EFW Support

First, I'sorry for my English ability is not good!

Endian Firewall Community work well with Proxy server, they bring great advantage to caching.
I see many questions about editing your Endian Firewall Community load balancer, I also tried setting to try but found that this mechanism works by Endian not improve speed Internet access for lost profit the memory buffer, proxy caching.

If you want to test your Endian Firewall Community, please make: You can modifications your Endian run banlancing

Step1. Create a script to run at startup, put in: /etc/rc.d/start/balancing99startup

# --- Begin balancing99startup ---
#!/bin/sh

/etc/init.d/balancingstartup start

exit 0
# --- End balancing99startup ---

Step2. Create test scenarios and change the default gateway, put in: /etc/rc.d/init.d/checkgateway(change)balancingstartup

Step2. Create test scenarios and change the default gateway, put in: /etc/rc.d/init.d/balancingstartup

# ---  Begin checkgateway ---
#!/bin/sh

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
CHECKGATEWAYLOG=/var/log/gatewaystatus

command="$1"

case "$command" in
start)
   echo "Starting modifications routing"
   if [ -f $CHECKGATEWAYLOG ]; then
      /bin/rm $CHECKGATEWAYLOG
   fi
   /usr/local/sbin/balancing & > /dev/null  2>&1
   echo $! > /usr/local/share/balancing.pid
   date +"----- Starting modifications routing ----- (%D %T)" >> $CHECKGATEWAYLOG

;;
stop)
   echo "Stoping modifications routing"
   if [ -f $CHECKGATEWAYLOG ]; then
      /bin/rm $CHECKGATEWAYLOG
   fi
   kill -9 $(cat /usr/local/share/balancing.pid) && rm /usr/local/share/balancing.pid
   date +"----- Stoping modifications routing ----- (%D %T)" >> $CHECKGATEWAYLOG

;;
*)
# --- echo "Usage /etc/init.d/checkgateway(change)balancingstartup start|stop"
echo "Usage /etc/init.d/balancingstartup start|stop"
;;
esac

# ---  End checkgateway ---

Step3. Scripting made simple load balancing, put in: /usr/local/sbin/balancing

# --- Create for 3 Wan, you can custom modifications ---

# ---  Begin balancing ---
#!/bin/bash

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
PROG="balancing"
PROGDIR="/usr/local/sbin"
PROGSTATUS=000

# Configuration Variables

# ----- Begin Of Configuration -----

# Conventionally 0 indicates success in this script.

# Time between checks in seconds
SLEEPTIME=15

# IP Address or Domain name to ping. The script relies on the domain being
# Pingable and always available
# www.sf.net
CHECKHOST1=216.34.181.60
# www.yahoo.com
CHECKHOST2=209.131.36.158
# www.google.com
CHECKHOST3=208.67.216.231
# www.vnexpress.net
CHECKHOST4=210.245.0.22
# www.sourceforge.net
CHECKHOST5=216.34.181.60

# Total ping not available
CHECKNOTRETVAL=0

# If a ping detection does not receive normal response in standard time and the former state of the line is normal.
# When continuous ping detections do not receive normal responses, and the number exceed set number (default :3 ),
# then the state will change into "Break down ?off".
CHECKWEIGHT=3

# Ping timeout in seconds
TIMEOUT=3

# External interfaces (Change for your external interfaces)
EXTIF1=eth1
EXTIF2=eth2
EXTIF3=eth3

# IP address of external interfaces. This is not the gateway address. (Change for IP WAN your external interfaces)
IP1=192.168.1.254
IP2=192.168.2.254
IP3=192.168.3.254

# Gateway IP addresses. This is the first (hop) gateway, could be your router IP
# Address if it has been configured as the gateway. (Change for ip wan your gateway interfaces)
GW1=192.168.1.1
GW2=192.168.2.1
GW3=192.168.3.1

# Relative weights of routes. Keep this to a low integer value. I am using 1 for wan connection
WEIGHT1=1
WEIGHT2=1
WEIGHT3=1

