Topic: wan load balancing failover and dns

BrettonWoods

  • Guest
wan load balancing failover and dns
« on: November 05, 2013, 06:55:48 am »
I have just had a period of confusion and to be honest I am still trying to work it out.

I have two wan connections to two different isp's.

I thought I had network load balancing and wan failover configured.

Firstly can you have both network load balancing and wan failover configured or is it one or the other?

I am really puzzled by the settings in the wan failover.

I can only ever get one test to save, and this often disappears after a reboot or configuration change.

I got myself into trouble as I had forgotten the router password I had applied, so out came a paper clip and I did a hard reset.

It's also a new router and new ISP, who has told me they are going to send config details which I am still waiting for and just wiped by doing a hard reset.

So I had one router dead and another working.

But my wan traffic stopped completely?

I thought I might get a 50/50 chance with the equal weights but nothing.

Then I have another question: in Network > DNS, has that now gone, as I am showing no root DNS and have no option to add any?

I ended up disabling the dead wan and adding the router ip as a forwarder and the internet came back to life.

Have I missed an update and now we have to configure forwarders and the automatic dns from dhcp clients is not in use anymore?

Sorry about all the questions but it wasn't until a failure that I noticed it doesn't seem to work?
« Last Edit: November 05, 2013, 06:57:56 am by BrettonWoods »

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #1 on: November 06, 2013, 12:28:26 am »
Where are the root dns entries now?

Anyone get similar to this?


ctek

  • Zen Warrior
Re: wan load balancing failover and dns
« Reply #2 on: November 06, 2013, 11:31:04 am »
Hi Bretton,
I have a similar config.
2 lines with two routers before Zentyal.
In Network/DNS I've added the two ISPs' nameservers and OpenDNS.
I've added the IPs from both ISPs to the domain and also to the host srv01.
Domain.com: ip 1 and ip 2.
srv01.domain.com: ip1 and ip2.

After this I've set up WAN failover and load balancing with the same weight on both gateways,
and enabled "WAN failover" in Events.
Let me know if your config is different.
Regards
Bogdan
« Last Edit: November 06, 2013, 11:34:12 am by ctek »

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #3 on: November 06, 2013, 04:46:47 pm »
Exactly the same.

I have fibre on one and ADSL on the other via two ISPs.

Just as a question, are your NICs set up as DHCP so all the DNS and gateways are automatic?

I have given up with the WAN failover; it just will not save.

The load balancing weights I had set at 1:5 in favour of the fibre.

Things actually went OK until I changed the IP on the adsl via the router DHCP.
The router has a function via DHCP to apply a wan static ip of one of five.

Since then the whole internet runs like a bat without wings.

Then my confusion about root DNS, which I thought should be the IPs of my two routers (gone as in above pic).
I have tried the forwarders and even added multiwan routing so DNS queries to the correct DNS go through the correct gateway.

It's sort of back to a reinstall: get the networking going first and then add all my clients again...


christian

  • Guest
Re: wan load balancing failover and dns
« Reply #4 on: November 06, 2013, 05:26:16 pm »
Running 2.2, I'm (almost) not using load balancing because there are not enough features, from my standpoint, in terms of rules and granularity, nor enough documentation about sticky connection management.
I've only a few rules so that I access web sites stored by each of my providers using the gateway pointing to it; otherwise everything goes through the fastest link (FTTH) and ADSL is used only as fail-over.

My configuration is very similar to what ctek describes:
DNS:
Zentyal (localhost)
2 DNS for each of my ISPs
2 OpenDNS servers

I do not use any forwarders
I also don't understand what would be the purpose of:
Quote
Domain.com: ip 1 and ip 2.
srv01.domain.com: ip1 and ip2.
if srv01 is your Zentyal server and if these IPs are either public IPs or even external IPs.
My Zentyal server has only one single internal interface and this is the one I store in Zentyal DNS

Fail-over works almost well. The only real issue I face is that from time to time FTTH is seen as down (perhaps my test is not the most clever), so Zentyal switches to the ADSL gateway but also deactivates the FTTH gateway and never tries to reactivate and test it, while if I do it manually, it works each and every time...

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #5 on: November 06, 2013, 07:05:00 pm »
Thanks Christian.

I am just confused and it might be memory but I thought the root DNS from the DHCP clients on my two external nics showed in the Network > DNS module.

I just have a blank page and a message about forwarders in the above picture.

I get confused with versions and I am not sure if the multigateway rules were in v2. You would be able to tell me.

Your network knowledge is way better than mine, so I would be interested in your thoughts on additions.

I got the ppp username and password from my fibre provider today.

I have deleted much of my firefighting and I am back up and running.

The WAN failover doesn't work from experience. The config just disappears on reboot and when set still doesn't seem to do much.

I might add the google 8.8.8.8 as a forwarder but I still don't have a display of my root dns and I think I used to have?

When I turned off the faulty gateway and ran just on the single adsl all was OK.

It's just made me question the balancing, as even when set to 1:1 it failed consistently, and even though I had one WAN down I thought I would get a 50% chance of it working.

Solution was to disable the downed WAN.

[edit]
currently both wan failures look like they have saved ?!

have not rebooted yet.
« Last Edit: November 07, 2013, 03:34:21 am by BrettonWoods »

christian

  • Guest
Re: wan load balancing failover and dns
« Reply #6 on: November 07, 2013, 06:39:27 am »
Quote
I am just confused and it might be memory but I thought the root DNS from the DHCP clients on my two external nics showed in the Network > DNS module.
I just have a blank page and a message about forwarders in the above picture.

As I don't run 3.x, I'm discovering this new (to me) DNS configuration approach.
To some extent, it makes sense because the previous DNS configuration was confusing for a lot of users, as we have 2 different DNS roles:
- DNS client
- DNS server

So now this is clearer.  8)

On the other hand, what this tells, for those reading carefully, is that if you think about deploying Zentyal as internet gateway only, you will nevertheless have to deploy the DNS server even if you don't need it  :-\
The DNS module is no longer optional but now mandatory. Well, it is no longer a module but part of core Zentyal.
This also makes sense if you think about Microsoft and plan to deploy DC. DNS server is mandatory here.

hehe, the new Zentyal minimum install is bigger and bigger isn't it   :-X

Quote
I get confused with versions and I am not sure if the multigateway rules where in v2. You would be able to tell me.
Yes Zentyal 2.2 does bring rules here too although I can't compare.

Quote
I might add the google 8.8.8.8 as a forwarder but I still don't have a display of my root dns and I think I used to have?
You don't need it any more because of my above comment.
However, you should look at this post.
This guy has poor performances because of, to me, strange rules but also because DNS was swinging between the 2 gateways. We fixed it adding one rule for DNS.

ctek

  • Zen Warrior
Re: wan load balancing failover and dns
« Reply #7 on: November 07, 2013, 11:03:18 am »
Hi Christian, Bretton
The Zentyal server hostname is SRV01.
I've put both public IPs from the ISPs to that host.
Also the same IPs I've used on the domain. All this is done in the DNS section.
This approach is necessary so that the server will be reachable from the internet on both ISPs. If I only set the local interface for the host, this will create a whole bunch of issues. In fact the local IP does not appear in any setup and I do not want it to be propagated onto the internet on a DNS query for my domain.

One of my interfaces (the fiber one) is set with a static IP, the other one is via PPPoE. I've had before a situation where the interfaces were connected to some home routers (D-Link and Huawei) but it still worked.

The rules for DNS sound OK in theory but I've seen that it does not play well in real life. Maybe some sort of BGP mode would be more suitable, but this will be even more complex to implement.

Hope this will clarify more of this confusion with the ambiguous terms used: DNS, forwarders, local domain, external domain etc :)

Regards
Bogdan

christian

  • Guest
Re: wan load balancing failover and dns
« Reply #8 on: November 07, 2013, 11:17:05 am »
Quote
Hope this will clarify more from this confusion with ambigous terms used Dns, Fowarders, local domain External domain etc :)

At least from my side it unfortunately doesn't clarify anything.
Your Zentyal server has 3 IPs:
- one internal interface with private (RFC1918) IP
- Two external interfaces, each with public IP provided by your ISP.

Reaching your server from internet can be done using 2 different implementations:
- name server for your own domain is Zentyal => in such case, Zentyal DNS is used
- name servers are hosted by your registrar and this is where you define the IPs to be used to reach your Zentyal server.

If you are relying on your registrar infrastructure (I believe most of us do this), then what Zentyal DNS contains doesn't really matter (at least for what concerns access from internet).
If you rely on Zentyal DNS, there is a couple of things you have to keep in mind:
- there is no split view, split DNS or whatever you want to call it. To make it short, the whole Zentyal DNS content is visible from the internet, including internal IPs. These are under RFC1918 so not directly reachable, but this may ease some attack from the internet.
- if you also run Samba, editing Zentyal DNS content will have no impact as far as the Zentyal host itself is concerned. Samba will keep synchronizing DNS on your behalf and expose all IPs in DNS.

I can't see your point, nor the relationship between DNS client and BGP. Could you please elaborate on this?

ctek

  • Zen Warrior
Re: wan load balancing failover and dns
« Reply #9 on: November 07, 2013, 12:29:37 pm »
Hi Christian,
Right, my Zentyal has 3 IPs:
1 LAN and 2 for WAN.

I do not rely on my ISP.
I do not use SAMBA and the lan IP does not show up on dig or nslookup.
The BGP implementation does not have anything to do with DNS but it has with load balance and wan fail-over.
To achieve real load balance you will have to make use of EiBGP or *BGP (take a brief look here http://blog.ipspace.net/2013/06/eibgp-load-balancing.html) so that the traffic will be correctly pointed to the interfaces. (this will fall into advanced routing and is not easily done with zentyal)

The only point where my ISP will be involved is with rDNS, so that the reverse lookup will be correct.

The WAN fail-over aspect has two sides! Keep in mind that if you use Zentyal as a server and NOT as a gateway only, the WAN (as an aggregate) has to be reachable on both ISP lines! That also means that the domain will have to be set to "respond" for both IPs, and the host (Zentyal itself) will have to do the same.

The following setup in Zentyal DNS section is valid:

Domain.com ip: xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy;
HOSTS: srv01 ip: xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy;

if you query:
 nslookup srv01.domain.com

Non-authoritative answer:
Name:   srv01.domain.com
Address: xxx.xxx.xxx.xxx
Name:   srv01.domain.com
Address: yyy.yyy.yyy.yyy

so failover is achieved.
Hope this helps.

Best regards
Bogdan

christian

  • Guest
Re: wan load balancing failover and dns
« Reply #10 on: November 07, 2013, 01:30:46 pm »
I think I understand some of the points you describe but still can't put everything in a perspective that makes sense to me. I'm not saying you're wrong, but this makes me totally puzzled.
I feel confusion is because we don't see "fail-over" from the same viewpoint.

If you don't use Zentyal as a gateway but as a server to be accessed from internet, then Zentyal "WAN fail-over" is not for you as this feature doesn't aim, if I understand well, at providing high availability "from internet" but high availability "from intranet to internet".
On top of this, I fully agree that Zentyal is not the wisest choice in case you need some control on routing but I also still don't understand why BGP would help if you don't use Zentyal as gateway (as of course, you do know that BGP stands for Border Gateway Protocol)

This being said, of course if your Zentyal server is only used as server on internet, as you don't use Samba, you can control what DNS exposes by not creating in this DNS any entry for internal servers or services.

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #11 on: November 07, 2013, 02:33:31 pm »
Bogdan, I think there was some confusion over ISP.

I think christian was talking about your domain name registrar, wherever you hold your DNS entries.

Sorry, but before going into the technicals, just put my simple mind a little more at ease.

Is the main objective to do some sort of round robin load balancing for two NICs and ISPs for a single site?

I noticed you have set your rDNS so I am presuming email and the two nics and isp's are also for redundancy?


christian

  • Guest
Re: wan load balancing failover and dns
« Reply #12 on: November 07, 2013, 02:42:41 pm »
Quote
The only point where my ISP will be involved is with rDNS so that the reverse lookup will be correct.

This is another aspect I don't understand. Again, this is perhaps feasible but I just don't understand how to  :-[
How can you have PTR handled by your ISP (I suppose you mean registrar, or perhaps both are the same) with DNS managed on your side by Zentyal?

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #13 on: November 07, 2013, 05:59:58 pm »
Quote
I think I understand some of the points your describe but still can't put everything in a perspective that makes sense to me. I'm not meaning you're wrong but this makes me totally puzzled.
I feel confusion is because we don't see "fail-over" from the same viewpoint.

If you don't use Zentyal as a gateway but as a server to be accessed from internet, then Zentyal "WAN fail-over" is not for you as this feature doesn't aim, if I understand well, at providing high availability "from internet" but high availability "from intranet to internet".
On top of this, I fully agree that Zentyal is not the wisest choice in case you need some control on routing but I also still don't understand why BGP would help if you don't use Zentyal as gateway (as of course, you do know that BGP stands for Border Gateway Protocol)

This being said, of course if your Zentyal server is only used as server on internet, as you don't use Samba, you can control what DNS exposes by not creating in this DNS any entry for internal servers or services.

I have a bit of it all, in that Samba is used with two NICs also serving mail and internet sites.
I really don't like the bind9 implementation for Samba. Samba has an internal simple DNS that works.
I am forced to use a bind9 server publicly but can't split my information into reverse and forward zones, which does have implications.

When it comes to your DNS queries then, as christian said, with your domain registry you can assign the domain pointers, MX records, blah to both IPs.
So in a way this is load balanced. I am not sure how to implement a round robin method, but it will pull from the first and if it fails try the second.

My problem when I did lose a WAN was also that for some reason my failover rule disappeared and the failover didn't work.
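An added example, not code from the thread or from Zentyal, modelling in Python what ctek's two-A-record setup in reply #9 and the "first, then second" client behaviour described above give you: a resolver that rotates the answer order like a round-robin DNS server, and a client that falls back to the next address when one ISP line is down. The hostname follows the thread; the addresses and link states are constructed sample data.

```python
"""Round-robin DNS failover, as seen from a client (added example, constructed
data; srv01.domain.com is the hostname used in the thread)."""
from typing import Dict, List, Tuple

# Constructed: one public address per ISP line, in documentation ranges
# (the thread only shows xxx.xxx.xxx.xxx / yyy.yyy.yyy.yyy).
A_RECORDS: Dict[str, List[str]] = {"srv01.domain.com": ["192.0.2.10", "198.51.100.10"]}


class RoundRobinResolver:
    """Returns the A records rotated one position per query, the cyclic order
    a round-robin DNS server hands out so load spreads over both lines."""

    def __init__(self, zone: Dict[str, List[str]]) -> None:
        self.zone = zone
        self.counters = {name: 0 for name in zone}

    def resolve(self, name: str) -> List[str]:
        addrs = self.zone[name]
        k = self.counters[name] % len(addrs)
        self.counters[name] += 1
        return addrs[k:] + addrs[:k]


def connect_with_fallback(name: str, resolver: RoundRobinResolver,
                          link_up: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Try each address in the order DNS returned it and return the address
    that answered plus every address tried. link_up stands in for a real TCP
    connect: False means the ISP line behind that address is down, which in
    practice costs the client a connect timeout before it moves on."""
    tried: List[str] = []
    for addr in resolver.resolve(name):
        tried.append(addr)
        if link_up.get(addr, False):
            return addr, tried
    raise ConnectionError(f"no address for {name} is reachable, tried {tried}")


def simulate_connections(n: int, link_up: Dict[str, bool]) -> Tuple[Dict[str, int], int]:
    """Open n connections through a fresh resolver; return how many each
    address served and how many failed attempts clients had to sit through."""
    resolver = RoundRobinResolver(A_RECORDS)
    served: Dict[str, int] = {}
    failed_attempts = 0
    for _ in range(n):
        addr, tried = connect_with_fallback("srv01.domain.com", resolver, link_up)
        served[addr] = served.get(addr, 0) + 1
        failed_attempts += len(tried) - 1
    return served, failed_attempts


if __name__ == "__main__":
    print(simulate_connections(4, {"192.0.2.10": True, "198.51.100.10": True}))
    print(simulate_connections(4, {"192.0.2.10": False, "198.51.100.10": True}))
```

With one line down every connection still lands on the working address, but half of them first wait out a failed attempt; that delay is what DNS round robin alone cannot hide, which is why the gateway-side WAN failover test matters for LAN clients.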


ctek

  • Zen Warrior
Re: wan load balancing failover and dns
« Reply #14 on: November 07, 2013, 06:05:59 pm »
ufff... :)

Ok let me explain a little.
The "outside":

The domain is declared at the TLD with the two IPs as nameservers for my domain.
I have two ISPs that have given me two public IPs.

Zentyal is used for the following roles:
DNS; Mail; Webserver; Gateway;

In the Network section of Zentyal I've declared:

Eth 1 - IP from isp1
Eth 2 - IP from isp2
Eth 0 - LAN IP;

Enabled the WAN failover monitor;
Declared the primary gateway from isp1;
Enabled load balance on external interfaces with 50/50;

In the DNS section of Zentyal:
Create the domain.com;
Add both IPs from the ISPs to the domain.com;
Add the forwarders from my ISP;

In the host section of the domain (SRV01) I've added the two IPs.
In the alias section I've added the proper aliases.

Then configured the firewall and that was it ... more or less:)

But now I have WAN failover for my LAN subnet,
and the server is reachable from each ISP because it is responding with two IPs when the domain is asked.

For the rDNS I've asked for the ISPs' help so that the IPs allocated to me will resolve properly on their end, so for example a traceroute will resolve to the proper ip/name from my ISP. (I'm not well versed in rDNS and FCrDNS, so that's why I've asked for their help.)

I know what BGP stands for and it is not so easy to implement. A few years ago I did (with outside help of course, since I'm not all-knowing) a BGP configuration with AS and everything, but that was when I needed proper load balancing between 4 ISPs and it was for a small neighborhood and I was the local ISP. But this is not the case and Zentyal is perfect for rr load balance.
I have both HA for reaching the servers on different ISPs and WAN failover for the LAN side.

The round robin is done internally by Zentyal; you can however specify, if you want, how much of the total queries can be put on one interface and how much on the other.

My DNS setup is done correctly (I hope :) ) on my end, but for the rDNS I've asked for help from my ISP (not registrar, since it is registered at the TLD).

Best regards
Bogdan



« Last Edit: November 07, 2013, 06:09:22 pm by ctek »