[TriLUG] BSD/Linux firewall with multiple ISP and failover?

Jon Carnes jonc at nc.rr.com
Sat Jan 28 13:13:40 EST 2006


On Fri, 2006-01-27 at 11:13, Greg Brown wrote:
> Hey all.  I think I finally hit a dead-end with M0n0wall.  My outer banks
> client now requires fail over from the DSL Internet connection to a 2nd ISP,
> probably a cable modem.  My research indicates that M0n0 doesn't support
> this yet.
> 
> What are my options here besides something like a Cisco 2621xm (WAY too
> expensive for this client)?  Does anyone know of an inexpensive appliance
> that they have tested for fail over Internet?  Or can a BSD/Linux box be
> built for this purpose?
> 
> Greg

My firewalls at work are OpenBSD. I love them... well, I like them a
*lot*. 

Since you use Monowall, you probably aren't used to directly programming
a firewall. PF (the firewall in OpenBSD) can be a bit intimidating for
the first 10 minutes of learning, but the docs are very good and there
are also plenty of examples. 

CARP is that way as well - very well documented with good examples. So
really, if you just want to get something up and running (and don't care
about how it all works), then you can get up and running fairly fast.

==
In your email you talk about using the second firewall for an alternate
connection - using a separate ISP vendor. That being the case, CARP
really isn't the tool you want. On fail-over you are switching Vendors.
So when moving to the secondary firewall you will also be switching the
IP range used by the Firewall. Your users' sessions will no longer be
valid and all current connections will have to be re-established from
scratch.

That being the case, all you really want is a second firewall - attached
to the alternate ISP - and running a fail-over script that will let it
take over as the primary firewall.

Most likely you will only need the secondary firewall to take over the
internal address of the primary firewall. This lets the internal users
continue to browse/access the internet with a minimal amount of fuss.
The scripting to do that is very trivial.

You can find an example of that here:
   http://www.trilug.org/~jonc/Failover_scripts/

Good Luck, and I hope you do learn more about OpenBSD and pf!

Jon Carnes
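The kind of fail-over script Jon describes, as an added example (my sketch, not the script at Jon's URL): it assumes an OpenBSD secondary firewall with LAN interface em1 and a primary whose inside address is 192.168.1.1, and it only claims that inside address, so, as Jon notes, existing sessions through the DSL ISP still drop.

```shell
#!/bin/sh
# Added example, not the script from Jon's URL. Runs on the secondary
# firewall: watches the primary's LAN address and, after a run of
# failures, claims it as an alias so LAN hosts keep their gateway.
# Interface and addresses are assumptions for this site.
PRIMARY_INT_IP="192.168.1.1"   # primary firewall's LAN address (assumed)
INSIDE_IF="em1"                # secondary's LAN interface (assumed)
FAIL_THRESHOLD=3               # consecutive failures before taking over
# 0 if the primary answers on the LAN, 1 otherwise. This only shows the
# box is up; testing its DSL path would need a probe routed through it.
probe_primary() {
    ping -c 1 -w 2 "$PRIMARY_INT_IP" >/dev/null 2>&1
}

# Pure decision logic (testable without touching interfaces).
# Args: state (primary|backup), failure count, probe result.
# Prints "<state> <count> <action>", action = takeover|release|none.
next_state() {
    state=$1; fails=$2; probe=$3; action=none
    if [ "$probe" -ne 0 ]; then fails=$((fails + 1)); else fails=0; fi
    if [ "$state" = primary ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
        state=backup; action=takeover
    elif [ "$state" = backup ] && [ "$probe" -eq 0 ]; then
        state=primary; action=release
    fi
    echo "$state $fails $action"
}
take_over() {
    # Claim the primary's LAN address. pf rules on $INSIDE_IF still
    # apply; sessions NATed through the primary's ISP still break.
    ifconfig "$INSIDE_IF" alias "$PRIMARY_INT_IP" netmask 255.255.255.255
    logger -t failover "primary down, now answering on $PRIMARY_INT_IP"
}
release() {
    ifconfig "$INSIDE_IF" -alias "$PRIMARY_INT_IP"
    logger -t failover "primary back, released $PRIMARY_INT_IP"
}
run_loop() {
    cur=primary; cnt=0
    while :; do
        probe_primary; rc=$?
        set -- $(next_state "$cur" "$cnt" "$rc")
        cur=$1; cnt=$2
        case $3 in takeover) take_over ;; release) release ;; esac
        sleep 10   # seconds between probes
    done
}
# Start the loop only when invoked as "failover.sh run".
case "${1:-}" in run) run_loop ;; esac
```

Run it from rc.local (or under a supervisor) on the secondary only; the primary keeps its normal configuration and needs no counterpart.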