
Re: [tlug] WAN fail-over configuration in Linux-based router



Quoting Jianshi Huang:
> Could somebody tell me what's the best way to achieve WAN fail-over
> (backup) in a Linux-based router, e.g. openwrt or Vyatta open
> networking.
>
> Since full fail-over also needs support from the ISP side, any established
> connection can be allowed to be dropped if one line drops. New
> connections would be routed to the backup line.

Okay, so we're not talking about true BGP multi-homing here, but about
having two separate ISP connections, using one as a primary link and one as
a backup link. As you said, since you will be NATting your internal network
to two different public IPs (probably dynamic IPs unless you are paying
extra to get static IPs), connections will have to be re-initiated by the
users/programs on your network when a failover occurs.

I had this exact kind of setup until recently, using my neighbor's FLETS
Hikari link whenever my cable modem service failed (not often!), using
OpenWRT running on a cheap Buffalo AirStation G router (although in the end
I disabled my automatic route failover scripts because all I really cared
about was the overlaid OpenVPN network, which already detects VPN link
failures and adjusts routing accordingly).

First, you'll need to reconfigure the router for multiple WAN connections.
For example, OpenWRT routers are usually set up with only one port used for
the WAN connection and the rest bridged together (usually by using VLANs on
the hardware switch). How to do this is well documented on the OpenWRT
pages and will depend on the particular hardware you are using; it
basically involves setting up a series of variables in the nvram to
describe your desired interface settings. Depending on the version, you
might also have to adjust the firewall settings.

Then, since you're not asking for link sharing, all you need is to reliably
detect when a link goes down and update your routing table to reflect that
fact. When using true routing protocols (BGP, OSPF, RIP, etc.) this is
detected by the protocol being able to talk to the next router or not, but
in this case, you're not getting that from your ISPs, so we need to hack it
up differently.

If the links are PPP (e.g. PPPoE on ADSL), failure of the PPP session
can bring the interface down automatically, so you could have two default
routes with different metrics and simply rely on that. But this would not
protect you against failures anywhere else /within/ that ISP's network,
between you and their upstream connection(s)...

So, the bottom line is, PPPoE or not, it's probably better to set up an
infinitely looping script that will use a criterion of your choice to select
the best exit; for example, you might want to ping a set of remote hosts
you use often, and if they all fail, delete the default route for the
interface being tested. Or you might want to check if you can connect to
some web servers with wget. Make sure you use multiple targets, and
declare your link "up" if /any/ of them is reachable -- you don't want
to trigger a failover just because your favorite website is down at
the other end.

Also, do you need to support /incoming/ connections to your network from
the Internet? If so, you will likely want to set up DNS records with very
low timeouts, and set up something on your side to update the records to
point to the backup address when the primary address fails. There are
several ways to do this, but using the tools present in OpenWRT it's pretty
easy if you're dealing with one of the free dynamic DNS providers like
DynDNS -- you just need to invoke the update program when you change your
route. This could also be handled from one of the computers inside your
network.

This is a very general overview. We can give you more specific information
on how to accomplish all this with OpenWRT if you want.

One final thought... If possible, I would strongly suggest using different
technologies for the two links, e.g. one fiber and one ADSL, or cable
modem, etc., although the absolute cheapest way to do it (which would
not protect you against a physical problem on your end of the link) would
be two separate PPP sessions to two different ISPs over the same ADSL
link.

-- 
()  Patrick (L.) Bernier <pat@example.com>
()  http://www.TZoNE.ORG/~pat/
()  GPG B070 BBB6 188D EB1E 353A 90E4 96FF D8EB 1ADC BE03
()  "Words have meaning, and names have power." -- Lorien
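A watchdog in the shape this message describes, as an added example that is not from the post or from OpenWRT: it pings several hosts out of each WAN interface, declares a link up if any of them answers, and re-prioritises the two default routes by metric. Interface names, gateways and probe addresses are placeholder assumptions, and it goes one step beyond the text by demoting a failed link's route instead of deleting it, so the probes can still leave through that interface and notice when it comes back.

```shell
#!/bin/sh
# WAN fail-over watchdog for a two-link router (POSIX sh / busybox ash).
# Interfaces, gateways and probe hosts are placeholders, not real values.
PRIMARY_IF=eth0.1;  PRIMARY_GW=192.0.2.1      # constructed (TEST-NET-1)
BACKUP_IF=eth0.2;   BACKUP_GW=198.51.100.1    # constructed (TEST-NET-2)
PROBE_HOSTS="192.0.2.10 192.0.2.20 192.0.2.30" # constructed; use hosts you rely on
INTERVAL=30         # seconds between rounds
DEMOTED=1000        # metric that keeps a route present but never preferred
# One ICMP probe bound to a specific interface (-I), so the answer says
# something about THAT link rather than whichever route is active.
probe() {   # probe IFACE HOST -> 0 if reachable
    ping -I "$1" -c 1 -W 2 "$2" >/dev/null 2>&1
}
# A link is up if ANY probe host answers; it is declared down only when all
# of them fail, so an outage at one remote site cannot trigger a fail-over.
link_up() { # link_up IFACE HOST... -> 0 if any host answers
    iface=$1; shift
    for host in "$@"; do
        probe "$iface" "$host" && return 0
    done
    return 1
}
# Metric a link's default route should carry: its base metric when up,
# DEMOTED when down. Demoting rather than deleting keeps a route for the
# probes out of a failed interface, so recovery can be detected.
route_metric() { # route_metric STATE BASE -> prints metric
    if [ "$1" = up ]; then echo "$2"; else echo "$DEMOTED"; fi
}
set_default() { # set_default IFACE GW METRIC
    ip route del default dev "$1" 2>/dev/null
    ip route add default via "$2" dev "$1" metric "$3"
}
main_loop() {
    pm=""; bm=""
    while :; do
        if link_up "$PRIMARY_IF" $PROBE_HOSTS; then ps=up; else ps=down; fi
        if link_up "$BACKUP_IF"  $PROBE_HOSTS; then bs=up; else bs=down; fi
        m=$(route_metric "$ps" 10); n=$(route_metric "$bs" 20)
        if [ "$m" != "$pm" ] || [ "$n" != "$bm" ]; then   # only touch routes on change
            set_default "$PRIMARY_IF" "$PRIMARY_GW" "$m"
            set_default "$BACKUP_IF"  "$BACKUP_GW"  "$n"
            logger -t wan-failover "primary=$ps backup=$bs (metrics $m/$n)"
            pm=$m; bm=$n
        fi
        sleep "$INTERVAL"
    done
}
# Only start looping when asked: "sh wan-failover.sh start".
case "${1-}" in start) main_loop ;; esac
```

Whether `ping -I` really pins the probe to one interface depends on the ping implementation binding to the device; check it on your firmware before trusting the result.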
