Overview
This article explains special cases in the High Availability (HA) configuration: management of Wifi and PPPoE, and automatic creation of routes and traffic rules. It also provides clarifications about DHCP settings, HA validation, and Virtual IP.
Prerequisites
- SSH access to Kerio Control
- /opt/kerio/winroute is the current directory
Solution
1-Wifi
Kerio Control disables Wifi on the slave whenever HA validation completes, and enables it again when the master goes down or HA is disabled. This behavior can be controlled from the configuration.
To stop Kerio Control from managing Wifi, execute: ./tinydbclient "update HaConfig set ManageWifi=0"
2-PPPoE
Kerio Control hangs up all PPPoE interfaces on the slave when HA validation completes, and dials them automatically when the master goes down or HA is disabled. This behavior can be controlled from the configuration.
To stop Kerio Control from managing PPPoE, execute: ./tinydbclient "update HaConfig set ManageSlaveDial=0"
3-Routes
On the slave, Kerio Control disables all PPPoE interfaces, so when there is no Ethernet interface in "Internet Interfaces" the slave would have no internet access for its own updates (such as IPS and Anti-Virus). To cover this case, Kerio Control creates a new static route that redirects all traffic to the sync interface, so the master delivers these updates to the slave. This behavior can be controlled from the configuration.
To disable adding a route, execute: ./tinydbclient "update HaConfig set AutoCreateRoute=0"
4-Traffic Rules
Kerio Control automatically creates a traffic rule for ucarp traffic whenever HA is enabled. The rule uses the interfaces selected in the virtual IP list as the source, 224.0.0.18 as the destination, and VRRP as the service.
To disable automatic creation of the traffic rule, execute: ./tinydbclient "update HaConfig set AutoCreateRule=0"
5-DHCP Settings
Kerio Control updates the gateway in the DHCP scope of the selected virtual IP interface (if such a scope exists), so any machine that gets its IP address from Kerio Control through that interface sees the virtual IP as its gateway. In addition, whenever HA completes, the slave does not respond to DHCP requests arriving on that interface, so only the master's DHCP scopes are active. The slave will continue to lease IP addresses when either the master goes down or HA is disabled. You can see the relevant entries in the Debug log, in messages marked "High Availability".
Additional Notes:
- It doesn't matter whether you configure the master or the slave first. They complete their validation separately.
- Even if there is a problem with validation, Kerio Control continues sending the same data for validation. So if you fix a problem that is not related to the HA configuration (like updating interface names or adding a traffic rule), you don't need to disable and re-enable HA, since validation will complete automatically.
- You can assign a virtual IP to any Ethernet interface (including VLANs). HA doesn't care about the interface group or the consequences of adding the virtual IP. It just runs a script that adds the virtual IP when a machine becomes active and removes that IP when it becomes passive.
Confirmation
Configuration modifications are tracked in the Config log. For example, disabling Wifi management produces:
[18/Sep/2020 10:28:11] LocalPluginUserForRPC - update HaConfig set ManageWifi=0
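
As an added example (not Kerio's own tooling), the following shell script summarises which of the HaConfig settings from this article were changed, using Config log lines in the format shown above. It reads log text from stdin, so no log file path is assumed; the function names and every sample line except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit HaConfig changes recorded in the Config log.
# Log text is read from stdin; the line layout follows the sample entry in this article.

# The four HaConfig settings named in this article.
HA_KEYS="ManageWifi ManageSlaveDial AutoCreateRoute AutoCreateRule"

# Emit one record per logged change: key|value|timestamp|user
ha_config_changes() {
    awk '{
        p  = index($0, "update HaConfig set ")
        rb = index($0, "] ")
        if (substr($0, 1, 1) != "[" || rb == 0 || p == 0 || rb > p) next
        ts  = substr($0, 2, rb - 2)
        who = substr($0, rb + 2, p - rb - 2)
        sub(/ - $/, "", who)
        kv = substr($0, p + 20)          # text after "update HaConfig set "
        gsub(/[ \t\r]+$/, "", kv)
        eq = index(kv, "=")
        if (eq > 1) print substr(kv, 1, eq - 1) "|" substr(kv, eq + 1) "|" ts "|" who
    }'
}

# Last logged value of one setting, or "unchanged" when the log has no entry for it.
ha_last_value() {
    ha_config_changes | awk -F'|' -v k="$1" '
        $1 == k { v = $2; n++ }
        END     { if (n) { print v } else { print "unchanged" } }'
}

# One summary line per setting: last logged value, when it was set, and by whom.
ha_report() {
    log=$(cat)
    for k in $HA_KEYS; do
        printf '%s\n' "$log" | ha_config_changes | awk -F'|' -v k="$k" '
            $1 == k { v = $2; t = $3; u = $4; n++ }
            END { if (n) { printf "%s=%s (last set %s by %s)\n", k, v, t, u }
                  else   { printf "%s: no change logged\n", k } }'
    done
}

# First line is the entry shown in this article; the rest are constructed samples.
SAMPLE_LOG='[18/Sep/2020 10:28:11] LocalPluginUserForRPC - update HaConfig set ManageWifi=0
[18/Sep/2020 10:31:02] LocalPluginUserForRPC - update HaConfig set AutoCreateRule=0
[18/Sep/2020 10:40:45] Admin - update Interfaces set Name=LAN
[18/Sep/2020 11:05:19] LocalPluginUserForRPC - update HaConfig set AutoCreateRule=1'

printf '%s\n' "$SAMPLE_LOG" | ha_report
```

Settings reported as "no change logged" have no matching entry in the supplied log text, which is useful when checking whether a slave's Wifi, PPPoE, route, or traffic rule behavior was altered from the command line.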