Is 1.0.beta12 safe and stable for production use?


This topic contains 9 replies, has 0 voices, and was last updated by  snowch 9 years, 11 months ago.

  • #41902

    snowch
    Member

    Is 1.0.beta12 safe and stable for production use? I always get nervous using beta software especially for security concerns.

    Many thanks in advance,

    Chris

    #48714

    yum
    Member

    I use it as a firewall, NAT, DNS cache, DHCP server and traffic shaper for about 50 users without problems. The difference since beta11 is DSCP and ability to use custom iptables arguments via web interface (this is what I have discovered). Just make a backup, burn new iso and reboot ZeroShell to upgrade from beta11.

    #48715

    mark_orion
    Member

    @snowch wrote:

    Is 1.0.beta12 safe and stable for production use? I always get nervous using beta software especially for security concerns.

    Many thanks in advance,

    Chris

    I understand your concerns. I would consider beta12 as pretty solid. I am using beta12 in an environment with about 120 Users and load balancing over three gateways – no crashes and no trouble. The whole thing works like a charm.
    Enjoy Zeroshell,
    Mark

    #48716

    jacobsa
    Member

    @ Mark_orion, Do you ever get the scenario when you are load balancing that you need to create custom rules for certain sites to only travel via one link?

    I have certain HTTPS sites that just simply don't work properly when I load balance behind NetBalancer and need to make a specific rule to that IP.

    For example, zeroshell.net I have to do the same, as I find I am constantly being kicked out of the forums because of the changing IP…

    #48717

    ppalias
    Member

    @jacobsa wrote:

    @ Mark_orion, Do you ever get the scenario when you are load balancing that you need to create custom rules for certain sites to only travel via one link?

    I have certain HTTPS sites that just simply don't work properly when I load balance behind NetBalancer and need to make a specific rule to that IP.

    For example, zeroshell.net I have to do the same, as I find I am constantly being kicked out of the forums because of the changing IP…

    Network -> Router -> Manage
    Add a static route for the site. However I think that something has to be done on ZS to prevent such load balancing situations. For example balancing should not be done on packet base, rather on connection base.

    #48718

    jacobsa
    Member

    Yeah that is what I have been doing to resolve the issues, just wondered if anyone else has seen that problem, or if it was just me going crazy. 🙂

    Anything in the pipeline for this fulvio?

    #48719

    mark_orion
    Member

    @jacobsa wrote:

    Yeah that is what I have been doing to resolve the issues, just wondered if anyone else has seen that problem, or if it was just me going crazy. 🙂
    Anything in the pipeline for this fulvio?

    The feature is actually there. You have to set a manual balancing rule:
    – Go to NetBalancer / Balancing rules
    – Add a new rule (a popup for the rule comes up)
    – In the “Packet Matching” section you enter the server's IP as destination IP
    – In the “Protocol Matching” section you choose “TCP” and enter 443 (HTTPS) as destination port.
    – In the “Target Gateway” section you set the gateway you want to use.
    That's it! The rule should be active immediately after you have saved the changes.

    #48720

    ppalias
    Member

    When you want to choose a gateway based on the destination address it can be done either by adding a static route or by adding a balancing rule. On the other hand if the rule is something like source address, port, L7 packet match, then you have to use a balancing rule.

    #48721

    jacobsa
    Member

    One other thing I have found with Net Balancer, that I cannot seem to resolve is external services in seem to drop packets. Not sure if you guys can test this on your services for me, but I can replicate it on a number of different Zeroshell beta12 boxes I have out there, with different services (pppoe links & static IP services).

    For example:

    Run a constant ping to both public IPs of the two Net Balanced connections from another third party site, external to the Zeroshell in question.

    When Netbalancer is in Load Balance & Fail Over, no matter what my weighting scenario is, I seem to lose a considerable amount of packets on the same pppoe link (4-5% over a decent time span) INBOUND only, where my other link is always fine. When I say inbound only, if I configure a rule to force traffic out via the link in question from an internal PC, I can confirm it's going via that link, and never see the packet loss. Only inbound.

    In all of my configurations it seems to be a PPPOE link that always feels it, not the static IP service. I have changed weights, re-configured the PPPOE connections so they are in a different order (ppp0, ppp1, etc), but the problem remains. I can produce this on both a beta11 & 12 release I have out there right now. Even if I configure the link in question with a higher weight, it still sees the packet loss inbound.

    I have confirmed it is not just UDP packets as well, as I have tested with inbound TCP services (SMTP server, telnet, etc), and they suffer as well.

    If I change the NetBalancer configuration to Failover only, the packet loss instantly goes away.

    I even went as far as making a NetBalancer rule saying anything on the ppp0 link inbound use the ppp0 link outbound in an attempt to fix it, but no help. 🙂

    This is a real pain when you are monitoring links for customers using an ICMP ping test, as I keep getting notified they are down when they are not; it's just this issue I have found.

    I can reproduce this for any of you if you wish to see it. It is happening as I type this on the same link I am using. 🙂

    If you guys could test your own links and see if you see the issue, or throw me any ideas to resolve that would be great.

    Cheers,

    Aaron

    #48722

    ppalias
    Member

    I can confirm that there is something wrong with the “Load Balance and Failover”. I have 2 servers in my internal network and an openvpn server on the ZS. The servers are working with port forward.
    If I don’t apply 3 netbalancing rules, then none is working in a proper way, due to packet loss. When I apply the 3 rules everything works fine.
    I sense that something goes wrong with the NAT translations and the load balancer. When you have an incoming connection over a specific interface the reply has to be sent back on the same interface, not based on policy based rules.
    So in a nutshell I think that netbalancer rules should be applied only if there is no existing connection (or NAT translation).
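
A toy model of the gateway selection discussed in the post above (replies following the link their connection arrived on) and of the destination-based balancing rule from mark_orion's steps; this is an added example, not part of any post and not ZeroShell's NetBalancer code. The class, function names and addresses are constructed, and counting a reply that leaves by a different link than it arrived on as lost is an assumption of the model.

```python
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def conn_key(p):
    # Same key for both directions of one connection.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Balancer:
    def __init__(self, weights, pin_connections):
        # weights such as {"ppp0": 1, "eth1": 1} become a weighted round-robin ring.
        self._ring = itertools.cycle([gw for gw, w in weights.items() for _ in range(w)])
        self.pin = pin_connections
        self.rules = []       # manual balancing rules: (dst_ip, dport, gateway)
        self.conntrack = {}   # connection -> link it is bound to

    def inbound(self, pkt, link):
        # Record the link an externally initiated connection arrived on.
        if self.pin:
            self.conntrack.setdefault(conn_key(pkt), link)

    def egress(self, pkt):
        k = conn_key(pkt)
        if self.pin and k in self.conntrack:
            return self.conntrack[k]          # existing connection: keep its link
        gw = next((g for d, p, g in self.rules if (d, p) == (pkt.dst, pkt.dport)), None)
        if gw is None:
            gw = next(self._ring)             # no rule matched: balance by weight
        if self.pin:
            self.conntrack[k] = gw
        return gw

def misrouted_replies(bal, link="ppp0", n=100):
    """Replies to connections that arrived on `link` but left by another link."""
    bad = 0
    for i in range(n):
        req = Packet("198.51.100.7", 40000 + i, "203.0.113.10", 25)  # constructed
        bal.inbound(req, link)
        reply = Packet(req.dst, req.dport, req.src, req.sport)
        bad += bal.egress(reply) != link
    return bad

def gateways_used(bal, site="192.0.2.80", conns=6):
    """Links used by several HTTPS connections from one client to one site."""
    return {bal.egress(Packet("192.168.0.5", 50000 + i, site, 443)) for i in range(conns)}
```

With equal weights and no pinning the model misroutes half the replies; it illustrates the mechanism only and does not try to reproduce the 4-5% figure reported in the thread. Pinning per connection keeps every reply on its arrival link, but separate HTTPS connections to one site still leave by different links unless a rule binds that destination to one gateway.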

    #48723

    jacobsa
    Member

    I am glad I am not the only one experiencing this, and I can now confirm with you that this is a bug.

    My only issue is, that I cannot create balancing rules for the Zeroshell itself to respond to ICMP requests for network monitoring. 🙂

    Any word, fulvio?
