Using a Linux failover router

By Preston St. Pierre on April 13, 2005 (8:00:00 AM)


Today, it's hard to imagine an organization operating without taking advantage of the vast resources and opportunities that the Internet provides. The Internet's role has become so significant that no organization can afford to have its Net connection going down for too long. Consequently, most organizations have some form of a secondary or backup connection ready (such as a leased line) in case their primary Net connection fails. However, the process of switching over from the primary to the backup connection, if done manually by the system administrator, can take some time, depending upon how ready the backup setup is and on the availability of the administrator at the right moment. The process can even become a costly affair if the organization must buy dedicated routers for the purpose of automatic switchover. But there is an easy and cost-effective alternative -- setting up a Linux failover router.

In this article we will look at setting up an existing Linux machine as a failover router to provide quick and automatic switchover from a dead Internet connection (the primary connection) to one that is operational (the secondary connection).

To begin, you'll need a PC with any recent GNU/Linux distro installed. You'll also need three network cards to put into this Linux box. Two of the three network cards, say eth0 and eth1, will connect to the Internet routers/gateways of your primary ISP (say ISP1) and secondary ISP (say ISP2). The third network card, say eth2, will connect to your internal LAN.

Setting up the network

Begin by setting up your network based on the configuration information available to you. You can make the configurations from the X Window GUI using the Network utility. To do so, open the Network utility from Main Menu > System Settings > Network. This will open up a network configuration window displaying a list of all the network cards installed on your system. Double-click on the network card you wish to configure, select the Statically Set IP Addresses option, and assign the IP address along with the subnet mask. There is also a Default Gateway Address field; you can leave it blank for the time being, as it can be specified later on from the command line.

Assign the IP addresses provided to you by your ISPs to the two network cards, eth0 and eth1. In our setup, we assigned eth0= and eth1= (which are public IP addresses), along with the subnet mask.

Assign a private IP address based on your internal LAN subnet to your third card. We assigned eth2=, where was the address range for our internal LAN setup. Save your changes and exit.

Now turn on IP packet forwarding on the Linux box by changing the value of net.ipv4.ip_forward to 1 in the /etc/sysctl.conf file and executing the command:

# sysctl -p

Next, you need to configure iptables by adding certain rules, so that your internal LAN can route packets to the Internet. For this, issue the following commands as root:

# iptables  -t  nat  -A  POSTROUTING  -o  eth0  -j  MASQUERADE

# iptables  -t  nat  -A  POSTROUTING  -o  eth1  -j  MASQUERADE

# iptables  -A  FORWARD  -s  -j  ACCEPT

# iptables  -A  FORWARD  -d  -j  ACCEPT

# iptables  -A  FORWARD  -s  !  -j DROP

The above commands turn on masquerading in the NAT table by appending a POSTROUTING rule (-A POSTROUTING) for all outgoing packets on the two Ethernet interfaces, eth0 and eth1. The next two lines accept forwarding of all packets to and from the network. The last line drops the packets that do not come from the network.

To make the iptables rules permanent, save them as follows:

# iptables-save > /etc/sysconfig/iptables

Now you must restart your network, as well as iptables:

# /etc/init.d/network restart

# /etc/init.d/iptables restart

To see if your new iptables rules have gone into effect, type iptables -L.
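The forwarding, NAT and verification steps above can be collected into one script. The one below is an added example, not the article's own commands: it keeps the two MASQUERADE rules but replaces the article's accept-anything-to-or-from-the-LAN FORWARD rules with a default-DROP policy that admits only connections started on the LAN interface plus their tracked return traffic. The interface names, the LAN prefix 192.168.1.0/24 and the DRY_RUN and ROUTER_APPLY switches are assumptions; run it as root with ROUTER_APPLY=1, or with DRY_RUN=1 to print the commands it would execute.

```shell
#!/bin/sh
# Added example, not the article's commands: apply IP forwarding and a masquerading
# rule set for a three-NIC router. Interface names and LAN_NET are assumptions.
WAN1=${WAN1:-eth0}                    # NIC facing ISP1's gateway
WAN2=${WAN2:-eth1}                    # NIC facing ISP2's gateway
LAN_IF=${LAN_IF:-eth2}                # NIC facing the internal LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}    # constructed placeholder for the LAN prefix
DRY_RUN=${DRY_RUN:-0}                 # DRY_RUN=1 prints commands instead of running them

# run CMD ARGS...: execute a command, or echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# enable_forwarding: the sysctl step from the article; for persistence keep
# net.ipv4.ip_forward = 1 in /etc/sysctl.conf as the article describes.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# router_rules: print the rule set one command per line so it can be reviewed
# before it is applied. Differences from the article's rules:
#  - the chains we own are flushed first, so re-running does not duplicate rules;
#  - FORWARD policy is DROP, so anything not explicitly allowed is refused;
#  - packets conntrack cannot classify (INVALID) are dropped early;
#  - replies come back through the connection tracker (ESTABLISHED,RELATED)
#    rather than a blanket "-d LAN -j ACCEPT";
#  - only connections that start on the LAN interface are accepted outbound.
router_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $WAN1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN2 -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN1 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN2 -j ACCEPT
EOF
}

# apply_rules: run every line printed by router_rules through run()
apply_rules() {
    router_rules | while read -r cmd; do
        # word-splitting the line is intentional: each line is a complete command
        run $cmd
    done
}

# show_rules: the verification step (the article's "iptables -L"), for both tables
show_rules() {
    run iptables -L FORWARD -n -v
    run iptables -t nat -L POSTROUTING -n -v
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${ROUTER_APPLY:-0}" = 1 ]; then
    enable_forwarding
    apply_rules
    show_rules
fi
```

Because the policy is set to DROP before the ACCEPT rules are appended, forwarding is briefly closed while the script runs rather than briefly open; that is the fail-closed order you want on a border box. Persist the result the way your distribution expects (the article uses iptables-save > /etc/sysconfig/iptables).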

Enabling failover routing

After you have configured your network, the next step is to enable failover routing on your Linux box, so that if the first route dies the router will automatically switch over to the next route. To do so, you'll need to add the default gateway routes provided to you by your ISPs for both your network cards:

# route add default gw dev eth0

# route add default gw dev eth1

Here, is the gateway address given by ISP1 and is the gateway address given by ISP2. Replace them with the addresses available to you. These routes will disappear every time you reboot the system. In order to make these routes permanent, add the above two commands to the /etc/rc.d/rc.local file, which is run at boot time.

Also make sure that all the computers on your internal LAN have their default gateway address set to the IP address of the eth2 Ethernet interface (the LAN-facing card) of your failover router.

Finally, modify the /proc/sys/net/ipv4/route/gc_timeout file. This file contains a numerical value that denotes the time in seconds after which the kernel declares a route to be inactive and automatically switches to the other route if available. Open the file in any text editor and change its default value of 300 to some smaller value, say 10 or 15. Save the changes and exit.

Now your Linux machine is ready to serve as a failover router, automatically and quickly switching to the secondary route every time the primary route fails.

Preston St. Pierre is a computer information systems student at the University of the Fraser Valley in British Columbia, Canada.



Comments on Using a Linux failover router


X Window System

Posted by: Anonymous Coward on April 13, 2005 07:10 PM
Many people don't have the X Window System on their routers.


Re:X Window System

Posted by: Anonymous Coward on April 14, 2005 10:41 AM
If you don't have the X Window System and you're a GUI sort of guy, you can always install Webmin. For the noobs and the lazy :)



Re:X Window System

Posted by: Administrator on April 14, 2005 12:15 AM
Yeah, you're right..... But if you are able to understand the article and implement the same, then I'm sure you know how to configure a NIC using the ifconfig utility. Anyway, thanks for pointing that out.

--Rohit Girhotra


Excellent Solution For Asterisk

Posted by: Anonymous Coward on April 14, 2005 04:20 AM
Right now I am trying to convince my boss to use an Asterisk box at a new location so that other stores can save on their long distance calls. The biggest problem that I have convincing him right now is the ability to have a good backup system in case our internet fails.

This provides an excellent solution to have both a DSL and Cable connection to the internet from two different providers to guarantee uptime.

It also makes me wonder though, how does one make use of both of these connections at once to increase transfer speeds?



Re:Excellent Solution For Asterisk

Posted by: Anonymous Coward on April 14, 2005 07:32 PM
You need a routing daemon.


Re:Excellent Solution For Asterisk

Posted by: Anonymous Coward on March 19, 2006 05:35 PM
There is a router appliance that can bond two lines to increase the speed by balancing connections through the two lines, and to provide failover.

It works great for data, but for VoIP communication, it may fail the ongoing conversation so that you may need to make a new call if one of the lines fails.

I bought mine from for about 370e but they don't have it in a webshop, only by special order, so you'd need to contact them first by email.


Re:Excellent Solution For Asterisk

Posted by: Administrator on April 15, 2005 09:38 PM
Bonding is what you are looking for there, it can take two interfaces and make them act as one. And from what I recall it will still work if one of the interfaces drops off.

This Failover is an odd solution to me, but I'm sure there are very good applications for it.


true failover?

Posted by: Anonymous Coward on April 14, 2005 09:47 PM
Does this provide real failover? I would guess the failover will only work if the interface goes down completely. The failover will not work if, for example, your upstream router stops responding.

I guess you would need a routing daemon that can handle some routing protocol such as RIP, BGP, IGP, or OSPF, and the upstream router should be configured to talk to your router as well. Would that be possible with Linux?


Re:true failover?

Posted by: Anonymous Coward on April 14, 2005 11:18 PM
Don't know about Linux-based routers, but for Cisco routers, this would not provide truly automatic failover. You'd end up dropping about half your packets, since, as far as the router is concerned, that failed route is still in the routing tables. You'd need to somehow take out the failed route. Either you can log in to your router and do it, or yes, you would indeed use a routing protocol (the preferred solution). The routing protocol would be BGP, since it's only with BGP that the ISP can direct Internet traffic the way that they need to do. ISPs won't talk OSPF with you because then you become part of their autonomous system, and you could easily hose their entire network. BGP was designed specifically for multi-ISP customers in just this type of situation.

You might want to look at something like OpenBGPD (currently OpenBSD-only; portable version coming soon) or Zebra. You'd also have to talk with both of your ISPs, get an AS number from IANA, and learn what the heck you're doing with BGP. It's not anything like the intra-AS routing protocols you're probably accustomed to (RIP, OSPF, etc.).

Another option might be to use pf's failover capability and a single ISP connection, but again, that'd mean running one of the BSDs, with a preference for OpenBSD for security reasons. pf is able to provide stateful failover, very much like Cisco's PIX Firewall failover, but without the patent encumbrances and the overinflated price tag. However, this solution would be for use on a single ISP connection, which won't work for sites that must have 24/7/365.25 "guaranteed" Internet access.


Re:true failover?

Posted by: Anonymous Coward on May 11, 2005 08:30 PM
A Cisco router will happily take a route out of the routing table if the next hop goes away. Like this solution, it's limited to link status.

Also, you'd want to set a higher AD on your backup route since each flow has to go out the same interface otherwise NAT will break it.


Re:true failover?

Posted by: Anonymous Coward on April 15, 2005 12:01 AM
As per my observation, a home-made linux based failover router is meant to serve only an internal LAN and does not require to communicate with the upstream routers, since it is the ISP's router that directly communicates with the upstream routers using some specific routing protocol. Therefore, if any upstream router dies or goes down, it will be the ISP's router that will detect it first and the effect of it will be experienced by the Linux failover router which, consequently, will switch to the second route.


Re:true failover?

Posted by: Anonymous Coward on April 17, 2005 01:16 AM
I'm afraid that's not how it works. In the setup you describe, until the Linux box detects that one of these Ethernet interfaces is down, at the Ethernet level, it will continue to send packets out that interface. The Linux box you describe has Ethernet connections to routers "upstream" of it. Typically that router is customer premise equipment provided by the ISP. You have an Ethernet connection to it. It then has a connection to the ISP, via DSL, another Ethernet interface, etc. If it loses its link layer connection (DSL, Ethernet, wireless, etc.) on its WAN, you are still going to have an Ethernet connection between the Linux box and the CPE. The Linux box does not know there is a problem and continues to route out that interface, as the previous poster said it would.

The previous poster also noticed something about your setup but only implied it, when he said you would lose half your packets. The setup you describe will not send traffic out one connection, and fail over to the second. All you have done is create two equal-weight default routes. The Linux box will route out both interfaces, not one or the other, unless it detects one of the Ethernet interfaces down, as discussed above.

You've started on the right track, but you have a ways to go.


Re:true failover?

Posted by: Anonymous Coward on November 19, 2006 03:29 AM
I haven't followed the discussion from the beginning, but I can share my experience with the Linux routing:
1) The RUNNING flag previously didn't work with all of the Ethernet drivers, but it has since been working with every card I had been using (consider using a 2.6 kernel, not sure about the 2.4s). This is also the case with the vlan setups. Summa summarum, if you use a newer 2.6 kernel, you won't have any troubles with either vlan setup or RUNNING flags, no matter which Ethernet card you use.
2) When the cable is unplugged and the Ethernet interface loses the RUNNING flag, the route which points to the downed interface is still in the table. This is not satisfactory. However, you can always use Quagga with the link-detect option; this works like a charm. I have BGP and OSPF routers doing this in my ISP production network, works great. Zebra terminates the routes from the kernel for the problematic interface. You get Cisco functionality at a fraction of the cost.
3) With regard to OSPF and HA setups (multiple path), works great, just follow the Quagga docs.

Ognjen Seslija
Network Engineer


Re:true failover?

Posted by: Administrator on October 12, 2006 09:06 PM
I'm in agreement, the solution proposed is not appropriate for failover.

Basically, I am running OSPF on dual-eth servers, to provide two optional paths to two Ciscos, which in turn peer via BGP with our ISPs. There's a bit more to it, but that's the gist.

However, I have recently discovered a before unnoticed (doh) but MAJOR problem w/r to dual homing / resiliency with linux.

Quite simply, if the interface goes to a down state (i.e. the RUNNING flag goes away but the interface remains in ifconfig, e.g. if you unplug the wire), the IP network for that interface remains in the route table as directly connected.


Seriously, if you think about it, the device will black hole all traffic destined to the network on the down interface, even though it has an alternate path learned via a protocol.
Or more simply, it will route traffic to a network that is on a dead interface.

If anyone has any bright ideas (tried kernel netdev, etc, to no avail) pls advise !

Tried poking around with the netlink API, but gee, why should it be only I who has a Linux router that works properly. :>


X Window Gui?

Posted by: Anonymous Coward on April 16, 2005 07:17 AM
I'm running X but don't have anything like what you described and neither will many readers who run fluxbox, fvwm, or many other window managers.

You should take more care to clarify exactly what software you're using, like Gnome, KDE, the Linux 2.4.x kernel (and that this article describes manipulating iptables).

Good luck in the future.


Re:X Window Gui?

Posted by: Administrator on April 16, 2005 11:47 AM
Thanx for the advice. will take care in the future.


This isn't such a hot idea

Posted by: Anonymous Coward on April 25, 2005 11:38 AM
I believe the author is counting on a total failure of eth0 to drop the primary route. Once eth0 goes down that route is withdrawn from the routing table leaving only the eth1 route. Linux without turning on IP: advanced router in the kernel will use only one gateway. I assume it uses the first one you config and once that disappears the second will be used.

eth0 will hardly ever fail completely. The only way it would is if it is directly connected to, say, a DSL device and the device became unplugged. That would completely drop eth0 and then the failover would happen. If only the connection upstream from the DSL device went down, then the Linux box would happily send data to the up Ethernet interface of the DSL, router, switch, etc.

It would also work if you're terminating connections directly into the Linux box... using a DS-1 card or something like that. Again this assumes that the connections fail totally. A DS-1 usually will, but in offices you're sometimes handed Ethernet which terminates on a switch. That switch will be up, but the router or upstream connection has failed.

It's an interesting little hack, assuming I'm right about what he's doing with it, but I wouldn't go around recommending it without mentioning its shortcomings.



What about this?

Posted by: Anonymous Coward on June 11, 2005 08:04 PM
I'm no expert script programmer but what about running a little shell script that sends a ping to the upstream router say every 15 minutes and if there is no reply then disable the NIC?


Re:What about this?

Posted by: Anonymous Coward on March 30, 2006 11:42 PM
Can you elaborate on your script?
How will you do that?


Re:This isn't such a hot idea

Posted by: Anonymous Coward on July 19, 2005 05:14 PM
It's not like we're hooking up an expensive Cisco router that is meant to do one thing and do it well.

I suggest additional hardware be installed in such a configuration that eth0 deliberately and surely fails whenever it fails to relay data to its required route.

Just a thought upon yours.

Sunny Gaurav Bharel
Linux Systems Administrator
HCL Infinet Ltd.




Re:This isn't such a hot idea

Posted by: Anonymous Coward on August 25, 2006 03:04 PM
If you are not a Linux geek, then for you the best option is Nitix; it has got an auto-switching feature for multiple ISP support called "Double Vision".

You can test the trial version; it's only 40MB.


Credit Where It's Due?

Posted by: Anonymous Coward on June 10, 2006 07:07 AM
This piece appears to be copied almost (but not quite) word for word from a 2003 piece called:

Creating a Failover Router
Sanjay Majumder

Which can be found at:



A very poor copy

Posted by: Anonymous Coward on October 01, 2006 12:59 PM
This is a very cheap copy of the article published by Sanjay Majumder on September 19 2003. You can find it here.

Some people, like the one that made this copy, do not know the meaning of decency and respect for the work of others who kindly share their knowledge. They are not only ignorant, but also very stupid.


Re:config is not working for me

Posted by: Anonymous Coward on May 04, 2007 03:10 PM
Yeah, this can't work as 2 default GW are unacceptable and do drive linux mad.
The solution here is to a) separate interfaces into different routing tables and b) mark incoming packets with iptables.
Working on this now.


config is not working for me

Posted by: Administrator on April 22, 2007 12:14 AM
I have followed all the setup stated but it seems not to be working.... I'm using FC6 and installed 3 NICs: eth0 connected to ISP1, eth1 connected to ISP2 and eth2 is for the LAN.... All the setup stated by the author is followed but still not working; once I turn off the modem connected to ISP1, the ISP2 connection is not brought up. Any other solution please.... I really need it for our office because of the very poor internet connection in our place....



Using a Linux failover router

Posted by: Anonymous [ip:] on February 21, 2008 12:07 PM
I have something like this set up, with one little addition: I have a script running as a daemon, polling the remote gateways' MAC every few seconds. If a gateway fails to answer 3 times, it will trigger a script that clears the dead route from the routing table and clears the routing cache for routes that go through the faulty gateway. This works very well, and mostly nobody but me notices if a connection goes down. The script will add the route back to the routing table when the faulty gateway is restored. Originally I had a setup just like the one described here; it works well if you don't have load balancing set up, but just use one route at a time. If you have load balancing you would need a script like mine to ensure true failover.
Unlike BGP and other multi-gateway protocols, this method will of course lose connections when one gateway goes down; this can't be avoided unless you have control over both ends of the redundant network (your ISPs' routers too).
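The article's "Enabling failover routing" step, the "What about this?" suggestion of pinging the upstream router on a timer, and the polling daemon described in the comment just above all point at the same mechanism: probe each ISP gateway, and keep exactly one default route pointed at a gateway that still answers. The script below is an added example, not code from the article or from any commenter. The gateway addresses 203.0.113.1 and 198.51.100.1 are RFC 5737 documentation placeholders, the interface names, the DRY_RUN/FAILOVER_RUN switches and the probe-command override are assumptions, and ping, ip and logger are the standard Linux utilities of those names.

```shell
#!/bin/sh
# Added example, not the article's or any commenter's code: a gateway watchdog
# that keeps a single default route pointed at whichever ISP gateway still
# answers pings. Gateway addresses are RFC 5737 documentation placeholders and
# the interface names are assumptions; adjust them to your own ISP data.
GW1=${GW1:-203.0.113.1};  IF1=${IF1:-eth0}    # ISP1 gateway and the NIC facing it
GW2=${GW2:-198.51.100.1}; IF2=${IF2:-eth1}    # ISP2 gateway and the NIC facing it
INTERVAL=${INTERVAL:-10}            # seconds between probe rounds
FAILS_TO_TRIP=${FAILS_TO_TRIP:-3}   # consecutive failed rounds before a gateway is declared dead
DRY_RUN=${DRY_RUN:-0}               # DRY_RUN=1 echoes route changes instead of applying them
PROBE_CMD=${PROBE_CMD:-ping}        # overridable so the logic can be exercised without a live link

# run CMD ARGS...: execute a command, or echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# probe GW IF: 1 if GW answered at least one of three pings sent out of IF, else 0.
# Pinging the directly connected gateway works whatever the default route is;
# it does not detect a CPE whose own WAN side is dead (the thread's main caveat),
# for which you would probe an address beyond the gateway instead.
probe() {
    if "$PROBE_CMD" -c 3 -W 2 -I "$2" "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# count_fails CURRENT OK: consecutive-failure counter, reset on any success
count_fails() {
    if [ "$2" = 1 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# healthy FAILS: a gateway is usable until it has failed FAILS_TO_TRIP rounds in a row
healthy() {
    if [ "$1" -lt "$FAILS_TO_TRIP" ]; then echo 1; else echo 0; fi
}

# select_gateway P S: pure decision given primary/secondary health (1 or 0).
# The primary is preferred whenever it is healthy, so service falls back
# automatically once ISP1 recovers.
select_gateway() {
    if [ "$1" = 1 ]; then echo primary
    elif [ "$2" = 1 ]; then echo secondary
    else echo none
    fi
}

# set_default_route GW IF: install exactly one default route (replace, not add,
# so the box never carries the two equal-weight defaults the thread warns about)
# and flush the route cache so cached decisions stop using the dead next hop.
set_default_route() {
    run ip route replace default via "$1" dev "$2"
    run ip route flush cache
}

main_loop() {
    active=""; fails1=0; fails2=0
    while :; do
        fails1=$(count_fails "$fails1" "$(probe "$GW1" "$IF1")")
        fails2=$(count_fails "$fails2" "$(probe "$GW2" "$IF2")")
        want=$(select_gateway "$(healthy "$fails1")" "$(healthy "$fails2")")
        if [ "$want" != "$active" ]; then
            case $want in
                primary)   set_default_route "$GW1" "$IF1" ;;
                secondary) set_default_route "$GW2" "$IF2" ;;
                none)      run logger -t failover "both ISP gateways unreachable" ;;
            esac
            run logger -t failover "active gateway: $want"
            active=$want
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when asked (e.g. FAILOVER_RUN=1 /usr/local/sbin/failover.sh &
# from rc.local), so the file can also be sourced for its functions.
if [ "${FAILOVER_RUN:-0}" = 1 ]; then main_loop; fi
```

Keeping the decision in select_gateway and the counters in count_fails/healthy, separate from the commands that touch the kernel, means the switching logic can be exercised with DRY_RUN=1 and a fake probe command before the script is trusted on a live router. As the commenter above notes, masqueraded connections in flight still break when the route moves; the script only bounds how long new connections stay black-holed.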


