
0002526: fail-over between 2 static Ethernet interfaces with the same DNS resolvers (same provider) does not work - MantisBT
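ID: 0002526
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2009-12-11 19:56
Last Update: 2012-05-10 14:51
Reporter: nasir
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: have not tried
Status: confirmed
Resolution: open
Product Version: 2.3
Target Version: future
Summary: 0002526: fail-over between 2 static Ethernet interfaces with the same DNS resolvers (same provider) does not work
Description: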
The setup is 2 Ethernet interfaces as main and uplink1, which are working fine when they are activated and deactivated through the web interface.
But when the main link Ethernet port is disconnected (VMware ESXi VM), the link is reported dead but the backup link uplink1 is not used properly, as reports from the main link IP address are returned as destination unreachable.

After looking around I found that if I delete one rule from the policy router
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
I can restore connectivity through the backup link.
ip rule ---> when both links are up

0: from all lookup local
10: from all to 63.210.62.24/29 lookup main
10: from all to 63.210.32.0/24 lookup main
10: from all to 192.168.177.0/24 lookup main
10: from all to 192.168.155.0/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
199: from all fwmark 0x7d8/0x7f8 lookup uplink-uplink1
200: from 63.210.62.30 lookup uplink-main
200: from 63.210.32.129 lookup uplink-uplink1
32766: from all lookup main
32767: from all lookup default


ip rule ---> when main link is dead

0: from all lookup local
10: from all to 63.210.62.24/29 lookup main
10: from all to 63.210.32.0/24 lookup main
10: from all to 192.168.177.0/24 lookup main
10: from all to 192.168.155.0/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
199: from all fwmark 0x7d8/0x7f8 lookup uplink-uplink1
200: from 63.210.62.30 lookup uplink-main
200: from 63.210.32.129 lookup uplink-uplink1
32766: from all lookup main
32767: from all lookup default

ip rule ---> when main link is

0: from all lookup local
10: from all to 63.210.62.24/29 lookup main
10: from all to 63.210.32.0/24 lookup main
10: from all to 192.168.177.0/24 lookup main
10: from all to 192.168.155.0/24 lookup main
199: from all fwmark 0x7d8/0x7f8 lookup uplink-uplink1
200: from 63.210.32.129 lookup uplink-uplink1
32766: from all lookup main
32767: from all lookup default from the web
Tags: purple
Issue History
2009-12-11 19:56  nasir  New Issue
2009-12-12 00:14  nasir  Note Added: 0003549
2010-01-23 18:22  toeyhack  Note Added: 0003696
2010-03-05 15:58  peter-endian  Note Added: 0003956
2010-03-05 15:58  peter-endian  Status: new => confirmed
2010-09-07 14:45  luca-endian  Tag Attached: purple
2010-09-21 19:11  peter-endian  Target Version: => future
2010-09-21 19:11  peter-endian  Summary: fail-over between 2 static Ethernet interfaces dos not work => fail-over between 2 static Ethernet interfaces with the same DNS resolvers (same provider) does not work
2011-02-02 09:49  luca-endian  Customer Occurencies: => 4-6
2011-02-03 14:52  lorenzo-endian  Assigned To: => peter-endian
2011-02-03 14:52  lorenzo-endian  Severity: minor => major
2012-05-10 14:51  Danoh  Note Added: 0007860
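
The stale-rule condition visible in the `ip rule` listings of the issue description, as an added example that is not part of the original report or of Endian's code: it parses the listing captured while the main link was dead and reports the rules that still look up the dead uplink's table. The function names and the `uplink-<name>` table naming (read off the listing) are assumptions.

```python
import re

# `ip rule` output copied from the issue description (main link reported dead).
IP_RULE_MAIN_DEAD = """\
0: from all lookup local
10: from all to 63.210.62.24/29 lookup main
10: from all to 63.210.32.0/24 lookup main
10: from all to 192.168.177.0/24 lookup main
10: from all to 192.168.155.0/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
199: from all fwmark 0x7d8/0x7f8 lookup uplink-uplink1
200: from 63.210.62.30 lookup uplink-main
200: from 63.210.32.129 lookup uplink-uplink1
32766: from all lookup main
32767: from all lookup default
"""

RULE_RE = re.compile(r"^(?P<prio>\d+):\s+(?P<selector>.*?)\s+lookup\s+(?P<table>\S+)$")
UPLINK_PREFIX = "uplink-"  # assumption: per-uplink tables are named uplink-<name>


def parse_rules(text):
    """Return (priority, selector, table) for every rule line in `ip rule` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m["prio"]), m["selector"], m["table"]))
    return rules


def stale_rules(text, dead_uplinks):
    """Rules that still steer traffic into the table of an uplink reported dead."""
    dead_tables = {UPLINK_PREFIX + name for name in dead_uplinks}
    return [rule for rule in parse_rules(text) if rule[2] in dead_tables]


def delete_commands(rules):
    """Build `ip rule del` commands for operator review; nothing is executed."""
    return [f"ip rule del priority {p} {sel} lookup {tbl}" for p, sel, tbl in rules]


if __name__ == "__main__":
    for cmd in delete_commands(stale_rules(IP_RULE_MAIN_DEAD, {"main"})):
        print(cmd)
```

Removing the two rules it reports from the "main link is dead" listing leaves exactly the rule set shown in the third listing of the description.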

Notes
(0003549)
nasir   
2009-12-12 00:14   
After further tests, I found that the problem is only with DNS resolution, and the issue is that you cannot use the same DNS servers for the main and the backup link, as they are marked with a fwmask that forces them to reply through the main link, which is dead.
I believe this has to be addressed, as using the same DNS servers is very likely if you use 2 uplinks from the same ISP.
(0003696)
toeyhack   
2010-01-23 18:22   
Hi, I also found the same problem. What can I do if I use 2 uplinks from the same ISP?
Can I solve this problem by using another DNS IP address (the DNS IP of another ISP) for the second uplink?
(0003956)
peter-endian   
2010-03-05 15:58   
You can use every DNS resolver you want as long as they allow you to use it.

Those DNS policy routing rules are created so that DNS requests don't exit through the wrong uplink. Many providers don't let you use their DNS resolver if you don't come from an IP address of their network.

Having 2 uplinks of the same provider is a good point. We should make this enforcement optional.
Additionally, you can use one resolver on the main uplink and the other on uplink1.
(0007860)
Danoh   
2012-05-10 14:51   
This needs to be resolved. This is a BIG problem for those who use OpenDNS - we can't use OpenDNS's nameservers on both the Main and Backup uplinks.

Please fix this, it's coming up on 3 years.