BFW Firewall & Router

[joaquindiz]

Hi everybody!
I build an addon for the Load Balance failover, its basically a script that pings google through the diferents ethernet devices and the ping binary.
When a ping fails remove the gateway from the route table.

The addon was tested only in bfw 2.30 hd install.

http://www.brazilfw.com.br/users/joaquindiz/failover.tgz

Please report Bugs! this is the first beta.

[chiareloto]

Ola This system obtains to test link that this is and to place it in air again

[RedBeard]

joaquindiz,

Please, tell us how do you send a ping chosing the device. Do you use other ping (executable) then the default BFW's ping command?

I willl test your add-on tonight or first time tomorow.

(sorry my english)

RedBeard

[Claudio]

Very cool.
If you agree, i'd like add this to the next version.

[chiareloto]

the modem in bridge PPPOE has some configuration using, therefore later that I installed the package not I obtain to have access the InterNet

[joaquindiz]

Hi Readbeard! to chose the interface i compile the ping binary from iputils. The ping included in bfw (busybox) don´t support that option.

Claudio you can add the script in the next version of bfw. But first we have to test it enough, don't forget this is the first beta!!!

I would like to add an interface in the webmin so i can view the line status (i'm clear???). How can i do it?

Bye!

[Claudio]

Claudio you can add the script in the next version of bfw. But first we have to test it enough, don't forget this is the first beta!!!

Of course, i intend to merge your script, my keepalive.sh and TaagMan's linecheck in just one nice script.

I would like to add an interface in the webmin so i can view the line status (i'm clear???). How can i do it?

This would be fine.
The only advice i have to give is you can look at the others add-ons to see how they do it.

[RedBeard]

joaquindiz,

Didn't work here.

When I did install and reboot, the WebAdmin stop working. Connecting in SSH, the main tests shows that the DNS is not working. All other tests are ok.

In my computer, inside the BFW net, I can ping all the interfaces and all the gateways (3), but nothing else.

The new ping will be a great tool. I made a copy to my working BFW and the command is fine. Now I can choose the device for the ping.

Thanks for now. I will do some tests trying to find the problem.

RedBeard

[joaquindiz]

Hi Readbeard, i work in that problem. It seems that in some boxes the webmin dies. I worked in the addon and now its ok!
The package was, so downloadit again and try it.

bye!

[RedBeard]

Ok, joaquindiz,

I will make another test tonight.

I look the script and, if you don't mind, I’d like to suggest some little improvements.

1 - your script ping the google site. If we have a problem in DNS, all pings will failure and ...
So, I think its better to choose some IP address. In my opinion, the best choice is the next gateway outside our net, but this maybe is not the best for everyone.

2 - I think that would be nice if we (users) can make some configuration. If you intent to make a Webadmin Inteface, this is a good start. Maybe use 2 files: one to config file and other to the script. The best thing to configure is the IP (or internet address) to ping in each device (completing the above suggestion), but there are others little things that may be in the config file in order to make the script more efficient.

3 - in failover script, the device is "deactivated" if just one ping fail. Is very difficult to make another test after the first fault, just to sure the device is really off?

Again, it's only suggestions. Congratulations for the add-on. It’s really one of my wishes.

Best regards,

RedBeard

[joaquindiz]

Hi Readbeard!!!
your sugestions and modifications are welcome!!!!

1 - i'm thinking in your question about the dns and i don't now what happens when the ping is forced to reech internet through a specific interface. which dns server it use when there are multiple internet acces? The seccond issue about pinging the gw. In some scenarios people use routers (like linksys) to fix the address of the internet conection, because their isp provide DHCP assigned address. In that case pinging the gateway (the router itself) is not a good idea because when the connection fails the gateway (router) continuing responding to the ping. Thats why i need to compile ping form iputils and ping google.com.

2- Yes i would like to add a webmin interface to the addon, but there is much important work to do before (like item 1, jeje)

3 - yes if the ping fails the device is deactivated but i don´t know what another test to do. i prefer a faster and user transparent solution. what kind of test you sugest to do? maybe mixing issue 1 and three we can improbe the script.

Bye!

ps: do you test the new version?

[RedBeard]

joaquindiz,

The new version is working fine (until now, at least, heheheheh).

I don’t know if there is a problem in ping2, but every time I use this command, about 20 secs after the first reply, show this warning message:

Código: Selecionar todos

WARNING: failed to install socket filter
: Protocol not available

Let's go...

1 - When you make any ping to some internet address, the first thing to do is to find the IP thru the DNS protocol. If the address is in cache, it will be used, but otherwise the request will be made by some device (this is not important now). The problem is if in the first ping the DNS server is off-line. The ping2 command will fail in every interface, just because there no valid IP for http://www.google.com .
In normal use, I know that this address will be on cache, but after a local power failure, the system need to find this IP. If the first ping fail in every device, all will be deactivate, isn't ?

