More flexibility in multiwan configuration

firewall

(Davide Marini) #1

Hi all,
currently the multiWAN in NethServer offers the possibility to work in balance mode with all the providers active (even though the weight can help to “mute” the traffic of some of them) or in backup mode with just one provider at a time.

I would like to have more flexibility in the multiWAN usage and configuration, more specifically I would like to:

  • set a number of providers always active (as currently in the balance configuration)
  • set other providers as backup, so they become active only if a specific one of the main providers goes down

ex:
provider 1,2,3 always active
providers 4 and 5 as backup

provider 4 becomes active if prov. 1 goes down
provider 5 becomes active if prov. 2 goes down

The idea is to not have a general behavior switch (backup/balance), but a specific behavior switch for every provider.

What do you think about that?
Do you have any suggestion about that?


November 2015 Development Updates
#2

Hi,

Another way to approach the subject could be to implement router ability in NethServer, to play with OSPF and such features…
Two Nethserver instances with routing backup one of the other.


(Adam) #3

I like this idea. It’d also be nice to have rules for specific services, like which wan connection a firewall rule, static route, or port forward should use if a wan connection should go down.


(Davide Marini) #4

Hi all and thanks for your suggestions, we had an intense weekend @nethesis so I could not answer faster.

@Jim : the idea of the router ability seems interesting to me in order to have only one machine that does everything, even though it could need much work to be implemented

@Adam : I also like your suggestion, it’s an aspect that we need to analyze.
As you suggested, a full implementation of a “backup” connection should also manage port forwards, routing rules and so on, even though imho in a simple/medium environment a less refined solution could also do the job.
Just to clarify: currently we can force traffic through a specific WAN in a dynamic way so that if the connection gets lost all the traffic can flow through other WANs (but not a defined one); the port forward can also be set for all the interfaces so in case of a down, one can connect using a different red.

What do you think about that?


(Adam) #5

I am currently using a different router for a customer with 3 WAN connections: cable, DSL and a T1. With all services up, this is how it’s set to operate:
- VoIP traffic flows over T1
- All other traffic flows over cable
- (DSL is stand-by only)

If the T1 were to go down:
- VoIP traffic flows over DSL
- All other traffic flows over cable

If the DSL and T1 are down:
- All traffic will flow over the cable internet

If the cable goes down while the other two are up:
- VoIP traffic flows over T1
- All other traffic flows over DSL

I was able to accomplish this behavior reliably by identifying the traffic by destination IP (VoIP provider) and setting up various probes through each WAN connection. This type of system is what I was referring to.


(Adam) #6

Just read through this again… Is there currently a way to route specified outgoing traffic through a specific WAN? I don’t see a way to do this.


(Davide Marini) #7

yes, you can see it here:

http://docs.nethserver.org/projects/nethserver-devel/en/latest/gateway.html#force-traffic-to-a-specific-provider

for example, to create a rule:

db tc set 1 rule Description "RULENAME" Dst CIDR_DEST_NETWORK Provider "provider;PROVIDER_NAME" Service "fwservice;SERVICE" Src CIDR_SOURCE_NETWORK status enabled Position 1

and after just apply the rule:

signal-event firewall-adjust

(Adam) #8

Very interesting. No way through the GUI though, huh?

So I could set something like this to apply a rule similar to what I was referring to above (assuming the provider’s IP is 1.2.3.4)? What would I put for service? What would happen if the ‘provider’ specified went down?

1=rule
Src=192.168.1.0/24
Dst=1.2.3.4/30
Service=any?
Provider=provider;myadsl
status=enabled
Position=2
Description=

Sorry if I’m getting off topic.


#9

Sure, multi wan is a good thing… But what happens when the NethServer appliance is out or down?

Such an OSPF feature can be a really serious improvement, an enhancement for reliability and resilience.

Any enterprise with multiple sites would greatly appreciate it.
Like a disaster recovery plan, enterprises like to minimise all disrupting risks.
Why multi-wan if the weak point is the firewall?
The combo multi-wan+OSPF opens lots of opportunities: the already mentioned resilience, not only doing the link backup but the router backup, and adding another form of load balancing.

With the software structure too, I think of the PDC/SDC rules and email to back up the MX link …


(Adam) #10

High availability would be a great feature to implement eventually, but it should be separate from multi wan features, or thought in general. If someone wants everything to go through one box, they should be able to.


#11

Sure, all of this stuff must be a panel of solutions, it’s not one in the place of the other :wink:


(Davide Marini) #12

I would really like to have all these cool features like OSPF, HA and many others… but I just would like to avoid going too much off topic; if you like we can talk about them in a dedicated thread where we can share our ideas about that.

At this time my aim is just to improve the possibilities of the multiwan, giving to the administrator the most useful options to manage the connections available.

@Adam : we have plans to have a dedicated panel to force traffic through a specific provider. About your example: for service you have to put one of the services (firewall objects) you already created via the GUI; if you want all traffic, just avoid writing Service “fwservice;SERVICE” in the command.
If the provider goes down, all traffic will pass through the other active providers.
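As an added example (not code from the thread's authors or from the NethServer project), the following POSIX shell script wraps the `db tc set` rule shape from post #7 and the optional-Service behaviour from post #12: when no service is given, the Service property is simply omitted so the rule matches all traffic. It assumes the NethServer `db` and `signal-event` commands exist on the box; the `DRY_RUN` variable, the function names and the CIDR check are this example's own, and with `DRY_RUN=1` (the default) it only prints the commands, so it can be reviewed before anything touches the configuration database.

```shell
#!/bin/sh
# Added example: compose the traffic-rule command from post #7 safely.
# Assumption: NethServer's `db` and `signal-event` are present on the target.
# DRY_RUN=1 (default) prints the commands instead of executing them.

# Minimal sanity check that a value looks like an IPv4 CIDR (a.b.c.d/n, n in 0..32),
# so a typo does not end up stored as a Src/Dst property.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_tc_rule KEY DESCRIPTION SRC_CIDR DST_CIDR PROVIDER POSITION [SERVICE]
# Prints the `db tc set` command in the property order shown in post #7.
# SERVICE is the name of an existing firewall service object; leaving it
# empty omits the Service property, which means "all traffic" (post #12).
build_tc_rule() {
    key=$1 desc=$2 src=$3 dst=$4 provider=$5 pos=$6 service=$7
    valid_cidr "$src" || { echo "bad source CIDR: $src" >&2; return 1; }
    valid_cidr "$dst" || { echo "bad destination CIDR: $dst" >&2; return 1; }
    cmd="db tc set $key rule Description \"$desc\" Dst $dst Provider \"provider;$provider\""
    if [ -n "$service" ]; then
        cmd="$cmd Service \"fwservice;$service\""
    fi
    cmd="$cmd Src $src status enabled Position $pos"
    printf '%s\n' "$cmd"
}

# apply_tc_rule: same arguments as build_tc_rule. Prints (dry run) or runs the
# db command followed by the `signal-event firewall-adjust` from post #7.
apply_tc_rule() {
    cmd=$(build_tc_rule "$@") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\nsignal-event firewall-adjust\n' "$cmd"
    else
        eval "$cmd" && signal-event firewall-adjust
    fi
}

# Constructed sample: Adam's example from post #8, all traffic from the LAN
# to the VoIP provider's /30 forced through the provider named "myadsl".
apply_tc_rule 1 "voip" 192.168.1.0/24 1.2.3.4/30 myadsl 2
```

Run it once with the default `DRY_RUN=1` to see exactly what would be written, then with `DRY_RUN=0 sh rule.sh` on the NethServer box to store the rule and trigger the firewall adjust; the Provider value must name an existing provider, and a Service value must name a firewall service object already created via the GUI, as post #12 notes.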