Differences

docs:user-guide:network:high-availability [2018/02/17 21:26] – ↷ Page moved from doc:recipes:high-availability to docs:user-guide:network:high-availability bobafetthotmail
docs:guide-user:network:high-availability [2022/08/31 20:55] – Fixed error in uci file header preventing use of alt config file nathhad
Line 1: Line 1:
-:!: most of this assumes you're familiar with openwrt and basic networking concepts :!: +:!: most of this assumes you're familiar with openwrtbasic networking concepts and are able to tinker around the command-line :!:
- +
-:!: TODO(risk): in progress :!:+
  
 ====== High availability ====== ====== High availability ======
  
-//High availability// is a term that can be used to refer to systems that are designed to remain functional despite some hardware and/or software failures and/or planned maintenance (e.g. upgrades). Actual measured availability (e.g. percentage of time or requests that succeed) can vary.+//High availability// is a term that can be used to refer to systems that are designed to remain functional despite some hardware and/or software failures and/or despite planned maintenance (e.g. upgrades). Actual measured availability (e.g. percentage of time or requests that succeed) can vary.
  
-In this howto, we'll be describing a simple router setup, in an active/backup configuration. +This page describes a simple two router setup, in an active/backup configuration. 
-The devices will share a virtual ip address that hosts on the lan can use as a gateway to reach the internet.+The two devices will share a virtual ip address that hosts on the lan can use as a gateway to reach the internet.
 In case the active router fails or is rebooted, a backup router will take over. In case the active router fails or is rebooted, a backup router will take over.
  
-We will be using keepalived to implement healthchecking and ip failover, and conntrack-tools to implement firewall/nat syncing.+We're using keepalived to implement healthchecking and ip failover, and conntrack-tools to implement firewall/nat syncing.
  
 Most of openwrt configuration required (but not all) is doable from luci web ui as well. Most of openwrt configuration required (but not all) is doable from luci web ui as well.
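Review bot: the new first line reads "openwrtbasic networking concepts", the separator between "openwrt" and "basic" has been lost; suggest "openwrt, basic networking concepts" so the three prerequisites (OpenWrt, basic networking, comfort on the command line) read as a list, and "two router setup" should be hyphenated as "two-router setup". Removing the ':!: TODO(risk): in progress :!:' marker drops the only signal that the page was unfinished; if something in the later sections is still untested, say so where it applies rather than silently clearing the flag.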
Line 20: Line 18:
   * DHCP dynamic WAN IP is possible with keepalived, but requires extra scripting and is not going to be described here.   * DHCP dynamic WAN IP is possible with keepalived, but requires extra scripting and is not going to be described here.
   * VPNs and tunnel setups and failing those over is not covered.   * VPNs and tunnel setups and failing those over is not covered.
-  * Failing over PPPoE WAN is not implement, best bet: let the modem do PPPoE and setup your virtual wan ip to DMZ.+  * Failing over PPPoE WAN is not implemented here, best bet: let the modem do PPPoE and setup your virtual wan ip to DMZ.
  
  
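Review bot: the PPPoE bullet on the + side is a comma splice ("is not implemented here, best bet: ...") and "setup" is the verb here, so "set up"; suggest "is not implemented here. The simplest workaround is to let the modem do PPPoE and set up your virtual wan ip as the modem's DMZ host." That bullet should also state what the DMZ implies: the modem then forwards every inbound connection to the virtual WAN IP, so whichever router currently holds the VIP receives unfiltered internet traffic, and the wan zone firewall rules must be identical and in place on both routers before the DMZ is enabled.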
Line 47: Line 45:
 **keepalived** is a linux daemon that uses VRRP (Virtual Router Redundancy Protocol) to healthcheck and elect a router on the network that will serve a particular IP. We'll be using a small subset of its features in our use case. **keepalived** is a linux daemon that uses VRRP (Virtual Router Redundancy Protocol) to healthcheck and elect a router on the network that will serve a particular IP. We'll be using a small subset of its features in our use case.
  
-''opkg update +''opkg update && opkg install keepalived''
-opkg install keepalived''+
  
 The following configuration in ''/etc/keepalived/keepalived.conf'' assumes routers are symmetrical, ie. they're of the same priority, they start up in backup mode and they will not preemept the other router until they establish other router is gone. The following configuration in ''/etc/keepalived/keepalived.conf'' assumes routers are symmetrical, ie. they're of the same priority, they start up in backup mode and they will not preemept the other router until they establish other router is gone.
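Review bot: merging the two commands into ''opkg update && opkg install keepalived'' is an improvement, since the install no longer runs against a stale package list when the update fails. In the unchanged context line below it, "preemept" should be "preempt", "until they establish other router is gone" needs "the" ("until they establish the other router is gone"), and "ie." is conventionally "i.e.".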
Line 102: Line 99:
 </code> </code>
  
 +To ensure `/etc/init.d/keepalived` script starts the daemon pointed at your config.
 +
 +write the following in `/etc/config/keepalived` :
 +
 +<code>
 +config globals                                                                             
 +   option alt_config_file          "/etc/keepalived/keepalived.conf"
 +</code>
 +
 +This will tell the keepalived service to use the configuration file you wrote at /etc/keepalived/keepalived.conf 
  
 ==== 4. Configure conntrackd ==== ==== 4. Configure conntrackd ====
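Review bot: the `config globals` section in the added block is anonymous (no section name after the type); an init script that fetches the option with `config_get ... globals alt_config_file` looks the section up by name, so given that this revision exists to fix the header so the alt config is picked up at all, check against the release in use and, if needed, name the section (`config globals 'globals'`). Also: "To ensure `/etc/init.d/keepalived` script starts the daemon pointed at your config." is a fragment that runs into the lower-case "write the following in ..."; join them ("To make the ''/etc/init.d/keepalived'' script start the daemon with your config, write the following in ''/etc/config/keepalived'':"), use the page's ''...'' monospace rather than backticks, and drop the trailing whitespace after `config globals`.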
Line 176: Line 183:
 </code> </code>
  
-==== 3. Configure dhcp ====+==== 5. Configure dhcp ====
  
 You'll want DHCP (dnsmasq) to serve 192.168.0.4 (vip address) to hosts on the lan, both as their gateway and DNS. You'll want DHCP (dnsmasq) to serve 192.168.0.4 (vip address) to hosts on the lan, both as their gateway and DNS.
Line 192: Line 199:
 dhcp_option 3 is gateway, dhcp_option 6 is DNS. dhcp_option 3 is gateway, dhcp_option 6 is DNS.
  
-==== 5. Sysupgrade backup add dirs ====+Now we need to configure synchronization of the dhcp leases. Both devices will have a dhcp server and both will assign dynamic IPs to clients. But each will only update its own dhcp lease list. 
 + 
 +Dnsmasq stores current leases in a text file called **/tmp/dhcp.leases** by default in OpenWrt (it's also a configuration option you can change from UCI or Luci web interface (**Network -> DHCP and DNS -> Resolv and Hosts files -> Lease File** ) 
 + 
 +This is what it looks like on my OpenWrt router VM 
 +<code> 
 +root@VM-router:~# cat /tmp/dhcp.leases 
 +1633703346 00:1c:42:0f:b1:c7 192.168.222.244 hostname1 01:00:1c:42:0f:b1:c7 
 +1633703352 c4:41:1e:68:97:62 192.168.222.243 hostname2 01:c4:41:1e:68:97:62 
 +1633703161 c0:10:b1:2c:e4:e6 192.168.123.148 * 01:c0:10:b1:2c:e4:e6 
 +1633703141 e8:f4:08:1f:9c:67 192.168.123.69 hostname3 01:e8:f4:08:1f:9c:67 
 +</code> 
 +The first number is a timestamp (seconds since Unix "beginning of time" date which is somewhere in 1970, so it should be consistent with another device if the clocks are set correctly), then there is mac address of the device, then IP, then hostname (I redacted the hostnames of my devices above), then it seems another mac address but I'm not sure of what that is. 
 + 
 +So we add a simple and dumb script that just merges the files on both devices every X time, and it assumes that dnsmasq will automatically drop the entries when their lease is up. 
 + 
 +We must do the following on both routers. 
 + 
 +Import the public SSH key of the router 1 in router 2 (and the reverse) so they can scp to each other without writing the password 
 +this to read the current public key [[docs:guide-user:security:dropbear.public-key.auth#extras]] 
 +and this to write the key [[docs:guide-user:security:dropbear.public-key.auth#web_interface_instructions]] 
 + 
 +Then copy the following script to **/bin/dnsmasq-lease-sync.sh** and edit the IP address (so it can point to the other router) 
 + 
 +<code> 
 +#!/bin/sh 
 +#syncs contents of dnsmasq dhcp leases 
 + 
 +other_router=192.168.11.254 
 + 
 +scp root@$other_router:/tmp/dhcp.leases /tmp/dhcp_lease_temp 
 + 
 +cat /tmp/dhcp.leases /tmp/dhcp_lease_temp | sort -u > /tmp/dhcp_lease_new 
 + 
 +mv /tmp/dhcp_lease_new /tmp/dhcp.leases 
 +</code> 
 + 
 +then make it executable 
 +<code> 
 +chmod u+x /bin/dnsmasq-lease-sync.sh 
 +</code> 
 +Then add a scheduled task to execute this script every minute and enable cron (scheduled tasks) service. (can be done from luci as well [[docs:guide-user:base-system:cron]]) 
 + 
 +<code> 
 +echo '*/1 * * * *  /bin/dnsmasq-lease-sync.sh' >>  /etc/crontabs/root 
 +echo 'root' >> /etc/crontabs/cron.update 
 +service cron start 
 +</code> 
 + 
 +==== 6. Sysupgrade backup add dirs ====
  
 Add the following directories to ''/etc/sysupgrade.conf''. (can be done from luci as well). Add the following directories to ''/etc/sysupgrade.conf''. (can be done from luci as well).
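Review bot: the sync script has no failure handling for the one case this page is about: when the other router is down, `scp root@$other_router:/tmp/dhcp.leases /tmp/dhcp_lease_temp` fails (or hangs until the TCP timeout while cron starts another copy a minute later), yet the script still runs `cat /tmp/dhcp.leases /tmp/dhcp_lease_temp | sort -u` over whatever stale temp file the last successful run left behind and overwrites `/tmp/dhcp.leases` with the result. Suggest `scp ... || exit 1` directly after the copy and `rm -f /tmp/dhcp_lease_temp` at the end. Two points on the merge itself: `sort -u` only drops byte-identical lines, so after a renewal both the old and the new expiry line for the same MAC and IP survive; merging per MAC and keeping the larger timestamp (the first field) would fit the format described. And dnsmasq holds its own handle on the lease file and rewrites it from its in-memory list, so replacing the path with `mv` is not guaranteed to feed the merged entries into the running daemon; the stated assumption "that dnsmasq will automatically drop the entries when their lease is up" should be verified on the target (compare LuCI's active leases on the backup after a sync) before relying on it for failover. On the prerequisite paragraph: the passwordless root-to-root SSH trust is mutual, so the private key on either router is a root login on the other; since the script only ever fetches one file, the authorized_keys entry on each side can be restricted with dropbear's `command=` and `no-pty` options to the scp of that file. The cron block starts crond but never enables it although the text says "enable cron"; add `service cron enable` so the sync survives a reboot (`*/1 * * * *` is the same as `* * * * *`). The fifth lease-file field the text is unsure about is the DHCP client identifier (option 61): `01:` is the Ethernet hardware type, followed by the MAC.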
Line 199: Line 255:
 /etc/keepalived/ /etc/keepalived/
 /etc/conntrackd/ /etc/conntrackd/
 +/bin/dnsmasq-lease-sync.sh
 </code> </code>
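Review bot: keeping `/bin/dnsmasq-lease-sync.sh` across sysupgrade is the right companion to the new script, but the script also depends on the SSH client key and the peer's host key that step 5 has the reader exchange; if those live outside the default-preserved paths (for example under `/root/.ssh/` when an OpenSSH client is used) they need listing here too, otherwise the first sysupgrade silently breaks the sync until the keys are exchanged again. Worth confirming in the same sentence that `/etc/crontabs/` survives, since the schedule added in step 5 lives there.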
  
  • Last modified: 2023/02/04 18:31
  • by nathhad