# Broadband providers name; use your own names here.
NAME1=WAN1
NAME2=WAN2
NAME3=WAN3

# No of repeats of success or failure before changing status of connection
SUCCESSREPEATCOUNT=3
FAILUREREPEATCOUNT=1

# Do not change anything below this line

# Last link status indicates the macro status of the link we determined. This is down initially to force routing change upfront. Don't change these values.
LASTLINKSTATUS1=1
LASTLINKSTATUS2=1
LASTLINKSTATUS3=1

# Last ping status. Don't change these values.
LASTPINGSTATUS1=1
LASTPINGSTATUS2=1
LASTPINGSTATUS3=1

# Current ping status. Don't change these values.
CURRENTPINGSTATUS1=1
CURRENTPINGSTATUS2=1
CURRENTPINGSTATUS3=1

# Change link status indicates that the link needs to be changed. Don't change these values.
CHANGELINKSTATUS1=1
CHANGELINKSTATUS2=1
CHANGELINKSTATUS3=1

# Count of repeated up status or down status. Don't change these values.
COUNT1=0
COUNT2=0
COUNT3=0

# Log last load balancing routing status
CHECKGATEWAYLOG=/var/log/gatewaystatus

# ----- End Of Configuration -----

# Check all wan link status

while : ; do

for CHECKHOSTS in {$CHECKHOST1,$CHECKHOST2,$CHECKHOST3,$CHECKHOST4,$CHECKHOST5}
   do
      ping -W $TIMEOUT -I $IP1 -c 1 $CHECKHOSTS > /dev/null  2>&1
      RETVAL=$?
      if [ $RETVAL -ne 0 ]; then
          CHECKNOTRETVAL=`expr $CHECKNOTRETVAL + 1`
      fi
   done

if [ $CHECKNOTRETVAL -ge $CHECKWEIGHT ]; then
   RETVAL=1
else
   RETVAL=0
fi

CHECKNOTRETVAL=0

if [ $RETVAL -ne 0 ]; then
   echo Warning !!! $NAME1 Down
   echo $PROGSTATUS
   CURRENTPINGSTATUS1=1
else
   CURRENTPINGSTATUS1=0
fi

if [ $LASTPINGSTATUS1 -ne $CURRENTPINGSTATUS1 ]; then
   echo Ping status changed for $NAME1 from $LASTPINGSTATUS1 to $CURRENTPINGSTATUS1
   COUNT1=1
else
   if [ $LASTPINGSTATUS1 -ne $LASTLINKSTATUS1 ]; then
      COUNT1=`expr $COUNT1 + 1`
   fi
fi

if [[ $COUNT1 -ge $SUCCESSREPEATCOUNT || ($LASTLINKSTATUS1 -eq 0 && $COUNT1 -ge $FAILUREREPEATCOUNT) ]]; then
   echo Uptime status will be changed for $NAME1 from $LASTLINKSTATUS1
   CHANGELINKSTATUS1=0
   COUNT1=0
if [ $LASTLINKSTATUS1 -eq 1 ]; then
   LASTLINKSTATUS1=0
else
   LASTLINKSTATUS1=1
fi
else
   CHANGELINKSTATUS1=1
fi

LASTPINGSTATUS1=$CURRENTPINGSTATUS1

for CHECKHOSTS in {$CHECKHOST1,$CHECKHOST2,$CHECKHOST3,$CHECKHOST4,$CHECKHOST5}
   do
     ping -W $TIMEOUT -I $IP2 -c 1 $CHECKHOSTS > /dev/null  2>&1
     RETVAL=$?
     if [ $RETVAL -ne 0 ]; then
        CHECKNOTRETVAL=`expr $CHECKNOTRETVAL + 1`
     fi
   done

if [ $CHECKNOTRETVAL -ge $CHECKWEIGHT ]; then
   RETVAL=1
else
   RETVAL=0
fi

CHECKNOTRETVAL=0

if [ $RETVAL -ne 0 ]; then
   echo Warning !!! $NAME2 Down
   echo $PROGSTATUS
   CURRENTPINGSTATUS2=1
else
   CURRENTPINGSTATUS2=0
fi

