[Pacemaker] Active-Active HA Firewall

Marcel Hauser marcel_hauser at gmx.ch
Fri Oct 15 07:44:55 EDT 2010



On 15.Oct 2010 13:26, Michael Schwartzkopff wrote:
> On Friday 15 October 2010 09:47:50 Marcel Hauser wrote:
>> On 14.Oct 2010 22:31, Michael Schwartzkopff wrote:
>>>> I do know about fwbuilder and that it's possible to use fwbuilder in
>>>> order to build a cluster configuration. I've also read a PDF dated
>>>> Feb 2009 about HA firewalls using heartbeat.
>>>
>>> Yes, I know I should update that paper ;-)
>>
>> That would be awesome! :-)
>
> Please add two hours to my day.

same thing for me ...

>> I was somehow hoping that this might have become possible these days.
> No chance.

ok... got it :-)

>> In an active-active like setup you basically know that both systems are
>> actually working as expected.
>
> You can exercise a failover test every Tuesday 13:00 if everybody is surfing.
> Or shift the exercise to Friday 6:00

yes... that's a valid point

>> Why did you choose to run conntrackd and heartbeat over a dedicated
>> bonding interface in your PDF, compared to the fwbuilder docs, which say
>> to run heartbeat over every interface of the firewall, which therefore
>> might enable the cluster to detect network card failures, because the
>> heartbeat is not received over a given failed interface anymore?
>
> Network card failure should be detected by the monitor of the IPaddr2
> resource. Of course you could run your corosync and conntrackd traffic over the
> dedicated links.

But the monitor does NOT detect link state changes on a given NIC... right?

> Another hint: Just read the interesting parts of the book. Basically the
> points I explained in my mails.

I'll think about it... ok? :-) But nevertheless: thank you very much
for your support!

marcel