From: Vieri Di P. <vie...@ya...> - 2012-09-17 13:06:28
Hi,
I would appreciate it if I could get some advice before setting up a firewall with a failover procedure.
Network layout:
             loc1
              |
 net1 --- Shorewall1 --- net2
  |                       |
 net1 --- Shorewall2 --- net2
              |
             loc2
loc1: 10.0.0.0/16
loc2: 10.1.0.0/16
net1: 172.16.0.0/24
net2: 172.16.1.0/24
Shorewall1: 3 NICs connected to loc1, net1 and net2
Shorewall2: 3 NICs connected to loc2, net1 and net2
Assumption:
Shorewall1,2 route loc1 and loc2 traffic via net1 by default and use net2 only as a backup in case net1 fails. If net1 comes back on-line, packets should be re-routed through net1.
Connection example:
HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 (10.1.0.1) through net1 (default route loc1->loc2).
While HTTP/FTP download in progress, net1 link fails.
I suppose Shorewall1 and Shorewall2 can be configured to re-route packets automatically in case a link (net1 or net2) fails. However, changing the route through a different physical interface should break active connections.
I don't think there's any way of "preserving" a connection in this scenario and "moving it transparently" from, say, net1 to net2, so that the user application (FTP/HTTP) isn't interrupted. Am I right?
i.e. the connection must always be re-initiated/resumed by the client after a transient network failure and re-routing.
=============================================
Other network layout:
                       loc1 --------- loc1
                        |              |
 (ucarp or keepalived) Shorewall1 --- Shorewall2 (conntrackd)
                        |              |
                       net1           net2
                        |              |
 (ucarp or keepalived) Shorewall3 --- Shorewall4 (conntrackd)
                        |              |
                       loc2 --------- loc2
conntrackd: 192.168.100.0/24 (crossover cable)
loc1, loc2, net1, net2: same as in previous example
Assumptions:
Shorewall1 and Shorewall3 are "masters" and route traffic through net1 (default route).
Shorewall2 and Shorewall4 are "slaves" and route traffic through net2.
If net1 fails then all traffic from/to loc1/loc2 is sent through net2.
Conntrackd syncs connection states between Shorewall1 and Shorewall2. Same for Shorewall3 and Shorewall4.
Connection example:
Same as in previous example.
HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 (10.1.0.1) through masters Shorewall1 & Shorewall3 via net1.
While HTTP/FTP download in progress, net1 link fails and traffic should flow through slaves Shorewall2 & Shorewall4 via net2.
Will the HTTP/FTP client in loc1 be able to continue downloading the file in loc2 as if there weren't any network disruptions?
Thanks for your time,
Vieri
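The state-replication question raised in the post, as an added example that is not part of the original message and is not Shorewall or conntrackd code: a toy Python model of two stateful firewalls in front of the download from 10.0.0.1 (loc1) to 10.1.0.1 (loc2). The firewall class, the packet format, the client port 40000 and the `replicate_state` helper (a stand-in for what conntrackd does) are all constructed for illustration; the model tracks only the flow key and ignores TCP sequence-window checking and NAT. The `strict=False` mode mirrors the Linux connection-tracking behaviour controlled by the real sysctl `net.netfilter.nf_conntrack_tcp_loose`, where a non-SYN packet with no existing entry is allowed to create one.

```python
"""Toy model of stateful-firewall failover (added example, not from the post).

Shows why a backup firewall drops the data segments of a connection that was
opened through its partner unless the partner's conntrack table has been
replicated to it first (the job conntrackd does in the second layout).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


class StatefulFirewall:
    """Minimal stateful firewall: a conntrack table keyed by the flow endpoints.

    strict=True  : accept only SYNs (new connections, where policy applies)
                   or packets matching an existing entry.
    strict=False : additionally pick up mid-stream packets with no entry,
                   like Linux conntrack with nf_conntrack_tcp_loose=1.
    """

    def __init__(self, name: str, strict: bool = True) -> None:
        self.name = name
        self.strict = strict
        self.conntrack: Dict[FlowKey, str] = {}
        self.log: List[str] = []

    @staticmethod
    def flow_key(p: Packet) -> FlowKey:
        # Order the endpoints so both directions of a flow share one entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def forward(self, p: Packet) -> bool:
        key = self.flow_key(p)
        if "SYN" in p.flags and "ACK" not in p.flags:
            # New connection: this is the only point where the access policy
            # is consulted.  Assumed policy: loc1 may open connections to loc2.
            self.conntrack[key] = "SYN_SENT"
            self.log.append(f"{self.name}: NEW {key}")
            return True
        if key in self.conntrack:
            self.conntrack[key] = "ESTABLISHED"
            return True
        if self.strict:
            self.log.append(f"{self.name}: DROP mid-stream packet, no state for {key}")
            return False
        # Loose pickup: state is created although this firewall never saw a SYN,
        # so the packet bypasses the new-connection policy check above.
        self.conntrack[key] = "ESTABLISHED"
        self.log.append(f"{self.name}: PICKUP mid-stream {key}")
        return True


def replicate_state(primary: StatefulFirewall, backup: StatefulFirewall) -> None:
    """Stand-in for conntrackd: push the primary's conntrack table to the backup."""
    backup.conntrack.update(primary.conntrack)


def failover_scenario(sync_state: bool, strict: bool = True) -> List[bool]:
    """Verdict (True = forwarded) for each packet of the post's example: the
    handshake passes the primary, net1 fails, the next data segment reaches
    the backup."""
    primary = StatefulFirewall("Shorewall1", strict)
    backup = StatefulFirewall("Shorewall2", strict)
    client, server = ("10.0.0.1", 40000), ("10.1.0.1", 80)  # constructed ports

    def pkt(src: Endpoint, dst: Endpoint, *flags: str) -> Packet:
        return Packet(src[0], src[1], dst[0], dst[1], frozenset(flags))

    handshake = [
        pkt(client, server, "SYN"),
        pkt(server, client, "SYN", "ACK"),
        pkt(client, server, "ACK"),
    ]
    verdicts = [primary.forward(p) for p in handshake]
    if sync_state:
        replicate_state(primary, backup)
    # net1 fails: the download's next data segment now arrives at the backup.
    verdicts.append(backup.forward(pkt(server, client, "ACK", "PSH")))
    return verdicts


if __name__ == "__main__":
    print("state replicated :", failover_scenario(sync_state=True))
    print("no replication   :", failover_scenario(sync_state=False))
    print("loose pickup     :", failover_scenario(sync_state=False, strict=False))
```

With replicated state the mid-stream segment is forwarded by the backup and the transfer can continue; without it the strict backup drops the segment and the client stalls until it reconnects, which is the behaviour the first layout in the post leads to. Loose pickup also forwards the segment, but only by creating state for a flow the backup never vetted at connection setup, which is why replicating the conntrack table is the preferable way to keep flows alive across a failover rather than relaxing the tracking rules.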