if [ $LASTPINGSTATUS2 -ne $CURRENTPINGSTATUS2 ]; then
   echo Ping status changed for $NAME2 from $LASTPINGSTATUS2 to $CURRENTPINGSTATUS2
   COUNT2=1
else
if [ $LASTPINGSTATUS2 -ne $LASTLINKSTATUS2 ]; then
   COUNT2=`expr $COUNT2 + 1`
fi
fi

if [[ $COUNT2 -ge $SUCCESSREPEATCOUNT || ($LASTLINKSTATUS2 -eq 0 && $COUNT2 -ge $FAILUREREPEATCOUNT) ]]; then
   echo Uptime status will be changed for $NAME2 from $LASTLINKSTATUS2
   CHANGELINKSTATUS2=0
   COUNT2=0
if [ $LASTLINKSTATUS2 -eq 1 ]; then
   LASTLINKSTATUS2=0
else
   LASTLINKSTATUS2=1
fi
else
   CHANGELINKSTATUS2=1
fi

LASTPINGSTATUS2=$CURRENTPINGSTATUS2

for CHECKHOSTS in {$CHECKHOST1,$CHECKHOST2,$CHECKHOST3,$CHECKHOST4,$CHECKHOST5}
   do
     ping -W $TIMEOUT -I $IP3 -c 1 $CHECKHOSTS > /dev/null  2>&1
     RETVAL=$?
     if [ $RETVAL -ne 0 ]; then
        CHECKNOTRETVAL=`expr $CHECKNOTRETVAL + 1`
     fi
   done

if [ $CHECKNOTRETVAL -ge $CHECKWEIGHT ]; then
   RETVAL=1
else
   RETVAL=0
fi

CHECKNOTRETVAL=0

if [ $RETVAL -ne 0 ]; then
   echo Warning !!! $NAME3 Down
   echo $PROGSTATUS
   CURRENTPINGSTATUS3=1
else
   CURRENTPINGSTATUS3=0
fi

if [ $LASTPINGSTATUS3 -ne $CURRENTPINGSTATUS3 ]; then
   echo Ping status changed for $NAME3 from $LASTPINGSTATUS3 to $CURRENTPINGSTATUS3
   COUNT3=1
else
if [ $LASTPINGSTATUS3 -ne $LASTLINKSTATUS3 ]; then
   COUNT3=`expr $COUNT3 + 1`
fi
fi

if [[ $COUNT3 -ge $SUCCESSREPEATCOUNT || ($LASTLINKSTATUS3 -eq 0 && $COUNT3 -ge $FAILUREREPEATCOUNT) ]]; then
   echo Uptime status will be changed for $NAME3 from $LASTLINKSTATUS3
   CHANGELINKSTATUS3=0
   COUNT3=0
if [ $LASTLINKSTATUS3 -eq 1 ]; then
   LASTLINKSTATUS3=0
else
   LASTLINKSTATUS3=1
fi
else
   CHANGELINKSTATUS3=1
fi

