How to set up Route failover between hosts on the same interface

Ersu
Location: Clavister HQ - Örnsköldsvik


Post by Ersu » 29 Aug 2018, 14:41

This How-to applies to:
  • Clavister Security Gateway 12.x.
Schematic:
Screenshot: ERSU-Schematic-1_23780.png
Problem:

A common scenario is to have two servers behind the same DMZ interface, where one server serves as a backup for the primary server, with a single public IP that is SATed to the server's internal IP.
Failover can be tricky to accomplish in this scenario. A simple route failover alone will not work here, as route failover requires two routes that point to the same host/network via different interfaces.


Solution:

What we need is the ability to SAT the traffic to different IP addresses depending on whether the primary server is reachable or not.
This can be achieved using Loopback interfaces and an additional routing table.
When we route traffic into a Loopback interface it creates a new connection, which needs to consult the IP policies again before being sent out from the firewall. This allows us to create a policy that only triggers when the traffic is routed through the Loopback interface, and have that policy send the traffic to the backup server.
Using route failover, we can make the firewall route the traffic to the DMZ as normal as long as the primary server is responding. When the primary server is no longer responding, the firewall falls back to routing the traffic into our Loopback interface.

In this guide I will use two servers and one external IP:
Server 1: 172.16.201.20
Server 2: 172.16.201.30
Server_Ext_IP: 192.168.120.82

In this example I have configured the firewall to only handle icmp towards the server.

We will start by creating a new routing table.
Name: RT2
Ordering: Only
Screenshot: RT2_config_23780.png
We will come back to create some routes in this table later.

Now we need to create a pair of Loopback interfaces.
For simplicity's sake we will name these Loop1 and Loop2.
Screenshot: Loopbacks_23780.png

First Loopback.
General Tab
Screenshot: Loop1_General_Tab_23780.png
Name: Loop1
Loop To: Loop2* (Note we will need to come back and set this after we have created Loop2. This can be left empty for now)
IPv4 Address: 1.1.1.1
Network: 1.1.1.0/24
Note: The IP and Network can be anything (as long as they do not cause IP conflicts), and could be set to 127.0.0.1, but setting a "bogus" IP is preferred as it helps if we need to troubleshoot in the future, so we don't see a bunch of logs telling us traffic is coming from localhost.

Virtual Routing Tab
Screenshot: Loop1_VR_Tab_23780.png
Enable "Make interface a member of a specific routing table".
Set Routing table: main

Advanced Tab
Screenshot: Loop1_Adv_Tab_23780.png
To keep the routing tables a bit cleaner, and to avoid issues in case the network we set on the Loopback interfaces is used by anything else, we can disable "AUTOMATIC ROUTE CREATION" in the Advanced tab.

Second Loopback.
This will largely be the same as the first Loopback.
General Tab
Screenshot: Loop2_General_tab_23780.png
Name: Loop2
Loop To: Loop1
IPv4 Address: 2.2.2.2
Network: 2.2.2.0/24

Virtual Routing settings
Screenshot: Loop2_VR_Tab_23780.png
Enable "Make interface a member of a specific routing table".
Set Routing table: RT2

Advanced Tab
Screenshot: Loop2_Adv_Tab_23780.png
As for Loop1, disable "AUTOMATIC ROUTE CREATION" in the Advanced tab to keep the routing tables cleaner and to avoid issues in case the network set on the Loopback interfaces is used by anything else.

Remember to return to Loop1 and set its "Loop To" parameter to Loop2.


Now let us go back to the routing tables. We will start with the main routing table and set up the route failover.
For this we need three routes: the first is a core route that publishes the external IP, and the other two are the host routes for Server1 that the failover switches between.
Screenshot: RT_Main_23780.png

General Tab
Screenshot: Core_route_general_tab_23780.png
Interface: core
Network: Server_Ext_IP

Proxy ARP Tab
Screenshot: Core_route_ProxyARP_Tab_23780.png
Add the WAN interface. As I have two ISPs in this setup, I'm using the WANZone interface group.


Now we need the two single-host routes that handle the two scenarios.
The first route monitors Server1 and is automatically disabled if Server1 stops responding.

General Tab
Screenshot: Main_server1_route_general_tab_23780.png
Interface: DMZ
Network: Server1
Metric: 90
Note the Metric: it needs to be lower than the metric of the next route we are about to create, so that this route is preferred while Server1 is responding.

Monitor Tab
Screenshot: Main_server1_route_Monitor_tab_23780.png
Enable Monitor and Host Monitoring.


Monitored Hosts Tab
Screenshot: Main_server1_route_Monitored_Hosts_tab_23780.png
Here we add Server1 as a monitored host.
Screenshot: Server1_Monitor_23780.png
Method: ICMP
IP address: Server1


Next we need the route that we fail over to when Server1 stops responding.
This is the route that puts our Loopback and the new routing table to work.

General Tab
Screenshot: Main_loop1_route_23780.png
Interface: Loop1
Network: Server1
Metric: 100 (or anything higher than the metric set on the monitored route we just created)


That is it for the main routing table, we can now move on to the new RT2 routing table.
We will need 3 routes here as well.
Screenshot: RT2_table_23780.png
The first route allows the traffic coming in from the Loopback.

General Tab
Screenshot: Loop2_route_23780.png
Interface: Loop2
Network: all-nets (We set all-nets here, as the traffic will be sourced from the internet)

We need the second route so that the traffic is not routed back out of this routing table through the all-nets route we set on the Loopback.
Remember that at this stage the traffic has not yet consulted the IP rule sets a second time, so it still has Server1 as its destination; this route makes DMZ the destination interface for that lookup.

General Tab
Screenshot: RT2_server1_route_23780.png
Interface: DMZ
Network: Server1

The last route is needed so that we can route the traffic to Server2.

General Tab
Screenshot: RT2_server2_route_23780.png
Interface: DMZ
Network: Server2


And that is it for the routing.
Now we need our IP Policies to SAT the traffic to the correct server, and it is for this we needed the Loopbacks.
Screenshot: Main_rule_set_23780.png

We start with the policy that triggers when users on the internet access the servers on the external IP, and SAT the traffic to the primary server.

General Tab
Screenshot: SAT_server1_ping_23780.png
Action: Allow
Name: SAT_Server1_ping

Source Interface: WANZone
Source Network: all-nets
Destination Interface: core
Destination Network: Server_Ext_IP
Service: all_icmp (modify this for the services you will be needing)

Destination Translation
Address Translation: SAT
Address Action: Single IP
New IP Address: Server1

This rule triggers whether the primary server is up or down. It is the routing that lets the next rule we create trigger only when the primary server is down: the traffic is then routed through the Loopback interface, which creates a new connection that is checked against the rule set again.

General Tab
Screenshot: SAT_server2_ping_23780.png
Action: Allow
Name: SAT_Server2_ping

Source Interface: Loop2
Source Network: all-nets
Destination Interface: DMZ
Destination Network: Server1
Note: We use DMZ and Server1 as the destination because the first SAT rule has already changed the destination to Server1, which is routed on DMZ.
Service: all_icmp (modify this for the services you will be needing)

Destination Translation
Address Translation: SAT
Address Action: Single IP
New IP Address: Server2

And that's it. When Server1 is up, only the first SAT policy triggers, and the traffic is sent to Server1.
When Server1 is down, the traffic is routed into the Loopback interface, creating a new connection that triggers our second SAT policy, which sends the traffic to Server2.
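As an added illustration that is not part of the original post or any Clavister code, this Python model walks one new connection through the routing tables and IP policies configured above. The order of operations is an assumption of the model (route lookup of the original destination to find the policy's destination interface, then SAT, then routing of the translated address, with a Loopback egress re-entering the peer table as a new connection); it also shows why the DMZ/Server1 route in RT2 is needed.

```python
import ipaddress

# Addresses from the how-to; Server_Ext_IP is the published public IP
SERVER1, SERVER2, EXT_IP = "172.16.201.20", "172.16.201.30", "192.168.120.82"

# Routes as (interface, network, metric, monitored host or None), per table
TABLES = {
    "main": [("core", EXT_IP + "/32", 0, None),
             ("DMZ", SERVER1 + "/32", 90, SERVER1),   # disabled while Server1 is down
             ("Loop1", SERVER1 + "/32", 100, None)],  # failover into the loopback
    "RT2": [("Loop2", "0.0.0.0/0", 0, None),
            ("DMZ", SERVER1 + "/32", 0, None),        # keeps Server1 off the all-nets route
            ("DMZ", SERVER2 + "/32", 0, None)],
}
# Loopback peering: traffic sent out Loop1 arrives on Loop2 in RT2, and vice versa
LOOP_TO = {"Loop1": ("Loop2", "RT2"), "Loop2": ("Loop1", "main")}
# IP policies as (source interface, destination interface, destination, SAT target)
POLICIES = [("WANZone", "core", EXT_IP, SERVER1),
            ("Loop2", "DMZ", SERVER1, SERVER2)]

def lookup(table, dst, server1_up, tables=TABLES):
    """Longest prefix, then lowest metric, skipping a route whose monitored host is down."""
    best = None
    for iface, net, metric, monitored in tables[table]:
        if monitored and not server1_up:
            continue
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or (-n.prefixlen, metric) < best[0]):
            best = ((-n.prefixlen, metric), iface)
    return best[1] if best else None

def forward(src_if, table, dst, server1_up, tables=TABLES, hops=0):
    """Return (egress interface, final destination) for one new connection.

    Assumed order: policy lookup (destination interface from routing the original
    destination), then SAT, then routing of the translated destination; a loopback
    egress re-enters the peer's table as a new connection and repeats the process.
    """
    if hops > 4:
        return ("LOOP", dst)  # guard against a routing loop between the loopbacks
    dst_if = lookup(table, dst, server1_up, tables)
    sat = next((p[3] for p in POLICIES if p[:3] == (src_if, dst_if, dst)), None)
    if sat is None:
        return ("DROP", dst)  # no policy matched: default drop
    out_if = lookup(table, sat, server1_up, tables)
    if out_if in LOOP_TO:
        peer_if, peer_table = LOOP_TO[out_if]
        return forward(peer_if, peer_table, sat, server1_up, tables, hops + 1)
    return (out_if, sat)
```

Calling `forward("WANZone", "main", EXT_IP, False)` with the RT2 Server1 route removed returns a drop, because the second policy's destination interface (DMZ) no longer matches the all-nets Loop2 route.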
