On 05/02/2013 01:05 PM, Les Mikesell wrote: > On Thu, May 2, 2013 at 8:14 AM, Michael Mol <mikemol at gmail.com> > wrote: >> >> Ultimately, for this to work cleanly, anything which requires a >> public IP (be it a raw authoritative DNS server or a load balancer) >> will require an IP on both public subnets. > > No it doesn't, as long as you don't mind losing the source IP for > logging or configure your http proxy to pass it. You can use > separate front end proxies or load balancers on each public range, No, I really can't. And not for reasons I can change until this summer, at the earliest, nor can I discuss them without breach of NDA. > with its default gateway pointing toward the ISP handling it. DNS > service is simple enough to have standalone servers for each instance > you need. This would also require either resources or underlying authorizations I don't have. > Web browsers are actually very good at handling multiple IPs in DNS > responses and doing their own failover if some of the IPs don't > respond. It varies greatly by client software. And given the explosion of unreliable network connections (wifi, mobile), some of that failover logic's margin is already lost in dropped packets between the client and their local network gateway. > SMTP will retry following your MX priorities. Yup. MX is a no-brainer, as are NS and SIP/SRV. > For other services you might need to actively change DNS to drop IPs > if you know they have become unreachable, though. Yup. That's what I was planning on doing, more or less. Start with ordering IPs by route preference, drop IPs by link state. I just wish I could drive it by snooping OSPF... > >> The only blocker right now is getting CentOS to do source-policy >> routing properly. > > It's a black art Once you've read the docs and tried a few commands, it's pretty easy to wrap your head around it. My problem is that what I was able to get working by hand gets mangled by the processing logic for /etc/sysconfig/network-scripts/route-ethN. > - I'd give up the source IP logging first and rely on the back end > servers sending back to the proxy that received the request and only > has the default route to that one ISP. I'm not doing any special logging. That one firewall/routing device sits between the ISP routers and _all_ my internal machines. Everything sits behind it. There are reasons for this. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 555 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20130502/25c9e2a6/attachment-0005.sig>