4. HA Cluster and cellular failover

HA Cluster and cellular failover


  • Hello all,

    I'm in the planning phase of a system where resilience is required for internet as it will be mission critical. I wondered if a HA Cluster and cellular failover are possible.

    The idea would be like the following diagram with either one cellular modem on the primary firewall or a cellular modem on both firewalls.
    https://docs.netgate.com/pfsense/en/latest/book/highavailability/layer-2-redundancy.html

    But is it possible to set up a HA Cluster with cellular failover?

    This is probably obvious but for the sake of clarity, the WAN IP Address Assignments would change when using the backup cellular connection. Also, the cellular connection would not meet the prerequisites for a HA Cluster, namely in terms of WAN IP Address Assignments.

    So I guess, it would boil down to telling a firewall that if the WAN goes down, stop using the HA configuration and then use cellular modem for internet.

    If a HA Cluster with cellular failover is possible, could there be a cellular modem on both the primary and secondary firewall? Or to put it more confusingly, is failover possible for cellular failover? If it is possible, is it advisable? As I would imagine that for it to achieve automatic failover it would boil down to, if WAN goes down, stop using HA configuration and use cellular modem on primary firewall for internet. If internet is down on the cellular modem on the primary firewall then use the cellular modem on secondary firewall.

    Given that the area in question only has one reliable telco, so only cellular (LTE) for backup, if a HA Cluster with cellular failover is not possible, what would be more resilient a HA Cluster or a single firewall with cellular backup? I imagine this boils down to what is more reliable, internet or the hardware. In my experience the hardware is more reliable but I'd still be interested in having your feedback.

    Thanks for any advice or answers.

    0
  • LAYER 8 Rebel Alliance

    It should be no problem to use a LTE router between both nodes in RFC1918 address space to work around the IP problem (Primary firewall WAN, Secondary firewall WAN, Shared CARP VIP).
    Generally speaking using RFC1918 on WAN is not ideal but works. ;-)
    But be careful if you want to put public services on this LTE, at least in Germany this is not working out of the box, they almost always use Carrier-grade NAT.

    -Rico

    1

  • Perfect!

    Thanks, very much appreciated. That will fit my needs very nicely.

    Out of curiosity, can you recommend any particular model of cellular modem allowing for custom NAT?

    0
  • LAYER 8 Rebel Alliance

    AVM FRITZ!Box 6890 LTE.
    You can replace the stock antennas with roof mount. :-)

    -Rico

    1

  • Brilliant! Thank you very much!

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy