ifstated.conf for multiple links with failover

Hi,


I want to setup ifstated  for multiple links.


My requirement is very simple.

I have 2 links. one is ADSL and the other is leased-line.

When both links are up, outgoing traffic should be balanced via both links.

When ADSL is DOWN, outgoing traffic  should go via Leased line

When Leased line is DOWN, outgoing traffic should go via ADSL line.

I am wrinting /etc/ifstated.conf file.

But , I still haven't achieved it. Could you pls help me to solve this.

These are the urls I refer.

http://gouloum.fr/doc/multilink.html

http://www.suborbital.org.uk/canofworms/index.php?/archives/2-Failover-routing-with-OpenBSD-and-ifstated.html


And, here's my /etc/ifstated.conf file


pingVIAbothlinks = '( "ping -c 1 -I 192.168.1.253 www.google.lk
>/dev/null" every 10 && "ping -c 1 -I 172.16.10.253 www.google.lk
>/dev/null" every 10)'
pingVIAadsl = '( "ping -c 1 -I 192.168.1.253 www.google.lk >/dev/null"
every 10)'
pingVIAleasedline  = '( "ping -c 1 -I 172.16.10.253 www.google.lk
>/dev/null" every 10)'

#init-state zero

state zero {
    init {
        run "route add -mpath default 192.168.1.1"
        run "route add -mpath default 172.16.10.254"
        }
        if ! $pingVIAadsl {
            set-state one
    }

}

state one {
    init {
        run "route delete -mpath default 192.168.1.1"
        run "route add -mpath default 172.16.10.254"
    }
    if ! $pingVIAleasedline {
            set-state two
    }
}

state two {
    init {
        run "route delete -mpath default 172.16.10.254"
        run "route add -mpath default 192.168.1.1"
    }
    if  $pingVIAbothlinks {
            set-state zero
    }
}



Pls note:

192.168.1.253 is the ip of the PF box that connects to ADSL side.

172.16.10.253 is the leased line ip of the PF box that connects to
Leased line side.


here are my configuration details of the PX box ( OpenBSD - 5 - 64 bit )


# cat /etc/hostname.ne1
inet 172.16.10.253 255.255.255.0
!route add -mpath default 172.16.10.254


# cat /etc/hostname.ne2
inet 192.168.1.253 255.255.255.0
!route add -mpath default 192.168.1.1


# netstat -r |grep default
default            192.168.1.1        UGSP       0     2274     -     8 ne2
default            172.16.10.254      UGSP       1      280     -     8 ne1

I have enabled below values in /etc/sysctl.conf file.


net.inet.ip.forwarding=1

net.inet.ip.multipath=1



hope to hear from you.







--
Thank you
Indunil Jayasooriya

On Jan 25, 2012 5:39 PM, "Indunil Jayasooriya" <indunil75@...> wrote: links.
>
> When ADSL is DOWN, outgoing traffic  should go via Leased line
>
> When Leased line is DOWN, outgoing traffic should go via ADSL line.
>
> I am wrinting /etc/ifstated.conf file.
>
> But , I still haven't achieved it. Could you pls help me to solve this.
>

www.openbsd.org/faq/pf/pools.html

>> I am wrinting /etc/ifstated.conf file.
>>
>> But , I still haven't achieved it. Could you pls help me to solve this.
>>
>
> www.openbsd.org/faq/pf/pools.html
>

Hi, I have already gone to it. Does automatic fail over happens, when
one link goes down?

I have Not tried it.

Do yo have any experience in regard to it.


I am using squid as transparent proxy on my PF box. So I think I only
need pass out traffic.

So , I am trying the below URL.

http://www.openbsd.org/faq/faq6.html#Multipath

That's why I try to configure ifstated......

any comments?




--
Thank you
Indunil Jayasooriya

On Thu, Jan 26, 2012 at 11:54 AM, Indunil Jayasooriya
<indunil75@...> wrote:
>>> I am wrinting /etc/ifstated.conf file.
>>>
>>> But , I still haven't achieved it. Could you pls help me to solve this.
>>>

I've attached two files, my ifstated.conf and manage-routes.sh, a
script I wrote for adding and removing routes based on the current
state from ifstated.

From your example, you cannot ping google to check if a specified WAN
link is up while the gateway for that specific link is not in the
routing table because it will be unreachable (Especially when both
links are down, ifstated will have no way of pinging google and they
will remain down.) That is why I have chosen to ping the gateways of
my WAN links instead. I have been toying around with the idea of a
multistage check that first pings the gateway, then google but I have
not tested it yet.

Hope this helps.

--
Justin Jereza
LPIC-2

[demime 1.01d removed an attachment of type application/octet-stream which had a name of ifstated.conf]

[demime 1.01d removed an attachment of type application/x-sh which had a name of manage-routes.sh]

Thanks for your reply. I am still studying your scripts.

anyway, I came across this below URL ( it is for Linux with fail over)

http://tech.gaeatimes.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/


They are doing it. Your comments?

Can I apply this to OpenBSD 5 ?

> anyway, I came across this below URL ( it is for Linux with fail over)
>
> http://tech.gaeatimes.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/
>
>
> They are doing it. Your comments?
>
> Can I apply this to OpenBSD 5 ?

1. As far as I know, only equal cost multipath routing works on
OpenBSD. There is no support for weighted multipath routing. This can
conceivably be simulated by using probability in pf but I have not
tested it and I do not know how performance will be affected by the
dropped packets.

