hardware needs to move to a cluster
-
Greetings.
A customer runs pfSense-Plus-26.03 on a Netgate 4200. So there are 4 pNICs in it and we use all of them:
- WAN
- WAN2
- LAN (transports some VLANs also)
- DMZ
Now we consider changing to different hardware and buy 2 identical appliances to set up a HA-cluster.
I know, I need one more pNIC per appliance for SYNC.
And I assume I have to add some switching to the cluster as well:
2 cables into the LAN switch, 2 into the DMZ, right? For the WAN side(s) I assume I will need some unmanaged switch maybe, if the ISP router only has one ethernet port. This (cheap) switch will then become a new SPOF, right?
Do I forget anything? I just want to come up with a first draft of what we need and if it all is worth the effort.
Plan B would be to come up with a regular process to keep a cold standby appliance updated (OS and TLS-certs ...).
-
@sgw that sounds right. There’s an example at https://docs.netgate.com/pfsense/en/latest/recipes/high-availability-multi-wan.html#multi-wan-ha-with-dmz-diagram
I have set up HA but have never needed to think about using a VLAN for sync. That would make that switch a SPOF I suppose. Usually I just connect the two sync ports with a patch cable.
-
@SteveITS been at that diagram, thanks. But it doesn't actually show the real cabling and physical ports etc ... I want to come up with a draft showing how many switches and ports and cables are needed etc
Just to check if the existing switches provide enough free ports etc
Maybe I wasn't clear: I don't plan SYNC as VLAN, no. It will be realized as a direct connection between 2 physical NICs, as usual.
I just have to provide HA for the VLANs that exist on the LAN interface right now. That gives more work as I have to do the "3 IPs game" in each VLAN ... but it won't need extra hardware.
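A small planner for the draft described in this post, as an added example and not part of the thread: it counts the per-node pNICs (one extra for the direct SYNC cable), the switch ports each segment needs (two for the two nodes, plus one where a single-port ISP router must share the segment), and plays the "3 IPs game" for every routed subnet and VLAN. The segment names and subnets are constructed sample values, and the address convention (CARP VIP first, then primary, then secondary) is an assumption, not a pfSense rule.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import islice
from typing import Dict, Optional, Tuple

@dataclass
class Segment:
    """One layer-2 segment the cluster attaches to (one pNIC per node)."""
    name: str
    subnet: Optional[str] = None          # None: address comes from the ISP, no triplet planned here
    single_port_uplink: bool = False      # e.g. an ISP router with one Ethernet port -> needs a switch
    vlans: Dict[str, str] = field(default_factory=dict)  # VLAN name -> its subnet

def carp_triplet(subnet: str) -> Tuple[str, str, str]:
    """The '3 IPs game': returns (primary node, secondary node, shared CARP VIP).
    Assumed convention: VIP = first usable host, primary = second, secondary = third."""
    net = ipaddress.ip_network(subnet, strict=True)
    picked = [str(a) for a in islice(net.hosts(), 3)]
    if len(picked) < 3:
        raise ValueError(f"{subnet} has fewer than three usable addresses")
    vip, primary, secondary = picked
    return primary, secondary, vip

def plan(segments):
    """Count NICs, switch ports and cables, and allocate three addresses per routed subnet."""
    switch_ports, addresses = {}, {}
    for seg in segments:
        # two switch ports (one per node) plus one if a single-port device must share the segment
        switch_ports[seg.name] = 2 + (1 if seg.single_port_uplink else 0)
        subnets = {seg.name: seg.subnet} if seg.subnet else {}
        subnets.update({f"{seg.name}.{v}": s for v, s in seg.vlans.items()})
        for label, sub in subnets.items():
            addresses[label] = carp_triplet(sub)
    return {
        "nic_ports_per_node": len(segments) + 1,        # +1 dedicated SYNC port, patch cable between nodes
        "switch_ports": switch_ports,
        "patch_cables": 1 + sum(switch_ports.values()),  # SYNC cable + one cable per switch port
        "addresses": addresses,
    }

# Constructed sample mirroring the thread: WAN, WAN2, LAN with VLANs, DMZ (subnets are made up).
SAMPLE_SEGMENTS = [
    Segment("WAN", single_port_uplink=True),
    Segment("WAN2", single_port_uplink=True),
    Segment("LAN", "10.10.0.0/24", vlans={"office": "10.10.20.0/24", "voip": "10.10.30.0/24"}),
    Segment("DMZ", "192.0.2.0/29"),
]

if __name__ == "__main__":
    print(plan(SAMPLE_SEGMENTS))
```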
-
@sgw They kind of do, but the bottom half has the crossed lines connecting to a line on the other side, not the bricks (firewall). What you described sounded right when I read it. I'd just draw it out on paper. Basically, for each interface, you need two ports and a switch.
@sgw said in hardware needs to move to a cluster:
I don't plan SYNC as VLAN, no
I was just brainstorming sorry if I was confusing.
-
@SteveITS started to draw my first diagram, and listing VLANs etc
In 2 days I will discuss this with the customer and then we'll decide.
I assume Wireguard tunnels shouldn't be an issue? We run a site-to-site tunnel to another ... site ;-) and maybe another one gets added later this year.
That's why we need to increase the reliability: more sites, more users active.
OpenVPN: I already saw this solved somewhere.
-
@sgw there’s this note:
https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/limitations.html#high-availability
-
@SteveITS Thanks! I had looked for something like that under "recipes" but didn't see that one.
-
In my case I will have to add switches between the node-interfaces and the WAN-interfaces to be able to connect TWO pfSenses to ONE WAN-router.
These switches become new SPOFs, right?
It ain't easy ;-)
I think I might set these up as groups of switch-ports of an existing premium switch (add VLAN, three ports grouped ...), to not overengineer this and reduce cabling and the number of power supplies.
-
I also wonder if pfSense CE would be enough to run such a cluster.
AFAI see there is a difference regarding CARP (multicast vs. unicast) but I assume that won't matter in my case (2 hardware appliances directly connected by SYNC cable).
The requirements in terms of number and type of NICs might need some other hardware than from Netgate direct. Sure, I could buy pfSense Plus licenses.
-
@sgw You can run HA with pfSense CE.
-
@SteveITS great, thanks (sorry for the late reply)
Currently the project waits for some dependencies and decisions.
As soon as I get the go I might start preparing the config. Obviously I have a working pfSense config in place, I will start to think about how to migrate that to a cluster config.
I might start with 2 VMs and follow something like this recipe (?)