 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] m0n0wall-failover
 Date:  Fri, 24 Dec 2004 12:02:31 +0100
On Friday, 24.12.2004 at 00:24 +0100, Daniele Guazzoni wrote:
> I'm working on a failover version of m0n0wall using freeVRRP.
> The VRRP implementation is not a big issue, the headache part is the
> configuration replica/synchronization between primary and secondary...
I don't really think we need this replication between the nodes. Just
like Nokia's IP Series we can configure each node by hand. Syncing the
filter and NAT rules would be enough. This can be done by syncing the
appropriate part of the config.xml.

> What does the list think about this?
> Any idea, hints, any obscure FreeBSD port?
> I maybe need some help on PHP changes (I'm not a PHP guru...) any
> volunteer?
The real problem is state- and NAT-table synchronisation. Without this,
any failover/vrrp/whatsoever solution doesn't make much sense. Therefore
many people thought about using pf/carp. Maybe carp is a solution for
dynamically assigned IP addresses, I don't know. For using pf you'll
need FreeBSD 5.x. Another problem with pf is that you have to use
proxies in userland for such simple things like ftp-data. Not really
nice, nor really performant, but not unresolvable. I found a hint about
an existing state- and NAT-table synchronisation for ipfilter from the
author of ipfilter himself. But he isn't considering making the code
free.

This all has stopped me coding a HA-solution. Any suggestions?

Ciao ...
	... PIT ...



---------------------------------------------------------------------------
 copyleft(c) by |   _-_     Dijkstra probably hates me (Linus Torvalds,
 Peter Allgeyer | 0(o_o)0   in kernel/sched.c)
---------------oOO--(_)--OOo-----------------------------------------------