Conntrackd is a dæmon developed by the netfilter project, the same organization that develops iptables. Conntrackd synchronizes the state of active connections between two or more firewalls running iptables. In an Active-Backup configuration, like the example in this article, each time a connection is allowed through the active firewall, information about that connection is sent to the backup firewall. In the event of a failover, the backup firewall already has information about the active allowed connections, so existing connections do not have to be re-established after the failover occurs.

The example here is based on one of the example configuration files that comes with conntrackd. This configuration uses the FTFW reliable protocol to synchronize the connection data between the firewalls. There is also a script called primary-backup.sh that provides integration between keepalived and conntrackd. On Ubuntu, these example files are located in the /usr/share/doc/conntrackd/examples/sync/ directory. Run the commands listed below to copy the sample config file and failover script to the default directory for conntrackd, /etc/conntrackd/:

```shell
cd /usr/share/doc/conntrackd/examples/sync
gunzip ftfw/conntrackd.conf.gz
cp ftfw/conntrackd.conf /etc/conntrackd/
cp primary-backup.sh /etc/conntrackd
```

Open the /etc/conntrackd/conntrackd.conf file for editing, and find the section in the file called Multicast. Edit the default values in this section to match the example network environment shown in Figure 1.

One of the benefits of keepalived is that it provides sync_groups, a feature that ensures that if one of the interfaces in the sync_group transitions from master to backup, all the other interfaces in the sync_group also transition to backup. This is important for Active-Backup HA firewall deployments, where all the traffic must flow in and out of the same firewall. The sync_group configuration includes the scripts to call in the event of a VRRP transition on the local server to the master, backup or fault state. The primary-backup.sh script, which was copied to the /etc/conntrackd directory earlier, informs conntrackd of VRRP state transitions so that conntrackd knows which firewall is currently acting as the master.

VRRP uses priority numbering to determine which firewall should be the master when both firewalls are on-line. The firewall with the highest priority number is chosen as the master. Because the lj-fw-1 server has the highest priority number, as long as lj-fw-1 is "alive", it will respond to traffic sent to the virtual IP addresses. If lj-fw-1 fails, lj-fw-2 automatically takes over the virtual IP addresses and responds to traffic sent to them.

When using VRRP, devices on the network should be configured to route through the virtual IP address. In this example, devices on the internal LAN that go out through the HA firewall pair should be configured with a default gateway of 10.1.1.1.
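As an added example that is not part of the original article, the keepalived.conf fragment below shows how the sync_group, the primary-backup.sh notify hooks and the VRRP priority described above fit together on lj-fw-1. The interface names eth0/eth1, the virtual router IDs, the priority values and the external virtual IP 192.0.2.1 are assumptions; only 10.1.1.1 comes from the article.

```conf
# keepalived.conf on lj-fw-1 (added example; interface names, router IDs,
# priorities and the external VIP 192.0.2.1 are assumed, not from the article)

vrrp_sync_group fw_group {
    group {
        inside
        outside
    }
    # If either instance leaves MASTER, both do, so all traffic keeps flowing
    # through one firewall. Each transition is reported to conntrackd via
    # primary-backup.sh; check that the arguments match the case labels in
    # your copy of the script before relying on them.
    notify_master "/etc/conntrackd/primary-backup.sh primary"
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault  "/etc/conntrackd/primary-backup.sh fault"
}

vrrp_instance inside {
    state MASTER
    interface eth0             # internal LAN interface (assumed name)
    virtual_router_id 51       # must match on lj-fw-2
    priority 150               # lj-fw-2 uses a lower value, e.g. 100
    advert_int 1
    virtual_ipaddress {
        10.1.1.1/24 dev eth0   # default gateway for internal LAN hosts
    }
}

vrrp_instance outside {
    state MASTER
    interface eth1             # external interface (assumed name)
    virtual_router_id 52
    priority 150
    advert_int 1
    virtual_ipaddress {
        192.0.2.1/24 dev eth1  # external VIP (placeholder address)
    }
}
```

lj-fw-2 uses the same file with `state BACKUP` and the lower priority, so it only holds the virtual addresses while lj-fw-1 is down; keep the virtual_router_id values identical on both nodes and unique per segment, since a clash with another VRRP speaker on the same LAN produces spurious transitions.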