Multi-Wan High availability question
-
I have a situation where I want to provide high availability at a site. The site has two ISPs, one of which provides a /29 subnet, however, the secondary / backup ISP does not (provides single IP address).
Assuming I am willing to give up having the secondary ISP functional on the failover router, can I still setup HA? I understand that in this scenario if I failover to the secondary router I won't have multi-wan redundancy, also that any connections on the primary that were using the secondary WAN at the time of failover will be lost and have to be re-established on the primary ISP through the secondary router.
Is there a way this configuration can work? I ask because I am not sure it's practical for us to get a /29 subnet from the secondary ISP. I have read that you can conceivably use a double NAT situation to do this with a single WAN IP address, but I would prefer to avoid such a thing if possible.
-
@bp81 said in Multi-Wan High availability question:
I have read that you can conceivably use a double NAT situation to do this with a single WAN IP address
Where?
You can configure the secondary WAN interface of both as a private network (RFC1918 IPs) and hook up the single public IP from the ISP as CARP-VIP on it.
This way, in case the primary WAN fails, the backup node cannot access the internet, because the single WAN IP is occupied by the master. But this should be acceptable.
-
@viragomann said in Multi-Wan High availability question:
@bp81 said in Multi-Wan High availability question:
I have read that you can conceivably use a double NAT situation to do this with a single WAN IP address
Where?
You can configure the secondary WAN interface of both as a private network (RFC1918 IPs) and hook up the single public IP from the ISP as CARP-VIP on it.
This way, in case the primary WAN fails, the backup node cannot access the internet, because the single WAN IP is occupied by the master. But this should be acceptable.
Would it work if both routers had the primary WAN configured with public IP addresses as described in Netgate’s documentation, but use private IP + public CARP VIP for the secondary WAN?
Also, my original question. Can I set up HA failover with the understanding that I'm going to lose states associated with the secondary WAN and just force those connections to be remade on the backup router if failover occurs?
-
@bp81 said in Multi-Wan High availability question:
Would it work if both routers had the primary WAN configured with public IP addresses as described in Netgate’s documentation, but use private IP + public CARP VIP for the secondary WAN?
This setup I was talking about. The only issue is that in case the primary WAN is down, only the HA master can access the internet over the secondary WAN.
Also, my original question. Can I set up HA failover with the understanding that I'm going to lose states associated with the secondary WAN and just force those connections to be remade on the backup router if failover occurs?
So that the secondary WAN is only connected to the primary router? Surely that's possible. But it makes no sense to me, since there is a way to have both WANs on both routers.
-
@viragomann said in Multi-Wan High availability question:
@bp81 said in Multi-Wan High availability question:
Would it work if both routers had the primary WAN configured with public IP addresses as described in Netgate’s documentation, but use private IP + public CARP VIP for the secondary WAN?
This setup I was talking about. The only issue is that in case the primary WAN is down, only the HA master can access the internet over the secondary WAN.
Also, my original question. Can I set up HA failover with the understanding that I'm going to lose states associated with the secondary WAN and just force those connections to be remade on the backup router if failover occurs?
So that the secondary WAN is only connected to the primary router? Surely that's possible. But it makes no sense to me, since there is a way to have both WANs on both routers.
This is very helpful information, thank you.
One last question. I think I know the answer but I want to clarify it for certain. In the setup you suggest I’m using 3 public IPs for the primary WAN. I’m using two private IPs and one public IP for secondary WAN. The consequence of this is that the secondary router will have internet access only through the primary WAN. If failover occurs from primary router to secondary router, my assumption is that the secondary would then be able to access the internet over secondary WAN since it would then be using the CARP public IP address.
Since in this setup my secondary router can still use the primary WAN to get updates, this seems like an acceptable configuration for my needs.
-
@bp81
Exactly. You configure the secondary WANs as a private network, so that they can talk together. Then you hook up the CARP VIP on this interface on the master and add the WAN gateway in System > Routing > Gateways to this interface. Only the router which has the master role has internet access over the secondary WAN. I.e. in case of failover to the secondary box, it takes over the WAN2 CARP and gets access to the internet over WAN2.
In the normal state, when the secondary box is backup, it can access the internet over WAN1. So the WAN1 GW has to be set as the default gateway.
There is also a workaround to get internet on the backup router over a single WAN connection and a single IP over the master, but that makes no sense in a Multi-WAN setup.