This is probably your ISP.. Hence no connection...
If the gateway knows the 192.168.0.0 network it will send an ICMP redirect to MachineDMZ telling it it can find the 192.168.0.0 network via the firewall..
MachineDMZ will then add a dynamic route (the ones with the D flag in the netstat -rn output).
By adding a static route on MachineDMZ (route add -net 192.168.0.0/24 10.0.0.1) you prevent this whole dynamic thing, making sure MachineDMZ knows the way back to 192.168.0.0/24 with or without a default gateway..
Hope this clears things up a bit... If not.. just ask
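The SYN/ACK walk-through in #10, modelled as an added example (not code from the thread). It reproduces MachineDMZ's routing table with longest-prefix matching, the gateway's own forwarding decision, and the ICMP redirect that leaves a D-flagged host route behind, for all four combinations of "static route present / absent" and "gateway knows the 192.168.0.0 network / does not". The addresses are the post's own except for the gateway's upstream next hop 203.0.113.1, which is a made-up documentation address; the `UC`/`UGS`/`UGHD` flag strings follow the netstat -rn style the post refers to.

```python
"""Routing-table model of the SYN/ACK problem described in post #10.

Added example, not from the original thread. The ISP next hop 203.0.113.1 is
a constructed documentation address; the other addresses are the post's own.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

FIREWALL_DMZ = "10.0.0.1"
GATEWAY_DMZ = "10.0.0.2"
MACHINE_DMZ = "10.0.0.100"
MACHINE_A = "192.168.0.200"
ISP_NEXT_HOP = "203.0.113.1"  # assumption: the gateway's upstream hop
DMZ_NET = ipaddress.ip_network("10.0.0.0/24")

# prefix, next hop (None = directly connected), netstat-style flags
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, nexthop: Optional[str], flags: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), nexthop, flags))

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match, the way the kernel picks a route."""
        d = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if d in r[0]]
        if not matches:
            raise KeyError(f"no route to {dst}")
        return max(matches, key=lambda r: r[0].prefixlen)

    def next_hop(self, dst: str) -> str:
        """Address the host will ARP for: the route's gateway, or dst if on-link."""
        _, nh, _ = self.lookup(dst)
        return nh if nh is not None else dst

    def dump(self) -> List[str]:
        """netstat -rn style lines: destination, gateway, flags."""
        return [f"{net} {nh or 'link'} {flags}" for net, nh, flags in self.routes]


def build_dmz_table(static_route: bool) -> RoutingTable:
    t = RoutingTable()
    t.add("10.0.0.0/24", None, "UC")              # directly connected DMZ
    t.add("0.0.0.0/0", GATEWAY_DMZ, "UGS")         # route add default 10.0.0.2
    if static_route:                               # route add -net 192.168.0.0/24 10.0.0.1
        t.add("192.168.0.0/24", FIREWALL_DMZ, "UGS")
    return t


def build_gateway_table(knows_lan: bool) -> RoutingTable:
    t = RoutingTable()
    t.add("10.0.0.0/24", None, "UC")
    t.add("0.0.0.0/0", ISP_NEXT_HOP, "UGS")
    if knows_lan:
        t.add("192.168.0.0/24", FIREWALL_DMZ, "UGS")
    return t


def send_synack(static_route: bool, gateway_knows_lan: bool) -> Dict[str, object]:
    """Where MachineDMZ's SYN/ACK to MachineA ends up, and what a redirect leaves behind."""
    dmz = build_dmz_table(static_route)
    gw = build_gateway_table(gateway_knows_lan)
    first_hop = dmz.next_hop(MACHINE_A)
    result: Dict[str, object] = {"first_hop": first_hop, "redirected": False,
                                 "final_hop": first_hop}
    if first_hop == GATEWAY_DMZ:
        # The gateway forwards according to its own table.
        gw_hop = gw.next_hop(MACHINE_A)
        result["final_hop"] = gw_hop
        if ipaddress.ip_address(gw_hop) in DMZ_NET:
            # Next hop is back out the interface the packet arrived on, so the
            # gateway sends an ICMP redirect and MachineDMZ installs a dynamic
            # host route (the D flag in netstat -rn).
            dmz.add(f"{MACHINE_A}/32", gw_hop, "UGHD")
            result["redirected"] = True
    result["reaches_firewall"] = result["final_hop"] == FIREWALL_DMZ
    result["dynamic_routes"] = [l for l in dmz.dump() if "D" in l.split()[-1]]
    result["table"] = dmz
    return result


if __name__ == "__main__":
    for static in (False, True):
        for knows in (False, True):
            r = send_synack(static, knows)
            print(f"static_route={static} gateway_knows_lan={knows}: "
                  f"first hop {r['first_hop']}, final hop {r['final_hop']}, "
                  f"redirect={r['redirected']}, D routes={r['dynamic_routes']}")
```

Running it shows the three outcomes the post describes: without the static route and with a gateway that knows nothing about 192.168.0.0, the SYN/ACK leaves for the ISP; with a gateway that does know the LAN, it arrives, but only after a redirect has planted a 192.168.0.200/32 UGHD route that the host will keep using; with the static route the first hop is the firewall every time and no redirect is ever triggered.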