From: Pete Vickers (petesystemnet.no)
Date: Thu Aug 26 2010 - 04:13:56 CDT
On 26. aug. 2010, at 00.18, Don Tek wrote:
> I've recently implemented a firewall with two internet connections using
> multipath routing and round-robin outbound load balancing.
> I am looking for a solution from the shell to detect failure of these two
> internet gateways so I can force routing and pf changes from a script.
> I need something more robust than simply checking to see if the interface is
> up or down.
> I have managed a solution using traceroute that allows me to accomplish half
> of my goal. I can detect a failure and "down" that route, however, once I
> delete the default route from the routing table for the failed connection, I
> can no longer test it with traceroute. This is because it doesn't appear to
> me that OpenBSD's traceroute allows forcing an interface to work on.
> I am looking for better solutions from some of you more experienced users.
> Any suggestions are welcome.
Taking a look at the bigger picture, the 'correct' way to do this is to have
redundancy at the firewall level as well as at the ISP link level. This gives higher
availability, and makes your problem much easier. If you have a single ISP
link per firewall then link testing is simple. Redundancy/LB is then managed
by CARP between the two firewalls' _inside_ interfaces.
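The link test Don describes, written as an added example that is not part of the thread: it probes each ISP link on a schedule, applies a failure/recovery threshold so one lost packet does not flap the routing table, and only then touches the multipath default route and reloads pf. It assumes the probe target for each link has a host route pinned through that link's gateway (so the probe still goes out that link after its default route is removed), that the `GW_<name>` variables, link names and addresses are placeholders you replace, and that `route -mpath` matches the original multipath setup.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes each link has its own probe
# target whose host route is pinned through that link's gateway
# (route add -host TARGET GW), so the probe still leaves on that link after
# the link's default route is gone. GW_<name> holds each link's gateway;
# the addresses below are placeholders.
FAIL_LIMIT=${FAIL_LIMIT:-3}      # consecutive failed probes before DOWN
OK_LIMIT=${OK_LIMIT:-2}          # consecutive good probes before UP again
STATE_DIR=${STATE_DIR:-/var/run/gwcheck}
LINKS=${LINKS:-"isp1:192.0.2.1 isp2:198.51.100.1"}   # name:probe_target
GW_isp1=${GW_isp1:-192.0.2.254}; GW_isp2=${GW_isp2:-198.51.100.254}

# probe TARGET: one ICMP echo with a 2 s wait; swap in traceroute if wanted.
probe() { ping -c 1 -w 2 "$1" >/dev/null 2>&1; }

# on_change NAME UP|DOWN: add or remove the link's multipath default route,
# then reload pf so its rules see the new routing table.
on_change() {
    eval gw=\$GW_$1
    case $2 in
    DOWN) route -n delete default "$gw" ;;
    UP)   route -n add -mpath default "$gw" ;;
    esac
    pfctl -f /etc/pf.conf
}

# link_state NAME: recorded state, UP when the link has never been checked.
link_state() { { [ -f "$STATE_DIR/$1" ] && cut -d' ' -f1 "$STATE_DIR/$1"; } || echo UP; }

# update_link NAME TARGET: one probe plus hysteresis, so a single lost packet
# does not flap the route; prints the link's state after this probe.
update_link() {
    name=$1 target=$2 f="$STATE_DIR/$1"
    mkdir -p "$STATE_DIR"
    { [ -f "$f" ] && read state count < "$f"; } || { state=UP; count=0; }
    if probe "$target"; then seen=UP; else seen=DOWN; fi
    # count only probes that disagree with the recorded state
    if [ "$seen" = "$state" ]; then count=0; else count=$((count + 1)); fi
    if [ "$state" = UP ] && [ "$count" -ge "$FAIL_LIMIT" ]; then
        state=DOWN; count=0; on_change "$name" DOWN
    elif [ "$state" = DOWN ] && [ "$count" -ge "$OK_LIMIT" ]; then
        state=UP; count=0; on_change "$name" UP
    fi
    printf '%s %s\n' "$state" "$count" > "$f"
    echo "$state"
}
check_all() { for l in $LINKS; do update_link "${l%%:*}" "${l#*:}"; done; }
# Run the checks when invoked directly, e.g. from cron every minute.
if [ "${GWCHECK_RUN:-0}" = 1 ]; then check_all; fi
```

Run it as `GWCHECK_RUN=1 sh gwcheck.sh` from cron; pinging the far-side gateway rather than the next hop is what makes it stronger than an interface up/down check.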