Use iproute2

[ymolinet]

Hi all,

I'm new user of zentyal and I'm searching how to set this parameters in the web interface :

1. Add post-up and post-down command in network/interfaces
auto eth0
iface eth0 inet static
        address 88.190.X.X
        netmask 255.255.255.255
        network 88.190.X.X
        broadcast 88.190.X.X
        up route add -host 88.190.X.1 dev eth0
        up route add default gw 88.190.X.1

auto eth1
iface eth1 inet static
        address 88.190.X.Y
        netmask 255.255.255.255
        network 88.190.X.Y
        broadcast 88.190.X.Y
        up route add -host 88.190.X.1 dev eth1
        up route add default gw 88.190.X.1

2. Create a routing table for each interface
echo 200 ipsupp0 >> /etc/iproute2/rt_tables
echo 201 ipsupp1 >> /etc/iproute2/rt_tables

3. Add routing rules
ip rule add from 88.190.X.X table ipsupp0
ip rule add from 88.190.X.Y table ipsupp1

4. Add routes
ip route add default via 88.190.X.1 dev eth0 table ipsupp0
ip route add default via 88.190.X.1 dev eth1 table ipsupp1

This configuration is necessary to run zentyal in a VM (Proxmox) in french hoster environnement (ex OVH, ONLINE)
Thanks for your help.
Yannick

[christian]

I already replied in French section.
Please do not cross-post or, at least, (as I understand you may want to have you post visible in 2 different sections as this forum can support multiple languages), provide link to the original post 

[ymolinet]

ok. I'm adding a link to this post in the french post. English post could be more useful for many people.
Following your information in the french post, I'm working on "Advanced Service Configuration" http://doc.zentyal.org/en/develop.html#advanced-service-customisation

[christian]

Using Zentyal as firewall... which means you will have other servers/services behind ? I need to learn a bit more about what OVH provide 

Understanding better what you intend to achieve, I think you can even do it without any need to hook or whatever else similar but only use Zentyal GUI:
defining 2 gateways in Zentyal + configuring failover will, if I understand well, achieve out of the box why you target 
Cool isn't it?

[ymolinet]

In fact my provider is Online, not OVH, but the goal (and method) is the same.

I have a physical machine that run under ProxMox.
a vm act as firewall for each other VM connected on a virtual lan.
At the beginning, we used Pfsense for that.

The firewall need to have a virtual mac address provided by the hoster (Online) for each additionnal IP (ip failover). When you have only one ip failover, all is beautiful and work, even with pfsense. but, if you need more than one ip failover on the same computer, you need to add a net card to your firewall (because 1 IP = 1 mac).

For all ip failover, the default gateway is the default gateway of the physical machine. So you have a gateway on a different subnet of your ipfailover that is the same for each interface. Zentyal Web GUI do not allow to add a gateway that is on a different subnet and do not allow to add static route on an interface (vs gateway). At this time, I haven't found any solution to manage multirouting table from the GUI.

Pfsense work on BSD but is not compilated with the support of multi routing table.
so I need a firewall, working under linux, using iproute2 (for support of multi routing table), with Web GUI, OpenVPN support and CA Authoritory.
After a lot of search, I discover Zentyal and decide to test it.

[christian]

So give a try at why I suggest.
Zentyal documentation is not very useful if you look for more than the usual cookbook stuff ("where to click") but what it does behind the embedded "WAN failover" should really fit with your design, out-of-the-box.

[ymolinet]

do not confuce ip failover and wan failover. Wan Failover work by detecting an anaivalable gateway.
IP FailOver is more like additionnal IP Address provided by the hoster and availlable on all their datacenter.

In fact, you have 3 WAN interface, each have a public IP : 88.190.1.2/32, 88.190.10.54/32, 88.190.20.72/32 (example).
My physical machine have this ip 88.189.50.2/24, and the gateway is 88.189.50.1.
So gateway for 3 WAN interface (vm) is the same 88.189.50.1
Each WAN is available at the same time like multi wan ip address one a single interface.

1. Zentyal do not allow by the GUI to have a 255.255.255.255 mask, I have change a template as posted here : http://forum.zentyal.org/index.php?topic=2393.0
2. Zentyal do not allow by the GUI to add a gateway that is not reachable by the interface. 88.189.50.1 is not on the same network that 88.190.1.2/32, so I must create a muti routing table  (one for each interface) and add route to the gateway for each.
3. I have not found a method to create multi routing table in Zentyal.

After regarding the zentyal hooks, I think that the "postsetconf" method could do the trick on the network module.

[ymolinet]

After configuring a hook network.postsetconf, my routing table works as fine.
I see a rt_tables.mas in /usr/share/zentyal/stubs/network but I can't found any Web GUI to used it. At this time, I have added all instructions in the network.postsetconf.
Perhaps, it could be better to use Web GUI for rt_table ?

[christian]

I'm afraid that what you configure aside Zentyal GUI can't b directly used via Zentyal GUI, including for routing tables. However, I never tried

Indeed, I misunderstood your point about multiple IP. I had WAN failover in mind  and indeed, when adding interface to Zentyal, it must be reachable (which makes sense isn't it?

[ymolinet]

it's not WAN failover.
the name "IP failover" is perhaps a commercial terms for Online.

See it like a public IP that must be associated to a mac address and only one. So if you want a virtual server with multiple public ip, you must subscribe to "ip failover" and create an virtual netcard connected on your server for each.

French link to explain more : http://documentation.online.net/fr/serveur-dedie/reseau/ip-failover

[christian]

it's not WAN failover.

I understand now, reason why  wrote "I had WAN failover in mind"

What you call "IP failover" is known as "virtual IP" in cluster world, assuming you are looking for something like this.

the name "IP failover" is perhaps a commercial terms for Online.

it looks like indeed 

See it like a public IP that must be associated to a mac address and only one. So if you want a virtual server with multiple public ip, you must subscribe to "ip failover" and create an virtual netcard connected on your server for each.

Well, no or at least depending on what you want to achieve... and perhaps the only answer is "yes" in Online world.
Let me explain.
I won't comment design where goal is to have one virtual IP swinging between 2 different servers (like with real cluster), but you can easily define Zentyal server with multiple IPs for same NIC, just adding "virtual interface" in network menu.

This to explain that wording can be confusing  because what Online link you provided describes is clearly "virtual IP swinging between cluster nodes", except that this is done manually (as far as I understand). Thus you raise an interesting question because deploying Zentyal on cluster is pretty recurrent topic.

[ymolinet]

it is possible to create a cluster between two physical machine on Online network if they are in the same Datacenter. Online provide a private network to "join" many computers.
In addition, you can also payed for a SAN storage and ... create a cluster. So you are right, it's like a cluster.

my conf with network.postsetconf work as fine. I'm just enabled ping to WAN for test, and each reply correctly.

[ymolinet]

I think I have an issue with port forwarding.
Zential use the last interface set by network.postsetconf as default interface (why not?).
If I do a port forward (http to an internal web server) it's work.
If I use another WAN interface, it don't work. an idea ?

[christian]

If I use another WAN interface, it don't work.

What does this mean ? forwarding packets received on external interface to another external IP ? Is it what you mean ?

[ymolinet]

In my configuration, I have 3 WAN interfaces (WAN1, WAN2, WAN3)
Zentyal use WAN3 as default.
If I configure a port forward on WAN3 to internal web server, it's working. but I set port forward on WAN2 (the rule, just change 'interface') it's not working.

My first idea is that packets come back by the default (WAN3) interface instead of the original WAN.