Topic: wan load balancing failover and dns

christian

  • Guest
Re: wan load balancing failover and dns
« Reply #15 on: November 07, 2013, 06:23:31 pm »
Cool, now I do understand your setup. This was only a matter of wording  ;D ;D
I do have exactly the same, almost 100%  ;)

If I understand well what you have and what you did, your Zentyal DNS is only used by internal users. All the external stuff is handled by DNS on the ISP's side, including MX and PTR. There is nothing surprising or wrong about that. I have the same here and that's a very standard design.

Thus there is no need to declare your external Zentyal IPs in your local (Zentyal) DNS.
You also don't need split DNS because your DNS is not seen (in fact rather not used) from internet.

If your webserver is used from the internet, high availability is partially achieved as you have two public IPs and external clients will get one IP then the other in round-robin mode, meaning this is not 100% achieved, e.g. for external web clients it may fail if one of your ADSL links is down.

This is somewhat different with mail because, assuming you set the same weight in the MX records, if the MTA can't be reached at the first IP, the second MX will be used.

Quote
The round robin is done internally by Zentyal; you can however specify, if you want, how much of the total queries can be put on one interface and how much on the other.

Regarding this point, I would have loved some documentation from Zentyal describing the sticky connection. I'm not using it this way as my FTTH link is way faster than the ADSL one, but I would not be surprised if balancing everything over the 2 equivalent links doesn't exhibit some side effects with web based applications, e.g. when the connection to the application server is seen from 2 different source IPs.

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #16 on: November 07, 2013, 06:49:25 pm »
I don't think it would matter as it's one IP (client) and Apache would be listening on both IPs.

I can't see how you can do the round robin thing though, as the client would just try the first DNS and, if that fails, the second.
As christian said with mail, as which IP is hit is external to Zentyal.

Glad you are talking about this as I have a very similar setup and the second ISP is a new addition.

I don't know enough about Apache session states to say if this will be a problem; I will probably do my usual suck it and see methodology.

Going outwards, have you ever tested the WAN failover? In 3.2 I am not sure it works.

PS: the rDNS pointer is mainly for mail, as many mail servers run a DNS check of the source and reject to stop spam and aliases.

It's just a matter for the owner of the IP not to return something like my provider host81-148-01.btopenworld.com. which is still to be sent an rDNS pointer request.

If you do a tracert to google.co.uk or whatever, the second hop should return your domain name, I think, and not the ISP. I can't remember, it might still return the host. http://remote.12dt.com/lookup.php

I have to ask as I don't know, but DNS requests, are they always returned in the same order with multiple IPs?
« Last Edit: November 07, 2013, 07:16:10 pm by BrettonWoods »

ctek

Re: wan load balancing failover and dns
« Reply #17 on: November 07, 2013, 07:23:51 pm »
Christian, Bretton, if you could join me in a Skype session, that would be great, since this is a more in-depth discussion and maybe we can make some sort of documentation or recipe or how-to so that other users can benefit from it.

If you can PM me your Skype IDs I will be glad to continue this talk.

Best regards
Bogdan

christian

  • Guest
Re: wan load balancing failover and dns
« Reply #18 on: November 07, 2013, 07:30:56 pm »
Quote
I don't think it would matter as it's one IP (client) and Apache would be listening on both IPs.

The problem I try to describe is not this one  :-\  or I don't understand your point.
If Zentyal doesn't bring any "sticky connection" stuff, when an internal client using a web browser accesses an external web server, say a web based application, this server sees the connection from the public IP. In case you have 2 different IPs, depending on how your application is written, it will see the client's connection as 2 different connections, which may prevent the application from working smoothly.

iproute brings some "sticky connection" but my understanding of how this impacts load balancing efficiency is quite poor.

Quote
I can't see how you can do the round robin thing though, as the client would just try the first DNS and, if that fails, the second.

For incoming flow:
This works for mail transfer.
This doesn't work for web browsing.
Say an external browser or proxy tries to reach your server behind 2 different IPs. The URL is resolved, returns one IP. Bad luck, this is the one matching your link that is down... connection fails..  :-[ there is no retry. If you ask another time (after you got the error message), you might be lucky as DNS should return back the other IP.

For outgoing flow:
there is no round robin stuff but iproute
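
Added example (not part of the original posts): a small Python check modelling the two incoming cases described above, a client that uses only the first address returned and a sender that walks the list until one answers. The function names, the documentation-range addresses and the fake probe are constructed for illustration; `resolve_all` and `tcp_probe` use the system resolver and a plain TCP connect.

```python
import socket

def resolve_all(host, port=80):
    """Every distinct IPv4 address the resolver returns for host, in answer order."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    addrs = []
    for info in infos:
        ip = info[4][0]
        if ip not in addrs:
            addrs.append(ip)
    return addrs

def tcp_probe(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port is accepted within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def single_try(addresses, port, probe=tcp_probe):
    """Web-client model from the post: use the first address, no retry."""
    return bool(addresses) and probe(addresses[0], port)

def try_each(addresses, port, probe=tcp_probe):
    """MTA model from the post: walk the list until one address answers."""
    for ip in addresses:
        if probe(ip, port):
            return ip
    return None

def rotation_report(addresses, port, probe=tcp_probe):
    """Replay every round-robin rotation of the answer and compare both models."""
    up = {ip: probe(ip, port) for ip in addresses}
    cached = lambda ip, _port: up[ip]  # reuse results: one probe per address
    rotations = [addresses[i:] + addresses[:i] for i in range(len(addresses))]
    return {
        "dead": [ip for ip in addresses if not up[ip]],
        "single_try_failures": sum(not single_try(r, port, cached) for r in rotations),
        "try_each_failures": sum(try_each(r, port, cached) is None for r in rotations),
        "rotations": len(rotations),
    }

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, second WAN link down.
    sample = ["192.0.2.10", "198.51.100.20"]
    fake_probe = lambda ip, port: ip != "198.51.100.20"
    print(rotation_report(sample, 80, fake_probe))
```

Against a real name, `rotation_report(resolve_all("www.example.org"), 80)` lists which published addresses are currently unreachable, which is the condition worth alerting on when one WAN link drops.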

christian

  • Guest
Re: wan load balancing failover and dns
« Reply #19 on: November 07, 2013, 08:10:56 pm »
Quote
If you can PM me your Skype IDs I will be glad to continue this talk.

No....  ;D ;D ;D
Not because I don't want to, but your mail address is not available so I can't send you any PM  :P

Furthermore, I frankly don't see any area we have not yet covered, except perhaps debate about the best way to test WAN availability.

ctek

Re: wan load balancing failover and dns
« Reply #20 on: November 07, 2013, 08:21:37 pm »
Regarding the DNS, only the reverse is done by my ISP; the rest is done by me locally :)
Testing the WAN.... hmm
Well, that would be to have it get HTTP headers with at least a 75% rate :)

Regards
Bogdan 


christian

  • Guest
Re: wan load balancing failover and dns
« Reply #21 on: November 07, 2013, 08:40:26 pm »
Quote
Regarding the DNS, only the reverse is done by my ISP; the rest is done by me locally

Can you explain this? I'm totally clueless about how this could work  :-[

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #22 on: November 07, 2013, 08:46:17 pm »
You were right about wording; when I mentioned one IP client I was talking about an external client to Zentyal.
I am presuming this will work as Apache is listening on both IPs and looking for a server name header which will be the same.

Going out through multiwan and to different IPs might have problems, but I think session states rather than IPs are more common.
I don't know, as it's common to use a browser session state. How much that will impact, I don't know.

I think it's good to talk on the forum and keep it public. I often go off on a wrong tangent and don't mind being wrong.
If we keep it on the forum then others can use it if useful.

christian, do you get any problems with web auth and the balancing?
« Last Edit: November 07, 2013, 08:53:11 pm by BrettonWoods »

christian

  • Guest
Re: wan load balancing failover and dns
« Reply #23 on: November 07, 2013, 09:00:34 pm »
Quote
christian, do you get any problems with web auth and the balancing?

No because I do not load balance  ;D
One link is 100Mb/s while the other is 20Mb/s
I only use rules in order to access sites that are expecting (hard coded) one of my 2 IPs; otherwise the purpose is fail-over and HA for incoming flow.

ctek

Re: wan load balancing failover and dns
« Reply #24 on: November 07, 2013, 09:01:22 pm »
Quote
Quote
Regarding the DNS, only the reverse is done by my ISP; the rest is done by me locally
Can you explain this? I'm totally clueless about how this could work  :-[

OK :) Christian, I've made my email address public in the profile. I can show you the config, and this I think should be more explanatory than I can put into words.
This is why I wanted to create a short how-to and maybe a "good practice" example.
For obvious reasons I can't make the screens available on the forum  ;D

BrettonWoods

  • Guest
Re: wan load balancing failover and dns
« Reply #25 on: November 07, 2013, 09:35:29 pm »
Quote
No because I do not load balance  ;D
One link is 100Mb/s while the other is 20Mb/s
I only use rules in order to access sites that are expecting (hard coded) one of my 2 IPs; otherwise the purpose is fail-over and HA for incoming flow.

I have 50Mbs & 10Mbs so I will give it a go and report back. So I have a weight of 5:1; only testing will tell, I guess.