Hello,
Do you know if you can do something like CARP+pfsync with Linux+IPVS?
IPVS has not much to do with firewalling; you can achieve CARP+pfsync-like
setups using VRRP+ctsync under Linux.
My goal is to have two firewalls, a master and a backup,
both sharing the same IP, the VIP.
keepalived.
I can do it easily with keepalived, a VRRP method and the same ruleset, but it
means that all connections are lost when the master goes down.
ctsync
I want to know if IPVS is the solution.
Nope, provided that was a question.
I then read
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.server_state_sync_demon.html
This is IPVS template synchronisation.
but I saw: "Note that the feature of connection synchronization is under
experiment now, and there is some performance penalty when connection
synchronization, because a highly loaded load balancer may need to multicast
a lot of connection information. If the daemon is not started, the performance
will not be affected."
Under experiment is a bit strong ...
and from:
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.failover.html
Honestly, as good as LVS is for real server load balancing, for firewalls I like
OpenBSD with CARP and pfsync. CARP+pfsync provides easy, scalable load
balancing and HA for firewalls. pf, the OpenBSD firewall, is very well written
and nicely designed. Give it a look, www.openbsd.com.
It is indeed.
Note: CARP is available for Linux too."
CARP is the same as VRRP basically.
Yes, CARP is available for Linux, but not pfsync, which is what I need.
Does ctsync not work? I know that you've also asked in the nf-failover
ml. It's sort of maintained (there have been a couple of patches to
ct_sync this year already) and it sort of works for the handful of
people that actually use it. It had problems with tcp window tracking
the last time I tried it but Krisztian and Harald are certainly more
than happy to fix a couple of issues related to ctsync problems. People
send in patches to ct_sync regularly to netfilter-devel and some even
maintain out of tree kernel patches:
http://vvv.barbarossa.name/files/ct_sync/
Please try out the available software and if this does not work,
complain at netfilter-dev ml ;).
I have 2 questions:
First, is it possible to use IPVS in this way?

        .----FW backup---.
       /        |         \
INET---         |          +---LAN
       \        |         /
        `----FW master---'

a master, a backup, firewall scripts, and real-time updating of
ip_conntrack?
Basically yes, however IPVS is of no use to you since you only need VIP
failover functionality, aka VRRP.
Second: and what if I add load balancing of servers from the firewall?
This I don't understand.
Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
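The answer in this thread comes down to two pieces: VRRP (keepalived) moves the VIP, and a conntrack synchronisation daemon moves the connection state so that the backup's ESTABLISHED rules keep matching after a failover. The glue between the two is keepalived's notify script, which is run on every VRRP state change. The script below is an added example written for this page, not code from the thread, from keepalived or from the netfilter project. It assumes conntrackd from conntrack-tools (the later successor of the ct_sync kernel patch discussed above, and not mentioned in the thread), keepalived's convention of calling the notify script with the arguments INSTANCE|GROUP, instance name and new state, and a configuration file at /etc/conntrackd/conntrackd.conf. The per-state flag sequences follow conntrack-tools' shipped primary-backup.sh.

```shell
#!/bin/sh
# keepalived notify script tying VRRP state changes to conntrack state sync.
# Added example for this thread, not code from the original posters.
# Assumptions: keepalived calls it as
#     <script> INSTANCE|GROUP <name> <MASTER|BACKUP|FAULT> [priority]
# and conntrackd (successor of the ct_sync patch) is installed; the flag
# sequences follow conntrack-tools' primary-backup.sh.
set -u

CONNTRACKD="${CONNTRACKD:-conntrackd}"                      # path or stub for tests
CONF="${CONNTRACKD_CONF:-/etc/conntrackd/conntrackd.conf}"  # assumed location

log() { printf 'vrrp-notify: %s\n' "$*" >&2; }

# Print, in order, the conntrackd flags a node must run for a VRRP state.
#  MASTER: -c commit the external cache (the peer's flows) into the kernel
#             table so ESTABLISHED rules match mid-stream packets,
#          -f flush both caches, -R resync the internal cache with the
#             kernel table, -B bulk-send our table so the new backup is warm.
#  BACKUP: -t reset timers on the external cache, -n request a full resync.
#  FAULT:  -t only; this node neither forwards nor trusts its cache.
sync_actions() {
    case "$1" in
        MASTER) echo "-c -f -R -B" ;;
        BACKUP) echo "-t -n" ;;
        FAULT)  echo "-t" ;;
        *)      return 1 ;;
    esac
}

# Run the sync steps for a state. Returns 1 on an unknown state and 2 if any
# conntrackd invocation failed, so keepalived logs the non-zero exit.
apply_state() {
    state=$1
    flags=$(sync_actions "$state") || { log "unknown VRRP state '$state'"; return 1; }
    status=0
    for f in $flags; do
        if ! "$CONNTRACKD" -C "$CONF" "$f"; then
            log "$CONNTRACKD $f failed"
            status=2
        fi
    done
    return $status
}

# Dispatch only when invoked by keepalived with its three arguments.
if [ $# -ge 3 ]; then
    log "$1 $2 -> $3"
    apply_state "$3"
fi
```

Reference the script from the vrrp_instance on both nodes with keepalived's notify keyword (notify /usr/local/sbin/vrrp-notify.sh, path assumed). The caveat from the thread still applies: both firewalls must load the same ruleset, and it is the committed entries (-c) that let the new master's ESTABLISHED-state rules accept packets of flows that started on the old master; if the commit fails, those flows are dropped exactly as in the keepalived-only setup.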