September 19, 2003



Most organizations can’t afford to have their Net connection go down for too long. Therefore, most have some form of backup connection ready, probably an ISDN line, in case the primary connection fails. If you’re like most organizations, the chances are that when your primary connection goes down, your system administrator manually switches to the other one. This process could take anywhere between 15 and 20 minutes, or even longer, depending upon how ready the backup setup is. Of course, it also depends upon the availability of the person who has to do the job. Then it would take the same amount of time to return to the primary connection once it recovers. There’s an easy way out: automatic switchover.

We used PCQLinux 8.0 configured as a failover gateway. You’ll need to put three network cards into this Linux box. If you already have a Linux-based proxy running, then the chances are that it already has two network cards (eth0 and eth1), one connecting to your LAN and the other to your Internet router. You just need to add a third card to this box and connect it to your backup Internet router. For convenience, we’ll say that eth0 and eth1 are connected to the primary and secondary Internet routers, respectively.

Configure network 
Assign the IP addresses given by your ISP to the first two network cards. We assigned eth0=192.168.1.2 and eth1=192.168.2.2 for convenience, which are private IPs. You’ll have to replace them with the public IPs that you got from your ISP. Of course, if you’re using a dial-up ISDN line, then assign that card an IP in the same subnet as your ISDN router. Assign an IP address to the third network card based on your local LAN subnet (eth2=192.168.3.1).

You can do these configurations from the X Window desktop using Start>System Settings>Network. This will open a network configuration window, which will show all the network cards on your system. Double-click on the LAN card icon you want to configure, select the ‘Statically set IP address’ radio button and assign the IP address with its subnet mask.

After this, enable IP forwarding on the Linux box. For this, open the file /etc/sysctl.conf from a terminal window. Here, you’ll find an entry ‘net.ipv4.ip_forward = 0’. Set its value to 1 and save the file. Now execute the command sysctl -p from the # prompt to enable IP forwarding.

Next, you need to set up the iptables rules so that the internal network can route packets to the Internet. For this, issue the following commands from a terminal window.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (Routing packets to Internet connected to first ISP)
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE (Routing packets to Internet connected to second ISP)
# iptables -A FORWARD -s 192.168.3.0/24 -j ACCEPT (Forwarding from internal LAN)
# iptables -A FORWARD -d 192.168.3.0/24 -j ACCEPT
# iptables -A FORWARD -s ! 192.168.3.0/24 -j DROP
# iptables-save > /etc/sysconfig/iptables (saving the IP tables)
# /etc/init.d/network restart (restarting the network)
# /etc/init.d/iptables restart (restarting the IP tables)

Configure failover routing 
Now you need to configure failover routing, so that if the first route dies, the system looks for an alternative route. For this, you’ll need to add default gateway routes (provided by your ISP) for both network cards. This is done as follows.

# route add default gw 192.168.1.2 dev eth0
# route add default gw 192.168.2.2 dev eth1

(192.168.1.2 is the gateway IP given by the first ISP and 192.168.2.2 is the gateway IP given by the second ISP)

Add these commands to the /etc/rc.d/rc.local file, otherwise the routes will vanish every time you reboot the system.

Finally, open the /proc/sys/net/ipv4/route/gc_timeout file from a terminal window, change the value from 300 to 10 and save the file. The gc_timeout file contains a timeout value, after which the kernel declares a route to be dead and automatically switches to the other route. Your system will now automatically switch to the second route every time the primary route fails.
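
To confirm the settings this procedure relies on (IP forwarding on, gc_timeout at 10, and a default route through each ISP-facing card), the following shell script is an added example and not part of the original article. The PROC_ROOT override and both sample routing tables are constructed so the checks can be exercised away from the gateway.

```shell
#!/bin/sh
# Added example (not from the article): audit the failover gateway settings.
# PROC_ROOT and both sample tables are constructed for offline testing.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"

# Constructed `route -n` output: one default route per ISP interface.
SAMPLE_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         192.168.1.2     0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.2.2     0.0.0.0         UG    0      0        0 eth1'

# Constructed misconfiguration: both default routes leave through eth0.
SAMPLE_SAME_IF='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.2     0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.2.2     0.0.0.0         UG    0      0        0 eth0'

# Print "gateway iface" for each default route in `route -n` output on stdin.
default_routes() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2, $8 }'
}

# True only with at least two default routes on at least two interfaces.
check_two_uplinks() {
    default_routes | awk '{ n++; seen[$2] = 1 }
        END { for (i in seen) d++; exit !(n >= 2 && d >= 2) }'
}

# True if the file $1 under PROC_ROOT contains exactly the value $2.
check_sysctl() {
    [ -r "$PROC_ROOT/$1" ] && [ "$(cat "$PROC_ROOT/$1")" = "$2" ]
}

# Read `route -n` output on stdin; print findings, return the failure count.
audit() {
    fails=0
    check_sysctl ip_forward 1 || { echo "FAIL: ip_forward is not 1"; fails=$((fails + 1)); }
    check_sysctl route/gc_timeout 10 || { echo "FAIL: gc_timeout is not 10"; fails=$((fails + 1)); }
    check_two_uplinks || { echo "FAIL: default routes do not span two interfaces"; fails=$((fails + 1)); }
    return "$fails"
}

# On the gateway itself: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    route -n | audit && echo "OK: failover settings match the article"
fi
```

Run it with --live after every reboot to catch routes that were not restored from rc.local or a gc_timeout that has reverted to 300.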

Sanjay Majumder
