Feature #2332

Firewall-base: add support for multi-wan

Added by Giacomo Sanchietti almost 6 years ago. Updated about 5 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.5
Resolution:
NEEDINFO: No
Start date:
Due date:

Description

Add support for multi-wan configuration.
A virtually unlimited number of red interfaces should be allowed.

Multi-wan must implement two behaviors:
  • weighted balanced mode: each new connection can use a random configured red interface
  • active backup: all traffic is routed through the master interface, backup connections will be used only in case of master failure
See:

Related issues

Related to NethServer 6 - Enhancement #2743: Base: split 'local networks' into 'static routes' and 'tr... CLOSED
Related to NethServer 6 - Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base CLOSED
Copied to NethServer 6 - Enhancement #2827: Firewall-base: multi-wan dhcp failover not supported CLOSED

Associated revisions

Revision 7f3daf42
Added by Giacomo Sanchietti almost 6 years ago

providers and tcrules template: add support for multi-wan. Refs #2332

Revision e4e99ab5
Added by Giacomo Sanchietti almost 6 years ago

shorewall hosts template: add support for multi-wan. Refs #2332

Revision 46352639
Added by Giacomo Sanchietti almost 6 years ago

createlinks, shorewall templates: add support for multi-wan, add oriDst prop for portforwards. Refs #2332

Revision 28006da2
Added by Giacomo Sanchietti almost 6 years ago

shorewall.conf template: add support for multi-wan. Refs #2332

Revision 883d4ec4
Added by Giacomo Sanchietti almost 6 years ago

shorewall_script_nethesis: handle only group events. Refs #2332

Revision 3d7d5066
Added by Giacomo Sanchietti almost 6 years ago

shorewall.conf layout: use high bit to mark provider traffic. Refs #2332

Revision 90cb235d
Added by Giacomo Sanchietti almost 6 years ago

/etc/shorewall/providers template: use high bit for provider mark. Refs #2332

Revision 3db3b274
Added by Giacomo Sanchietti almost 6 years ago

/etc/shorewall/providers: auto-calculate tproxy rule index. Refs #2332

Revision 64771058
Added by Giacomo Sanchietti over 5 years ago

Web UI: add GUI for Providers. Refs #2332

Revision 11170bf2
Added by Giacomo Sanchietti over 5 years ago

Multi WAN: move provider configuration to network db. Refs #2332

Revision 3f5025fb
Added by Giacomo Sanchietti over 5 years ago

tcinterfaces templates: Refs #2332

Revision 0d8542d7
Added by Giacomo Sanchietti over 5 years ago

Templates: custom findgw for red with DHCP. Refs #2332

Revision 0cf92f97
Added by Giacomo Sanchietti over 5 years ago

Web interface: add header for Configure controller. Refs #2332

Revision 28e8ff77
Added by Giacomo Sanchietti over 5 years ago

Events: add wan-uplink-event. Refs #2332

Revision d2aaf50a
Added by Giacomo Sanchietti over 5 years ago

Events: add new wan-link-update event. Refs #2332

Revision 89040b99
Added by Giacomo Sanchietti over 5 years ago

lsm.conf template: change default timeout values. Refs #2332

Revision ba363adc
Added by Giacomo Sanchietti over 5 years ago

nethserver-shorewall-wan-update: disable interface if event is not 'up'. Refs #2332

Revision 786c258e
Added by Giacomo Sanchietti over 5 years ago

shorewall.conf: change PROVIDER_BITS value. Refs #2332

Revision e84ddc17
Added by Giacomo Sanchietti over 5 years ago

Web ui: update MultiWAN. Refs #2332

Revision 52e490a4
Added by Giacomo Sanchietti over 5 years ago

Providers: always sort providers in descending order. Refs #2332

Revision 1c518103
Added by Giacomo Sanchietti over 5 years ago

actions: add support for static routes. Refs #2332

Revision 5da14a15
Added by Giacomo Sanchietti over 5 years ago

actions: move static routes to routes db. Refs #2332

Revision d18738e1
Added by Giacomo Sanchietti over 5 years ago

actions: change static route records from 'route' to 'static' type. Refs #2332

Revision 64b83003
Added by Giacomo Sanchietti over 5 years ago

createlinks, actions: add provider static routes to static-routes-save event. Refs #2332

Revision 96a6b72e
Added by Giacomo Sanchietti over 5 years ago

Network configuration: support provider-static routes. Refs #2332

Handle special static routes for providers.

Revision 6062bb80
Added by Giacomo Sanchietti over 5 years ago

createlinks: add static-routes-save event. Refs #2332

Revision 423a7f5c
Added by Giacomo Sanchietti over 5 years ago

providers: use Firewall library in templates. Refs #2332

Revision 52125330
Added by Giacomo Sanchietti over 5 years ago

Providers: support enable/disable. Refs #2332

Revision 93f03e79
Added by Giacomo Sanchietti over 5 years ago

lsm.conf: skip disabled providers. Refs #2332

Revision 56007e89
Added by Giacomo Sanchietti over 5 years ago

Firewall.pm: fix provider logic. Refs #2332

Revision 4aa7d657
Added by Giacomo Sanchietti over 5 years ago

Web UI: show provider status on dashboard. Refs #2332

Revision 7af76170
Added by Giacomo Sanchietti over 5 years ago

providers-static-routes: remove blank spaces. Refs #2332

Revision b8132cc6
Added by Giacomo Sanchietti over 5 years ago

init scripts: start lsm only if there is at least one provider. Refs #2332

Revision d4a46e58
Added by Giacomo Sanchietti over 5 years ago

init scripts: fix start/restart. Refs #2332

Revision 47214a8c
Added by Giacomo Sanchietti over 5 years ago

Inline help: add Multi WAN rst files. Refs #2332

Revision d1194baa
Added by Giacomo Sanchietti about 5 years ago

lsm.conf template: change default timeout values. Refs #2332

History

#1 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 30 to 60

Committed test implementation.

See Gateway Design.

In nethserver-testing:
nethserver-shorewall-1.0.2-1.0git28006da2.ns6
nethserver-firewall-base-1.0.6-3.0git54f43433.ns6
nethserver-ipsec-1.0.0-1.0gite4e99ab5.ns6
nethserver-squid-1.0.4-1.0git7f3daf42.ns6
nethserver-lsm-0.0.3-1.ns6
lsm-0.163-1.ns6

#4 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from MODIFIED to ON_DEV
  • % Done changed from 60 to 30

#5 Updated by Giacomo Sanchietti over 5 years ago

  • Target version set to ~FUTURE

#6 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#7 Updated by Giacomo Sanchietti over 5 years ago

  • Target version changed from ~FUTURE to v6.5

#8 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee deleted (Giacomo Sanchietti)

For each configured provider, the system (LSM) will send pings to a configured IP (checkip).
When a provider status changes, the system will signal a wan-uplink-update event.

Inside the event, the action nethserver-shorewall-wan-update invokes:
  • shorewall enable <interface> when a red interface is usable
  • shorewall disable <interface> when a red interface is not usable

When an interface is disabled, all associated routes will be deleted. If checkip belongs to an external network, the system will not be able to check the link status because there will be no route to the external host. With the current implementation, when an interface is disabled, there is no way to re-enable it.

See:

#9 Updated by Giacomo Sanchietti over 5 years ago

The solution is to add static routes for checkip inside the main table.

For example, if checkip is 89.97.3.129:

 ip ro add 89.97.3.129/32 via 89.97.245.225

Some considerations:
  • static rules must be added in firewall-adjust event and after boot (maybe we can use http://shorewall.net/shorewall_extension_scripts.htm)
  • a checkip can't be reused between providers
  • when a red interface goes down, the host specified as checkip is no longer reachable, so do not use system DNS as checkip
  • probably the best checkip is the hop just next to the gateway

To find the next hop use:

ping -c 1 -I eth2 -t 2 8.8.8.8 | grep 'Time to live'  | cut -d' ' -f2

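As an added illustration of the checkip scheme discussed in the comment above (this is not code from the NethServer project or from the comment's author), the Python below parses the ping output that the grep/cut pipeline filters, builds the per-checkip host route for the main table, and checks the two constraints listed: a checkip may not be shared between providers, and a system DNS server must not be used as checkip. The ping output, the provider names, the source address on eth2, the second provider and the DNS address are constructed for the example; the gateway 89.97.245.225 and checkip 89.97.3.129 are the values used in the comment.

```python
import ipaddress
import re

# Constructed sample of iputils output for `ping -c 1 -I eth2 -t 2 8.8.8.8`:
# with TTL 2 the packet expires one hop beyond the provider gateway, and that
# hop (here 89.97.3.129, the checkip used in the comment) answers with ICMP
# Time Exceeded. The source address 89.97.245.226 is an assumed address on eth2.
SAMPLE_PING_OUTPUT = """\
PING 8.8.8.8 (8.8.8.8) from 89.97.245.226 eth2: 56(84) bytes of data.
From 89.97.3.129 icmp_seq=1 Time to live exceeded

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
"""

# Matches "From 1.2.3.4 icmp_seq=1 ..." and "From host (1.2.3.4) icmp_seq=1 ..."
# (the second form appears when ping resolves the hop's reverse DNS name).
TTL_EXCEEDED = re.compile(
    r"^From (?P<host>\S+?)(?: \((?P<ip>[0-9.]+)\))?:? icmp_seq=\d+ Time to live exceeded",
    re.MULTILINE,
)


def next_hop_from_ping(output):
    """Return the address that reported Time Exceeded, or None if no hop answered
    (a silent hop means there is no auto-discovered checkip to trust)."""
    match = TTL_EXCEEDED.search(output)
    if not match:
        return None
    candidate = match.group("ip") or match.group("host")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def checkip_route(checkip, gateway):
    """Host route in the main table that keeps checkip reachable through its own
    provider even after `shorewall disable` has removed that provider's routes."""
    ip = ipaddress.ip_address(checkip)
    gw = ipaddress.ip_address(gateway)
    return f"ip route add {ip}/32 via {gw}"


def checkip_conflicts(providers, dns_servers=()):
    """Return human-readable violations of the rules from the comment: a checkip
    reused between providers, or a system DNS server used as checkip."""
    problems = []
    seen = {}
    dns = {str(ipaddress.ip_address(d)) for d in dns_servers}
    for prov in providers:
        checkip = str(ipaddress.ip_address(prov["checkip"]))
        if checkip in dns:
            problems.append(f"{prov['name']}: checkip {checkip} is a system DNS server")
        if checkip in seen:
            problems.append(f"{prov['name']}: checkip {checkip} already used by {seen[checkip]}")
        seen.setdefault(checkip, prov["name"])
    return problems


def plan_checkip_routes(providers, dns_servers=()):
    """Commands to run from firewall-adjust and after boot; refuses to emit
    anything if the checkip constraints are violated."""
    problems = checkip_conflicts(providers, dns_servers)
    if problems:
        raise ValueError("; ".join(problems))
    return [checkip_route(p["checkip"], p["gateway"]) for p in providers]


if __name__ == "__main__":
    hop = next_hop_from_ping(SAMPLE_PING_OUTPUT)
    print("discovered checkip:", hop)
    # Assumed provider definitions (names, interfaces and red2 addresses are invented).
    providers = [
        {"name": "red1", "interface": "eth2", "gateway": "89.97.245.225", "checkip": hop},
        {"name": "red2", "interface": "eth3", "gateway": "192.0.2.1", "checkip": "192.0.2.130"},
    ]
    for cmd in plan_checkip_routes(providers, dns_servers=["8.8.8.8"]):
        print(cmd)
```

The regex accepts both the numeric and the name-resolved "From" line, so the discovery does not silently break when ping is run without -n; when no hop answers (a filtered or silent router), the function returns None rather than a wrong address, which is the case a caller should treat as "configure checkip by hand".
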
#10 Updated by Giacomo Sanchietti over 5 years ago

Added static routes support. Routes will be generated in interface-update and network-* events.

A static route is a record of type static inside the routes database.
Each record has the following properties:

  • key: network address
  • Mask: network mask
  • Router: gateway for the network
  • Description: a custom description (optional)

Example:

8.8.4.4=static
    Description=My route
    Mask=255.255.255.255
    Router=89.97.245.225

Also added special static routes for providers. These routes are auto-calculated by the system and
can't be edited by the user.
Static routes for providers are records of type provider-static inside the routes database.
Valid properties are the same as for static records.

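An added example (not part of the comment or of nethserver-firewall-base) of how the records described above can be consumed: parse a text dump in the layout shown, combine key and Mask into a prefix, reject a key that has host bits set beyond its mask, and emit the `ip route add` commands, keeping provider-static records read-only. The sample dump is constructed for this example; the first record is the one from the comment, the other two are assumed entries.

```python
import ipaddress

# Constructed text dump of the routes database in the layout shown in the comment:
# a "key=type" line followed by indented "Prop=value" lines. The first record is
# the example from the comment; the other two are assumed entries.
SAMPLE_ROUTES_DB = """\
8.8.4.4=static
    Description=My route
    Mask=255.255.255.255
    Router=89.97.245.225
89.97.3.129=provider-static
    Description=checkip route for provider red1
    Mask=255.255.255.255
    Router=89.97.245.225
10.20.0.0=static
    Description=Branch office
    Mask=255.255.0.0
    Router=192.168.1.254
"""

ROUTE_TYPES = ("static", "provider-static")


def parse_routes_db(text):
    """Parse the dump into a list of {"key", "type", "props"} dicts.
    Indented lines are properties of the most recent record."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError(f"property line before any record: {line.strip()!r}")
            prop, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"malformed property line: {line.strip()!r}")
            current["props"][prop] = value
        else:
            key, sep, rtype = line.partition("=")
            if not sep:
                raise ValueError(f"malformed record line: {line!r}")
            current = {"key": key, "type": rtype, "props": {}}
            records.append(current)
    return records


def route_network(record):
    """Combine key and Mask into a network. strict=True makes a key with host
    bits set beyond the mask a ValueError instead of silently routing a
    different prefix than the one the user typed."""
    return ipaddress.ip_network((record["key"], record["props"]["Mask"]), strict=True)


def user_editable(record):
    """provider-static routes are computed by the system and must not be edited."""
    return record["type"] == "static"


def route_commands(records):
    """Emit one `ip route add` per static/provider-static record; records of
    any other type are ignored rather than guessed at."""
    commands = []
    for record in records:
        if record["type"] not in ROUTE_TYPES:
            continue
        net = route_network(record)
        router = ipaddress.ip_address(record["props"]["Router"])
        commands.append(f"ip route add {net.with_prefixlen} via {router}")
    return commands


if __name__ == "__main__":
    for cmd in route_commands(parse_routes_db(SAMPLE_ROUTES_DB)):
        print(cmd)
```

Validating the key against the mask before generating commands matters because `ip route add 10.20.0.1/16` would be accepted by the kernel as 10.20.0.0/16, so a typo in the key would otherwise install a route the user did not intend without any error.
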
#11 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#12 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 30 to 60

#13 Updated by Giacomo Sanchietti over 5 years ago

  • Related to Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base added

#14 Updated by Giacomo Sanchietti over 5 years ago

Merged on master.

#15 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Packages in nethserver-testing:
  • nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
  • nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
  • nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already in testing)
  • nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
  • nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
  • nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm

#16 Updated by Davide Principi about 5 years ago

  • Assignee set to Davide Principi

#17 Updated by Davide Principi about 5 years ago

  • Assignee changed from Davide Principi to Filippo Carletti

#18 Updated by Filippo Carletti about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

I have verified both configuration modes: balance and backup.
Tests:
  • routing is ok, traffic goes to both providers in balance and to highest weight link in active-backup
  • link failure disables failed link, traffic switches to working link
  • connection is re-enabled after link recovery
  • manually disabling a link (shorewall disable ethX) works as expected
  • check ip auto discovery gets the right ip in all tested cases
  • online help is correct

Not tested: 3 or more wan

Remaining issue:
https://groups.google.com/forum/#!topic/nethserver/NGmP9D0BqqY

I'd file a new issue about dhcp wan and failed link detection.

#19 Updated by Filippo Carletti about 5 years ago

  • Copied to Enhancement #2827: Firewall-base: multi-wan dhcp failover not supported added

#20 Updated by Giacomo Sanchietti about 5 years ago

  • Assignee deleted (Filippo Carletti)

#21 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-lsm-1.0.0-1.ns6.noarch.rpm
