Netgate Discussion Forum

    Netgate 6100 - Is this an acceptable design? WAN Bridge & Firewall on Same device.

    Category: General pfSense Questions
    8 posts, 2 posters, 686 views
    linux50 wrote:

      Hello All,

      Trying to deploy this at a datacenter for a web hosting company. I wanted to ask if this design is an acceptable approach or if I'm just asking for trouble. We recently bought 2 x 6100 and they want them configured in an HA config. The firewalls will function as the main FWs for their little network plus a transparent firewall for any servers on their WAN network (they want to block inbound SMTP). Using draw.io, I was able to create an overview of how this will be connected.

      [attached image: e2dbff9c-6854-47f8-a658-a46b88f70b0c-image.png (network overview diagram)]

      stephenw10 (Netgate Administrator) wrote:

        Using HA with bridges is generally considered a bad idea if you can avoid it. You would be relying on STP to prevent a loop there somewhere.

        https://docs.netgate.com/pfsense/en/latest/bridges/interoperability.html#bridging-interoperability-ha

        Steve

        linux50 wrote:

          @stephenw10

          Hi Steve. So this setup "may" cause a loop or "will" cause a loop? Is there anything I should do from the switch side to prevent this?

          Thanks for the help.

          stephenw10 (Netgate Administrator) wrote:

            Well, it depends what the colo drops are connected to, but I'd expect them to be in the same layer 2. Thus, if the bridges in both HA nodes are also connected to the same layer 2 on the back end, there will be a loop. In that sort of setup STP usually disconnects one of those links to prevent it, assuming STP is enabled on the upstream switch.

            linux50 wrote:

              @stephenw10

              Hi Steve,

              What if the colo uplinks are configured in a LACP config and the bridge I plan to use is in a Transparent Firewall methodology?

              stephenw10 (Netgate Administrator) wrote:

                Hmm, well, that could be interesting. I have seen one other example of synced pfSense nodes in LACP links like that. It did work, but that was some versions ago. They were not using any routed traffic with HA/CARP at the same time.
                So it's hard to recommend something like that. But it would not be a loop; it could work.

                I will also say it would be hard to support that if you ever needed TAC assistance.

                linux50 wrote:

                  @stephenw10

                  Good morning Steve. In respect of HA, will the firewall fail over to the secondary firewall if the uplink goes down, or does HA only take effect if the firewall suffers a hardware failure?

                  Thanks,
                  JG

                  stephenw10 (Netgate Administrator) wrote:

                    It would usually demote itself, causing a failover, if any interface that has a CARP VIP on it loses link. That can be affected if the interface is a bridge, though, for example. The bridge itself never goes down.

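Two of Steve's points above lend themselves to a check you can actually run on the box: the HA design leans on STP on the bridge members (his first two replies), and a bridge interface never reports carrier loss, so a demotion driven by link state has to watch the members instead (his last reply). The script below is an added example, not from this thread or from pfSense. It parses FreeBSD-style `ifconfig` output (a constructed sample is embedded; the interface names igc0, igc1 and bridge0 are mine), lists the members of a bridge, flags members whose flags lack STP, flags members without carrier, and prints the `sysctl net.inet.carp.demotion` command that would demote the node rather than running it. The demotion value of 240 and the assumption that writing a value to that sysctl adds it to the current demotion factor are mine; check carp(4) for your release before automating it.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): check the members of a
# bridge, because the bridge interface itself never reports "no carrier".
# Parses FreeBSD-style `ifconfig` output. On a real node use:
#   report bridge0 "$(ifconfig)"

# Constructed sample, trimmed to the lines the parser needs. igc1 has lost
# link and has STP disabled; bridge0 has no "status:" line at all.
SAMPLE_IFCONFIG='igc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:01
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:02
        media: Ethernet autoselect
        status: no carrier
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        member: igc1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: igc0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge'

# bridge_members BRIDGE IFCONFIG_TEXT: one member interface name per line.
bridge_members() {
    printf '%s\n' "$2" | awk -v br="$1" '
        /^[a-z0-9]+: / { cur = $1; sub(":", "", cur) }
        cur == br && $1 == "member:" { print $2 }'
}

# members_without_stp BRIDGE IFCONFIG_TEXT: members whose flags lack STP.
# Two HA nodes bridging the same layer 2 on both sides form a loop unless
# STP (here or on the upstream switch) blocks one path.
members_without_stp() {
    printf '%s\n' "$2" | awk -v br="$1" '
        /^[a-z0-9]+: / { cur = $1; sub(":", "", cur) }
        cur == br && $1 == "member:" && $3 !~ /[<,]STP[,>]/ { print $2 }'
}

# link_status IFACE IFCONFIG_TEXT: "active", "no carrier", ... or "unknown"
# when the interface has no status line, which is what a bridge shows.
link_status() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[a-z0-9]+: / { cur = $1; sub(":", "", cur) }
        cur == want && $1 == "status:" { $1 = ""; sub(/^ /, ""); print; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# bridge_down_members BRIDGE IFCONFIG_TEXT: "<member> <status>" for every
# member that is not active.
bridge_down_members() {
    for m in $(bridge_members "$1" "$2"); do
        s=$(link_status "$m" "$2")
        [ "$s" = "active" ] || printf '%s %s\n' "$m" "$s"
    done
}

# needed_demotion BRIDGE IFCONFIG_TEXT: 240 if any member is down, else 0.
# 240 is an assumed value, chosen to outweigh any advskew in use; tune it.
needed_demotion() {
    n=$(bridge_down_members "$1" "$2" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then echo 240; else echo 0; fi
}

# demotion_command BRIDGE IFCONFIG_TEXT: the sysctl that would demote this
# node, or nothing when all members are up. Assumption (check carp(4) for
# your release): writing N to net.inet.carp.demotion adds N to the current
# demotion factor, so the matching -N must be written once link returns.
demotion_command() {
    n=$(needed_demotion "$1" "$2")
    [ "$n" -eq 0 ] || echo "sysctl net.inet.carp.demotion=$n"
}

# report BRIDGE IFCONFIG_TEXT: summary for a human; prints the sysctl
# instead of running it.
report() {
    echo "bridge $1 link state: $(link_status "$1" "$2") (a bridge never reports carrier loss)"
    members_without_stp "$1" "$2" | sed 's/^/member without STP: /'
    bridge_down_members "$1" "$2" | sed 's/^/member down: /'
    cmd=$(demotion_command "$1" "$2")
    [ -z "$cmd" ] && echo "all members up, no demotion" || echo "would run: $cmd"
}

report bridge0 "$SAMPLE_IFCONFIG"
```

Run it as-is to see the report on the constructed sample; on a node, replace the last line with `report bridge0 "$(ifconfig)"` and, only after confirming the sysctl semantics on your release, execute the printed command from a periodic job or a devd hook and undo it when the member comes back. The STP check covers only the pfSense side; whether the colo switch runs STP on those drops is still a question for the switch, as Steve says.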
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.