Feature #2332
Firewall-base: add support for multi-wan
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Description
Add support for multi-wan configuration.
A virtually unlimited number of red interfaces should be allowed.
- weighted balanced mode: each new connection can use a random configured red interface
- active backup: all traffic is routed through the master interface, backup connections will be used only in case of master failure
Related issues
Associated revisions
providers and tcrules template: add support for multi-wan. Refs #2332
shorewall hosts template: add support for multi-wan. Refs #2332
createlinks, shorewall templates: add support for multi-wan, add oriDst prop for portforwards. Refs #2332
shorewall.conf template: add support for multi-wan. Refs #2332
shorewall_script_nethesis: handle only group events. Refs #2332
shorewall.conf layout: use high bit to mark provider traffic. Refs #2332
/etc/shorewall/providers template: use high bit for provider mark. Refs #2332
/etc/shorewall/providers: auto-calculate tproxy rule index. Refs #2332
Web UI: add GUI for Providers. Refs #2332
Multi WAN: move provider configuration to network db. Refs #2332
tcinterfaces templates: Refs #2332
Templates: custom findgw for red with DHCP. Refs #2332
Web interface: add header for Configure controller. Refs #2332
Events: add wan-uplink-event. Refs #2332
Events: add new wan-link-update event. Refs #2332
lsm.conf template: change default timeout values Refs #2332
nethserver-shorewall-wan-update: disable interface if event is no 'up'. Refs #2332
shorewall.conf: change PROVIDER_BITS value. Refs #2332
Web ui: update MultiWAN. Refs #2332
Providers: always sort providers in descending order. Refs #2332
actions: add support for static routes. Refs #2332
actions: move static routes to routes db. Refs #2332
actions: change static route records from 'route' to 'static' type. Refs #2332
createlinks, actions: add provider static routes to static-routes-save event. Refs #2332
Network configuration: support provider-static routes. Refs #2332
Handle special static routes for providers.
createlinks: add static-routes-save event. Refs #2332
providers: use Firewall library in templates. Refs #2332
Providers: support enable/disable. Refs #2332
lsm.conf: skip disabled providers. Refs #2332
Firewall.pm: fix provider logic. Refs #2332
Web UI: show provider status on dashboard. Refs #2332
providers-static-routes: remove blank spaces. Refs #2332
init scripts: start lsm only if there is at least one provider. Refs #2332
init scripts: fix start/restart. Refs #2332
Inline help: add Multi WAN rst files. Refs #2332
lsm.conf template: change default timeout values Refs #2332
History
#1 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 30 to 60
Committed test implementation.
See Gateway Design.
In nethserver-testing:
nethserver-shorewall-1.0.2-1.0git28006da2.ns6
nethserver-firewall-base-1.0.6-3.0git54f43433.ns6
nethserver-ipsec-1.0.0-1.0gite4e99ab5.ns6
nethserver-squid-1.0.4-1.0git7f3daf42.ns6
nethserver-lsm-0.0.3-1.ns6
lsm-0.163-1.ns6
#4 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from MODIFIED to ON_DEV
- % Done changed from 60 to 30
#5 Updated by Giacomo Sanchietti over 7 years ago
- Target version set to ~FUTURE
#6 Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Giacomo Sanchietti
#7 Updated by Giacomo Sanchietti over 7 years ago
- Target version changed from ~FUTURE to v6.5
#8 Updated by Giacomo Sanchietti over 7 years ago
- Assignee deleted (Giacomo Sanchietti)
For each configured provider, the system (LSM) will send a ping to a configured IP (checkip).
When a provider status changes, the system will signal a wan-uplink-update event.
nethserver-shorewall-wan-update invokes:
- shorewall enable <interface> when a red interface is usable
- shorewall disable <interface> when a red interface is not usable
When an interface is disabled, all associated routes will be deleted. If checkip belongs to an external network, the system will not be able to check the link status because there will be no route to the external host. With the current implementation, when an interface is disabled, there is no way to re-enable it.
#9 Updated by Giacomo Sanchietti over 7 years ago
The solution is to add static routes for checkip inside the main table.
For example, if checkip is 89.97.3.129:
ip ro add 89.97.3.129/32 via 89.97.245.225
Some considerations:
- static rules must be added in the firewall-adjust event and after boot (maybe we can use http://shorewall.net/shorewall_extension_scripts.htm)
- a checkip can't be reused between providers
- when a red interface goes down, the host specified as checkip is no longer reachable, so do not use the system DNS as checkip
- probably the best checkip is the hop just after the gateway
To find the next hop use:
ping -c 1 -I eth2 -t 2 8.8.8.8 | grep 'Time to live' | cut -d' ' -f2
#10 Updated by Giacomo Sanchietti about 7 years ago
Added static routes support. Routes will be generated in interface-update and network-* events.
A static route is a record of type static inside the routes database.
Each record has the following properties:
- key: network address
- Mask: network mask
- Router: gateway for the network
- Description: a custom description (optional)
Example:
8.8.4.4=static Description=My route Mask=255.255.255.255 Router=89.97.245.225
Added also special static routes for providers. These routes are auto-calculated by the system and can't be edited by the user.
Static routes for providers are records of type provider-static inside the routes database.
Valid properties are the same as for static records.
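As an added example (not NethServer's own code), here is a small Python parser for the routes db records described in the two comments above, written against the flattened one-line record form shown in the example and using constructed, hypothetical addresses: it emits the `ip route add` commands for the main table and flags a checkip that is reused between providers, which the earlier comment says is not allowed.

```python
import ipaddress

# Constructed sample of the `routes` db, one record per line in the form
# key=type Prop=value ...  (hypothetical addresses, not from a real system).
SAMPLE_DB = """\
8.8.4.4=static Description=My route Mask=255.255.255.255 Router=89.97.245.225
10.20.0.0=static Description=Branch office Mask=255.255.0.0 Router=192.168.1.254
89.97.3.129=provider-static Mask=255.255.255.255 Router=89.97.245.225
1.2.3.4=provider-static Mask=255.255.255.255 Router=172.16.0.1
1.2.3.4=provider-static Mask=255.255.255.255 Router=172.16.1.1
"""

def parse_record(line):
    """Return (key, type, props) for one flattened record.

    Values may contain spaces (Description=My route), so a token without
    '=' is appended to the value of the previous property.
    """
    head, _, rest = line.strip().partition(" ")
    key, _, rtype = head.partition("=")
    props, last = {}, None
    for tok in rest.split():
        if "=" in tok:
            last, val = tok.split("=", 1)
            props[last] = val
        elif last is not None:
            props[last] += " " + tok
    return key, rtype, props

def parse_db(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def route_commands(records):
    """Build `ip route add` lines for static and provider-static records."""
    cmds = []
    for key, rtype, p in records:
        if rtype not in ("static", "provider-static"):
            continue  # defensive: ignore any other record type
        # ip_network accepts a dotted netmask and turns it into a prefix length
        net = ipaddress.ip_network(f"{key}/{p['Mask']}", strict=False)
        cmds.append(f"ip route add {net.with_prefixlen} via {p['Router']}")
    return cmds

def reused_checkips(records):
    """Checkips appearing in more than one provider-static record."""
    seen, dup = set(), set()
    for key, rtype, _ in records:
        if rtype == "provider-static":
            if key in seen:
                dup.add(key)
            seen.add(key)
    return sorted(dup)
```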
#11 Updated by Giacomo Sanchietti about 7 years ago
- Assignee set to Giacomo Sanchietti
#12 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 30 to 60
#13 Updated by Giacomo Sanchietti about 7 years ago
- Related to Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base added
#14 Updated by Giacomo Sanchietti about 7 years ago
Merged on master.
#15 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
- nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
- nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
- nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already on testing)
- nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
- nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
- nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm
#16 Updated by Davide Principi about 7 years ago
- Assignee set to Davide Principi
#17 Updated by Davide Principi about 7 years ago
- Assignee changed from Davide Principi to Filippo Carletti
#18 Updated by Filippo Carletti about 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
I have verified both configuration modes: balance and backup.
Tests:
- routing is ok, traffic goes to both providers in balance and to the highest weight link in active-backup
- link failure disables the failed link, traffic switches to the working link
- connection is re-enabled after link recovery
- manually disabling a link (shorewall disable ethX) works as expected
- check ip auto discovery gets the right ip in all tested cases
- online help is correct
Not tested: 3 or more WANs
Remaining issue:
https://groups.google.com/forum/#!topic/nethserver/NGmP9D0BqqY
I'd file a new issue about dhcp wan and failed link detection.
#19 Updated by Filippo Carletti about 7 years ago
- Copied to Enhancement #2827: Firewall-base: multi-wan dhcp failover not supported added
#20 Updated by Giacomo Sanchietti about 7 years ago
- Assignee deleted (Filippo Carletti)
#21 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-lsm-1.0.0-1.ns6.noarch.rpm