    Watchguard XTM 5 series

    HA/CARP/VIPs
• Smoothrunnings

Is there a how-to doc or extensive video on setting up two Watchguard XTM 5 series fireboxes to do failover? So if I were to turn off the PA (Active) box, it would automatically make the (Passive) box active.

Oh, and can the 10/100Mbit port on the XTM 5 series be used for the heartbeat link?

Thanks,
• dotdash

There is no machine-specific failover tutorial because the concepts are the same no matter the hardware. And yes, a 10/100 link is fine for the sync/heartbeat connection.
• Smoothrunnings

@dotdash:

There is no machine-specific failover tutorial because the concepts are the same no matter the hardware. And yes, a 10/100 link is fine for the sync/heartbeat connection.

OK, so is there a good tutorial on setting up the firewall to failover then?

Thanks,
• dotdash

A good place to start is here: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

The book is the best source; the gold subscription is worth it for that alone.
• Smoothrunnings

@dotdash:

A good place to start is here: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

The book is the best source; the gold subscription is worth it for that alone.

When I go to the page above I only see the following:

Configuring pfSense Hardware Redundancy (CARP
There is currently no text in this page. You can search for this page title in other pages, or search the related logs, but you do not have permission to create this page.

That's what I noted to steve, who posted the same link. :)
• dotdash

The link code stripped off the trailing ).

https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
• Smoothrunnings

@dotdash:

The link code stripped off the trailing ).

https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

So the question I have is with this diagram in the link above (https://doc.pfsense.org/index.php/File:CARP_Setup.png). It's a bit confusing. Why? Well, I am familiar with Neverfail and how it works.

Does the backup firewall's LAN IP stay permanent, or does it change when it fails over? And for the WAN, since I use DHCP, is there any way to inject the MAC address from the primary firewall into the secondary when fail-over occurs?

In a NF world the LAN IP of the secondary passive server is disabled; all data goes through the heartbeat. When the primary active server fails, it tells the secondary passive server and begins the fail-over to the secondary, making it active and setting the primary to passive. During the process the LAN connection on the primary is turned off while it is turned on on the secondary. This way the interruption is minimal.

Is that what CARP does?
• dotdash

Never heard of Neverfail, but pfSense operates much like a Cisco failover cluster using HSRP/VRRP: all traffic is routed out via the virtual/CARP addresses. The virtual addresses have unique MACs and are advertised by the cluster member that is currently master.
They are labeled as 'cluster shares' on the picture.
• Smoothrunnings

So what happens when the firewall fails over? Does it retain the WAN IP address off the other firewall?
• dotdash

@Smoothrunnings:

So what happens when the firewall fails over? Does it retain the WAN IP address off the other firewall?

Each firewall has an address, but they share a virtual address that is used for routing the traffic.
In the referenced diagram, the default gateway of LAN computers is 192.168.1.3 and on the WAN, traffic is NATed out 127.29.29.3.
Those IPs will float between the two nodes. The concepts are different than that Neverland thing; please review the whole document referenced.
• Smoothrunnings

@dotdash:

@Smoothrunnings:

So what happens when the firewall fails over? Does it retain the WAN IP address off the other firewall?

Each firewall has an address, but they share a virtual address that is used for routing the traffic.
In the referenced diagram, the default gateway of LAN computers is 192.168.1.3 and on the WAN, traffic is NATed out 127.29.29.3.
Those IPs will float between the two nodes. The concepts are different than that Neverland thing; please review the whole document referenced.

So under CARP do the PRI and SEC FWs share the pub IP addresses?
• dotdash

As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.
• chpalmer

@dotdash:

As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.

"Each has its own WAN address" might be a better way to explain that, since the linked document seems to show the cluster double NATed behind a DSL router combo.

One could assume from that drawing that the DSL router actually has the only public IP in that particular example.

Triggering snowflakes one by one..
• dotdash

I assumed the document was using the 127 addresses as an example. It states you need three real addresses in the linked overview. Trying to run CARP behind NAT or float a single public greatly complicates matters and would not be recommended for someone still coming to grips with the basics. There are exceptions, but for a CARP cluster you need at least three public IP addresses.
• Smoothrunnings

@chpalmer:

@dotdash:

As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.

"Each has its own WAN address" might be a better way to explain that, since the linked document seems to show the cluster double NATed behind a DSL router combo.

One could assume from that drawing that the DSL router actually has the only public IP in that particular example.

When you say each has its own WAN address, do you mean from a virtual IP or from a public IP aspect?

From what I have learned with Cisco firewalls (we have engineers at work), the slave box has its own WAN IP, but when failover occurs everything from the master firewall is transferred to the slave, including the MAC address, so that the slave firewall in my case would get the same IP address from the ISP (as I am on DHCP for my WAN).

The questions I have are the following:

1. Do I have to set up the same apps on my slave firewall as I have on my master? (i.e. Haproxy, LCD Driver, OpenVPN, Ntopng, etc.)
2. Is the CARP heartbeat smart enough to pick up any changes I make to the local firewall and/or its apps and update them?
• dotdash

@Smoothrunnings:

From what I have learned with Cisco firewalls (we have engineers at work), the slave box has its own WAN IP, but when failover occurs everything from the master firewall is transferred to the slave, including the MAC address, so that the slave firewall in my case would get the same IP address from the ISP (as I am on DHCP for my WAN).

The questions I have are the following:

1. Do I have to set up the same apps on my slave firewall as I have on my master? (i.e. Haproxy, LCD Driver, OpenVPN, Ntopng, etc.)
2. Is the CARP heartbeat smart enough to pick up any changes I make to the local firewall and/or its apps and update them?

a. HA on Cisco is similar to HA on pfSense: master and slave have a public IP on the WAN. They share one or more virtual public IPs that have unique MACs. The virtual IPs migrate between master and slave.

1. Generally yes, you need the same packages on both boxes. LCDproc and Ntopng would be exceptions as they don't run critical services.
2. XMLRPC will push any config changes from the master to the slave. If you updated a package on the master, you would need to update the slave also.
• Smoothrunnings

@Smoothrunnings:

@chpalmer:

@dotdash:

As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.

"Each has its own WAN address" might be a better way to explain that, since the linked document seems to show the cluster double NATed behind a DSL router combo.

One could assume from that drawing that the DSL router actually has the only public IP in that particular example.

When you say each has its own WAN address, do you mean from a virtual IP or from a public IP aspect?

From what I have learned with Cisco firewalls (we have engineers at work), the slave box has its own WAN IP, but when failover occurs everything from the master firewall is transferred to the slave, including the MAC address, so that the slave firewall in my case would get the same IP address from the ISP (as I am on DHCP for my WAN).

The questions I have are the following:

1. Do I have to set up the same apps on my slave firewall as I have on my master? (i.e. Haproxy, LCD Driver, OpenVPN, Ntopng, etc.)
2. Is the CARP heartbeat smart enough to pick up any changes I make to the local firewall and/or its apps and update them?

Oops, wrong post. :(
• Smoothrunnings

@dotdash:

a. HA on Cisco is similar to HA on pfSense: master and slave have a public IP on the WAN. They share one or more virtual public IPs that have unique MACs. The virtual IPs migrate between master and slave.

1. Generally yes, you need the same packages on both boxes. LCDproc and Ntopng would be exceptions as they don't run critical services.
2. XMLRPC will push any config changes from the master to the slave. If you updated a package on the master, you would need to update the slave also.

a. If what you are saying is that the WANs on both firewalls have their own public IPs, then how does the secondary assume the role of the primary when fail-over occurs?

Thanks
• dotdash

@Smoothrunnings:

a. If what you are saying is that the WANs on both firewalls have their own public IPs, then how does the secondary assume the role of the primary when fail-over occurs?

Thanks

The secondary gains control of the Virtual (CARP) IPs, on the LAN side and the public side. If this isn't clear, please review the CARP man page, the HA documentation, etc. I feel like this discussion is going in circles.
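Added example, not code from the thread, from pfSense or from Netgate, that models the two points dotdash makes above: the VIPs carry their own MACs and follow whichever node is currently master, and the secondary takes them over when the primary stops advertising. The node names, advbase/advskew values and VHID are constructed assumptions; the VIP MAC prefix and the master-down timer follow the BSD CARP implementation that pfSense uses.

```python
# Added example, not from the thread or from pfSense: how a CARP cluster picks
# the node that advertises the shared virtual IPs, the MAC those VIPs carry,
# and how long a backup waits before taking over. Node values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class CarpNode:
    name: str
    advbase: int  # seconds between advertisements (1..255)
    advskew: int  # extra delay in 1/256 s steps (0..254); lower wins

def carp_vip_mac(vhid: int) -> str:
    """MAC CARP advertises for a VIP: 00:00:5e:00:01:<vhid>. LAN hosts'
    ARP caches point here, never at either node's physical NIC."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"

def advert_interval(node: CarpNode) -> float:
    """Seconds between this node's CARP advertisements."""
    return node.advbase + node.advskew / 256

def elect_master(nodes, alive=None) -> CarpNode:
    """The live node advertising most often (lowest advbase + advskew/256)
    is master; pass `alive` as a set of names to model a node failure."""
    live = [n for n in nodes if alive is None or n.name in alive]
    if not live:
        raise RuntimeError("no CARP node alive; VIPs are unreachable")
    return min(live, key=lambda n: (advert_interval(n), n.name))

def master_down_timeout(backup: CarpNode) -> float:
    """Seconds a backup waits without hearing the master before it takes
    the VIPs: the BSD CARP timer of 3 * advbase plus the backup's own skew."""
    return 3 * backup.advbase + backup.advskew / 256

def gateway_mac_is_carp(observed_mac: str, vhid: int) -> bool:
    """Compare an ARP entry for the gateway VIP (192.168.1.3 in the linked
    diagram) with the expected CARP MAC; a mismatch means hosts are talking
    to a physical interface or to something else claiming the VIP."""
    return observed_mac.strip().lower() == carp_vip_mac(vhid)

if __name__ == "__main__":
    primary = CarpNode("primary", advbase=1, advskew=0)        # constructed
    secondary = CarpNode("secondary", advbase=1, advskew=100)  # constructed
    print("master, both up:", elect_master([primary, secondary]).name)
    print("master, primary down:",
          elect_master([primary, secondary], alive={"secondary"}).name)
    print("secondary takes over after %.3f s" % master_down_timeout(secondary))
```

With the constructed skews, the secondary advertises every 1.390625 s and declares the primary dead after 3.390625 s of silence, which is the order of outage to expect on failover.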