    SG-3100: HA or not?

    Official Netgate® Hardware
    sgw:

      I have to select hardware for a new customer, right now they use a 3-NIC-appliance (APU, I assume) and run 4 subnets on it (WAN, LAN, one "P-LAN" for VOIP, and one VLAN for guests).

      They like the idea of HA: 2 appliances, CARP, you know.

      Now I wonder if 2x SG-3100 might do the trick? If I configure VOIP and Guest-LAN as VLANs on the physical LAN-NIC, I could run the SYNC on the third NIC ?

      Or better configure these 4 switch-ports as the NIC with the VLANs on it?

      Or is all that a bad idea and we should either forget HA for now or buy bigger hardware?

      You notice: I am a bit confused and could need some help on this ;-)

      jimp (Rebel Alliance Developer, Netgate):

        Because the "LAN" ports on the SG-3100 are connected internally to a switch, that makes failover tricky for that particular segment. CARP heartbeats will still work, but it won't see a physical link loss and demote itself if there is a physical problem with that segment. A complete hardware failure would still cut over, as would a link loss on the WAN/OPT ports if they are set up for CARP. In the rare case that a LAN switch problem did affect them they could just power off the primary node or login and force it into maintenance mode.

        Alternately, as you suggested, you could use the LAN switchports for pfSync/XMLRPC, and the WAN/OPT ports to connect to your other switches, and that could work, but you'd have the other switchports sitting there unused.

        sgw:

          @jimp thanks for the feedback.
          Both options sound sub-optimal to me ;-) although I don't need that "internal switch feature" on the SG-3100.
          And the 1gig bandwidth should be enough for VLANs and LAN together (we talk about a 24MBit/s upstream currently ... maybe 50 or 100 next year ...).

          jimp (Rebel Alliance Developer, Netgate):

            We do have some additional products coming very soon now, so if your client doesn't mind holding off a wee bit, you will most likely find a better fit. Can't say more than that yet. :)

            sgw:

              @jimp sounds like it's worth some waiting ;-) thanks for the hint
              I just have to live with pfsense-2.2.6 there for now ... maybe do an upgrade to 2.3.5 at least, but that's a bit scary: the box is 500km away and it won't impress the new customer if I take them offline ;-)

              sgw:

                @jimp can you say "weeks" or "months" or "years" at least? ;-)

                jimp (Rebel Alliance Developer, Netgate):

                  Really soon now :-)

                  teamits:

                    @jimp said in SG-3100: HA or not?:

                    Because the "LAN" ports on the SG-3100 are connected internally to a switch, that makes failover tricky for that particular segment. CARP heartbeats will still work, but it won't see a physical link loss and demote itself

                    Does configuring the integrated switch ports in 2.4.4 as per https://www.netgate.com/resources/videos/configuring-netgate-appliance-integrated-switches-on-pfsense-244.html "fix" this? In the sense of it correctly seeing the LAN link loss. It seems like it should from the video but I didn't specifically see it discuss HA/CARP.

                    jimp (Rebel Alliance Developer, Netgate):

                      @teamits said in SG-3100: HA or not?:

                      Does configuring the integrated switch ports in 2.4.4 as per https://www.netgate.com/resources/videos/configuring-netgate-appliance-integrated-switches-on-pfsense-244.html "fix" this? In the sense of it correctly seeing the LAN link loss. It seems like it should from the video but I didn't specifically see it discuss HA/CARP.

                      Not quite. pfSense sees the interface event and takes some actions, but the CARP VIP itself does not see a failure and demote itself. We have some ideas on how to work around that, but nothing has been worked out quite yet.

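The situation jimp describes (pfSense sees the interface event, but the CARP VIP behind the internal switch never demotes itself) can be bridged with the same knob that "force it into maintenance mode" uses: FreeBSD's net.inet.carp.demotion sysctl. The sh script below is an added example, not from this thread or from Netgate; it assumes placeholder interface names (mvneta*) and feeds a constructed ifconfig sample so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from this thread or from Netgate: turn "no carrier" on
# monitored ports into a CARP demotion through FreeBSD's net.inet.carp.demotion
# (the knob pfSense's persistent maintenance mode uses), so the peer takes over
# although the CARP VIP itself never sees a switch-side link loss.
# The mvneta* names and the ifconfig sample below are placeholders.
DEMOTE_STEP=240   # same demotion pfSense applies for maintenance mode

# Constructed ifconfig output for offline testing: mvneta2 has lost carrier.
SAMPLE_IFCONFIG='mvneta0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
mvneta1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
mvneta2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect
    status: no carrier'

# Print each requested interface whose ifconfig block reports "no carrier".
# $1 = ifconfig text, remaining args = interface names to watch.
down_ports() {
    text=$1; shift
    for ifn in "$@"; do
        printf '%s\n' "$text" | awk -v want="$ifn" '
            /^[a-z0-9_.]+: / { cur = $1; sub(/:$/, "", cur) }
            cur == want && /status: no carrier/ { print want }'
    done
}

# Demotion this node should carry: DEMOTE_STEP per monitored port that is down.
wanted_demotion() {
    n=$(down_ports "$@" | awk 'END { print NR }')
    echo $(( n * DEMOTE_STEP ))
}

# Reconcile the live sysctl with the wanted value (run on the pfSense node,
# e.g. from cron or a devd rule). net.inet.carp.demotion is relative: the
# value written is added to the current demotion, so we write the delta.
apply_demotion() {
    wanted=$(wanted_demotion "$(ifconfig)" "$@")
    current=$(sysctl -n net.inet.carp.demotion)
    delta=$(( wanted - current ))
    [ "$delta" -eq 0 ] || sysctl net.inet.carp.demotion="$delta"
}

# Usage on the box: sh carp_linkwatch.sh apply mvneta1 mvneta2
if [ "${1:-}" = "apply" ]; then shift; apply_demotion "$@"; fi
```

The demotion is added to the advskew the node advertises, so the peer wins the CARP election while any watched port is down and the value is removed again once carrier returns.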
                      msf2000:

                        Seems like your original idea of using the OPT1 interface for the heartbeat/sync is the best approach. Use the LAN switch for everything else. That's how I would do it.

                        Derelict (LAYER 8, Netgate):

                          @msf2000 said in SG-3100: HA or not?:

                          Seems like your original idea of using the OPT1 interface for the heartbeat/sync is the best approach. Use the LAN switch for everything else. That's how I would do it.

                          Actually it would be better to use a switch port/VLAN for HA SYNC because it does not factor into the HA decision to fail over if the link there goes down since it has no CARP VIP. CARP heartbeats do not traverse the dedicated SYNC interface.

                          Please see this for a complete explanation:

                          https://forum.netgate.com/post/719523

                          covex:

                            @jimp so what were those products that were supposed to come out soon?

                            jimp (Rebel Alliance Developer, Netgate):

                              From 7 months ago? Probably the SG-1100 or maybe the SG-5100 as well.
