We have a Failover IP Routed to our Virtual Servers but we have problems once the FreePBX Firewall is enabled.
Our Network
eth0:
Public ip
Netmask 22
Default GW
eth0:1
Failover IP
Netmask 32
To get the traffic outside with the failover ip we have to use this routing command
ip route replace default via “our default gateway ip” src “our failover ip”
This works until the moment the CLI says “Firewall service now starting.”
After that the outgoing ip is the default gateway and not anymore the failover ip.
Does anyone have any suggestion why the “src failover ip” does not work with enabled firewall and what i have to do as workaround?
Can you try making sure that interface is setup for the same zone as your default IP by going to Connectivity->Firewall->Networks
Conflicting entries in your Firewall Config vs manual routing tables can be a nightmare to work out. Is the virtual server in question on the same network as your primary?
Both servers are Cloud Hosted Virtual Servers with each 1 Fixed Dedicated IP address.
The Failover IP is just a routed Address and can be switched to any of our cloud servers.
The route for the servers to use the failover IP is:
ip route change default via “default_GW” src “Failover_IP”
This route gets blocked by firewall because of this entry:
/var/www/html/admin/modules/firewall/drivers/Iptables.class.php
Line 1158 "-t nat -A POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE", // if 1&2 are set, masq
After starting the firewall i cann remove the line with the command: iptables -t nat -D POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE
Then the route works correctly.
The Interfaces are all in the same Zone because the Failover IP is just a Virtual Interfaces belonging to eth0
My workaround solution for now: (but it gets overwritten after a Firewall restart)
I notice Asterisk/FreePBX firewall is not top dog in handling manual routing/custom ip solutions. The way I handle mine is I set BOTH my WAN connections up in my DNS zone file (1 pri, 1 failover) and let the router issues address rules in conjunction with my checkpoint. My setup utilizes FreePBX’s openVPN services and I set all VPN traffic to local to minimize firewall issues. That, along with TLS network-wide ensures (for me at least) a very secure network with minimum conflicts from the software firewall. I have a cloud-based mirrored server that kicks in should my physical WAN connections both fail. I setup that failure route thru SIPSTATION and a secondary DNS nameserver offsite.
If the above doesn’t apply maybe try this:
Check to make sure your interfaces in FreePBX Sysadmin are set up properly.
Make sure both IP address can reach your GUI (plus port if you have custom ports setup)
If the servers are virtual and mirrored, you may have to ‘spoof’ the mac address of the failover to match it’s records for the primary machine. If you have a hardware firewall, those route based on MAC address most of the time.
If nothing works, make sure BOTH ip addresses are correctly setup under Interfaces.
I need to use the failover ip to go outside, else my phones have no sound after switching the failover ip to another server.
I cannot use any extra firewall, i have to use the built in FreePBX Firewall.
The Provider just routes the failover IP to the Dedicated ip of the server.
Failover IP -> Public IP of ServerA or ServerB
It can be switched with a XML Command between the Servers.
But i cannot assign the Failover IP to a Server with a gateway directly.
The main reason for the ticket was the feature to let me add my additional iptables. Then i saw that this feature exists already. So i changed it instead of closing
Please do not remove rules from iptables, as you’ll probably end up confusing yourself even worse.
They are all thoroughly documented in the source. That changes the source IP of packets that are routed through the machine. I think you may have your network setup wrong if that is blocking things.
My goal is that the machines do not use the default gateway as outgoing ip, they should use the routed failover ip as source nat.
with is iptable rule i cannot use any other outgoing ip as the default gateway of the interface
The Datacenters Failover IP is only a routed ip normally applying with this routing, but works only without this iptables entry.
ip route replace default via “our default gateway ip” src “our failover ip”
That rule is only triggered on traffic that is routed through the machine. Have a read on POSTROUTING. This is why I say you have configured something incorrectly.
Saying that, if you want to delete it, feel free, you can add it to the custom rules.
Do you have an idea. How can a trigger the traffic over the failover ip without changing this? The Server is reachable but i have no sound on the phones.
I already forced asterisk to use the failover ip.
Second problem when i do not route over failover ip
The Let’s Encrypt certs will not update anymore as the request comes from the dedicated ip of the server
You’re really going to have to spend some time with tcpdump to resolve your problems. The source IP of the request for letsencrypt has nothing to do with the DNS lookup that LetsEncrypt does to validate the domain ownership. This sounds like you’re confused about how it all works.
