In this article we will look at setting up an existing Linux machine as a failover router to provide quick and automatic switchover from a dead Internet connection (the primary connection) to one that is operational (the secondary connection).
To begin, you'll need a PC with any recent GNU/Linux distro installed. You'll also need three network cards to put into this Linux box. Two of the three network cards, say eth0 and eth1, will connect to the Internet routers/gateways of your primary ISP (say ISP1) and secondary ISP (say ISP2). The third network card, say eth2, will connect to your internal LAN.
Setting up the network
Begin by setting up your network based on the configuration information available to you. You can make the configurations from the X Window GUI using the Network utility. To do so, open the Network utility from Main Menu > System Settings > Network. This will open up a network configuration window displaying a list of all the network cards installed on your system. Double-click on the network card you wish to configure, select the Statically Set IP Addresses option, and assign the IP address along with the subnet mask. There is also a Default Gateway Address field; you can leave it blank for the time being, as it can be specified later on from the command line.
Assign the IP addresses provided to you by your ISPs to the two network cards, eth0 and eth1. In our setup, we assigned eth0=18.104.22.168 and eth1=22.214.171.124 (which are public IP addresses), along with the subnet mask 255.255.255.224.
Assign a private IP address based on your internal LAN subnet to your third card. We assigned eth2=10.0.0.1, where 10.0.0.0/24 was the address range for our internal LAN setup. Save your changes and exit.
Now turn on IP packet forwarding on the Linux box by setting the IP forwarding value to 1 in the /etc/sysctl.conf file and executing the command:
# sysctl -p
Next, you need to configure iptables by adding certain rules, so that your internal LAN can route packets to the Internet. For this, issue the following commands as root:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
# iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
# iptables -A FORWARD ! -s 10.0.0.0/24 -j DROP
The above commands turn on masquerading in the NAT table by appending a POSTROUTING rule (-A POSTROUTING) for all outgoing packets on the two Ethernet interfaces, eth0 and eth1. The next two lines accept forwarding of all packets to and from the 10.0.0.0/24 network. The last line drops the packets that do not come from the 10.0.0.0/24 network.
To make the iptables rules permanent, save them as follows:
# iptables-save > /etc/sysconfig/iptables
Now you must restart your network, as well as iptables:
# /etc/init.d/network restart
# /etc/init.d/iptables restart
To see if your new iptables rules have gone into effect, type
Enabling failover routing
After you have configured your network, the next step is to enable failover routing on your Linux box, so that if the first route dies the router will automatically switch over to the next route. To do so, you'll need to add the default gateway routes provided to you by your ISPs for both your network cards:
# route add default gw 126.96.36.199 dev eth0
# route add default gw 188.8.131.52 dev eth1
Here, 184.108.40.206 is the gateway address given by ISP1 and 220.127.116.11 is the gateway address given by ISP2. Replace them with the addresses available to you. These routes will disappear every time you reboot the system. In order to make these routes permanent, add the above two commands to the /etc/rc.d/rc.local file, which is run at boot time.
Also make sure that all the computers on your internal LAN (10.0.0.0/24) have their default gateway address set to the IP address of the eth2 Ethernet interface (i.e. 10.0.0.1) of your failover router.
Finally, modify the /proc/sys/net/ipv4/route/gc_timeout file. This file contains a numerical value that denotes the time in seconds after which the kernel declares a route to be inactive and automatically switches to the other route if available. Open the file in any text editor and change its default value of 300 to some smaller value, say 10 or 15. Save the changes and exit.
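As an added example (not part of the original article), the steps above gathered into one parameterised POSIX shell script: the interface names, the LAN prefix and the two gateway addresses are placeholders you replace with your own values, and the script only prints the commands unless run as root with --apply, so the rule order (the two ACCEPT rules before the catch-all DROP) can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: the article's failover-router procedure as one script.
# Values below are placeholders (RFC 5737 documentation addresses), not
# real ISP assignments; replace them with your own. Without --apply the
# script only prints what it would run, so the rule order can be checked.
WAN1=eth0; WAN2=eth1; LAN=10.0.0.0/24
GW1=192.0.2.1; GW2=198.51.100.1   # ISP1 and ISP2 gateways (placeholders)
GC_TIMEOUT=10                      # seconds before a route is declared dead

# Emit the setup commands for the given interfaces, LAN prefix and gateways.
failover_rules() {
    wan1=$1; wan2=$2; lan=$3; gw1=$4; gw2=$5; gc=${6:-10}
    cat <<EOF
# 1. IP forwarding, persistent in sysctl.conf and loaded with sysctl -p
if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
fi
sysctl -p
# 2. masquerade the LAN behind whichever WAN link carries the packet
iptables -t nat -A POSTROUTING -o $wan1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $wan2 -j MASQUERADE
# 3. forward LAN traffic only; anything with a foreign source is dropped
iptables -A FORWARD -s $lan -j ACCEPT
iptables -A FORWARD -d $lan -j ACCEPT
iptables -A FORWARD ! -s $lan -j DROP
iptables-save > /etc/sysconfig/iptables
# 4. one default route per ISP; the first one added is used first
route add default gw $gw1 dev $wan1
route add default gw $gw2 dev $wan2
# 5. shorten the dead-route timeout from the 300 s default
echo $gc > /proc/sys/net/ipv4/route/gc_timeout
EOF
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    failover_rules "$WAN1" "$WAN2" "$LAN" "$GW1" "$GW2" "$GC_TIMEOUT" | sh -e
else
    failover_rules "$WAN1" "$WAN2" "$LAN" "$GW1" "$GW2" "$GC_TIMEOUT"
fi
```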
Now your Linux machine is ready to serve as a failover router, automatically and quickly switching to the secondary route every time the primary route fails.