Why do we need a dedicated SYNC interface for failover?



  • Hello,

    For best performance, pfSense recommends having a dedicated network interface (SYNC) for syncing between the servers.

    My question is simple. What type of performance issue(s) will we encounter? From what I understand, the SYNC interface only does replication of the config files and allows the secondary server to take over (failover feature). This means it does not take up much traffic or bandwidth.

    It would be nice if I could just use the LAN interface for the synchronization. This seems like a better solution as opposed to taking up a dedicated NIC for the sole purpose of replicating the config. This is helpful as it will save ports on the switches. Many of the 1U servers (perfect for pfSense) also have limited slots to add extra NIC cards.

    Thank you very much in advance for your help.



  • You can, but if you have a crossover cable instead then the switch being rebooted/failing won't cause the firewalls to fail over.



  • The sync transfers all of the state table between pfSenses. If you have a 100 Mbit card and need all of it for LAN, then sync on the same interface will be a problem.



  • @marcelloc:

    The sync transfers all of the state table between pfSenses. If you have a 100 Mbit card and need all of it for LAN, then sync on the same interface will be a problem.

    Thank you very much. I have a 1GB interface and LAN activities are usually for backup purposes.

    Even if the performance is affected, will this affect only the LAN interface or will it overall affect or slow down the firewall performance?

    Sorry for the newbie questions. What does it mean "transfer all state table between pfsenses"? How often does it do this and what events/activities will cause the sync to make the transfer?


  • Netgate Administrator

    The state table is how pfSense (or any stateful firewall) keeps track of the connections going through it.
    The state table has to be continuously synchronized between the two boxes in a CARP setup in order to preserve existing sessions in the event of a failover.
    If this doesn't happen then sessions such as VoIP calls, SSH, streaming, etc. would crash out. That would be bad!

    Steve



  • @stephenw10:

    The state table is how pfSense (or any stateful firewall) keeps track of the connections going through it.
    The state table has to be continuously synchronized between the two boxes in a CARP setup in order to preserve existing sessions in the event of a failover.
    If this doesn't happen then sessions such as VoIP calls, SSH, streaming, etc. would crash out. That would be bad!

    Steve

    Thank you very much Steve!

    If I share the LAN interface and use it for CARP, will this affect only the performance of the LAN interface or will it overall affect the entire firewall performance? Thanks again.



  • With a 1G interface I think it will not be a problem.

    Just keep in mind that it's not the best setup for sync.



  • @marcelloc:

    With a 1G interface I think it will not be a problem.

    Just keep in mind that it's not the best setup for sync.

    Thank you very much.

    I am curious though. If there's a performance issue, will that affect only the LAN interface (shared with CARP), or will it affect the entire firewall performance? Thanks for your help.


  • Rebel Alliance Developer Netgate

    If you must share an interface for that, at least isolate it to a VLAN. There are security implications to running it on a shared segment. Someone could insert states into the state table if they have direct access to the sync interface, as they would if it were shared on LAN, by sending a specially crafted packet.

    The bandwidth requirements alone normally are enough to necessitate a dedicated interface for the sync traffic, but that depends on how fast the state table changes.


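As an added illustration of the last reply's point about sync traffic on a shared segment (example code added here, not from the thread or from pfSense): a small audit that reads raw IPv4 packets captured on the segment and reports any pfsync packet whose source is not one of the cluster members. It assumes pfsync's IP protocol number 240 and its default multicast group 224.0.0.240; all addresses and sample packets are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

PFSYNC_PROTO = 240  # IP protocol number used by pfsync

def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])

def audit_pfsync(packets, cluster_members):
    """Return (index, src, dst) for every pfsync packet not sent by a cluster member."""
    members = {ipaddress.ip_address(a) for a in cluster_members}
    findings = []
    for i, pkt in enumerate(packets):
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue  # truncated or non-IPv4 data is skipped, not treated as a finding
        proto, src, dst = parsed
        if proto == PFSYNC_PROTO and src not in members:
            findings.append((i, str(src), str(dst)))
    return findings

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload

# Constructed sample capture from a LAN segment that also carries sync traffic.
# 192.168.1.2 and 192.168.1.3 are the assumed firewall addresses; .57 is an ordinary host.
SAMPLE = [
    build_ipv4("192.168.1.2", "224.0.0.240", PFSYNC_PROTO, b"\x00" * 8),   # primary
    build_ipv4("192.168.1.3", "224.0.0.240", PFSYNC_PROTO, b"\x00" * 8),   # secondary
    build_ipv4("192.168.1.57", "192.168.1.1", 6, b"\x00" * 20),            # normal TCP
    build_ipv4("192.168.1.57", "224.0.0.240", PFSYNC_PROTO, b"\x00" * 8),  # not a firewall
    b"\x45\x00",                                                           # truncated
]

if __name__ == "__main__":
    for idx, src, dst in audit_pfsync(SAMPLE, ["192.168.1.2", "192.168.1.3"]):
        print(f"packet {idx}: pfsync from non-member {src} to {dst}")
```

On a dedicated crossover link or an isolated VLAN the same audit should report nothing, since only the two firewalls can reach the sync interface.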