SFScon 2020 - Jakob Schwienbacher - Linux as HA Router - Linux Kernel keepalived conntrackd
0 likes296 views
The document is a technical guide for configuring a Linux-based high availability (HA) router using components like network configuration, Keepalived for load balancing, and Conntrackd for connection tracking. It includes specific Bash commands for setting up network interfaces, kernel modules, and configuration files for Keepalived and Conntrackd. Troubleshooting tips for monitoring connection status are also provided.
SFScon 2020 - Jakob Schwienbacher - Linux as HA Router - Linux Kernel keepalived conntrackd
- 1. linux as HA router Author: Jakob Schwienbacher Work done by: Telmekom NOC Copyright: 2020 Telmekom GmbH
- 2. overview
- 3. things to do ● network configuration ● linux kernel ● keepalived ● conntrackd
- 4. network configuration bash# cat /etc/network/interfaces auto eth0 iface eth0 inet static up ip link set up dev $IFACE down ip link set down dev $IFACE up ip route add 1.1.1.0/24 dev $IFACE auto eth1 iface eth1 inet static up ip link set up dev $IFACE down ip link set down dev $IFACE up ip route add 2.2.2.0/24 dev $IFACE
- 5. linux modules bash# cat /etc/modules nf_conntrack nf_conntrack_pptp nf_conntrack_proto_gre
- 6. linux sysctl bash# cat /etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 net.netfilter.nf_conntrack_buckets = 32768 net.netfilter.nf_conntrack_max = 131072
- 7. keepalived ● health check ● VRRP ● load balancing (optional)
- 8. keepalived bash# cat /etc/keepalived/keepalived.conf vrrp_sync_group FW_VOICE { group { VIP_IPV4 VIP_IPV6 } notify_master "/etc/conntrackd/primary-backup.sh primary" notify_backup "/etc/conntrackd/primary-backup.sh backup" notify_fault "/etc/conntrackd/primary-backup.sh fault" } ...
- 9. vrrp_instance VIP_IPV4 { interface ha0 virtual_router_id 30 advert_int 0.5 priority 100 nopreempt authentication { auth_type PASS auth_pass secret } virtual_ipaddress { 1.1.1.1/27 dev eth0 2.2.2.1/27 dev eth0 } ...
- 10. vrrp_instance VIP_IPV6 { interface ha0 virtual_router_id 30 advert_int 0.5 priority 100 nopreempt authentication { auth_type PASS auth_pass secret } virtual_ipaddress { 2001:db8:1::1/64 dev eth0 2001:db8:2::1/64 dev eth1 }
- 11. conntrackd ● netfilter connection tracking ● state syncronization ● ignore IP list
- 12. bash# cat /etc/conntrackd/conntrackd.conf Mode FTFW { DisableExternalCache Off CommitTimeout 1800 PurgeTimeout 5 } UDP { IPv4_address 169.254.1.1 IPv4_Destination_Address 169.254.1.2 Port 3780 Interface ha0 } conntrackd
- 13. General { Filter From Userspace { Address Ignore { IPv4_address 127.0.0.1 IPv6_address ::1 IPv4_address 169.254.1.1 IPv4_address 169.254.1.2 IPv4_address 1.1.1.1 IPv4_address 2.2.2.1 conntrackd
- 14. troubleshooting ● ip ● conntrack -C | -S ● conntrackd -s
- 15. troubleshooting bash# conntrackd -s cache internal: current active connections: 1 connections created: 1 failed: 0 connections updated: 2 failed: 0 connections destroyed: 0 failed: 0 cache external: current active connections: 16597 connections created: 49986518 failed: 0 connections updated: 213445194 failed: 0 connections destroyed: 49969921 failed: 0
- 16. questions?