Netgate Discussion Forum

    Virtualize dedicated hardware for failover or not?

    6 Posts 4 Posters 1.8k Views
    • atamgp

      I am buying the following hardware:

      • Asus Server grade motherboard socket 1155 with 5 x intel LAN : Asus P8B-E/4L
      • i3 cpu 35 watt
      • 4GB
      • 1u supermicro  rack

      This will act as router, firewall, load balancer and public IP -> private IP conversion towards my switch, which hosts 2 ESXi machines.
      Each ESXi host will have about 20 VMs. (Clustering a VM on host 1 with one on host 2 for high availability.)

      Question:

      I have 2 possibilities:

      1. Just install pfSense and be done  :)

      or

      2. Install ESXi. Within it, 2 VMs of pfSense in a failover (CARP) configuration.

      What is advisable? Will the 2nd option increase reliability and not increase delay…

      Both, reliability and performance (that's why dedicated hardware) are important for me.

      Cheers!

      • n2qcn

        "2. Install ESXi. Within it, 2 VMs of pfSense in a failover (CARP) configuration."

        Seeing the hardware (and vswitch) will be the same, what software failure would
        affect one fp instance and not the other? What are we protected against?

        • atamgp

          The extras that config #2 adds are:

          • being safe in case of failure of pfSense (what are the chances???)
          • management (upgrading pfSense and testing). Just let the 2nd VM take over while working on the first.
          • other? …

          It also adds risks:

          • ESXi crash (chances?)
          • other? …
          • tester_02

            I converted to VMs as I believe you gain the ease of restoring from a crash.  If you back up your images, you can always restore from a working image.  I know I back up my pfSense, then upgrade packages so that if it all dies, I can restore an older image.  I also have more hardware than bandwidth.  Meaning that I might lose some throughput running through a VM, but I don't need that much anyways.
              Now, you added the complexity of having multiple VMs.  The only reason I would think to contemplate would be for high availability.  So that you can down one, while the other is done.  When would that happen though?  Upgrades maybe?
              The only other reason I could see would be if you have many NICs and have LARGE throughput.  You could allocate 2 NICs to one VM and 2 other NICs to the other VM.
              It's an interesting way of doing it.  I never thought to run 2 pfSense VMs on the same machine.  I don't think it would be more reliable, as I would say there are better chances of hardware failure than a pfSense failure (very reliable in the few years I've been running it).

            Would be interested in others' thoughts…

            • cmb

              Pretty much all our colo facilities run VM firewalls, but one per ESX host, not two on the same (lose most of the benefits with two on the same host). We do have one colo with only one server that runs two firewalls on the same host, primarily because we upgrade our firewalls a lot (they're all running 2.1) to track 2.1 snapshots and we need higher availability than we could possibly have otherwise, even though an upgrade is sub-1 minute downtime, that's too much. There's also much more risk inherent in running snapshots so that's a bit different from your average user's scenario.

              • atamgp

                @cmb, tester_02: thanks for your feedback, it is appreciated.

                So I conclude that the reliability stays almost the same, but flexibility to upgrade and/or try other/new features goes up.

                thanks

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.