2. A modern Linux distro should have dead gateway detection built-in
so compiling a custom kernel should not be necessary.

3. That page shows RFC 1918 addresses being used in between the CPEs
(Which act as NATs.) and the load balancing gateway. I would use a
public IP address instead because I would rather implement the NAT in
OpenBSD. This reduces the number of hops required to reach any
external address by one (assuming the CPE is configured for bridging)
as well as reduce the possibility of a double NAT being implemented
while giving me the capability to use other OpenBSD features like
altq.

4. I do not see how the alternate script provided by that page can
automatically recover from a situation where both WAN links are down
since a multistage ping check is not being employed either.

Regards,

--
Justin Jereza
LPIC-2

>> [demime 1.01d removed an attachment of type application/octet-stream which
>> had a name of ifstated.conf]
>>
>> [demime 1.01d removed an attachment of type application/x-sh which had a
>> name of manage-routes.sh]
>>

Since I have been receiving requests for the files, I am pasting them
here in full.

<file path="/etc/ifstated.conf">
dns = '"host google.com > /dev/null" every 10'
icap = '"ping -q -c 1 -w 3 icap.example.com > /dev/null" every 10'
wan1 = '"ping -q -c 1 -w 3 -I 74.125.71.2 74.125.71.1 > /dev/null" every 10'
wan2 = '"ping -q -c 1 -w 3 -I 75.125.71.66 75.125.71.65 > /dev/null" every 10'

state all {
        init {
                run "manage-routes.sh ALL"
                run "pf-create-nat.sh ALL"
                run "pf-create-route.sh LAN WAN-ALL"
        }
        if $dns
                run "/etc/rc.d/squid start"
        if ! $dns
                run "/etc/rc.d/squid stop"
        if $icap && $dns
                run "/etc/rc.d/dansguardian start"
        if ! $icap
                run "/etc/rc.d/dansguardian stop"
        if $wan1 && ! $wan2
                set-state wan1
        if $wan2 && ! $wan1
                set-state wan2
        if ! $wan1 && ! $wan2
                set-state none
}

state wan1 {
        init {
                run "manage-routes.sh WAN1"
                run "pf-create-nat.sh WAN1"
                run "pf-create-route.sh LAN WAN1"
        }
        if $dns
                run "/etc/rc.d/squid start"
        if ! $dns
                run "/etc/rc.d/squid stop"
        if $icap && $dns
                run "/etc/rc.d/dansguardian start"
        if ! $icap
                run "/etc/rc.d/dansguardian stop"
        if $wan1 && $wan2
                set-state all
        if $wan2 && ! $wan1
                set-state wan2
        if ! $wan1 && ! $wan2
                set-state none
}

state wan2 {
        init {
                run "manage-routes.sh WAN2"
                run "pf-create-nat.sh WAN2"
                run "pf-create-route.sh LAN WAN2"
        }
        if $dns
                run "/etc/rc.d/squid start"
        if ! $dns
                run "/etc/rc.d/squid stop"
        if $icap && $dns
                run "/etc/rc.d/dansguardian start"
        if ! $icap
                run "/etc/rc.d/dansguardian stop"
        if $wan1 && $wan2
                set-state all
        if $wan1 && ! $wan2
                set-state wan1
        if ! $wan1 && ! $wan2
                set-state none
}

state none {
        init {
                run "manage-routes.sh NONE"
                run "pfctl -a LAN -F all"
                run "pfctl -a NAT -F all"
                run "/etc/rc.d/squid stop"
                run "/etc/rc.d/dansguardian stop"
        }
        if $wan1 && $wan2
                set-state all
        if $wan1 && ! $wan2
                set-state wan1
        if $wan2 && ! $wan1
                set-state wan2
}
</file>

<file path="/usr/local/sbin/manage-routes.sh">
#!/bin/sh

SCRIPT="$0";

function help {
    echo "Usage: $SCRIPT ALL | WAN1 | WAN2 | NONE";
}

function in_table {
    GW="$1";

    route -n show | grep '^default' | awk '{ print $2 }' | grep $GW
2>&1 > /dev/null;
}

function add_route {
    GW="$1";
    route add -mpath default $GW 2>&1 > /dev/null;
}

function delete_route {
    GW="$1";
    route delete default $GW 2>&1 > /dev/null;
}

if [ $# -ne 1 ]; then
    help;
    exit 1;
fi

STATE="$1";
WAN1_GW="74.125.71.1";
WAN2_GW="75.125.71.65";

case "$STATE" in
    ALL)
        if ! in_table $WAN1_GW; then
            add_route $WAN1_GW;
        fi
        if ! in_table $WAN2_GW; then
            add_route $WAN2_GW;
        fi
        ;;
    WAN1)
        if ! in_table $WAN1_GW; then
            add_route $WAN1_GW;
        fi
        if in_table $WAN2_GW; then
            delete_route $WAN2_GW;
        fi
        ;;
    WAN2)
        if in_table $WAN1_GW; then
            delete_route $WAN1_GW;
        fi
        if ! in_table $WAN2_GW; then
            add_route $WAN2_GW;
        fi
        ;;
    NONE)
        if in_table $WAN1_GW; then
            delete_route $WAN1_GW;
        fi
        if in_table $WAN2_GW; then
            delete_route $WAN2_GW;
        fi
        ;;
    *)
        help;
        exit 1;
        ;;
esac
</file>

Regards,

--
Justin Jereza
LPIC-2