SG-3100: HA or not?

sgw

I have to select hardware for a new customer, right now they use a 3-NIC-appliance (APU, I assume) and run 4 subnets on it (WAN, LAN, one "P-LAN" for VOIP, and one VLAN for guests).

They like the idea of HA: 2 appliances, CARP, you know.

Now I wonder if 2x SG-3100 might do the trick? If I configure VOIP and Guest-LAN as VLANs on the physical LAN-NIC, I could run the SYNC on the third NIC ?

Or better configure these 4 switch-ports as the NIC with the VLANs on it?

Or is all that a bad idea and we should either forget HA for now or buy bigger hardware?

You notice: I am a bit confused and could need some help on this ;-)

jimp

Because the "LAN" ports on the SG-3100 are connected internally to a switch, that makes failover tricky for that particular segment. CARP heartbeats will still work, but it won't see a physical link loss and demote itself if there is a physical problem with that segment. A complete hardware failure would still cut over, as would a link loss on the WAN/OPT ports if they are setup for CARP. In the rare case that a LAN switch problem did affect them they could just power off the primary node or login and force it into maintenance mode.

Alternately, as you suggested, you could use the LAN switchports for pfSync/XMLRPC, and the WAN/OPT ports to connect to your other switches, and that could work, but you'd have the other switchports sitting there unused.

sgw

@jimp thanks for the feedback.
Both options sound sub-optimal to me ;-) although I don't need that "internal switch feature" on the SG-3100.
And the 1gig bandwidth should be enough for VLANs and LAN together (we talk about a 24MBit/s upstream currently ... maybe 50 or 100 next year ...).

jimp

We do have some additional products coming very soon now, so if your client doesn't mind holding off a wee bit, you will most likely find a better fit. Can't say more than that yet. :)

sgw

@jimp sounds like it's worth some waiting ;-) thanks for the hint
I just have to live with pfsense-2.2.6 there for now ... maybe do an upgrade to 2.3.5 at least, but that's a bit scary : the box is 500km away and it won't impress the new customer if I take them offline ;-)

sgw

@jimp can you say "weeks" or "months" or "years" at least? ;-)

jimp

Really soon now :-)

SteveITS

@jimp said in SG-3100: HA or not?:

Because the "LAN" ports on the SG-3100 are connected internally to a switch, that makes failover tricky for that particular segment. CARP heartbeats will still work, but it won't see a physical link loss and demote itself

Does configuring the integrated switch ports in 2.4.4 as per https://www.netgate.com/resources/videos/configuring-netgate-appliance-integrated-switches-on-pfsense-244.html "fix" this? In the sense of it correctly seeing the LAN link loss. It seems like it should from the video but I didn't specifically see it discuss HA/CARP.

jimp

@teamits said in SG-3100: HA or not?:

Does configuring the integrated switch ports in 2.4.4 as per https://www.netgate.com/resources/videos/configuring-netgate-appliance-integrated-switches-on-pfsense-244.html "fix" this? In the sense of it correctly seeing the LAN link loss. It seems like it should from the video but I didn't specifically see it discuss HA/CARP.

Not quite. pfSense sees the interface event and takes some actions, but the CARP VIP itself does not see a failure and demote itself. We have some ideas on how to work around that, but nothing has been worked out quite yet.

msf2000

Seems like your original idea of using the OPT1 interface for the heartbeat/sync is the best approach. Use the LAN switch for everything else. That's how i would do it.

Derelict

@msf2000 said in SG-3100: HA or not?:

Seems like your original idea of using the OPT1 interface for the heartbeat/sync is the best approach. Use the LAN switch for everything else. That's how i would do it.

Actually it would be better to use a switch port/VLAN for HA SYNC becuse it does not factor into the HA decision to fail over if the link there goes down since it has no CARP VIP. CARP heartbeats do not traverse the dedicated SYNC interface.

Please see this for a complete explanation:

https://forum.netgate.com/post/719523

covex

@jimp so what were those products that were supposed come out soon?

jimp

From 7 months ago? Probably the SG-1100 or maybe the SG-5100 as well.