Re: decent loadbalancing with 2 different ISP's with minimum risks
From: James Couzens (jcouzens obscurity.org)
Date: Wed May 05 2004 - 12:15:02 CDT
> On Sat 17/04/2004 at 06:46, Ravi wrote:
> > -vrrpd if using two gateways
>
> VRRP is a failover protocol. I don't see how you can achieve load
> balancing with it.
What you fellows seek is the Linux Virtual Server ("LVS") project which
is currently available in both 2.4 and 2.6 Linux kernels. LVS turns
your router into a Layer-3, Layer-4, and Layer-5/7 switch. Setup is
simplistic and the load balancing functionality is second to none. LVS
can also be implemented in three different ways, DIRECTOR, NAT, and
TUNNEL.
Should you wish to have high availability I would recommend the keepalived
project which offers VRRP support through its independent VRRPv2 stack
for failover detection and execution, and handles individual service
checks with the ability to pull individual services or fail over the
entire server. There is also a keepalived fork which offers "threaded
plugin" support which adds even more functionality.
In short, keepalived is a userspace daemon for LVS cluster nodes
healthchecks and LVS directors failover.
Linux Virtual Server Project:
http://www.linuxvirtualserver.org/
HealthChecking for LVS & High Availability through keepalived:
http://keepalived.sourceforge.net/
keepalived w/ Threaded-Health-Check support:
http://homes.tiscover.com/jrief/keepalived/
Linux Kernel routing patch: http://www.ssi.bg/~ja/routes-2.6.4-10.diff
- Static Routes (remain during failure)
- Alternative Routes (multipath)
- Dead Gateway Detection (removes multi-path routes during failure)
- NAT (correct routing during use of multi-paths)
Multi-path howto:
http://www.ssi.bg/~ja/nano.txt
Dead Gateway Detection explained:
http://www.ssi.bg/~ja/dgd-usage.txt
Dead Gateway Detection status:
http://www.ssi.bg/~ja/dgd.txt
Julian Anastasov is my hero, grab myriads of other excellent patches
from his website here, in addition to DGD patches for kernels other than
2.6.x: http://www.ssi.bg/~ja/
Having spent a recent weekend with the OpenBSD team at their pf
Hackathon, I was given an exceptional look into pf's current and future
status. That being said, you can do load balancing through pf in
addition to making use of the Common Address Redundancy Protocol
("CARP") which is a protocol not mired in the patent problems which have
plagued VRRP. CARP has been developed by members of the OpenBSD team.
You can find this all in the just recently released v3.5 (I managed to
obtain a pre copy at CansecWest/Core04 <3) of OpenBSD available for
download or purchase from their website.
Firewall Failover with pfsync and CARP:
http://www.countersiege.com/doc/pfsync-carp/
CARP port to FreeBSD 5.x:
http://pf4freebsd.love2party.net/carp.html
Although the OpenBSD functionality is not near as mature, or feature
rich, it's well on its way to delivering much needed networking
functionality to the BSD community. I'm currently in the middle of
stress testing this code myself, but to date it delivers the goods, and
I look forward to future enhancements and userland utilities to assist
in management.
Cheers,
James
--
James Couzens,
Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://gpg.mit.edu:11371/pks/lookup?op=get&search=0x6E0396B3
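The split described in the message above, VRRP for director failover and LVS with per-service health checks for load balancing, as it looks in a keepalived.conf. This is an added example, not part of the original post or of the keepalived project's own files; the addresses, interface name and router id are constructed placeholders, and the syntax assumed is that of current keepalived releases.

```conf
# Added example with constructed values: the addresses, interface name
# and router id below are placeholders, not taken from the thread.

# Failover: VRRP decides which director currently owns the virtual IP.
vrrp_instance VI_1 {
    state MASTER              # the peer director is configured as BACKUP
    interface eth0            # assumed interface name
    virtual_router_id 51      # must be identical on both directors
    priority 150              # the peer uses a lower value, e.g. 100
    advert_int 1              # advertisement interval in seconds
    virtual_ipaddress {
        192.0.2.10            # documentation-range address used as the VIP
    }
}

# Load balancing: an LVS virtual service on the VIP, in NAT mode.
virtual_server 192.0.2.10 80 {
    delay_loop 6              # seconds between health check rounds
    lb_algo rr                # round-robin scheduler
    lb_kind NAT               # LVS forwarding method
    protocol TCP

    real_server 10.0.0.11 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3 # a failed connect pulls only this server
        }
    }
    real_server 10.0.0.12 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
        }
    }
}
```

The `vrrp_instance` block alone gives failover without any load balancing, which is the point raised in the quoted reply; the `virtual_server` block is what distributes connections across the real servers.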