3. SG-3100: HA or not?

SG-3100: HA or not?

  • S

    I have to select hardware for a new customer, right now they use a 3-NIC-appliance (APU, I assume) and run 4 subnets on it (WAN, LAN, one "P-LAN" for VOIP, and one VLAN for guests).

    They like the idea of HA: 2 appliances, CARP, you know.

    Now I wonder if 2x SG-3100 might do the trick? If I configure VOIP and Guest-LAN as VLANs on the physical LAN-NIC, I could run the SYNC on the third NIC ?

    Or better configure these 4 switch-ports as the NIC with the VLANs on it?

    Or is all that a bad idea and we should either forget HA for now or buy bigger hardware?

    You notice: I am a bit confused and could need some help on this ;-)

    0
  • Rebel Alliance Developer Netgate

    Because the "LAN" ports on the SG-3100 are connected internally to a switch, that makes failover tricky for that particular segment. CARP heartbeats will still work, but it won't see a physical link loss and demote itself if there is a physical problem with that segment. A complete hardware failure would still cut over, as would a link loss on the WAN/OPT ports if they are setup for CARP. In the rare case that a LAN switch problem did affect them they could just power off the primary node or login and force it into maintenance mode.

    Alternately, as you suggested, you could use the LAN switchports for pfSync/XMLRPC, and the WAN/OPT ports to connect to your other switches, and that could work, but you'd have the other switchports sitting there unused.

    0
    S
     1 Reply
  • S

    @jimp thanks for the feedback.
    Both options sound sub-optimal to me ;-) although I don't need that "internal switch feature" on the SG-3100.
    And the 1gig bandwidth should be enough for VLANs and LAN together (we talk about a 24MBit/s upstream currently ... maybe 50 or 100 next year ...).

    0
  • Rebel Alliance Developer Netgate

    We do have some additional products coming very soon now, so if your client doesn't mind holding off a wee bit, you will most likely find a better fit. Can't say more than that yet. :)

    0
    S
     2 Replies
  • S

    @jimp sounds like it's worth some waiting ;-) thanks for the hint
    I just have to live with pfsense-2.2.6 there for now ... maybe do an upgrade to 2.3.5 at least, but that's a bit scary : the box is 500km away and it won't impress the new customer if I take them offline ;-)

    0
  • S

    @jimp can you say "weeks" or "months" or "years" at least? ;-)

    0
  • Rebel Alliance Developer Netgate

    Really soon now :-)

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy