Looking for advice on GRE failover

Harry Duncan usr.src.linux at gmail.com
Fri Apr 3 12:57:34 UTC 2015


Hi Guys,

I've been using FreeBSD as gateways and implementing VPNs using GRE
tunnels, but hit a new requirement which I'm struggling to find a solution
for, and thought I might share it here and get your advice on how to
proceed.

Two sites, site-a and site-b, both running FreeBSD gateway servers, both
currently on ADSL for WAN, with a GRE tunnel between the sites,
secured by racoon, but now we need a highly available solution for the
intersite link. We use pf to firewall.

Site-a will have a dependency on infrastructure at site-b, but site-b will
not have any dependency on site-a.

The physical solution will be to add another WAN to each side, this time
based on a wireless broadband link from an alternate provider which, just
like the ADSL connections, will be bridged into the server. What I
would 'like' to have is the following GRE tunnels:


site-a                          site-b
     wisp-a_.._.._.._.._.._wisp-b
           \        ______/
            \      /
             \----------
            _____/      \
           /             \
     adsl-a===============adsl-b



So, GRE tunnels would be:

Primary: wisp-a_.._.._.._.._.._wisp-b

Backup1: adsl-a________________wisp-b

Backup2: wisp-a----------------adsl-b

Backup3: adsl-a================adsl-b


What I need then is an automatic means to route traffic from site-a to
site-b over those 4 tunnels depending on the availability of the link, and
current best thinking is that the above order will apply, but that may vary
once the wisp links go in.

First hit I came up with is CARP, but that would require separate devices
for each tunnel config and even still, I'm not sure I can make the device
unavailable if there is a link problem.

Second hit I came up with is lagg, but it appears to me that this will
require the actual interface to go down in order to change the route.

My preference is to have this as automated as possible but with an alerting
structure to monitor the links for manual intervention, which I can easily
implement with something like nagios.

So my question is, am I looking for another tool on FreeBSD to manage this,
or should I be looking at a tool to heartbeat the links and take the
interfaces down if the heartbeat fails, thus allowing lagg to autofailover
to the next in the list, and then make it a manual alert response to bring
the preferred link back up?

Any thoughts or advice, or even advice on a different, more appropriate list
for this question?

Thanks,

Harry.
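The "heartbeat the links and switch routes" approach Harry describes, written out as an added example (this is not code from the post or from FreeBSD, and the interface names gre0..gre3, the peer tunnel addresses 10.0.x.2 and the remote prefix 192.168.20.0/24 are placeholders). Each GRE interface has a point-to-point route to its peer's inner address, so pinging that address exercises the whole path (WAN, racoon-protected transport and the GRE tunnel itself) without touching the WAN interfaces, which sidesteps the lagg problem of needing the physical link to drop. The script walks the tunnels in the preference order from the diagram, points the site-b prefix at the first peer that answers, and only changes the route when the best live tunnel differs from the one recorded last time:

```shell
#!/bin/sh
# Added example, not part of Harry's post or of FreeBSD: a heartbeat-driven
# route selector for the four GRE tunnels in the diagram. Interface names
# (gre0..gre3), peer tunnel addresses (10.0.x.2) and the remote prefix
# (192.168.20.0/24) are assumed placeholders.

REMOTE_NET="${REMOTE_NET:-192.168.20.0/24}"            # site-b's LAN
STATE_FILE="${STATE_FILE:-/var/run/gre-failover.state}" # last tunnel chosen
PING_COUNT=3
PING_TIMEOUT=5   # seconds; FreeBSD ping(8) -t is an overall timeout

# Preference order from the post: wisp-wisp, adsl-wisp, wisp-adsl, adsl-adsl.
TUNNEL_ORDER="gre0 gre1 gre2 gre3"

# peer_of <tunnel>: the far end's tunnel address; heartbeat target and next hop.
peer_of() {
    case "$1" in
        gre0) echo 10.0.0.2 ;;   # wisp-a .. wisp-b  (Primary)
        gre1) echo 10.0.1.2 ;;   # adsl-a __ wisp-b  (Backup1)
        gre2) echo 10.0.2.2 ;;   # wisp-a -- adsl-b  (Backup2)
        gre3) echo 10.0.3.2 ;;   # adsl-a == adsl-b  (Backup3)
        *)    return 1 ;;
    esac
}

# probe <ip>: heartbeat; succeeds only if the peer answers through the tunnel.
probe() {
    ping -c "$PING_COUNT" -t "$PING_TIMEOUT" "$1" >/dev/null 2>&1
}

# pick_tunnel: print the first tunnel in TUNNEL_ORDER whose peer answers.
pick_tunnel() {
    for ifn in $TUNNEL_ORDER; do
        if probe "$(peer_of "$ifn")"; then
            echo "$ifn"
            return 0
        fi
    done
    return 1
}

# apply_route <tunnel>: point REMOTE_NET at that tunnel's peer. With DRY_RUN=1
# the route(8) command is written to stderr instead of executed, so the
# selection logic can be exercised without root or real tunnels.
apply_route() {
    peer=$(peer_of "$1") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dry-run: route change -net $REMOTE_NET $peer" >&2
    else
        route -q change -net "$REMOTE_NET" "$peer" 2>/dev/null \
            || route -q add -net "$REMOTE_NET" "$peer"
    fi
}

log() {
    logger -t gre-failover "$*" 2>/dev/null || :
    echo "gre-failover: $*" >&2
}

# failover_once: one heartbeat round. Prints the tunnel now in use. Exit 2 when
# nothing answers, which is the condition a nagios check would page on.
# FAILBACK=manual keeps the current tunnel while it still answers, leaving the
# move back to the preferred link to an operator; the default fails back.
failover_once() {
    cur=""
    [ -r "$STATE_FILE" ] && cur=$(cat "$STATE_FILE")
    new=$(pick_tunnel) || {
        log "all tunnels to site-b are down (last good: ${cur:-none})"
        return 2
    }
    if [ "${FAILBACK:-auto}" = manual ] && [ -n "$cur" ] \
        && probe "$(peer_of "$cur")"; then
        new=$cur
    fi
    if [ "$new" != "$cur" ]; then
        apply_route "$new" || return 1
        echo "$new" > "$STATE_FILE"
        log "$REMOTE_NET now via $new (was ${cur:-none})"
    fi
    echo "$new"
}

# From cron(8), e.g. every minute:  gre-failover.sh run
case "${1:-}" in
    run) failover_once ;;
esac
```

Run it from cron on site-a only, since site-b has no dependency on site-a; site-b still needs a route back to site-a's LAN, so either run the same selector there against site-a's prefix or accept asymmetric paths (pf's default floating state policy tolerates replies arriving on a different gre interface, if-bound states would not). The racoon policies have to cover all four WAN endpoint pairs, and the non-zero exit plus the syslog line give nagios something concrete to alert on.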

