Load balancing and fail-over


Load balancing and fail-over

Indunil Jayasooriya
Hi,

I am looking for a Load balancing and fail-over setup. So I am working on
below 2 subjects


How can I do equal-cost multipath routing?

http://www.openbsd.org/faq/faq6.html



Load Balance Outgoing Traffic

http://www.openbsd.org/faq/pf/pools.html#outexample


My first question is how to do failover when one link goes down?

Can I do it with ping and ifstated ?

If yes, How to ping external internet host when that link is DOWN? I find
it difficult?

I tried it with below commands


ping -I WAN1_if_ip www.google.lk

ping -I WAN2_if_ip www.google.lk


Sometimes it works? Sometimes it does NOT?

Could you pls explain why?


If it does NOT ping, How to do failover?


So, Now, I am trying with snmpwalk command. I think it is OKAY?  your
comments?

I found a URL here?

http://old.nabble.com/Re:-ifstated-and-ping-p15546523.html


Then, the other question is that when loadbalancing works as expected ,

I will have to send https via one link as described in Openbsd site.

Pls see below.

http://www.openbsd.org/faq/pf/pools.html#outexample

#  keep https traffic on a single connection; some web applications,
#  especially "secure" ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if1 $ext_gw1)


Then, if that link goes down and failover happens, how do I send that
https traffic via the other link?

I think delete that rule and add another rule like this? am I right?

pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if2 $ext_gw2)


If I am right, How to delete the existing rule and add other rule when
failover happens?


Hope to hear from you.




--
Thank you
Indunil Jayasooriya


Re: Load balancing and fail-over

Tomas Bodzar-4
On Wed, May 16, 2012 at 9:40 AM, Indunil Jayasooriya
<[hidden email]> wrote:

> Hi,
>
> I am looking for a Load balancing and fail-over setup. So I am working on
> below 2 subjects
>
>
> How can I do equal-cost multipath routing?
>
> http://www.openbsd.org/faq/faq6.html
>
>
>
> Load Balance Outgoing Traffic
>
> http://www.openbsd.org/faq/pf/pools.html#outexample
>
>
> My first question is how to do failover when one link goes down?
>
> Can I do it with ping and ifstated ?

You can and check man trunk as well.

>
> If yes, How to ping external internet host when that link is DOWN? I find
> it difficult?
>
> I tried it with below commands
>
>
> ping -I WAN1_if_ip www.google.lk
>
> ping -I WAN2_if_ip www.google.lk
>
>
> Some times it works? some times it does NOT?
>
> Could you pls explain why?
>
>
> If it does NOT ping, How to do failover?
>
>
> So, Now, I am trying with snmpwalk command. I think it is OKAY?  your
> comments?
>
> I found a URL here?
>
> http://old.nabble.com/Re:-ifstated-and-ping-p15546523.html
>
>
> Then, the other question is that when loadbalancing works as expected ,
>
> I will have to send https via one link as described in Openbsd site.
>
> Pls see below.
>
> http://www.openbsd.org/faq/pf/pools.html#outexample
>
> #  keep https traffic on a single connection; some web applications,
> #  especially "secure" ones, don't allow it to change mid-session
> pass in on $int_if proto tcp from $lan_net to port https \
>     route-to ($ext_if1 $ext_gw1)
>
>
> Then, If that link goes down, when, failiver happnes, How to send that
> https traffic via other link?
>
> I think delete that rule and add another rule like this? am I right?
>
> pass in on $int_if proto tcp from $lan_net to port https \
>     route-to ($ext_if2 $ext_gw2)
>
>
> If I am right, How to delete the existing rule and add other rule when
> failover happens?
>
>
> Hope to hear from you.
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya


Re: Load balancing and fail-over

Russell Garrison
> On Wed, May 16, 2012 at 9:40 AM, Indunil Jayasooriya
> <[hidden email]> wrote:

>> If yes, How to ping external internet host when that link is DOWN? I find
>> it difficult?
>>
>> I tried it with below commands
>>
>>
>> ping -I WAN1_if_ip www.google.lk
>>
>> ping -I WAN2_if_ip www.google.lk
>>
>>
>> Some times it works? some times it does NOT?
>>
>> Could you pls explain why?
>>

I have been asked by management a few times about why some pings fail
when you ping things like google servers and core routers at the ISP.
The short answer I give is that things like that are too busy being
the Internet to respond to all the ping traffic that doesn't do
anything to enable them to be the Internet. Best advice is to consult
your routing tables or contact your ISP and have your ifstated ping
the far-end of your internet connection. Those systems are typically
less busy and have a higher expectation of answering all pings while
up.


Re: Load balancing and fail-over

C. Bensend
> I have been asked by management a few times about why some pings fail
> when you ping things like google servers and core routers at the ISP.
> The short answer I give is that things like that are too busy being
> the Internet to respond to all the ping traffic that doesn't do
> anything to enable them to be the Internet. Best advice is to consult
> your routing tables or contact your ISP and have your ifstated ping
> the far-end of your internet connection. Those systems are typically
> less busy and have a higher expectation of answering all pings while
> up.

ICMP ECHOREQ is about the lowest form of life out there on the
intertubes.  Some routers will pass it, some won't, and if a
router is busy along the way it's the first thing that is dropped.

I've had to answer that question many times over the years.  My
standard response has been "pings are not important in the grand
scheme of things.  If there is any congestion along the path, it
may be discarded for the greater good."


--
"The problem with quotes on the internet is that it's very hard to
verify their authenticity."       -- Abraham Lincoln


Re: Load balancing and fail-over

Stuart Henderson
In reply to this post by Russell Garrison
On 2012-05-16, Russell Garrison <[hidden email]> wrote:

>> On Wed, May 16, 2012 at 9:40 AM, Indunil Jayasooriya
>> <[hidden email]> wrote:
>
>>> If yes, How to ping external internet host when that link is DOWN? I find
>>> it difficult?
>>>
>>> I tried it with below commands
>>>
>>>
>>> ping -I WAN1_if_ip www.google.lk
>>>
>>> ping -I WAN2_if_ip www.google.lk
>>>
>>>
>>> Some times it works? some times it does NOT?
>>>
>>> Could you pls explain why?

Route lookups are based on the *destination* address not the source
address, you could add a route for a certain destination via a
certain interface to send packets out that way.

> I have been asked by management a few times about why some pings fail
> when you ping things like google servers and core routers at the ISP.

Management might need to set the TOS bits.

ping -T i_am_management_my_packets_are_important_dammit www.google.com

If they are really important they can use -i0.0001 -e to be sure
people pay attention. Needs root but they are probably logged
in like that already, right? :)

> The short answer I give is that things like that are too busy being
> the Internet to respond to all the ping traffic that doesn't do
> anything to enable them to be the Internet. Best advice is to consult
> your routing tables or contact your ISP and have your ifstated ping
> the far-end of your internet connection. Those systems are typically
> less busy and have a higher expectation of answering all pings while
> up.

"far-end of your internet connection" tends to be a router, which are
usually one of the worst things to be pinging, something like a
local web or ntp server might be a better idea.


Re: Load balancing and fail-over

Indunil Jayasooriya
> Route lookups are based on the *destination* address not the source
> address, you could add a route for a certain destination via a
> certain interface to send packets out that way.

Hmm. That sounds good to me, since I have 2 interfaces for 2 different WAN
connections. It is possible to add a route to a certain destination IP
address in the /etc/hostname.em0 and /etc/hostname.em1 files and make it
permanent in this way.


/etc/hostname.em0

inet 192.168.10.6 255.255.255.0
!route add -host 173.194.38.184 192.168.10.5
!route add -mpath default 192.168.10.5


/etc/hostname.em1

inet 192.168.20.6 255.255.255.0
!route add -host 173.194.38.191 192.168.20.5
!route add -mpath default  192.168.20.5


Then, a shell script in crontab can ping those destination ip addresses
and see if they are UP or DOWN. ( ifstated also can do it. But, I will have
to understand its behaviour )


When both are up, nothing is DONE, and when one fails, remove that
-mpath default route.

In this manner, When one link goes down, all traffic will go via the
available link.

That is what I am looking for. I think I am right.

I am right ain't I?


Then, I will have to discuss this below rule as well.

pass in on $int_if from $lan_net \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin


When one link goes DOWN, Will all the traffic go via the available link ?

Does the above rule do this duty?


I think I am getting closer to achieve the goal.

Hi, Stuart Henderson, Many thanks to  your effort that put forth me to go
ahead,


Hope to hear from ALL.




--
Thank you
Indunil Jayasooriya


Re: Load balancing and fail-over

Stuart Henderson
On 2012/05/17 13:20, Indunil Jayasooriya wrote:

>
>
>     Route lookups are based on the *destination* address not the source
>     address, you could add a route for a certain destination via a
>     certain interface to send packets out that way.
>
>
> Hmm. that sounds good to me. Since I have 2 interfaces for 2 different
> WAN connections.  It is possible to add route to a certain destination
> ip address in /etc/hostname.em0 and /etc/hostname.em1 files and make
> permanent in this way.
>
>
> /etc/hostname.em0
>
> inet 192.168.10.6 255.255.255.0
> !route add -host 173.194.38.184 192.168.10.5
> !route add -mpath default 192.168.10.5
>
>
> /etc/hostname.em1
>
> inet 192.168.20.6 255.255.255.0
> !route add -host 173.194.38.191 192.168.20.5
> !route add -mpath default  192.168.20.5
>
>
> Then, a shell script in crontab can ping those destination ip
> addresses  and see if they are UP or DOWN. ( ifstated also can do it.
> But, I will have to understand its behaviour )
>
>
> When , both are up Up, nothing is DONE  and when one fails remove that
> -mpath default route
>
> In this manner, When one link goes down, all traffic will go via the
> available link.
>
> That is what I am looking for. I think I am right.
>
> I am right ain't I?

Yes I think this is what you're looking for.


> Then, I will have to discuss this below rule as well.
>
>
> pass in on $int_if from $lan_net \
>     route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin
>
>
> When one link goes DOWN, Will all the traffic go via the available link
> ?
>
> Does the above rule do this duty?

No, your script or ifstated config will need to adjust this rule,
you can do this by using a macro to write the rule, something like this:

GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
pass in on $int_if from $lan_net route-to { $GATEWAYS }

This helps because you can override the macro on the pfctl command line,
so you can use something like to reload the ruleset with your choice
of gateway:

pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

While you're testing, use "pfctl -v ..." if you would like to check
how the parsed rules look.

>
> I think I am getting closer to achieve the goal.
>
> Hi, Stuart Henderson, Many thanks to  your effort that put forth me to
> go ahead,
>
>
> Hope to hear from ALL.
>  
>
>
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya


Re: Load balancing and fail-over

Holger Glaess
hi

why you not try the relayd way ?
look at
http://gouloum.fr/doc/multilink.html

the part with relayd

holger

> On 2012/05/17 13:20, Indunil Jayasooriya wrote:
>>
>>
>>     Route lookups are based on the *destination* address not the source
>>     address, you could add a route for a certain destination via a
>>     certain interface to send packets out that way.
>>
>>
>> Hmm. that sounds good to me. Since I have 2 interfaces for 2 different
>> WAN connections.  It is possible to add route to a certain destination
>> ip address in /etc/hostname.em0 and /etc/hostname.em1 files and make
>> permanent in this way.
>>
>>
>> /etc/hostname.em0
>>
>> inet 192.168.10.6 255.255.255.0
>> !route add -host 173.194.38.184 192.168.10.5
>> !route add -mpath default 192.168.10.5
>>
>>
>> /etc/hostname.em1
>>
>> inet 192.168.20.6 255.255.255.0
>> !route add -host 173.194.38.191 192.168.20.5
>> !route add -mpath default  192.168.20.5
>>
>>
>> Then, a shell script in crontab can ping those destination ip
>> addresses  and see if they are UP or DOWN. ( ifstated also can do it.
>> But, I will have to understand its behaviour )
>>
>>
>> When , both are up Up, nothing is DONE  and when one fails remove that
>> -mpath default route
>>
>> In this manner, When one link goes down, all traffic will go via the
>> available link.
>>
>> That is what I am looking for. I think I am right.
>>
>> I am right ain't I?
>
> Yes I think this is what you're looking for.
>
>
>> Then, I will have to discuss this below rule as well.
>>
>>
>> pass in on $int_if from $lan_net \
>>     route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>>     round-robin
>>
>>
>> When one link goes DOWN, Will all the traffic go via the available link
>> ?
>>
>> Does the above rule do this duty?
>
> No, your script or ifstated config will need to adjust this rule,
> you can do this by using a macro to write the rule, something like this:
>
> GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
> pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line,
> so you can use something like to reload the ruleset with your choice
> of gateway:
>
> pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
> pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
> pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use "pfctl -v ..." if you would like to check
> how the parsed rules look.
>
>>
>> I think I am getting closer to achieve the goal.
>>
>> Hi, Stuart Henderson, Many thanks to  your effort that put forth me to
>> go ahead,
>>
>>
>> Hope to hear from ALL.
>>
>>
>>
>>
>>
>>
>>
>> --
>> Thank you
>> Indunil Jayasooriya


Re: Load balancing and fail-over

Indunil Jayasooriya
> why you not try the relayd way ?
> look at
> http://gouloum.fr/doc/multilink.html
>
> the part with relayd
>







> holger
>
> > On 2012/05/17 13:20, Indunil Jayasooriya wrote:
> >>
> >>
> >>     Route lookups are based on the *destination* address not the source
> >>     address, you could add a route for a certain destination via a
> >>     certain interface to send packets out that way.
> >>
> >>
> >> Hmm. that sounds good to me. Since I have 2 interfaces for 2 different
> >> WAN connections.  It is possible to add route to a certain destination
> >> ip address in /etc/hostname.em0 and /etc/hostname.em1 files and make
> >> permanent in this way.
> >>
> >>
> >> /etc/hostname.em0
> >>
> >> inet 192.168.10.6 255.255.255.0
> >> !route add -host 173.194.38.184 192.168.10.5
> >> !route add -mpath default 192.168.10.5
> >>
> >>
> >> /etc/hostname.em1
> >>
> >> inet 192.168.20.6 255.255.255.0
> >> !route add -host 173.194.38.191 192.168.20.5
> >> !route add -mpath default  192.168.20.5
> >>
> >>
> >> Then, a shell script in crontab can ping those destination ip
> >> addresses  and see if they are UP or DOWN. ( ifstated also can do it.
> >> But, I will have to understand its behaviour )
> >>
> >>
> >> When , both are up Up, nothing is DONE  and when one fails remove that
> >> -mpath default route
> >>
> >> In this manner, When one link goes down, all traffic will go via the
> >> available link.
> >>
> >> That is what I am looking for. I think I am right.
> >>
> >> I am right ain't I?
> >
> > Yes I think this is what you're looking for.
> >
> >
> >> Then, I will have to discuss this below rule as well.
> >>
> >>
> >> pass in on $int_if from $lan_net \
> >>     route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >>     round-robin
> >>
> >>
> >> When one link goes DOWN, Will all the traffic go via the available link
> >> ?
> >>
> >> Does the above rule do this duty?
> >
> > No, your script or ifstated config will need to adjust this rule,
> > you can do this by using a macro to write the rule, something like this:
> >
> > GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
> > pass in on $int_if from $lan_net route-to { $GATEWAYS }
> >
> > This helps because you can override the macro on the pfctl command line,
> > so you can use something like to reload the ruleset with your choice
> > of gateway:
> >
> > pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
> > pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
> > pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
> >
> > While you're testing, use "pfctl -v ..." if you would like to check
> > how the parsed rules look.
> >
> >>
> >> I think I am getting closer to achieve the goal.
> >>
> >> Hi, Stuart Henderson, Many thanks to  your effort that put forth me to
> >> go ahead,
> >>
> >>
> >> Hope to hear from ALL.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Thank you
> >> Indunil Jayasooriya
>
>


--
Thank you
Indunil Jayasooriya


Re: Load balancing and fail-over

Indunil Jayasooriya
> why you not try the relayd way ?
>> look at
>> http://gouloum.fr/doc/multilink.html
>>
>> the part with relayd
>>

I found that URL yesterday, I will have to learn it. I just try to
do it with a shell script.

Anyway, thanks a lot.


--
Thank you
Indunil Jayasooriya


Re: Load balancing and fail-over

Indunil Jayasooriya
In reply to this post by Stuart Henderson
> No, your script or ifstated config will need to adjust this rule,
> you can do this by using a macro to write the rule, something like this:
>
> GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
> pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line,
> so you can use something like to reload the ruleset with your choice
> of gateway:
>
> pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
> pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
> pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use "pfctl -v ..." if you would like to check
> how the parsed rules look.
>
>


    Thanks once again for your introduction. I wrote a shell script, pls
see below

in /etc/pf.conf . I have the below variable

GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"


Now, This is the script.


# Checking WAN1 (exit status 0 means the probe was answered)
ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
VARWAN1=$?

# Checking WAN2
ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
VARWAN2=$?

if [ ${VARWAN1} = 0 ] && [ ${VARWAN2} = 0 ]; then
    echo "Both links are UP"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ] && [ ${VARWAN2} != 0 ]; then
    echo "Both links are DOWN "
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ] ; then
    echo "WAN1 is DOWN"
    route add -mpath default 2.2.2.2
    route delete -mpath default 1.1.1.1
    pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN2} != 0 ] ; then
    echo "WAN2 is DOWN"
    route add -mpath default 1.1.1.1
    route delete -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
fi



Pls NOTE - Section2 ( i.e , when BOTH links are DOWN, No internet at ALL.
So Just behave as BOTH links are UP. It does NOT matter for me )

I think that traffic routes as I expected. I will have to test it.


Now, the interesting thing is this ( Taken from openbsd website)

#  keep https traffic on a single connection; some web applications,
#  especially "secure" ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if1 $ext_gw1)


When both links are UP and WAN1 is UP https traffic will go via WAN1
When, WAN1 goes down, https should go via WAN2

  I think If I add another variable to /etc/pf.conf, I will be able to
achieve it too.


ONEWAYHTTPS="1.1.1.1@em0"

pass in on $int_if proto tcp from $lan_net to port https \
    route-to { $ONEWAYHTTPS }


and use this below while WAN1 goes DOWN

pfctl -D ONEWAYHTTPS="2.2.2.2@em1" -f /etc/pf.conf


Is it all right?

I think a few miles left for me to reach the goal.

If you can give an example it is worth millions time.


Your comments are welcome...






--
Thank you
Indunil Jayasooriya


Re: Load balancing and fail-over

Indunil Jayasooriya
> Now, the interesting thing is this ( Taken from openbsd website)
>
>
> #  keep https traffic on a single connection; some web applications,
> #  especially "secure" ones, don't allow it to change mid-session
> pass in on $int_if proto tcp from $lan_net to port https \
>     route-to ($ext_if1 $ext_gw1)
>
>
> When both links are UP and WAN1 is UP https traffic will go via WAN1
> When, WAN1 goes down, https should go via WAN2
>
>   I think If I add another variable to /etc/pf.conf, I will be able to
> achieve it too.
>
>
> ONEWAYHTTPS="1.1.1.1@em0"
>
>
> pass in on $int_if proto tcp from $lan_net to port https \
>     route-to { $ONEWAYHTTPS }
>
>
> and use this below while WAN1 goes DOWN
>
> pfctl -D ONEWAYHTTPS="2.2.2.2@em1" -f /etc/pf.conf
>
>
> Is it all right?
>

No, It is NOT OK ( I think it messes up )


So, I myself found a method. it would be easier with an anchor.

http://www.openbsd.org/faq/pf/anchors.html

The above URL shows the power of PF with anchors. I just tried it. It
worked. Pls see below . ( I feel really sorry to disturb you.) ,


In /etc/pf.conf


GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"

##BEGIN - Loadbalancingwithfailover

pass in on $int_if from $lan_net route-to { $GATEWAYS }

anchor "onewayhttps" {
   pass in on em2 proto tcp from 192.168.0.0/24 to port https \
       route-to 2.2.2.2@em1
}

##END



and ,


my script is now like this.


# Checking WAN1 (exit status 0 means the probe was answered)
ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
VARWAN1=$?

# Checking WAN2
ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
VARWAN2=$?

if [ ${VARWAN1} = 0 ] && [ ${VARWAN2} = 0 ]; then
    echo "Both links are UP"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ] && [ ${VARWAN2} != 0 ]; then
    echo "Both links are DOWN "
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ] ; then
    echo "WAN1 is DOWN"
    route add -mpath default 2.2.2.2
    route delete -mpath default 1.1.1.1
    pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN2} != 0 ] ; then
    echo "WAN2 is DOWN"
    route add -mpath default 1.1.1.1
    route delete -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
    # the rule must reach pfctl as a single line
    echo "pass in on em2 proto tcp from 192.168.0.0/24 to port https route-to 1.1.1.1@em0" | pfctl -a onewayhttps -f -
fi


I think I am NOW all right. Anyway,  I will have to test it in 2 or 3 days
time. Then, I will let you know everything.

Stuart , Thanks a LOT for your compassion towards me. I worked hard. I am
very happy. Any way, I will have to test its behaviour.


Hope to hear from you.




>
>


--
Thank you
Indunil Jayasooriya
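
The replies above point out that pings to busy hosts are dropped under load, so a single failed probe is weak evidence that a link is down. The following is an added example, not code from any poster in this thread: it keeps the thread's `GATEWAYS` macro and `onewayhttps` anchor, but only declares a link down after several consecutive failed probes, reloads pf only when the decision changes, and parse-checks the ruleset with `pfctl -n` before loading it. `STATE_DIR`, `THRESHOLD` and the function names are assumptions; route changes are left as in the script above.

```shell
#!/bin/sh
# Added example. Gateways, interfaces, probe addresses and the anchor name
# are the ones used in the thread; STATE_DIR and THRESHOLD are assumptions.
GW1="1.1.1.1@em0"
GW2="2.2.2.2@em1"
THRESHOLD=3                                  # consecutive failures before "down"
STATE_DIR="${STATE_DIR:-/var/run/wanfail}"   # hypothetical state directory

# record_probe NAME RC: update NAME's consecutive-failure counter from a
# probe exit status and print the new count. Any success resets it to 0.
record_probe() {
    _f="$STATE_DIR/$1.fails"
    _n=0
    if [ -f "$_f" ]; then _n=$(cat "$_f"); fi
    if [ "$2" -eq 0 ]; then _n=0; else _n=$((_n + 1)); fi
    echo "$_n" > "$_f"
    echo "$_n"
}

# link_state FAILS: a link stays "up" until THRESHOLD failures in a row.
link_state() {
    if [ "$1" -ge "$THRESHOLD" ]; then echo down; else echo up; fi
}

# select_gateways S1 S2: value for the GATEWAYS macro. Both-down is treated
# like both-up, as in the script above.
select_gateways() {
    case "$1:$2" in
        up:down) echo "$GW1" ;;
        down:up) echo "$GW2" ;;
        *)       echo "$GW1 $GW2" ;;
    esac
}

# https_rule S1 S2: rule for the onewayhttps anchor. Follows the posted
# pf.conf: https leaves via WAN2 unless only WAN1 is up.
https_rule() {
    if [ "$1" = up ] && [ "$2" = down ]; then _gw=$GW1; else _gw=$GW2; fi
    echo "pass in on em2 proto tcp from 192.168.0.0/24 to port https route-to $_gw"
}

# apply_pf GATEWAYS RULE: parse-check with -n first, so a bad macro value
# never replaces the running ruleset; then load ruleset and anchor.
apply_pf() {
    pfctl -n -D "GATEWAYS=$1" -f /etc/pf.conf || return 1
    pfctl -D "GATEWAYS=$1" -f /etc/pf.conf || return 1
    echo "$2" | pfctl -a onewayhttps -f -
}

# Only probes and touches pf when invoked as: script run (e.g. from cron).
if [ "${1:-}" = "run" ]; then
    mkdir -p "$STATE_DIR"
    ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
    rc=$?
    s1=$(link_state "$(record_probe wan1 "$rc")")
    ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
    rc=$?
    s2=$(link_state "$(record_probe wan2 "$rc")")

    new=$(select_gateways "$s1" "$s2")
    old=$(cat "$STATE_DIR/gateways" 2>/dev/null || true)
    # Reload only on a change of decision, not on every cron run.
    if [ "$new" != "$old" ]; then
        apply_pf "$new" "$(https_rule "$s1" "$s2")" &&
            echo "$new" > "$STATE_DIR/gateways"
    fi
fi
```

With a one-minute cron interval and `THRESHOLD=3`, a link is taken out of `GATEWAYS` after three failed runs in a row and put back on the first successful probe.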


Re: Load balancing and fail-over

Stuart Henderson
In reply to this post by Indunil Jayasooriya
On 2012-05-17, Indunil Jayasooriya <[hidden email]> wrote:

>> why you not try the relayd way ?
>>> look at
>>> http://gouloum.fr/doc/multilink.html
>>>
>>> the part with relayd
>>>
>>
>>
>>
>>
>       I found that URL  yesterday, I will have to learn it. I just try to
> do it with a shell script.
>

This can be useful as long as

1) you don't need to use NAT to send correctly-addressed traffic out
the various lines

2) you can get away with just checking that the next-hop router pings ok.
if your usual failure mode involves a line failing but the router staying up,
things will still fail

however for a lot of "standard" cases this isn't going to work well


Re: Load balancing and fail-over

Indunil Jayasooriya
In reply to this post by Indunil Jayasooriya
> good :)  hopefully I have given you enough clues to work the rest out
> for yourself, this is much better for you as you get a better understanding
> so it will be easier for you to diagnose any problems you run into later.
>
>
>
The script I wrote worked as expected (i.e. failover happened when a
link goes down; when that link came up, load was balanced via both links).

With my script, I had a cron job running every 1 minute to check the link.
It did ping every 1 minute. ( I sent that script before. )


But, While Browsing Internet, We found slower than before.

I think it was due to bandwidth of links.

These are my links

WAN1 - ADSL - 2 mbit/s

WAN2 - Leased line - 128 kbit/s


Before that, Default route was via ADSL ( 2 mbit/s ), Then, We found OK.


Since the browsing is slower, we removed the script. Now, We are back with
as it was before. ( i.e everything via ADSL)


I am happy since the script worked .

Stuart, Thanks trillions times for your compassion and effort.  Anyway, I
welcome your ideas, if I have to look any further and if there are things
to be improved.






--
Thank you
Indunil Jayasooriya