LASTPINGSTATUS3=$CURRENTPINGSTATUS3

# Custom policy-based routing

if [[ $CHANGELINKSTATUS1 -eq 0 || $CHANGELINKSTATUS2 -eq 0 || $CHANGELINKSTATUS3 -eq 0 ]]; then
   if [[ $LASTLINKSTATUS1 -eq 1 && $LASTLINKSTATUS2 -eq 1 && $LASTLINKSTATUS3 -eq 0  ]]; then
      ip route flush cache
      sleep $SLEEPTIME
      echo Custom policy-based routing To 1 Wan - Switching To $NAME3
      date +"----- Custom policy-based routing :: 1 Wan - $NAME3 (%D %T) -----" >> $CHECKGATEWAYLOG
      PROGSTATUS=003
      echo $PROGSTATUS
      ip route replace default scope global via $GW2 dev $EXTIF2
      ip route show | awk '{print}' >> $CHECKGATEWAYLOG
   elif [[ $LASTLINKSTATUS1 -eq 1 && $LASTLINKSTATUS2 -eq 0 && $LASTLINKSTATUS3 -eq 1 ]]; then
      ip route flush cache
      sleep $SLEEPTIME
      echo Custom policy-based routing To 1 Wan - Switching To $NAME2
      date +"----- Custom policy-based routing :: 1 Wan - $NAME2 (%D %T) -----" >> $CHECKGATEWAYLOG
      PROGSTATUS=002
      echo $PROGSTATUS
      ip route replace default scope global via $GW2 dev $EXTIF2
      ip route show | awk '{print}' >> $CHECKGATEWAYLOG
   elif [[ $LASTLINKSTATUS1 -eq 0 && $LASTLINKSTATUS2 -eq 1 && $LASTLINKSTATUS3 -eq 1 ]]; then
      ip route flush cache
      sleep $SLEEPTIME
      echo Custom policy-based routing To 1 Wan - Switching To $NAME1
      date +"----- Custom policy-based routing :: 1 Wan - $NAME1 (%D %T) -----" >> $CHECKGATEWAYLOG
      PROGSTATUS=001
      echo $PROGSTATUS
      ip route replace default scope global via $GW1 dev $EXTIF1
      ip route show | awk '{print}' >> $CHECKGATEWAYLOG
   elif [[ $LASTLINKSTATUS1 -eq 1 && $LASTLINKSTATUS2 -eq 0 && $LASTLINKSTATUS3 -eq 0 ]]; then
      ip route flush cache
      sleep $SLEEPTIME
      echo Custom policy-based routing To 2 Wan - Switching To $NAME2, $NAME3
      date +"----- Custom policy-based routing :: 2 Wan - $NAME2, $NAME3 (%D %T) -----" >> $CHECKGATEWAYLOG
      PROGSTATUS=023
      echo $PROGSTATUS
      ip route replace default scope global nexthop via $GW2 dev $EXTIF2 weight $WEIGHT2 nexthop via $GW3 dev $EXTIF3 weight $WEIGHT3
      ip route show | awk '{print}' >> $CHECKGATEWAYLOG
   elif [[ $LASTLINKSTATUS1 -eq 0 && $LASTLINKSTATUS2 -eq 0 && $LASTLINKSTATUS3 -eq 1 ]]; then
      ip route flush cache
      sleep $SLEEPTIME
      echo Custom policy-based routing To 2 Wan - Switching To $NAME1, $NAME2
      date +"----- Custom policy-based routing :: 2 Wan - $NAME1, $NAME2 (%D %T) -----" >> $CHECKGATEWAYLOG
      PROGSTATUS=012
      echo $PROGSTATUS
      ip route replace default scope global nexthop via $GW1 dev $EXTIF1 weight $WEIGHT1 nexthop via $GW2 dev $EXTIF2 weight $WEIGHT2
      ip route show | awk '{print}' >> $CHECKGATEWAYLOG
   elif [[ $LASTLINKSTATUS1 -eq 0 && $LASTLINKSTATUS2 -eq 1 && $LASTLINKSTATUS3 -eq 0 ]]; then
      ip route flush cache
      sleep $SLEEPTIME
      echo Custom policy-based routing To 2 Wan - Switching To $NAME1, $NAME3
      date +"----- Custom policy-based routing :: 2 Wan - $NAME1, $NAME3 (%D %T) -----" >> $CHECKGATEWAYLOG
      PROGSTATUS=013
      echo $PROGSTATUS
      ip route replace default scope global nexthop via $GW1 dev $EXTIF1 weight $WEIGHT1 nexthop via $GW3 dev $EXTIF3 weight $WEIGHT3
      ip route show | awk '{print}' >> $CHECKGATEWAYLOG
   elif [[ $LASTLINKSTATUS1 -eq 0 && $LASTLINKSTATUS2 -eq 0 && $LASTLINKSTATUS3 -eq 0 ]]; then
      ip route flush cache
      sleep $SLEEPTIME
      echo Custom policy-based routing To 3 Wan - Switching To $NAME1, $NAME2, $NAME3
      date +"----- Custom policy-based routing :: 3 Wan - $NAME1, $NAME2, $NAME3 (%D %T) -----" >> $CHECKGATEWAYLOG
      PROGSTATUS=123
      echo $PROGSTATUS
      ip route replace default scope global nexthop via $GW1 dev $EXTIF1 weight $WEIGHT1 nexthop via $GW2 dev $EXTIF2 weight $WEIGHT2 nexthop via $GW3 dev $EXTIF3 weight $WEIGHT3
      ip route show | awk '{print}' >> $CHECKGATEWAYLOG
   fi
   ip route flush cache
fi
sleep $SLEEPTIME
done

