[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: Redundancy
From:       Jefferson Ogata <jogata () nodc ! noaa ! gov>
Date:       2001-03-31 6:24:54
[Download RAW message or body]

Ryan Williams wrote:
> 
> Is there any way to have two firewalls setup in a redundant setup (not
> necessairly load balancing but it would be a + ) here is what I am looking
> for...
> 
>               (T1)       (T1)
>                   \      /
>                   [Router]
>                    /    \
>               [FW] [FW]
>                     \   /
>                    [Switch]
>                   / / | |\ \
>                 {Servers}
> 
> Sorry if the above did not show up right, I did my best to check it.
> 
> My only problem comes when I have two firewalls and they are both on
> different ip addresses and I can have only one default gateway. I am very
> much afraid that if I only have one firewall it WILL fail and it will happen
> at the most inoportune time. I also do not want to have to wory about
> rebooting a firewall and having my whole network go down. Has anyone done
> anything like this? I might have the wrong idea about how to go about doing
> this. It almost seems to me like I need another router that combins the two
> firewalls on the internal side. That would kinda defeat the point.

One way to approach this is to keep both firewalls attached to the network in
parallel. Set them up on separate IPs on both sides, but do not use these IPs
for routing. Use static arp entries to publish the addresses you use for
routing, assigning them to the currently active firewall. Keep the external
interface of the backup router unconfigured, but attached. Then, to fail over
from the primary to the backup you need to do the following:

1. Configure the external interface of the backup.
2. Unpublish the arp entries assigning the router addresses to the primary's
ethernet interfaces.
3. Publish arp entries assigning the router addresses to the backup's ethernet
interfaces. It is good if you can do this in a way that causes a gratuitous
arp to be transmitted; otherwise, you'll have to wait for the old arp entries
to time out before they'll start getting used.

The routers and internal hosts will now start routing traffic through the
backup firewall. Since the router addresses aren't actually configured into
any network interface, but are visible only through arp, switching from one
firewall to the other has minimal effect on the system configurations. One
reason this is nice is that you don't lose any connections you've established
to the firewalls during fail-over, as you would if you were actually changing
the IP addresses of their network interfaces.

One drawback of this approach is that you lose state when you fail over. IP
Filter 4.0 has features to enable you to save state, but I think in a
fail-over situation this may be pointless, since presumably your primary is in
trouble and you may be unable to transfer the current state to the backup
anyway.

-- 
Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos

[prev in list] [next in list] [prev in thread] [next in thread]