
Multiple interface failover... How to set up?


jonheese (Programmer), Oct 7, 2005
Okay, I'm not sure if this question belongs here, so let me know if there's a better place to ask. Here goes:

I've got a trio of Win2k3 servers here in the office, along with a handful (~15) of workstations. Our T-1 connection to the office has been a little flaky recently, so we're going to get a DSL connection, to be used as a backup to the T-1, for the times when it's down.

So, each of the servers (and the ISA server for the WSs) will have 3 NICs, as follows:

NIC 1: Local subnet (i.e. 192.168.3.x)
NIC 2: Public IP from T-1 router
NIC 3: Public IP from DSL router

Now, what I want is automatic failover: Use the T-1 for outbound connections all the time, unless it goes down, at which point it should switch to the DSL connections, and switch back again when the T-1 comes back online.

Now, I know the theory of setting the metrics on each NIC appropriately so it will use the T-1 NIC by default, and will switch to the DSL NIC if the T-1 NIC goes down. The problem is that in this failure mode, the T-1 NIC link is still "up". That is, it still has physical link with the router (next hop), but the second hop is down...

Is there a way to do this?

I've tested this on one of the servers already, and it works perfectly if I unplug the T-1 NIC, or pull the power on the T-1 router, but if I just pull the T-1 line out of the T-1 router (killing the next hop, obviously), the server just keeps dumping packets into the abyss...

Any and all suggestions welcome.

Regards,
Jon Heese
 
I've got to ask - WHY WHY WHY would you configure public IP addresses on your servers?

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
They are public servers that need to be accessible to our other offices around the world. They serve web content, Exchange RPC/HTTP, Sharepoint, Terminal Services, etc...

How would you have me grant access to these services? Through a NAT device? No thank you.

Regards,
Jon Heese
 
A NAT device is FAR more secure. You've got your stuff flapping in the wind. Every port is accessible. At least behind a firewall you only need to open a handful of ports.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Is this related to my question at all?

Not to be rude, but I don't need to be lectured on basic architecture; there are plenty of reasons to give each server a public IP, not the least of which is that all 3 of them need to be able to serve web content on port 80. This is something that was decided by my superiors and is not up for discussion.

Furthermore, every port is most certainly NOT "flapping in the wind". We have software firewalls in place that allow only the necessary ports to be accessed on each server. Seriously, I don't know why I'm even bothering to answer you on this...

Security is not the problem here, WAN link redundancy is. If you could please stick to the topic at hand, I'd appreciate it. :)

Regards,
Jon Heese
 
My point is that behind a firewall is more secure; you can still have port 80 going to each server. It further makes the servers more efficient because they aren't running software-based firewalls. A properly configured firewall and/or router can certainly provide the redundancy you seek, as well as provide enhanced security.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
OK, I'll keep this in mind as an option, but we'd prefer the simplest (and cheapest) solution possible.

Inserting a firewall device in front of each server (which is what I'm assuming you're suggesting) is needless complication. We don't have a problem with efficiency or security, so adding 3 more expensive, power-consuming devices (and 3 more addressable private subnets) to the system is "robbing Peter to pay Paul", in my opinion.

Is there really no way to have the IP stack detect a downlevel outage and change the metric of the interface? I'd even consider something as simple as a ping script that enables and disables the interface as the link goes up and down... If I could be sure it was fool-proof.

Regards,
Jon Heese
 
One more note: The guy in charge of making the final decision on purchases is notorious for getting the cheapest possible hardware to do the job, at the expense of reliability.

I don't want to have to support three Linksys RV042's in front of three perfectly good reliable servers unless absolutely necessary...

Regards,
Jon Heese
 
I don't have any info on how you would do it the way you propose but some of the better firewalls out there have dual wan ports for exactly the redundancy you are after.
 
Right, but again, the scalability of that is far from what I'm after... Should I buy a dual-WAN firewall for each server? Plus one more for the ISA server? What if we add more servers in the future? More firewalls? It just seems inefficient to me...

Maybe I'm just daft, but I still think there's got to be a "better" solution...

Regards,
Jon Heese
 
Could you not use the driver of the NICs to put them in a team for load balancing or redundancy (redundancy in your case)?

You might need to invest in some proper server NICs from Intel, Broadcom or 3COM or whatever but the drivers that come with these will allow you to team them. Not sure what NICs you have now but there may already be a driver for your NICs that'll do this.
 
Oooh, now there's an idea that sounds viable... I'll look into it. Thanks!

Regards,
Jon Heese
 
Question: Do you think that a NIC like that will be smart enough to detect a down-level outage? That is, it would still have physical link to the T-1 router, and could ping it, but couldn't get packets out past that point...

I'm looking at the Intel PRO/1000 PT Dual Port Server NICs as an option here, and I'll probably be calling Intel to get some more information and find out for sure whether they are smart enough to do what we want here...

Regards,
Jon Heese
 
And a single firewall would suffice in my solution.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Can you please explain how a single firewall will do what I need, Pat?

Regards,
Jon Heese
 
I'm specifically wondering how to differentiate between the services (i.e. Web, Terminal Services, etc.) being served on the same port across all three machines if they're only accessible behind a NAT device.

Example:

If I want to hit a website on server1, I go to " But what if I want to hit a website on server2 or server3? Alternate public ports are not an option.

Regards,
Jon Heese
 
That all depends on the make & model of the firewall. We use Cisco ASA devices. We can specify multiple public IP addresses be allowed port 80 traffic through to individual private machines. I have a single client, a large church, that has almost a dozen web services, all on different internal servers, accessible through various external public IP addresses over port 443.

We have an external A record, such as mail, intranet, vpn, etc. that forwards through the firewall to the correct resources.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Sounds interesting, but also out of the price range of this company. What kind of price range are we talking for one such device? Model number?

My experience with Cisco devices is limited to the PIX 501, so I am far from an expert when it comes to configuring such a device. Is this something I should be able to tackle?

I know that both I and my supervisors would be more comfortable with a solution that doesn't involve thousands of dollars in purchases and added device complication if the same outcome can be achieved with a handful of dual-port NICs and some Intel driver trickery...

Regards,
Jon Heese
 
If price is such a concern on setting this up correctly, then look at a Linksys RV042; CDW has them for $180.00. This is by no means an enterprise-level solution, but it's what you need to do this anywhere close to standards.

"The Linksys 10/100 4-Port VPN Router is an advanced Internet-sharing network solution for your small business needs. Like any router, it lets multiple computers in your office share an Internet connection. But the unique dual Internet ports on the 10/100 4-Port VPN Router let you connect a second Internet line as a backup to insure that you're never disconnected. Or, use both Internet ports at the same time, and let the router balance your office's requirements between them for maximum bandwidth efficiency."

Bla bla bla... you can read the rest on their site... I'm sure Netgear and DLink have something similar... we are only talking about 15 stations.
 
Yes, I've worked with the RV082 and RV042 before; see my previous post above about it.

I'm not sure that this really addresses the issue though...

Remember that I have 4 (1 ISA and 3 web/TS/Exchange) servers and ~15 workstations here... Each of the servers must be publicly addressable, and the workstations only need outbound access to the web.

Wouldn't I have to purchase and set up 4 RV042's here: 1 for the ISA server (and by proxy, the 15 WSs), and 1 for each of the 3 servers?

If this is really the only way to do this, I may just resort to a ping script that monitors the T-1 by pinging a host down a static route and switches the default gateway of the machines based on the ping output...

This would be much simpler than setting up another router for each server, and accomplish the same goal for free...

Regards,
Jon Heese
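The ping-script approach sketched in the two posts above (probe a host through a static route pinned to the T-1, and swap the preferred default gateway when the probe fails) can be written as a small monitor. The script below is an added example, not code from this thread or from any of the products mentioned. It assumes placeholder RFC 5737 addresses for the T-1 gateway, the DSL gateway and the probe host, Windows `route` command syntax for the gateway swap, and fail/recover thresholds chosen here for illustration. The part worth taking from it is the hysteresis: a single lost echo must not flip the default gateway, and failback should wait for a run of good probes, or the servers will flap between the two links. It also checks for a TTL in the ping output rather than trusting the exit code, because on Windows a "Destination host unreachable" answer from the local router still exits 0, which is exactly the failure mode where the T-1 NIC has link but the line behind the router is dead.

```python
# Ping-based WAN failover monitor: added example, not code from the thread.
# Assumptions (constructed placeholder addresses, not from the original post):
#   T1_GATEWAY  - next hop on the T-1 NIC
#   DSL_GATEWAY - next hop on the DSL NIC
#   PROBE_HOST  - a host beyond the T-1 router, reached via a pinned static route
import platform
import subprocess
import time

T1_GATEWAY = "203.0.113.1"    # placeholder (RFC 5737 TEST-NET-3)
DSL_GATEWAY = "198.51.100.1"  # placeholder (RFC 5737 TEST-NET-2)
PROBE_HOST = "192.0.2.10"     # placeholder (RFC 5737 TEST-NET-1)
INTERVAL_SECONDS = 10


class FailoverState:
    """Counts consecutive probe results and decides when to switch paths.

    Separate fail and recover thresholds give hysteresis, so one lost ping
    does not flap the default gateway back and forth.
    """

    def __init__(self, fail_threshold=3, recover_threshold=6):
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.on_backup = False
        self.fail_count = 0
        self.ok_count = 0

    def update(self, probe_ok):
        """Feed one probe result; return 'failover', 'failback' or None."""
        if probe_ok:
            self.fail_count = 0
            self.ok_count += 1
            if self.on_backup and self.ok_count >= self.recover_threshold:
                self.on_backup = False
                return "failback"
        else:
            self.ok_count = 0
            self.fail_count += 1
            if not self.on_backup and self.fail_count >= self.fail_threshold:
                self.on_backup = True
                return "failover"
        return None


def probe_route_command(probe_host, t1_gw):
    """Persistent host route pinning the probe to the T-1 next hop, so the
    check always goes out that NIC whichever default route is preferred."""
    return f"route -p add {probe_host} mask 255.255.255.255 {t1_gw} metric 1"


def route_commands(event, t1_gw, dsl_gw):
    """Windows 'route' commands that make the chosen path the preferred default.

    Both default routes stay installed; only the metrics are swapped, so the
    stack prefers the lower one and the other remains as a fallback.
    """
    if event == "failover":
        primary, secondary = dsl_gw, t1_gw
    elif event == "failback":
        primary, secondary = t1_gw, dsl_gw
    else:
        return []
    return [
        f"route delete 0.0.0.0 mask 0.0.0.0 {primary}",
        f"route add 0.0.0.0 mask 0.0.0.0 {primary} metric 1",
        f"route delete 0.0.0.0 mask 0.0.0.0 {secondary}",
        f"route add 0.0.0.0 mask 0.0.0.0 {secondary} metric 10",
    ]


def ping_once(host, timeout_seconds=1):
    """True only if an echo reply carrying a TTL came back. A 'Destination
    host unreachable' from the local router exits 0 on Windows, so the exit
    code alone would report the dead T-1 line as healthy."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_seconds * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_seconds), host]
    try:
        out = subprocess.run(cmd, capture_output=True,
                             timeout=timeout_seconds + 2).stdout
    except (OSError, subprocess.TimeoutExpired):
        return False
    return b"ttl=" in out.lower()


def apply(commands, dry_run=True):
    """Print the route changes; run them only when dry_run is False."""
    for cmd in commands:
        print(cmd)
        if not dry_run:
            subprocess.run(cmd.split(), check=False)


if __name__ == "__main__":
    state = FailoverState()
    print(probe_route_command(PROBE_HOST, T1_GATEWAY))  # install once, by hand
    while True:
        event = state.update(ping_once(PROBE_HOST))
        if event:
            print(f"{time.strftime('%H:%M:%S')} {event}")
            apply(route_commands(event, T1_GATEWAY, DSL_GATEWAY), dry_run=True)
        time.sleep(INTERVAL_SECONDS)
```

Run it with `dry_run=True` first and watch the commands it would issue while you pull the T-1 line out of the router; only switch to `dry_run=False` once the timing of failover and failback looks right. The probe host should be something stable on the far side of the T-1 (the provider's side of the link, or a host at another office) so the check measures the WAN path rather than the local router.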
 