# ---  End balancing ---

### Luck for you ###

   
PS:
I wish if others are able to use static routes using different uplinks gateway - "Custom policy-based routing with static routes"

If anyone has ideas about this?

------------------------------------------------

Thanks schnoerkel for the advice of my mistakes.

Please correct the following:

Step1. Create a script to run at startup, put in: /etc/rc.d/start/balancing99startup

purposes; program called the boot Endian Firewall


Step2. Create test scenarios and change the default gateway, put in: /etc/rc.d/init.d/balancingstartup

purposes; permanent check the status of links wan (checkgateway)

Step3. Scripting made simple load balancing, put in: /usr/local/sbin/balancing

Hi haiau,

the script "/etc/init.d/balancingstartup" does not exist, it should be "/etc/init.d/checkgateway" in te script "balancing99startup" step 1 ?


or need to create a sript "balancingstartup" created

with "checkgateway", it works perfectly.


schnoerkel

Thanks for the advice of my mistakes.

Please correct the following:

Step1. Create a script to run at startup, put in: /etc/rc.d/start/balancing99startup

purposes; program called the boot Endian Firewall


Step2. Create test scenarios and change the default gateway, put in: /etc/rc.d/init.d/balancingstartup

purposes; permanent check the status of links wan (checkgateway)

Step3. Scripting made simple load balancing, put in: /usr/local/sbin/balancing

Hi haiau,

endian 2.3rc1

no internet available if only a wan

no failover works with the script.

can anyone confirm, you can use the recheck,

Thanks

Schnoerkel

I tested the EFW 2.3RC1, but the failover feature does not work on version 2.2 and 2.3RC1, I have to go back to using version 2.2RC3. I'll try to check this script.

i use this script with 2.3 release loadbalance work but haveing some ploblem, smtp can't use firewall log say allow but can't connect to smtp server.if i stop script and use for original smtp can sent email.

Hey everyone...
I have made some modifications on the script for only 2 wan connections (which is the normal enviroment).

I have Efw 2.3 Released on Oct 27/2009.
which says it self has support for multiwan failover, it doesnt matter for me load balancig at this moment.

the script doesn't work for me...

anyway, doing some tests, i find this... I do configure 2 uplinks, Main and Backup...
both of them enabled and started at boot and managed(checkboxes selected)
from outside both IP responses to ping as I permit ICMP for testing...

but whe i phisically disconnect the cable or simply turnoff Modem1 (main uplink)
on the logs I see ifplugd detects the disconnection and then, i should change the ip routes, but looking "ip route" output, still have the gw for MainUplink...

but if I manually disable (by clicking on enable/disable checkbox) the mainuplink, the routes and everything changes to backup uplink! and everything works perfectly!

seems something is wrong or missing on the steps scripts(efw) must do to have failover working!!!

any suggestion???

You can refer to more information about the error in:

1. http://bugs.endian.com/view.php?id=2213
2. http://bugs.endian.com/view.php?id=1438
3. http://bugs.endian.com/view.php?id=2526
4. http://bugs.endian.com/view_all_bug_page.php
5. http://bugs.endian.com/roadmap_page.php

Does the failover system work if Endian does the dialing instead of the modem?

Any updates on this? Does it work on 2.5.1?

