Date:      Fri, 10 Aug 2001 14:47:14 +0200
From:      "Jeroen Massar" <jeroen@unfix.org>
To:        "'Krzysztof Zaraska'" <kzaraska@student.uci.agh.edu.pl>, "'Tony Landells'" <ahl@austclear.com.au>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   RE: distributed natd
Message-ID:  <000701c1219a$96206470$2a1410ac@kei.azr.nl>
In-Reply-To: <Pine.BSF.4.21.0108101222250.54541-100000@lhotse.zaraska.dhs.org>

On Friday, 10 August 2001, Krzysztof Zaraska
<kzaraska@student.uci.agh.edu.pl> wrote:
> 
> On Fri, 10 Aug 2001, Tony Landells wrote:
> 
> > The idea is to run two (or more) firewalls in parallel in such a way
> > that if one failed the other one would pick up the slack without
> > users noticing.
> Seems interesting. 

<SNIP> :)

I thought of something like this before myself but with a different
viewing point in that every gateway machine has an uplink to a separate
provider, but still to the global internet (eg, telephone and gsm and
satellite and cable linkups :)
This though also implies that we got multiple external IPs and thus
sessions would be lost if an uplink would go down.

My idea was to do the following setup:

Inet <-----> ISP1 <----> (a.a.a.a) Gate1 (10.0.0.1) <---> LAN
     <-----> ISP2 <----> (b.b.b.b) Gate2 (10.0.0.2) <---> 
     <-----> ISP3 <----> (c.c.c.c) Gate3 (10.0.0.3) <--->

GateNet <---> (192.168.0.1) Gate1
        <---> (192.168.0.2) Gate2
        <---> (192.168.0.3) Gate3

Whenever ISP1's uplink would go down Gate1 would bring down its
10.0.0.1 IP and notify this to Gate2 and Gate3 over GateNet, the fastest
of the two would then alias Gate1's LanIP (10.0.0.1) and take over its
service and so on.
If Gate1 gets its uplink back it would simply notify Gate2&3 who would
bring down their 10.0.0.1 alias and Gate1 would bring it up again.... et
tada we got redundancy.

Client boxes on the LAN could have a 'preferred' gateway either
Gate1,2,3 making some users go over the slowest line etc.
Packets could also be redirected over the Gatenet if needed...
You could have PINGs between the Gates to check if the boxes themselves
are still alive etc...

Of course this basically comes down to routing though with BSD/* boxes
and not redundant hardware routers (Cisco etc :)

Instead of aliasing the Gate's LAN IP one could also send RouterRedirect
ICMP's to the clients.

If one has the same outside IP on the gates.... you could transfer
states between the boxes and keep on doing stuff.
But I would only use that for redundant linkups. The hardware and OS
should be 'trusted' to keep on running then :)

Greets,
 Jeroen
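The takeover and hand-back scheme sketched above, as an added simulation that is not part of the original post: three gates as in the diagram, a GateNet on which every notification is seen by all peers, and an invariant check that no LAN IP is ever aliased on two gates at once and that a gate without a working uplink never serves one. Gate names, addresses and the "first healthy peer in list order" tie-break are assumptions for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Gate:
    name: str
    lan_ip: str                                # LAN address this gate owns, e.g. 10.0.0.1
    uplink_up: bool = True
    aliases: set = field(default_factory=set)  # LAN addresses currently configured on it

class GateNet:
    def __init__(self, gates):
        self.gates = list(gates)
        for g in self.gates:
            g.aliases.add(g.lan_ip)            # every gate starts out serving its own LAN IP

    def holders(self, lan_ip):
        return [g.name for g in self.gates if lan_ip in g.aliases]

    def uplink_down(self, name):
        """ISP link lost: drop every LAN alias served here and notify the peers."""
        failed = next(g for g in self.gates if g.name == name)
        failed.uplink_up = False
        released, failed.aliases = failed.aliases, set()
        # "The fastest of the two" in the post; modelled as the first healthy peer in list order.
        taker = next((g for g in self.gates if g is not failed and g.uplink_up), None)
        if taker is not None:
            taker.aliases |= released          # peer aliases the orphaned LAN IP(s)
        return taker.name if taker else None   # None: no gate left with a working uplink

    def uplink_up(self, name):
        """ISP link back: peers drop this gate's LAN IP and it brings the address up again."""
        back = next(g for g in self.gates if g.name == name)
        back.uplink_up = True
        for g in self.gates:
            g.aliases.discard(back.lan_ip)
        back.aliases.add(back.lan_ip)
        return self.holders(back.lan_ip)

    def check_invariants(self):
        """No LAN IP aliased on two gates at once; nothing aliased on a gate without uplink."""
        for g in self.gates:
            if g.aliases and not g.uplink_up:
                return False
            if any(len(self.holders(ip)) != 1 for ip in g.aliases):
                return False
        return True

def build_net():
    # Constructed sample matching the diagram in the post: three gates, one LAN IP each.
    return GateNet([Gate("Gate1", "10.0.0.1"), Gate("Gate2", "10.0.0.2"), Gate("Gate3", "10.0.0.3")])
```

Note that when the covering gate itself loses its uplink, it hands over every alias it holds, not just its own, so a second failure still leaves each LAN IP with exactly one healthy holder until no gate has an uplink left.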
