Linux equivalent of pfsync+carp for failover firewall/routing

I'm currently using a Linux box to handle my firewall/NAT using iptables. It has two NICs, one link to a LAN switch, one to our egress Internet provider. I'm looking at upgrading this box to two boxes for purposes of redundancy and adding a second Internet provider to the solution. This means I need four ports, I believe (correct me if I'm wrong):

  1. Egress internet link #1
  2. Egress internet link #2
  3. LAN port
  4. Cross-over between the two boxes for failover purposes

I've read carp+pfsync is a good solution. Is that currently what most of you are using? Is there an equivalent solution in Linux?

What are some suggestions for hot failover with ease of configuration as of today for a similar setup as above?


Solution 1:

I've read carp+pfsync is a good solution. Is that currently what most of you are using?

Yes and yes :)

As Instye notes, there are two public projects for CARP under Linux. But as you'll notice, neither of them is particularly active, and I don't believe they include pfsync, which is pretty important to the whole shebang.

Additionally, there have been some huge advances in the PF and CARP code this year alone. Any port, including FreeBSD, naturally lags behind in features and bug fixes.

If the current machine isn't performing any other tasks then I'd recommend just biting the bullet and implementing OpenBSD. The learning curve won't be any steeper than getting one of the ports up and running. I don't think you'll regret it.

Solution 2:

CARP is available in Linux. Check out the ucarp project for a user-space implementation, and there is apparently a project porting it to the 2.6 kernels:

http://www.ioremap.net/projects/carp
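
Added example, not part of the original post or of the ucarp project itself: a small POSIX sh wrapper that runs one ucarp instance per shared address on the two-box layout from the question (a LAN gateway VIP plus one VIP per egress link) and doubles as the up/down script that ucarp calls on a master change. Interface names, addresses, VHIDs and the /etc/ucarp paths are invented; the ucarp options used (--interface, --srcip, --vhid, --addr, --advskew, --preempt, --passfile, --upscript, --downscript, --daemonize) are the documented ones, and ucarp, as it documents, hands the up/down script the interface as $1 and the VIP as $2. Two caveats a practitioner would want before relying on it: ucarp sends its advertisements (IP protocol 112 to 224.0.0.18, authenticated with an HMAC keyed by the shared password) on the interface that carries the VIP, not on a dedicated cross-over link, so that traffic has to be allowed through the firewall between the two boxes on each of those segments; and, as Solution 1 says of the Linux CARP ports, this moves addresses only and carries no pfsync-style state, so NAT sessions in progress break on failover unless a separate state-sync mechanism is added (conntrackd is the Linux counterpart).

```shell
#!/bin/sh
# carp-fw.sh: ucarp wrapper for a two-box Linux firewall (added example; all values invented)
set -eu

# This box's real addresses; the backup overrides these and sets ADVSKEW=50.
LAN_IP=${LAN_IP:-192.0.2.2}        # eth0, LAN side
ISP1_IP=${ISP1_IP:-198.51.100.2}   # eth1, egress link #1
ISP2_IP=${ISP2_IP:-203.0.113.2}    # eth2, egress link #2
ADVSKEW=${ADVSKEW:-0}              # 0 = preferred master; higher = backup

# run: execute a command, or with DRY_RUN=1 just print it (no root, no ucarp needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vhid_ok <n>: a CARP virtual host ID is 1..255 and must be unique per segment;
# two instances sharing a VHID on one wire fight over the address.
vhid_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ]
}

# vip_change up|down <iface> <vip>
# The body of ucarp's --upscript/--downscript. The VIP is added as a /32 next to
# the box's real address on the same interface, so no connected route changes;
# ucarp itself sends the gratuitous ARP. 'replace' keeps the up path idempotent,
# and a failed 'del' is tolerated so a half-applied state cannot wedge failover.
vip_change() {
    case "$1" in
        up)   run ip addr replace "$3/32" dev "$2" ;;
        down) run ip addr del "$3/32" dev "$2" || true ;;
        *)    echo "vip_change: expected up|down, got '$1'" >&2; return 2 ;;
    esac
}

# carp_instance <iface> <srcip> <vhid> <vip>
# One ucarp process per shared address. The password in /etc/ucarp/carp.pass keys
# the HMAC on the advertisements, so it must match on both boxes and stay root-only
# (a --passfile keeps it out of the process list, unlike --pass).
carp_instance() {
    vhid_ok "$3" || { echo "carp_instance: bad vhid '$3'" >&2; return 1; }
    run ucarp --interface="$1" --srcip="$2" --vhid="$3" --addr="$4" \
        --advskew="$ADVSKEW" --preempt --passfile=/etc/ucarp/carp.pass \
        --upscript=/etc/ucarp/vip-up.sh --downscript=/etc/ucarp/vip-down.sh \
        --daemonize
}

# start_all: the three shared addresses of the question's layout. The cross-over
# port is not used by ucarp (advertisements ride the VIP's own interface); it is
# where a state-sync daemon would talk, if one is added.
start_all() {
    carp_instance eth0 "$LAN_IP"  10 192.0.2.1      # LAN default gateway
    carp_instance eth1 "$ISP1_IP" 11 198.51.100.1   # address on egress link #1
    carp_instance eth2 "$ISP2_IP" 12 203.0.113.1    # address on egress link #2
}

# Entry points. /etc/ucarp/vip-up.sh is just: exec /usr/local/sbin/carp-fw.sh up "$1" "$2"
# (vip-down.sh the same with 'down'); ucarp passes the interface and the VIP.
case "${1:-}" in
    up|down) vip_change "$1" "$2" "$3" ;;
    start)   start_all ;;
    '')      ;;   # no arguments: only define the functions (sourced, or self-test)
    *)       echo "usage: $0 start | up <iface> <vip> | down <iface> <vip>" >&2; exit 2 ;;
esac
```

Install it as /usr/local/sbin/carp-fw.sh, put the shared password in /etc/ucarp/carp.pass (mode 0600), point vip-up.sh and vip-down.sh at it as the comment shows, then run `carp-fw.sh start` on the primary and `ADVSKEW=50 LAN_IP=... ISP1_IP=... ISP2_IP=... carp-fw.sh start` on the backup. `DRY_RUN=1 carp-fw.sh start` prints the three ucarp command lines without touching anything, which is a cheap way to review the configuration before the first real failover test.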

Solution 3:

The web page you probably want to start looking at is linux-ha. One of the tools they offer is the heartbeat program that can be used to fail servers over.