Submitted by stintel on
I guess better late than never...
So we've got a failover IP, and a nice trick to be able to get the same WAN IP on both our routers. If you do stateless packet filtering, this is actually enough, and your redundant setup is already finished. However, if you do stateful packet filtering, the moment the failover IP moves to the backup router, your established connections will be dropped, because the backup router has no entries for them in its connection tracking table.
Fortunately this too can be solved, by syncing the connection tracking table with conntrackd. Since we're using an active-backup setup, we'll configure conntrack like this as well. The conntrackd configuration file looks like this:
Sync {
	Mode FTFW {
	}
	Multicast {
		IPv4_address 225.0.0.50
		Group 3780
		IPv4_interface 192.168.54.254
		Interface eth0.54
		SndSocketBuffer 1249280
		RcvSocketBuffer 1249280
		Checksum on
	}
	Options {
		TCPWindowTracking Off
		ExpectationSync On
	}
}

General {
	Nice -20
	Scheduler {
		Type FIFO
		Priority 99
	}
	HashSize 32768
	HashLimit 32768
	LogFile off
	Syslog on
	LockFile /var/lock/conntrack.lock
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}
	NetlinkBufferSize 2097152
	NetlinkBufferSizeMaxGrowth 8388608
	NetlinkOverrunResync On
	NetlinkEventsReliable On
	Filter From Userspace {
		Protocol Accept {
			TCP
			SCTP
			DCCP
			UDP
			ICMP # This requires a Linux kernel >= 2.6.31
			IPv6-ICMP # This requires a Linux kernel >= 2.6.31
		}
		Address Ignore {
			IPv4_address 127.0.0.1
			IPv4_address 192.168.54.253
			IPv4_address 192.168.54.254
			IPv6_address ::1
		}
	}
}
Now merge the starting and stopping of services and interfaces from the primary-backup.sh script in part 2 into the primary-backup.sh script from the conntrack-tools documentation, and you should be good. Whenever a router switches from active to backup state, the script will instruct conntrackd to sync its connection tracking table to the other router, and the firewall will no longer drop your connections.
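As an added illustration of what that merged script looks like (this is example code, not the author's part 2 script and not the primary-backup.sh shipped with conntrack-tools), here is a minimal notify script that handles the three state transitions conntrackd cares about. The conntrackd flags it uses (-c commit, -f flush, -R resync with the kernel, -B bulk send, -t shorten timers, -n request resync) are real conntrackd options; the start_services/stop_services hooks are placeholders where the interface and service handling from part 2 would go, and the CONNTRACKD_DRY_RUN variable is an invention of this example so the transitions can be inspected without a running conntrackd.

```shell
#!/bin/sh
# Example failover notify script (added example, not conntrack-tools' own
# primary-backup.sh). Called with one argument: primary, backup or fault.
#
# CONNTRACKD_DRY_RUN=1 (a variable invented for this example) prints the
# commands instead of executing them, which is handy for reviewing the
# transition logic on a box without conntrackd.

CONNTRACKD=${CONNTRACKD:-conntrackd}
CONNTRACKD_DRY_RUN=${CONNTRACKD_DRY_RUN:-0}

# Execute a command, or just print it in dry-run mode.
run() {
	if [ "$CONNTRACKD_DRY_RUN" = 1 ]; then
		echo "$*"
	else
		"$@"
	fi
}

# Placeholder hooks: put the service and interface start/stop commands
# from part 2's primary-backup.sh in here.
start_services() { :; }
stop_services()  { :; }

become_primary() {
	# Commit the external cache (entries learned from the peer) into the kernel
	run "$CONNTRACKD" -c
	# Flush the internal and external caches
	run "$CONNTRACKD" -f
	# Resynchronise the internal cache with the kernel conntrack table
	run "$CONNTRACKD" -R
	# Push a bulk update of our table to the peer
	run "$CONNTRACKD" -B
	start_services
}

become_backup() {
	stop_services
	# Shorten the kernel conntrack timers so stale entries expire quickly
	run "$CONNTRACKD" -t
	# Ask the new primary for a full resync
	run "$CONNTRACKD" -n
}

become_fault() {
	stop_services
	run "$CONNTRACKD" -t
	run "$CONNTRACKD" -n
}

# Dispatch on the new state; unknown states are rejected so a typo in the
# keepalived/ucarp configuration cannot silently leave the firewall in
# an undefined state.
transition() {
	case "$1" in
		primary) become_primary ;;
		backup)  become_backup ;;
		fault)   become_fault ;;
		*)
			echo "usage: $0 {primary|backup|fault}" >&2
			return 1
			;;
	esac
}

# Only dispatch when invoked with an argument, so the functions can also
# be sourced for testing.
if [ -n "${1:-}" ]; then
	transition "$1"
fi
```

Once the real conntrackd is in place, `conntrackd -s` on the backup router shows the size of its external cache; if it stays at zero while the active router has live connections, the multicast sync (the Multicast block, the interface and the Address Ignore list in the configuration above) is the first thing to check.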