This topic seems to be VERY popular!  :P

I'm trying to add load balancing to EFW 2.5.1 Community and I'm in the middle of the way.

I managed to get it working adding a new script like this one:

and manually running it from shell.

So that the command "ip route" show me the two hop with weighted links.

But at this point I cannot made it start automatically at boot...

How can I made the script run at startup on EFW 2.5.1 ?? It should run after everything else has terminated, because running manually from the shell after every re-boot it does work!

As far as I know the only thing you need to do is add policies and it takes care of the rest. We've never installed any scripts or done anything from the command-line.

We've been running two connections since 2.4 and had no problems.

Ok, so I have no idea of what policies I have to add in order to allows both WAN in a "round robin" mood.

Can you help me ? :)

 :D :D :D :D
I managed to get the script running at startup !!! And now it seems to work !!

I simply edited the file  /etc/rc.d/rc.ipac in this way:
As you see I added the line
 /etc/rc.d/init.d/dual_wan_balance.sh
before the exit 0
So that it launch my script from /etc/rc.d/init.d/

I added some beep and sleep to my script be sure it get launched and now on every reboot it starts!

So my dual_wan_balance.sh is now

Now the next thing is to get acpi working  ???

Ok guys, there's just another problem!!
Whenever one the wan uplinks goes down, the route with weights is no more valid.

So I modified a bit more my script just to check my two WAN connection (using ping), then, when I know which WAN is alive I could modify the route policy according to the WANs status.

Here's the script: (I've not parameterized it, but anyone more expert than me could)

The great thing is that adding the call to that script in the file  /etc/rc.d/rc.ipac make it run every time that a device get inactive or active, so it reacts automatically to the status of the links!!

At this point is necessary to disable the failover for the uplinks in the UI of EFW. (because failover is embedded in my script and enabling from UI makes a weird behaviour).

I gave up on Endian, I went with pfSense, its so much faster, A LOT MORE features, and best of all... multiple WAN load-balacing built in!

pfSense eh? I tried ipCop before endian and I found the endian GUI more user friendly and complete.

perhaps I'll give a trial to pfSense too...

I've pfSense but load balancing doesn't work very well
in Endian Firewall isn't yet available? nor in Hardware Appliance ?
thanks

About the load balancing itself, I just do static routing. It works for my needs, and I don't feel like tweaking EFW for that.
New EFW still doesn't have any load balancing option (or I don't see it).
You would be changing the template that recreates the rules, and adding there the weights, this way probably the uplinks watchdog keeps working.
I.e. Endian must create the routing table somewhere, and they updates these routes when some uplink goes down. So tweaking the route creation script would give load balancing with uplink watchdog.
But I don't tested that, it isn't among my priorities. I prefer static, predecible bandwith allocation between WAN links.

[post jacking]
mmiat, I'm interested on your thoughts about pfSense. I know you used Endian Firewall quite a lot, bugs aside ¿do you think pfSense is better?.
I don't find pfSense user-friendly  at all. I just feel it... weird.  I don't like the packaging idea on a firewall, I prefer a full featured firewall with services disabled. This way all talks about the same.
IPFire seems nice, but it has many flaws (bugs, custom made packages that can backfires them, runs on 32bit...)

On a future I plan to recompile the whole Endian Firewall feature set over a stock CentOS 7 64 bits (or Centos 6 64 bits). In 2016 having 32 bit as the main kernel is just plain useless. Almost every computer has 64 bits and more than 3GB RAM,
This way 90% of packages will be vanilla from RedHat/CentOS, with full support for new hardware and virtualization, and we don't have problems with compiling things or weird stuff, and packages will be easier to update (almost a yum update).
 But it's only a idea, maybe there is no room for an Endian fork because majority of people moved to another distros years ago. And it's a task that takes months.

I still use Endian, I've tried to use pfSense for load balancing because Endian doesn't do it, but it doesn't work well so I can think I can continue use Endian.
I've tried ipFire too, but it can't use multiple wan

so, for now, I think Endian is better

Dear Concern,
Why do need virtual hop setting for load balancing and failover?