2 - I didn't express exact what I mean... (sorry my english). I think that make a config-file (now) is the first step to make a webadmin interface (in future). This config may solve some others problems, like the item 1 that may be configurable.

3 - I think that ping is ok to this issue. Maybe, after a failure on first ping, make some others pings before deactivate the interface.

That is it...

Thanks again!

RedBeard

[joaquindiz]

Hi readbeard!

about the question of ping2. I have that problem too, i search in google and it seems that the cuase is a kernel incompatibility with ipv6 or a firewall rule. I will continue looking for a solution lets see what happen.

1- thank's it wasn't clear for me how dns works with multiple connections, but now you explained me is ok!

2- i write a tiny configuration file (/etc/failover.conf) with a few options. I use google ip as the default ping ip. Also was added an option to choose how many pings to do per device: the COUNT variable.
I add an option to activate or deactivate the script.
The device option it wasn't added because i prefer to obtain automatically from /tmp/netsubsys.state. It makes the script easier to implement for unexperience users.
Any sugestion or idea to add at the conf file are welcome.

3- i continue thinking about the extra tests.

i upload the new packet try it!

bye!

[RedBeard]

joaquindiz,

Unhappily didn’t work here.

Early morning I was still with older version (without config) and after a Reboot the system stopped. I thing that the problem was the first link that took a long time to get the ip via dhcp. WebAdmin shows a failure on DNS, but when I login via ssh, all ping's return failure for unreachable address. So, who became first, the egg or the chicken??? or, the dns failure causes the failover clear the route table or the failover clear the route table making the dns unreachable ?

Now, couple minutes ago, I down your new version and install. The system crashes again, but the DNS test was OK.

I cant make other tests because my BFW with 3 links are my main server, and need to be on-line fast.

Another problem that I'd note is the failover always set the weight to 1. My links have different weight and it is lost. I think you need to import and use the BFW main config file.

Just to improve the config file, I think is a good idea to have one ip address for each device. In this case, I can set the right gateway for each interface.

That's all for now.

RedBeard

[Claudio]

The device option it wasn't added because i prefer to obtain automatically from /tmp/netsubsys.state. It makes the script easier to implement for unexperience users.

You are right.
But when we're using pppoe, it's need to ping by ppp0 interface instead eth1.

I have plans to add more then one pppoe conections to the system, and this bring us another problem:

We cannot say that eth1 will be ppp0 and eth2 will be ppp1 because ppp interfaces are numerated when they get conneted. If the second link conect first it will be ppp0 and they will be inverted. Then i might to modificate the netsubsys.state to find a way to indicate which fisical interface handles which ppp conection.

Keep the good working.

[joaquindiz]

maybe it's a stupid answer but...
if i have two ppp connections running i don't care which one is ppp1 and which one is ppp2. I only care that the names don't change... (eg: ppp1 -> ppp5 & ppp2 -> pp7)
get the point????
bye.

[Claudio]

get the point????

Yes.

However we have a lot of configurations to take care, for example:
link weight
qos
firewall rules
etc....

Most of these configurations requires the interface parameter. Until now, anywere we need it i just do:
if inettype = pppoe then change eth1 to ppp0.......

[yeager]

Hi joaquindiz
can you write a little howto?
have two providers
via eth1 i will ping to my dns 100.25.0.1, when not reponding, then remove the gateway 100.25.11.1 from the route table and write a new gateway to the route table 192.168.3.1, when dns 100.25.0.1 responding then remove gateway 192.168.3.1 from the route table and write gateway 100.25.11.1 to it. is it possible?
i will use my second connection only at that time when my firs connection mismatch

[joaquindiz]

Hi yeager!
actually im working in a webmin interface for the script. After that i will write a tutorial.

For the moment the scrip only works when load balance is activated, so you will be using your two connections at the same time. And of course it will be removed the one that isn't working.

Bye!

ps: The script doesn't modify the default routing table, in fact, when load balance is activated the default routing table is empty.

[yeager]

ok, i waiting

[creptilico]

Hi, is not working in my BFW. my configutration: main line 2M/512K Cablemodem DHCP, second line 512K/128k ADSL Estatic routed whith the modem.

the LB works fine while the 2 conection are online, when one line is down the script refresh the 222 table and it steel working fine!
But when a line is up agains the table is not refreshed, I need a reboot to the BFW to load the 2 lines.

EDIT: Im using diferents ISPs, whith Public DNS servers.

[joaquindiz]

Hi creptilico!
thanks for the report. I make i few modifications to the package, so please download it again and tell me if it works.
Bye