Updates when using a single WAN VIP, and a option to fix it?
-
Hi all
I made a video to try explain my question as im not sure if a long text field would be enough detail
https://youtu.be/g6A16rl9sFcBut for those who prefer text, heres an attempt at writing my question
Im setting up a failover network (partly for learning and partly so i can have as much up time on my network as possible as i run a few game servers for friends)
So far I have gotten it mostly working fine using a private ip network on my WAN with my public IP as the VIP
(screenshot: https://imgur.com/WwbPtfC )
I then had a update to pfsense and realized i dont know how it handles updates
In theory you are supposed to have 3 public IP addresses, so each router can get updates via its own link, but in this setup, i can only update which ever router has the VIP for the wan, so to update my second router i have to fail that one to be master then update it
during this update the router reboots, so its fails over to the other router (as expected)
what I didnt check is if during the update any network loss happens
EG
router 1 downloads the update, then starts updating,
as its updating services are obviously being stopped and started, meaning network would be lost if that was the only routerdoes it fail over to router 2 during the update?
and if so, I assume router 1 doesn't then need internet to update once its downloaded?But following on from that to update router 2, i have to force a failover so that one gets public internet,
meaning when that one then starts its update and goes "offline" do I have to fail back manually, or do I loose internet until router 2 comes back online?
and following on from that, is there a way to loop the WAN "internal" ip back to the other router to trick it into thinking it has internet?
I tried to explain this in my video alot better then i do here -
-
@kom Thanks, but i think this assumes that both routers have internet connectivity at the time of update
as it says update the secondary first, then update the primary
but I can only do that if I fail my network over to the secondary so it can get connectivity to download the update -
@pomtom44 Oh right, I forgot about that. I'm not sure will be able to do it without the extra IPs that you typically only get with a business account. Unless people are paying you for access, I would think they can tolerate a half-hour of downtime 3-4 times per year. Or you could try wacky things like forcing the second node to use the sync interface on the primary node as its gateway for the duration of the upgrade then revert back. That's crazy enough to work if you have the rules to allow it on each Sync.
-
@kom Thats kind of what i explain in the video version of my question
routing the "internal" WAN IP back as a lan interface on the other router, so each router has a network link though the other router
I just dont know how it would like having a random setup like that(and yeah i know they can deal with down time, its more of a learning question for me, with the excuse of the game servers as a reason why / end goal)
-
@pomtom44 So then try it and let us know if it works. The worst that can happen is explosions.
-
@pomtom44 said in Updates when using a single WAN VIP, and a option to fix it?:
mostly working fine using a private ip network on my WAN with my public IP as the VIP
If I'm following, this should be fine as long as they can get to the Internet. We have a client set up that way as Comcast still allows their 10.1.10.x subnet to work on a "bridged" router. The update is just outgoing HTTPS requests. I've always failed over manually (update backup, enter CARP maintenance on primary, update primary, undo maintenance mode). Pretty sure that's how the docs suggest. (been a while since I've read them)
-
@steveits
That parts okay, the problem is the failing over with a single public IP as only one router can get updates at a time
the docs assume both routers have internet
EG update the secondary first
but for me the only way I can update the secondary is if I make it failover manually, meaning when it starts updating i loose internet as the primary is in failover and the secondary is rebooting
(did you watch the video as i explain it alot better in that) -
@kom thats my plan,
i was just checking if there was any reason this would be a big NO NO before i did
as if it was already documented as not working then theres no point in trying it haha -
@pomtom44 No I didn't watch the video, I was heading out at the time. If you don't have Internet that way then you're kind of stuck. Around here Comcast works in that type of config. AT&T does too although they have "passthrough" not bridging at least on home connections and I haven't tried HA that way. FWIW, Comcast charges I think $4 more for 8 (5 usable) static IPs over the fee for 1 static IP.
-
@steveits fair enough
most ISP's here dont give more then 1 static IP unless you upgrade to a business account, in which case you pretty much have to add another 0 to the end of your billthats why I was asking about looping the internal WAN back to the other router, so both routers have internet though each other, and then the CARP VIP is the public out point
-
@kom Update
Cant set a interface on the LAN with the same IP range as the WAN
So unable to create a fake loopback setup -
@pomtom44 Hmm that's too bad. Oh well, no 5-nines of uptime for you.
-
@kom I am going to run a proof of concept test where i trick the networks by putting a small inline router in place, so some sort of voodoo double nat spaghetti mess, but it should work in my head?
-
@pomtom44 I'll be interested to hear how it works out. If you're running game servers and need good uptime, why not look at renting a cheap VPS?
-
@kom I run a ton of personal stuff at home as well
Mainly CCTV and file servers,
so for me its way more cost effective to run the game servers on the hardware I already have
(If I was making money from this then yes id put the money back into a VPS)
Also some of the game servers I run take a bit of grunt to run, so running on my own hardware is much cheaper