PfSense HA on OVH dedicated servers



  • Hi
    I am in the process of creating a new virtualized infrastructure with OVH dedicated servers and vRack. Our local on-premise infrastructure already uses pfSense, so the easiest solution would be to continue doing so.
    Currently I have 2 identical physical servers (in two different datacenters) connected to the same vRack interface and the idea was to create a virtual pfSense node on each physical server and have these connected in HA. However on the configuration screen it is noted that HA only works with multicast, which is not supported on the OVH network.

    The idea was that I wanted to prevent service interruption if a pfSense node, or physical node, is down for a longer period of time.

    How can I get a working HA between multiple pfSense virtual nodes using OVH?

    Btw. we are using Proxmox VE for our virtualization infrastructure.



  • Hi,
    We have used CARP on OVH's vRack with no problems. Well, no problems other than OVH being unreliable that is…

    I was concerned they might block multicast etc, but it has always worked perfectly well for us. Who told you it wouldn't work? We were able to configure multiple VLANs on the same vRack by adding multiple NICs and setting the VLAN tag in VMware.

    No problems with CARP or config Sync.



  • @robwalker:

    Hi,
    We have used CARP on OVH's vRack with no problems. Well, no problems other than OVH being unreliable that is…

    I was concerned they might block multicast etc, but it has always worked perfectly well for us. Who told you it wouldn't work? We were able to configure multiple VLANs on the same vRack by adding multiple NICs and setting the VLAN tag in VMware.

    No problems with CARP or config Sync.

    Hello,

    We have 2 x hardware pfSense servers on the same vRack - now we would like to set up hardware redundancy for them. I've never done it before, but after some extensive reading I guess I understand it well enough to implement…

    What procedure did you follow to get a CARP IP from the same subnet as the firewalls' WAN IPs? Did you just ask support to allocate another IP?
    Does anything else need to be changed in the OVH settings to make it work?

    Thanks!



  • Got an answer from OVH that CARP is not possible for their hardware dedicated servers due to network design.

    I've solved this using the OVH Control Panel API - https://api.ovh.com

    1. Buy some OVH failover IPs (one or a subnet block) and assign them to the "master" firewall in the OVH Control Panel.

    2. Create identical "IP alias(es)" for the OVH failover IPs, attached to the WAN interfaces on both the "master" and "backup" firewalls.
          Yes, create identical IP aliases - no IP conflict will ever happen.

    3. Wrote a Python script that moves the above OVH failover IPs to the "backup" server in case the "master" firewall stops responding for, let's say, 10 seconds.
          The script can run on the backup server or on any other Linux/Windows server anywhere.

    Works just fine - the API failover IP move takes about 50-55 seconds to finish.
    So, if the script's timeout for your "master" firewall is set to 10 seconds, you are looking at a max 60-65 seconds outage for your services.

    Boom.
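
The watchdog from step 3 of the post above, written as an added example (not the poster's script and not OVH's code): it moves the failover IPs only after the master has failed probes for the whole grace period, latches after one failover, and retries any IP whose move call failed. The class and function names, the injected `probe`/`move_ip` callables, and the `POST /ip/{ip}/move` route used in `ovh_mover` are assumptions.

```python
import socket
import time
from urllib.parse import quote

def tcp_probe(host, port, timeout=2.0):
    """True if the master firewall accepts a TCP connection within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ovh_mover(client):
    # Assumption: `client` is an ovh.Client (python-ovh) and the move is done
    # with POST /ip/{ip}/move; verify the route for your account at api.ovh.com.
    return lambda ip, to: client.post(f"/ip/{quote(ip, safe='')}/move", to=to)

class FailoverWatchdog:
    """Move failover IPs to `backup` once the master has been down `grace` seconds."""

    def __init__(self, probe, move_ip, ips, backup, grace=10.0, clock=time.monotonic):
        self.probe, self.move_ip, self.pending = probe, move_ip, list(ips)
        self.backup, self.grace, self.clock = backup, grace, clock
        self.down_since = None    # start of the current run of failed probes
        self.failed_over = False  # latch: never move twice, never move back

    def tick(self):
        """Run one probe cycle and return the IPs moved during it."""
        if self.failed_over:
            return []
        if self.probe():
            self.down_since = None  # one good probe resets the outage timer
            return []
        now = self.clock()
        if self.down_since is None:
            self.down_since = now
        if now - self.down_since < self.grace:
            return []
        moved = []
        for ip in self.pending:
            try:
                self.move_ip(ip, self.backup)
                moved.append(ip)
            except Exception as exc:  # API error: keep the IP pending, retry next tick
                print(f"move of {ip} failed: {exc}")
        self.pending = [ip for ip in self.pending if ip not in moved]
        self.failed_over = not self.pending
        return moved
```

Call `tick()` every couple of seconds from a loop on the backup firewall or a third host; moving the IPs back to the master after recovery is left as a manual step so a flapping master cannot trigger repeated 50-55 second moves.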


 
