Fencing ClearBOX with Bypass and Heartbeat
Getting Started
You will need two ClearBOX 300 servers installed in the default mode. We'll call them 'firewall1' and 'firewall2'. Assign the NICs as follows:
firewall1
- eth0: WAN (crossconnected to eth1 on firewall2)
- eth1: Not assigned (empty)
- eth2: LAN (crossconnected to eth3 on firewall2)
- eth3: Not assigned (empty)
- eth4: Heartbeat NIC (crossconnected to eth4 on firewall2)
- eth5: Management
firewall2
- eth0: WAN (connected to Internet)
- eth1: Not assigned (crossconnected to eth0 on firewall1)
- eth2: LAN (connected to LAN)
- eth3: Not assigned (crossconnected to eth2 on firewall1)
- eth4: Heartbeat NIC (crossconnected to eth4 on firewall1)
- eth5: Management
Nomenclature for networks
- 172.16.0.x (WAN)
- 192.168.1.x (LAN)
- 10.10.10.x (Heartbeat)
You will need to name the servers correctly.
vi /etc/hosts
In addition, each server must be able to resolve the other's name on the heartbeat network, so add the partner's heartbeat address to /etc/hosts.
firewall1 /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 firewall1.clearos.lan system localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.10.10.2 firewall2.clearos.lan firewall2
firewall2 /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 firewall2.clearos.lan system localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.10.10.1 firewall1.clearos.lan firewall1
Test that each server resolves the other's name to its heartbeat address.
Install heartbeat packages
From the command line, install the heartbeat packages by running the following command:
yum --enablerepo=clearos-core,clearos-epel install heartbeat
Then enable heartbeat to start on boot:
chkconfig --add heartbeat && chkconfig --list heartbeat
Configure heartbeat
Configure the following on firewall1
/etc/ha.d/ha.cf
logfile /var/log/ha-log
logfacility local0
keepalive 1
deadtime 4
initdead 5
bcast eth4
udpport 694
auto_failback on
node firewall1.clearos.lan
node firewall2.clearos.lan
/etc/ha.d/haresources
firewall1.clearos.lan bypass
Propagate
Use the ha_propagate command to copy these settings to the partner node of the HA cluster. This will also test your config.
/usr/share/heartbeat/ha_propagate
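As an added consistency check (not part of the original page or of ClearOS), the following script verifies that ha.cf, haresources and /etc/hosts agree before you propagate: the resource owner is a declared node, the timers are sane, and every peer has an entry on the 10.10.10.x heartbeat network. It runs on sample config text embedded inline that mirrors the firewall1 files above; point it at the real files in production.

```shell
#!/bin/bash
# Constructed sample inputs mirroring the page's firewall1 configuration; they are
# embedded so the check runs offline. Replace them with the real files in production.
HA_CF='logfile /var/log/ha-log
keepalive 1
deadtime 4
initdead 5
bcast eth4
node firewall1.clearos.lan
node firewall2.clearos.lan'
HARESOURCES='firewall1.clearos.lan bypass'
HOSTS_FW1='127.0.0.1 firewall1.clearos.lan system localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.10.10.2 firewall2.clearos.lan firewall2'

# check_ha_config <ha.cf text> <haresources text> <hosts text> <local fqdn>
# Returns 0 when the three files agree, 1 otherwise (each problem is printed).
check_ha_config() {
    local ha_cf="$1" haresources="$2" hosts="$3" self="$4" ok=0
    local keepalive deadtime initdead primary node
    keepalive=$(printf '%s\n' "$ha_cf" | awk '$1=="keepalive"{print $2}')
    deadtime=$(printf '%s\n' "$ha_cf" | awk '$1=="deadtime"{print $2}')
    initdead=$(printf '%s\n' "$ha_cf" | awk '$1=="initdead"{print $2}')
    # Sanity rules applied here (not heartbeat's own validation): a single missed
    # beat must not count as death, and the startup grace must cover deadtime.
    [ "$deadtime" -gt "$keepalive" ] || { echo "deadtime must exceed keepalive"; ok=1; }
    [ "$initdead" -ge "$deadtime" ] || { echo "initdead is below deadtime"; ok=1; }
    # The node that owns the bypass resource must be declared as a node in ha.cf.
    primary=$(printf '%s\n' "$haresources" | awk 'NR==1{print $1}')
    printf '%s\n' "$ha_cf" | awk -v n="$primary" '$1=="node"&&$2==n{f=1} END{exit !f}' \
        || { echo "haresources owner $primary is not a node in ha.cf"; ok=1; }
    # Every peer must have a /etc/hosts entry on the 10.10.10.x heartbeat network,
    # which is the requirement the page states for the two hosts files.
    for node in $(printf '%s\n' "$ha_cf" | awk '$1=="node"{print $2}'); do
        [ "$node" = "$self" ] && continue
        printf '%s\n' "$hosts" | awk -v n="$node" \
            '$1 ~ /^10\.10\.10\./ {for (i=2;i<=NF;i++) if ($i==n) f=1} END{exit !f}' \
            || { echo "peer $node has no 10.10.10.x entry in /etc/hosts"; ok=1; }
    done
    return $ok
}

check_ha_config "$HA_CF" "$HARESOURCES" "$HOSTS_FW1" firewall1.clearos.lan
```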
Bypass Service
The 'bypass' resource is not a real daemon; it is a small init script that toggles the hardware bypass on the NIC pairs. Here is the code for it:
/etc/init.d/bypass
#!/bin/bash
#
# Init file for bypass
#
# chkconfig: 2345 55 25
# description: Bypass enable daemon
#
# processname:

# source function library
. /etc/rc.d/init.d/functions

RETVAL=0
prog="bypass"

# Some variables to make the below more readable
BYPASSDISABLE=/usr/sbin/bypassdisable
BYPASSENABLE=/usr/sbin/bypassenable

# not used
PID_FILE=/var/run/bypass.pid
runlevel=$(set -- $(runlevel); eval "echo \$$#" )

# "start" takes the NIC pairs out of bypass, so traffic flows through this firewall
start() {
    echo -n $"Starting $prog: "
    $BYPASSDISABLE $OPTIONS && success || failure
    echo
}

# "stop" puts the NIC pairs back into bypass, so traffic passes straight through
stop() {
    echo -n $"Stopping $prog: "
    $BYPASSENABLE $OPTIONS && success || failure
    echo
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        RETVAL=2
        ;;
esac
exit $RETVAL
/usr/sbin/bypassdisable
#!/bin/sh
# Take both bypass groups out of bypass
echo 0 > /sys/bus/i2c/devices/0-0026/bypass0
echo 0 > /sys/bus/i2c/devices/0-0022/bypass0
/usr/sbin/bypassenable
#!/bin/sh
# Put both bypass groups into bypass
echo 2 > /sys/bus/i2c/devices/0-0026/bypass0
echo 2 > /sys/bus/i2c/devices/0-0022/bypass0
Setting the BIOS for firewall2
You will want to configure the BIOS on firewall2 so that the NICs do not come up in normal mode but instead default to bypass.
Go to
- Set the Set Bypass Group 1 Status to: Next Boot: Non-Normal, BPE: Enable
- Set the Set Bypass Group 2 Status to: Next Boot: Non-Normal, BPE: Enable