Site-to-site active-active setup



  • Hi all,

    I'm wondering does pfSense handle setup like this and what is needed for good implementation?
    I have to deploy fully redundant infrastructure with active-active setup of critical services, like:

    • large databases (approx. sum 200GB),
    • CIFS file share (10MB to 3GB daily block changes),
    • web servers,
    • Active Directory services,
    • and other important services,
      ..BUT..
    • some of them can be independent (like DHCP).

    Site-to-site distance is ~30km away. Link has to be estabilished over public network (unfortunatelly). It has to be redundant, too. There is a countdown: 3 months to start this project.

    Questions coming..

    • what hardware is needed to handle 1Gbit up and 1Gbit down traffic over OpenVPN?
    • is any method for pfSense to offload SSL?
    • what hardware is needed to handle 1Gbit up and 1Gbit down for different traffic shaper types: HFSC, PRIQ, CBQ?
    • don't know how BGP works with different link speeds (eg. 1Gbit/1Gbit vs 10/10Mbit)? ISP gives possibility to use BGP
    • is one overall Traffic Shaper ruleset good choice (for example: up to 80% total bandwidth for VPN, up to 5% for WWW) or better go with separate queues for each WAN link (for example: up to 80% of 1Gbit link for VPN, up to 20% of 16Mbit for VPN)?
    • it will grow to active-active + backup setup in short time (so this setup has to elastic enough to grow as needed in few months later).

    Current setup:

    • running as VM in KVM (2 vCPU, 2GB RAM, 10GB hdd space),
    • host for pfSense is running on following hardware:
      Intel Xeon X3430
      http://ark.intel.com/products/42927/
      6GB DDR3 1333MHz ECC RAM
      2 x 1Gbit (WAN + LAN)
      2 x 160GB HWRAID1 SATA
    • saturating well 16/16Mbit link with default Traffic Shaper rules,
    • perfectly working multiple OpenVPN instances (up to 10),
    • only one site is up.

    Special thanks to:
    1. pfSense authors
    http://www.pfsense.org/
    2. LibreOffice
    http://www.libreoffice.org/
    3. OSA Icon Library to draw this schema
    http://www.opensecurityarchitecture.org/cms/en/library/icon-library

    I belive pfSense can handle this same way as expensive Cisco hardware..
    Just point me into right direction.. :)



  • Sounds like a challenge to me. I saw someone on here, mention the best they have seen over OpenVPN is 300 and something MB per second over it. I know OpenVPN is limited to 1CPU processor and isnt multi Threaded.

    Have you thought BGP routing? And getting an AS number for true resillance for routing IPs?



  • Yes, we've considered BGP based on own AS number routing, however.. things have been changed since first post.
    There is now possibility to have DIRECT connection between sites, it's going to be at least 10Gbit over single mode fiber.
    Still need site-2-site VPN as primary and backup connection to encrypt data.

    OpenVPN is single threaded? Uh, so it sounds like multiple routing paths needed for multiple OpenVPN instances for 10Gbit traffic..
    Latency over 20-30 ms means active-passive setup only.



  • Could you use Pfsense with an MPLS network between the sites?



  • I have to check this.
    I'll also post new network diagram soon.
    Thanks for tips so far :)



  • I think this can be closed.
    Solution is direct single-mode fiber between sites.
    We'll go with 20Gbit or 40Gbit Etherchannel between pair of stacked Cisco switches at both ends (depends on how many fibers we'll get).
    We've just rebuilt the infrastructure in the primary location to support 10Gbit Ethernet.



  • Sounds sweet! Good luck with it!! 🙏



  • Sustained gigabit exchange over openvpn?
    I think you saved yourself a whole heap of headaches.