Re: decent loadbalancing with 2 different ISP's with minimum risks

From: James Couzens (
Date: 05/05/04

    Date: Wed, 05 May 2004 10:15:02 -0700

    > On Sat 17/04/2004 at 06:46, Ravi wrote:
    > > -vrrpd if using two gateways
    > VRRP is a failover protocol. I don't see how you can achieve load
    > balancing with it.

    What you fellows seek is the Linux Virtual Server ("LVS") project which
    is currently available in both 2.4 and 2.6 Linux kernels. LVS turns
    your router into a Layer-3, Layer-4, and Layer-5/7 switch. Setup is
    simplistic and the load balancing functionality is second to none. LVS
    can also be implemented in three different ways, DIRECTOR, NAT, and

    Should you wish to have high availability I would recommend the keepalived
    project which offers VRRP support through its independent VRRPv2 stack
    for failover detection and execution, and handles individual service
    checks with the ability to pull individual services or fail over the
    entire server. There is also a keepalived fork which offers "threaded
    plugin" support which adds even more functionality.

    In short, keepalived is a userspace daemon for LVS cluster node
    health checks and LVS director failover.

    Linux Virtual Server Project:

    HealthChecking for LVS & High Availability through keepalived:

    keepalived w/ Threaded-Health-Check support:

    Linux Kernel routing patch:

    - Static Routes (remain during failure)
    - Alternative Routes (multipath)
    - Dead Gateway Detection (removes multi-path routes during failure)
    - NAT (correct routing during use of multi-paths)

    Multi-path howto:

    Dead Gateway Detection explained:

    Dead Gateway Detection status:

    Julian Anastasov is my hero, grab myriads of other excellent patches
    from his website here, in addition to DGD patches for kernels other than

    Having spent a recent weekend with the OpenBSD team at their pf
    Hackathon, I was given an exceptional look into pf's current and future
    status. That being said, you can do load balancing through pf in
    addition to making use of the Common Address Redundancy Protocol
    ("CARP") which is a protocol not mired in the patent problems which have
    plagued VRRP. CARP has been developed by members of the OpenBSD team.
    You can find this all in the just recently released v3.5 (I managed to
    obtain a pre copy at CansecWest/Core04 <3) of OpenBSD available for
    download or purchase from their website.

    Firewall Failover with pfsync and CARP:

    CARP port to FreeBSD 5.x:

    Although the OpenBSD functionality is not nearly as mature, or feature
    rich, it's well on its way to delivering much needed networking
    functionality to the BSD community. I'm currently in the middle of
    stress testing this code myself, but to date it delivers the goods, and
    I look forward to future enhancements and userland utilities to assist
    in management.



    James Couzens,
    -----------------------------------------------------------------
    -- ANSI C Sender Policy Framework library
    -- ANSI C Sender Rewriting Scheme library
