The company I work for has commissioned me to add failover capability
to m0n0wall. As the new version of our software is web-based, we need
to help our customers by ensuring their Internet connection is
rock-solid. Our customer base will generally be using subscriber grade
lines, so I plan on using m0n0wall with a DSL or Cable connection
along with Verizon wireless broadband account as backup. I have
already set up a proof-of-concept for my boss; it is the following:
Soekris 4521 w/ case.
128MB C/F card.
Audiovox/Sierra Wireless 5220 CDMA 1xEVDO wireless card.
I built a custom kernel including support for USB serial devices. I
also enabled PPP.
I am planning on hacking failover in the following manner. I want to
ask the list if there is an easier way, as I don't know what others
are working on at this time. Furthermore, I know nothing of the next
version of m0n0wall, and it could very well offer this capability, or
offer a newer FBSD version + PF, which would make this task much
easier. I will of course contribute my changes back to the community
if anyone is interested in this feature. That is why I am basically
asking if my method sounds "good enough".
I plan on doing this.
1. I will modify the PHP config system (xml file) to allow the
a. primary interface (choose interface).
b. interface poll interval (3s, 4s, 10s).
c. failback (y/n).
2. I will use minicron to execute a php script at the configured
interval. This php script will use global variables (globals.inc) to
track the state of the interfaces. It will perform a ping to the
primary gateway on the primary interface. If this ping times out, it
will try two more times, and then fail over the interface. It will
continue to ping, and if the interface comes back up, after two
successful retries, if configured to do so, it will fail back to the
3. The PHP web interface will be modified to support the new config
options, and also to display the interface status (failed
over/normal). Furthermore, I may provide a log of failover events, and
the error message from ping that caused them.
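The poll/retry/failback logic of steps 1-3, as an added example that is not from this post or from m0n0wall. It is written in Python rather than m0n0wall's PHP so the state transitions can be exercised offline; the probe result is passed in, so the counters can be tested without a network, and the real probe wraps FreeBSD ping(8) with a source address pinned to the primary link. The interface names, the 192.0.2.x addresses and the thresholds (three timeouts before failing over, two replies before failing back) are assumptions made for the example; switching the default route after a transition is left as the caller's job.

```python
# Added example, not m0n0wall code: the ping-driven failover/failback
# state machine from the plan above, with the probe result injectable
# so the counter logic can be run offline.
import subprocess
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FailoverConfig:
    primary_if: str              # config option 1a: the primary interface
    backup_if: str               # the wireless (PPP) link used as backup
    primary_gateway: str         # host pinged over the primary interface
    primary_src: str             # source address that pins the probe to the primary link
    poll_interval: int = 3       # config option 1b: seconds between polls (3, 4 or 10)
    failback: bool = True        # config option 1c
    fail_threshold: int = 3      # initial timeout plus two retries before failing over
    recover_threshold: int = 2   # consecutive replies before failing back


@dataclass
class FailoverState:
    active_if: str
    consecutive_failures: int = 0
    consecutive_successes: int = 0
    log: List[str] = field(default_factory=list)   # failover event log (step 3)


def ping_probe(cfg: FailoverConfig) -> bool:
    """Real probe using FreeBSD ping(8): one packet, 2 s overall timeout (-t),
    sourced from the primary link's address (-S) so the packet cannot leave
    via the backup route once we have failed over. Exit status 0 = reply."""
    rc = subprocess.call(
        ["ping", "-c", "1", "-t", "2", "-S", cfg.primary_src, cfg.primary_gateway],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return rc == 0


def poll_once(cfg: FailoverConfig, st: FailoverState, primary_up: bool) -> str:
    """Consume one probe result and return the action taken: 'failover',
    'failback' or 'none'. Each counter resets on the opposite outcome, so a
    single stray timeout or reply does not flip the active link."""
    if primary_up:
        st.consecutive_failures = 0
        st.consecutive_successes += 1
    else:
        st.consecutive_successes = 0
        st.consecutive_failures += 1

    if st.active_if == cfg.primary_if and st.consecutive_failures >= cfg.fail_threshold:
        st.active_if = cfg.backup_if
        st.consecutive_failures = 0
        st.log.append(f"failover to {cfg.backup_if}: {cfg.fail_threshold} consecutive "
                      f"ping timeouts to {cfg.primary_gateway}")
        return "failover"

    if (st.active_if == cfg.backup_if and cfg.failback
            and st.consecutive_successes >= cfg.recover_threshold):
        st.active_if = cfg.primary_if
        st.consecutive_successes = 0
        st.log.append(f"failback to {cfg.primary_if}: {cfg.recover_threshold} consecutive "
                      f"replies from {cfg.primary_gateway}")
        return "failback"

    return "none"


def run_sequence(cfg: FailoverConfig, results: List[bool]) -> Tuple[List[str], FailoverState]:
    """Drive the machine over a list of probe outcomes (what successive
    minicron runs would observe) and return the actions plus final state."""
    st = FailoverState(active_if=cfg.primary_if)
    return [poll_once(cfg, st, r) for r in results], st


if __name__ == "__main__":
    import time
    # Constructed values: TEST-NET-1 addresses and made-up interface names.
    cfg = FailoverConfig("sis0", "ppp0", "192.0.2.1", "192.0.2.10")
    st = FailoverState(active_if=cfg.primary_if)
    while True:  # on m0n0wall the loop body is the minicron-invoked script
        if poll_once(cfg, st, ping_probe(cfg)) != "none":
            print(st.log[-1])   # here the default route would be switched
        time.sleep(cfg.poll_interval)
```

In the cron-driven design the counters and the active interface have to survive between script invocations, which is what the plan's use of globals.inc is for; in the long-running loop above they simply live in `FailoverState`. Probing with a fixed source address matters once the box has failed over: without it the ping to the primary gateway would follow the new default route out the wireless link and could report the primary as healthy when it is not.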
I realize that pf can accomplish the same as the above in more elegant
manner, and that it can also provide load balancing as another option.
However, I need to get this feature done by the end of this month to
demo to customers, and I feel the above will work. I don't have time
to recreate m0n0wall out of FBSD5 with pf.
Manuel, does this sound like a good plan to you? Does anyone have any feedback?
We are going to use the device at customer locations to replace their
current DSL/Cable routers, so m0n0wall is the perfect choice, as our
customers are not tech savvy enough to manage anything more difficult,
and we don't want to manage the devices on their behalf. I will likely
dumb down the interface for them while I am at it, however those
changes probably won't be of interest to anyone.
Furthermore, as a pet project, if I am able to pull the above off (no
doubt I will) I plan on updating m0n0 to include pf + carp, and adding
redundancy to the feature list. I have already built failover
firewalls out of OpenBSD 3.6 with pf and carp, and it works great.
Having this feature in m0n0wall would be absolutely great in my
opinion, does anyone have interest in this?