Secondary WAN and High Availability
-
I am in the process of trying to select equipment for a conversion of our router/firewall appliances to Netgate. I want to position myself so that we can add secondary WAN and high availability at a later time.
My read is that secondary WAN + High Availability would make it necessary to have four interfaces. 2x WAN, 1x LAN, 1x HA Sync.
One of the appliances we are looking at for some of our smaller locations is the SG-3100, which has three interfaces: WAN, OPT1, and a LAN interface with a 4 port integrated switch. Obviously, I'm an interface short. My question is, can I define a VLAN solely for HA sync and attach it to one of the switch ports of the LAN interface on an SG-3100 and still achieve my end goals?
-
@bp81 said in Secondary WAN and High Availability:
My read is that secondary WAN + High Availability would make it necessary to have four interfaces. 2x WAN, 1x LAN, 1x HA Sync.
I'm wondering where you got this from.
HA or CARP has nothing to do with the number of interfaces. However, it's recommended to use a separate interface for sync when syncing states. But each interface has to have a unique IP + the shared CARP VIP. So you should have at least 3 public WAN IPs for running CARP HA.
-
@bp81 Yes you can make a port a discrete port...see https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html
-
@viragomann said in Secondary WAN and High Availability:
@bp81 said in Secondary WAN and High Availability:
My read is that secondary WAN + High Availability would make it necessary to have four interfaces. 2x WAN, 1x LAN, 1x HA Sync.
I'm wondering where you got this from.
HA or CARP has nothing to do with the number of interfaces. However, it's recommended to use a separate interface for sync when syncing states. But each interface has to have a unique IP + the shared CARP VIP. So you should have at least 3 public WAN IPs for running CARP HA.
The three public WAN IPs are not an issue. Most of our locations already have more than that, and in the places we don't have them, getting them is a phone call and a minimal cost.
I am basing my count of interfaces on the recommended configuration provided by Netgate's knowledge base. A router in HA configuration with two WAN connections will, by necessity, have two WAN interfaces. The device will, by necessity, have one LAN interface. While I understand you could run sync through a switch on your LAN technically, there are obvious reasons why a direct link between the primary and the backup for sync is the better configuration.
I prefer better configurations.
The ultimate point of this question is in reference to the ability of the SG3100 to accommodate this. It only has three physical interfaces, but the SG5100 and 6100, while they have the physical interfaces, are significant overkill for some of our smaller locations in terms of hardware performance. I'd prefer to economize on the less expensive units, IF they can work in a dual WAN + HA configuration as I described.
-
@bp81 said in Secondary WAN and High Availability:
I am basing my count of interfaces on the recommended configuration provided by Netgate's knowledge base. A router in HA configuration with two WAN connections will, by necessity, have two WAN interfaces.
So do you have two different WAN connections on that location?
While I understand you could run sync through a switch on your LAN technically, there are obvious reasons why a direct link between the primary and the backup for sync is the better configuration.
Absolutely agree. As I mentioned, when you intend to sync states for full HA usage, you should use a separate interface.
-
@viragomann said in Secondary WAN and High Availability:
@bp81 said in Secondary WAN and High Availability:
I am basing my count of interfaces on the recommended configuration provided by Netgate's knowledge base. A router in HA configuration with two WAN connections will, by necessity, have two WAN interfaces.
So do you have two different WAN connections on that location?
While I understand you could run sync through a switch on your LAN technically, there are obvious reasons why a direct link between the primary and the backup for sync is the better configuration.
Absolutely agree. As I mentioned, when you intend to sync states for full HA usage, you should use a separate interface.
Yes, I have two separate WAN connections at the location in question, each with sufficient public IP addressing for an HA configuration.
-
@bp81 said in Secondary WAN and High Availability:
Yes, I have two separate WAN connections at the location in question, each with sufficient public IP addressing for an HA configuration.
So yes, then you need four interfaces. However, you can also use VLANs for both WANs together with a VLAN-capable switch.
For running CARP on VLAN interfaces, you have to configure the VLAN interfaces on both nodes first and then add a CARP VIP on the master.
-
@viragomann said in Secondary WAN and High Availability:
@bp81 said in Secondary WAN and High Availability:
Yes, I have two separate WAN connections at the location in question, each with sufficient public IP addressing for an HA configuration.
So yes, then you need four interfaces. However, you can also use VLANs for both WANs together with a VLAN-capable switch.
For running CARP on VLAN interfaces, you have to configure the VLAN interfaces on both nodes first and then add a CARP VIP on the master.
Maybe I'm missing something, but are you suggesting that a VLAN-capable perimeter switch could be set up to serve both WANs across a single connection / single WAN interface on the router? If so, this would be outside anything I've tried to do but is interesting.
-
@bp81
Exactly. That is what VLANs are meant for, running multiple L2 networks on a single hardware.
-
@viragomann said in Secondary WAN and High Availability:
@bp81
Exactly. That is what VLANs are meant for, running multiple L2 networks on a single hardware.
Yeah, I suppose that does make sense, it just never occurred to me to do it. I'm running an HA configuration now with a competing product using separate physical interfaces, but the router I'm using has 8 interfaces, so it's not as if I needed a VLAN for this purpose to economize on limited interfaces either.
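As an added example (not from the thread, Netgate or pfSense), here is a small planner for the design discussed above: both WANs as 802.1Q VLANs on one parent interface, each with a unique address per node plus a shared CARP VIP, and state sync on its own interface. It checks those rules and emits FreeBSD-style ifconfig lines for each node; the interface names (igb0, igb1), VLAN tags, vhids, addresses and the CARP password are all constructed placeholders.

```python
# Added example, not from the thread or Netgate: igb0/igb1, tags, vhids and
# addresses are constructed; pfSense normally applies all of this from the GUI.
import ipaddress
from dataclasses import dataclass

@dataclass
class CarpSegment:
    name: str      # e.g. "WAN1"
    vlan: int      # 802.1Q tag carried on the shared parent interface
    primary: str   # unique address of the primary node (CIDR)
    backup: str    # unique address of the backup node (CIDR)
    vip: str       # shared CARP VIP that moves between nodes (CIDR)
    vhid: int      # CARP virtual host id, unique per L2 segment

def check_plan(parent, segments, sync_if):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen_vlans, seen_vhids = [], set(), set()
    for s in segments:
        if s.vlan in seen_vlans:
            problems.append(f"{s.name}: VLAN {s.vlan} already used on {parent}")
        if s.vhid in seen_vhids:
            problems.append(f"{s.name}: vhid {s.vhid} already used")
        seen_vlans.add(s.vlan)
        seen_vhids.add(s.vhid)
        p, b, v = (ipaddress.ip_interface(x) for x in (s.primary, s.backup, s.vip))
        if not (p.network == b.network == v.network):
            problems.append(f"{s.name}: node addresses and VIP must share one subnet")
        if len({p.ip, b.ip, v.ip}) != 3:
            problems.append(f"{s.name}: needs three distinct addresses (two nodes + VIP)")
    if sync_if == parent:
        problems.append("state sync should use its own interface, not the WAN trunk")
    return problems

def node_commands(parent, segments, role, passwd="CHANGE-ME"):
    """FreeBSD-style ifconfig lines for one node (primary advskew 0, backup 100)."""
    skew = 0 if role == "primary" else 100
    cmds = []
    for s in segments:
        own = s.primary if role == "primary" else s.backup
        vif = f"vlan{s.vlan}"
        cmds.append(f"ifconfig {vif} create vlandev {parent} vlan {s.vlan}")
        cmds.append(f"ifconfig {vif} inet {own}")
        cmds.append(f"ifconfig {vif} vhid {s.vhid} advskew {skew} pass {passwd} alias {s.vip}")
    return cmds

PLAN = [  # constructed sample: two ISP handoffs trunked into one parent, sync on igb1
    CarpSegment("WAN1", 10, "203.0.113.9/29", "203.0.113.10/29", "203.0.113.11/29", 1),
    CarpSegment("WAN2", 20, "198.51.100.17/29", "198.51.100.18/29", "198.51.100.19/29", 2),
]
```

The VLAN interfaces must exist on both nodes before the VIP is added, which is why the create and inet lines precede the vhid line for each segment.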