HA SYNC Question



  • hello

    I've been wondering how to configure a dedicated link for HA SYNC.
    I have a few 10G and 1G adapters, and I also have 2 more expansion slots available. What if I put 2 adapters, 1 in each server, and direct-attach them to dedicate this link for HA SYNC only?

    Any suggestions on how to configure it, or just plug them in and give that link a static IP in the same subnet?

    My HA SYNC is currently on a VLAN. There is not much traffic yet because it is still in the LAB environment, but when I plug it into production it might consume some traffic, which I think won't be much of a problem because I have 2x40G in LACP, but still, for security a dedicated link for HA can be useful.

    Thank you



  • I agree, a dedicated physical link is best for HA. The traffic is minimal, just put matching adapters in each box, put them on the same subnet (you could use a /30), and add rules to allow traffic.
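
As an added illustration (not code from any poster or from pfSense itself), here is what the direct-attached /30 link and the "rules to allow traffic" from the reply above look like in FreeBSD pf syntax; pfSense generates equivalent rules from its GUI. The interface name igb2, the 10.255.255.0/30 addresses and the peer being a unicast syncpeer are all assumptions.

```pf
# Assumed layout: igb2 is the dedicated sync NIC on both boxes, direct-attached.
# This node is 10.255.255.1/30, the peer is 10.255.255.2/30. On FreeBSD the
# interfaces would be brought up with:
#   ifconfig igb2 inet 10.255.255.1/30 up
#   ifconfig pfsync0 syncdev igb2 syncpeer 10.255.255.2 up
# (pfSense does this for you when you set the pfsync interface and peer IP.)
sync_if  = "igb2"
sync_net = "10.255.255.0/30"
peer     = "10.255.255.2"

# State replication: pfsync is IP protocol 240 and carries firewall state
# tables in the clear, so accept it only on the dedicated link and only from
# the peer address. With syncpeer set, pfsync is unicast, not multicast.
pass in  quick on $sync_if proto pfsync from $peer to $sync_net
pass out quick on $sync_if proto pfsync from $sync_net to $peer

# Configuration sync (XMLRPC over HTTPS to the peer's web GUI) on the same link.
# Assumes the GUI listens on 443; change the port if yours differs.
pass in  quick on $sync_if proto tcp from $peer to $sync_net port 443
pass out quick on $sync_if proto tcp from $sync_net to $peer     port 443

# Anything else arriving on the sync link is dropped, and pfsync arriving on
# any other interface (e.g. the old VLAN or the LACP trunk) is refused, so a
# host elsewhere on the core switch cannot feed states into the cluster.
block in quick on $sync_if
block in quick proto pfsync
```

The last two lines are the part a direct patch cable does not give you on its own: they make the firewall itself ignore pfsync on every interface except the dedicated one, which is the check to add whether or not a switch sits in the middle.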



  • We just plug them together with a patch cable also. Plus, that way, if the switch in the middle fails the backup router won't try to become master. Having a switch in the middle is an unnecessary point of failure.


  • Netgate

    Plus that way if the switch in the middle fails the backup router won't try to become master.

    The SYNC interface has no bearing on who is master and who isn't. There aren't CARP VIPs on it so it doesn't factor into that decision.

    See the sticky I wrote on all of this up there in the category ^.



  • @derelict said in HA SYNC Question:

    The SYNC interface has no bearing on who is master

    D'oh! Of course. Not sure what I was thinking. Still, we just use a patch cable as it is still one less thing to fail. :)


  • Netgate

    So do I. ;)



  • @derelict It is not about failing, it is more about security. From what I know, HA is syncing with non-encrypted traffic, and having all of that traffic flowing around my core switch is not a good idea.

    Thank you



  • @xlameee In general, even an unmanaged switch should only be sending traffic to the correct ports, so unless someone's spoofing IPs (while guessing your sync subnet) or spoofing the routers' MAC addresses, I'm not sure it's really much of an issue... and if they are doing that, then there are other issues on your network 😀. A direct patch cable connection would remove any concern.


  • Netgate

    I might be foolish but I trust VLANs.

    The states that are represented by the pfsync traffic are running around in your switch already.