From: Harry Duncan
To: freebsd-questions@freebsd.org
Date: Fri, 3 Apr 2015 13:57:33 +0100
Subject: Looking for advice on GRE failover
Hi Guys,

I've been using FreeBSD as gateways and implementing VPNs using GRE tunnels, but hit a new requirement which I'm struggling to find a solution for, and thought I might share it here and get your advice on how to proceed.

Two sites, site-a and site-b, both running FreeBSD gateway servers, both currently on ADSL for WAN, with a GRE tunnel between the sites, secured by racoon, but now we need a highly available solution for the intersite link. We use pf to firewall. Site-a will have a dependency on infrastructure at site-b, but site-b will not have any dependency on site-a.

The physical solution will be to add another WAN to each side, this time based on a wireless broadband link from an alternate provider which, just like the ADSL, will be bridged into the server.

What I would 'like' to have is the following GRE tunnels:

    site-a                      site-b

    wisp-a_.._.._.._.._.._.._.._wisp-b
         \                     /
          \    _______________/
           \  /
            \/
            /\
           /  \---------------\
          /                    \
    adsl-a======================adsl-b

So, GRE tunnels would be:

    Primary: wisp-a_.._.._.._.._.._wisp-b
    Backup1: adsl-a________________wisp-b
    Backup2: wisp-a----------------adsl-b
    Backup3: adsl-a================adsl-b

What I need then is an automatic means to route traffic from site-a to site-b over those 4 tunnels depending on the availability of the link, and current best thinking is that the above order will apply, but that may vary once the wisp links go in.

First hit I came up with is CARP, but that would require separate devices for each tunnel config and even still, I'm not sure I can make the device unavailable if there is a link problem.

Second hit I came up with is lagg, but it appears to me that this will require the actual interface to go down in order to change the route.

My preference is to have this as automated as possible, but with an alerting structure to monitor the links for manual intervention, which I can easily implement with something like Nagios.

So my question is, am I looking for another tool on FreeBSD to manage this, or should I be looking at a tool to heartbeat the links and take the interfaces down if the heartbeat fails, thus allowing lagg to autofailover to the next in the list, and then make it a manual alert response to bring the preferred link back up?

Any thoughts or advice, or even advice on a different, more appropriate list for this question?

Thanks,
Harry.
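One way to do the heartbeat-and-reroute part of this in plain sh on the site-a gateway, as an added example that is not part of Harry's mail or any FreeBSD tool: it probes the four tunnels in preference order, re-points the site-b route at the first one that answers, and exits with Nagios plugin codes so the same script can drive the alerting. The interface names, inner tunnel addresses, site-b prefix and state file path are assumptions.

```shell
#!/bin/sh
# Probe-driven choice of the site-a -> site-b GRE path (added example, not the
# mail's). Assumed, in preference order: gre0 = wisp-a..wisp-b, gre1 =
# adsl-a..wisp-b, gre2 = wisp-a..adsl-b, gre3 = adsl-a..adsl-b; addresses are constructed.
TUNNELS="${TUNNELS:-gre0 gre1 gre2 gre3}"
SITEB_NET="${SITEB_NET:-192.168.2.0/24}"
STATE="${STATE:-/var/run/gre-failover.state}"
# peer_of IFACE: inner (tunnel) address of the site-b end of that tunnel.
peer_of() {
  case "$1" in
    gre0) echo 10.10.0.2 ;; gre1) echo 10.10.1.2 ;;
    gre2) echo 10.10.2.2 ;; gre3) echo 10.10.3.2 ;;
  esac
}
# tunnel_up IFACE: one echo to the far end of that tunnel (-t: FreeBSD ping
# timeout). If FAKE_UP is set, it lists the tunnels to treat as healthy (off-box test).
tunnel_up() {
  if [ -n "${FAKE_UP+x}" ]; then
    case " $FAKE_UP " in *" $1 "*) return 0 ;; *) return 1 ;; esac
  fi
  ping -c 1 -t 2 "$(peer_of "$1")" >/dev/null 2>&1
}
# best_tunnel: print the first healthy tunnel in preference order, or "none" with status 1.
best_tunnel() {
  for t in $TUNNELS; do
    if tunnel_up "$t"; then echo "$t"; return 0; fi
  done
  echo none; return 1
}
# nagios_state IFACE: Nagios plugin exit codes: 0 OK on the primary,
# 1 WARNING while running on a backup, 2 CRITICAL when nothing answers.
nagios_state() {
  case "$1" in
    none) return 2 ;; "${TUNNELS%% *}") return 0 ;; *) return 1 ;;
  esac
}
# main: re-point the site-b route only when the chosen tunnel changes, log the
# transition for the alerting side, then report the Nagios state as exit code.
main() {
  prev=$(cat "$STATE" 2>/dev/null || echo none)
  active=$(best_tunnel) || true
  if [ "$active" != "$prev" ]; then
    [ "$active" = none ] || route -q change -net "$SITEB_NET" "$(peer_of "$active")" \
      || route -q add -net "$SITEB_NET" "$(peer_of "$active")"
    logger -t gre-failover "site-b path: $prev -> $active"
    echo "$active" > "$STATE"
  fi
  nagios_state "$active"
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `gre-failover.sh run` from cron every minute on the site-a gateway; the same invocation through NRPE gives Nagios the OK/WARNING/CRITICAL state directly. Failback to the primary is automatic as written, which is the one point where it differs from the manual-restore behaviour asked for above.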