I'm currently using a Linux box to handle my firewall/NAT using iptables. It has two NICs, one linked to a LAN switch, one to our egress Internet provider. I'm looking at upgrading this box to two boxes for purposes of redundancy and adding a second Internet provider to the solution. This means I need four ports, I believe (correct me if I'm wrong):
- Egress internet link #1
- Egress internet link #2
- LAN port
- Cross-over between the two boxes for failover purposes
I've read carp+pfsync is a good solution. Is that currently what most of you are using? Is there an equivalent solution in linux?
What are some suggestions for hot failover with ease of configuration as of today for a similar setup as above?
Yes and yes :)
As Instye notes, there are two public projects for CARP under Linux. But as you'll notice, neither of them is particularly active, and I don't believe they include pfsync, which is pretty important to the whole shebang.
Additionally there have been some huge advances in the PF and CARP code this year alone. Any port, including FreeBSD, often lags naturally behind in feature and bug fixes.
If the current machine isn't performing any other tasks then I'd recommend just biting the bullet and implementing OpenBSD. The learning curve won't be any steeper than getting one of the ports up and running. I don't think you'll regret it.
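The OpenBSD layout this answer recommends, spelled out for the four-port setup in the question, as an added example that is not part of any poster's answer: each box keeps its own address on the LAN and on both ISP links, the shared addresses live on CARP interfaces, and pfsync replicates the pf state table over the cross-over link so a failover keeps existing NAT sessions alive. Interface names (em0 to em3), all addresses, the vhid numbers and the `pass` strings are assumptions constructed for the example; the ISP addressing assumes each provider hands out a small block so that a per-box address plus the shared one fit in it.

```conf
# Constructed layout for this example: em0 = LAN, em1 = ISP 1, em2 = ISP 2,
# em3 = cross-over link used only for pfsync. Host A is shown; host B is the
# same except for its own per-interface addresses and "advskew 100" on every
# carp interface, which makes A the preferred master.

# /etc/hostname.em0  -- LAN, this box's own address
inet 192.168.1.2 255.255.255.0

# /etc/hostname.carp0  -- shared LAN gateway address (vhid must be unique per segment)
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 carpdev em0 pass LanSecret advskew 0

# /etc/hostname.em1  -- ISP 1, this box's own address
inet 203.0.113.2 255.255.255.248

# /etc/hostname.carp1  -- shared ISP 1 address, the one the provider routes to
inet 203.0.113.3 255.255.255.248 203.0.113.7 vhid 2 carpdev em1 pass Wan1Secret advskew 0

# /etc/hostname.em2  -- ISP 2, this box's own address
inet 198.51.100.2 255.255.255.248

# /etc/hostname.carp2  -- shared ISP 2 address
inet 198.51.100.3 255.255.255.248 198.51.100.7 vhid 3 carpdev em2 pass Wan2Secret advskew 0

# /etc/hostname.em3  -- cross-over link, private to the pair
inet 10.255.255.1 255.255.255.252

# /etc/hostname.pfsync0  -- replicate pf state over em3
up syncdev em3

# /etc/sysctl.conf
net.inet.ip.forwarding=1
# preempt: if any carp interface on this box drops to backup, all of them do,
# so LAN and WAN sides fail over together instead of each box owning half
net.inet.carp.preempt=1

# /etc/pf.conf (fragment): admit CARP and pfsync; "no-sync" keeps the
# heartbeat and replication traffic itself out of the replicated state table
set skip on lo
pass quick on em3 proto pfsync keep state (no-sync)
pass on { em0 em1 em2 } proto carp keep state (no-sync)
```

Two things to check once it is up: `ifconfig carp0` on each box should report one MASTER and one BACKUP, and `pfctl -s state` on the backup should show the same entries as the master. pfsync traffic carries no authentication, which is why the example only accepts it on em3 and why the cross-over link should stay a dedicated cable rather than a VLAN on the LAN switch.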
CARP is available in Linux. Check out the ucarp project for a user-space implementation, and there is apparently a project porting it to the 2.6 kernels:
http://www.ioremap.net/projects/carp
The web page you probably want to start looking at is linux-ha. One of the tools they offer is the heartbeat program that can be used to fail servers over.
If you're not dead set on your Linux distro, you could look into Vyatta; the community edition is free: http://www.vyatta.com/downloads/documentation.php
ucarp and keepalived from Linux-HA have been mentioned... the missing link is therefore a Linux equivalent of pfsync: well, look at conntrackd from conntrack-tools.
The Linux equivalent would be using conntrack-tools to sync connection tracking state, and then iptables, of course. http://conntrack-tools.netfilter.org/manual.html#sync
You could also run OpenBSD on your boxes and simply use CARP + pf "out of the box".
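The Linux counterpart of that setup, as an added example that is not part of any poster's answer: keepalived carries the shared addresses with VRRP (the role CARP plays on OpenBSD), and conntrackd replicates the connection tracking table over the cross-over link so that the surviving box already holds the NAT mappings when it takes over. Interface names (eth0 to eth3), addresses, passwords and virtual_router_id values are constructed for the example; `primary-backup.sh` is the helper script shipped in the conntrack-tools source under `doc/sync/`, and the path it is copied to here is an assumption.

```conf
# Constructed layout for this example: eth0 = LAN, eth1 = ISP 1, eth2 = ISP 2,
# eth3 = cross-over link used only for conntrackd. Host A is shown; host B
# uses "state BACKUP", "priority 50" and its own address on eth3.

# /etc/keepalived/keepalived.conf
vrrp_sync_group FIREWALL {
    # the sync group fails all three instances over together; without it one
    # box can end up holding the LAN address while the other holds a WAN one
    group {
        VI_LAN
        VI_WAN1
        VI_WAN2
    }
    # hand the role change to conntrackd so the new master commits the
    # replicated table into the kernel before traffic starts arriving
    notify_master "/etc/conntrackd/primary-backup.sh primary"   # path assumed
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault  "/etc/conntrackd/primary-backup.sh fault"
}
vrrp_instance VI_LAN {
    state MASTER
    interface eth0
    virtual_router_id 10
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass lan1234      # VRRP PASS auth is limited to 8 characters
    }
    virtual_ipaddress {
        192.168.1.1/24 dev eth0
    }
}
vrrp_instance VI_WAN1 {
    state MASTER
    interface eth1
    virtual_router_id 11
    priority 100
    advert_int 1
    virtual_ipaddress {
        203.0.113.3/29 dev eth1
    }
}
vrrp_instance VI_WAN2 {
    state MASTER
    interface eth2
    virtual_router_id 12
    priority 100
    advert_int 1
    virtual_ipaddress {
        198.51.100.3/29 dev eth2
    }
}

# /etc/conntrackd/conntrackd.conf
Sync {
    Mode FTFW {
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 10.255.255.1   # this box's own eth3 address
        Interface eth3
        Checksum on
    }
}
General {
    HashSize 32768
    HashLimit 131072
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        # never replicate the cluster's own traffic
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 10.255.255.0/30
        }
    }
}

# iptables (fragment): VRRP (protocol 112) only on the LAN/WAN links, the
# conntrackd multicast only on eth3, and no conntrack entries for it
iptables -t raw -A PREROUTING -i eth3 -j NOTRACK
iptables -A INPUT -i eth3 -d 225.0.0.50 -p udp --dport 3780 -j ACCEPT
iptables -A INPUT -i eth0 -p 112 -j ACCEPT
iptables -A INPUT -i eth1 -p 112 -j ACCEPT
iptables -A INPUT -i eth2 -p 112 -j ACCEPT
```

Once both daemons run, `ip addr show` on each box shows which one currently holds the shared addresses, and `conntrackd -s` on the backup should report an external cache roughly the size of the master's internal one; if it stays empty, the usual cause is the multicast group being blocked on eth3. The replication stream is unauthenticated, so it belongs on the dedicated cross-over cable and nowhere else.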