Redundant Firewall Questions



  • I have some questions related to implementing hardware redundancy that are not covered in the document below.

    http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    1. Configuring redundancy with tunnels. While this is a general question, the one I can specifically test is a gif tunnel as I have IPv6 provided by Hurricane Electric via a gif tunnel. When the gif tunnel is created the IP entered in the "gif tunnel local address" field is always listed in the ndp table and the IPv6 route table. This remains true even if I change the IP in the pfSense IPv6 WAN interface. This means that making a carp entry would not make sense.

    If there is a failover from the primary firewall to the secondary firewall, does pfSense automatically close the tunnel connection on the primary firewall and open the tunnel on the secondary firewall? Is there anything special I need to do to make this happen?

    2. I have some questions about multiple WANs and hardware redundancy. Typically, if an interface fails on the primary firewall, all the interfaces fail over to the secondary firewall. Is it possible to make it so that more than one WAN has to fail before there is a failover to the secondary firewall?

    3. I have a situation where I have two ISPs, but only one will support being connected to two firewalls allowing for a unique IP on each firewall and a shared carp IP. The other ISP is DHCP only.

    Is it possible to have the DHCP ISP only on the primary and the other ISP on both, allowing for failover when the shared ISP fails?

    If this is possible, I assume I will not enable an interface for the DHCP ISP on the secondary firewall. How will gateway groups be affected when the primary firewall has a gateway that the secondary firewall does not have? This gateway is created dynamically via DHCP via an interface that will not be on the secondary firewall, at least I assume that will be the case.


  • Rebel Alliance Developer Netgate

    1. gif doesn't have any special handling for CARP. You would need to terminate the tunnel to the CARP IP, but I'm not sure how well that might actually work in practice. I'm not aware of anyone who has tried that yet. The places I've needed CARP+IPv6 have all had native connectivity.

    2. No, but most WAN failures are not interface failures, but connectivity/gateway failures where the interface does not go down. WAN failures of that nature do not and cannot trigger a CARP failover; link loss on an interface or a loss of connectivity between the master and slave can.

    3. Sort of. It can work, but we don't technically "support" that configuration. You would have to disable synchronization of gateways and firewall rules that refer to the failover gateways. It may be better to put a small router on that DHCP line and have private IPs on that segment so you can still do CARP. Setup port forwards/1:1/DMZ in that router to point the traffic back to your CARP VIP. Ugly, but not nearly as ugly as manually managing all of the lopsided things you'd have with mismatched interfaces and WANs.



  • @jimp:

    1. gif doesn't have any special handling for CARP. You would need to terminate the tunnel to the CARP IP, but I'm not sure how well that might actually work in practice. I'm not aware of anyone who has tried that yet. The places I've needed CARP+IPv6 have all had native connectivity.

    Well the first question is will the gif tunnel close on fw1 and initiate on fw2 when there is a failover from fw1 to fw2. When I actually have the ability to get my ISP running on both firewalls I will test this. If only ISPs would start offering IPv6!

    @jimp:

    2. No, but most WAN failures are not interface failures, but connectivity/gateway failures where the interface does not go down. WAN failures of that nature do not and cannot trigger a CARP failover; link loss on an interface or a loss of connectivity between the master and slave can.

    Often when there are two firewalls, each is connected to a different switch. Are you telling me that if the switch connected to fw1 loses its uplink, but the switch connected to fw2 is fine, there will be no failover? Then again I can't think of a situation where that would happen without the firewalls being able to communicate with each other unless you have a bad network design with loops.

    @jimp:

    3. Sort of. It can work, but we don't technically "support" that configuration. You would have to disable synchronization of gateways and firewall rules that refer to the failover gateways. It may be better to put a small router on that DHCP line and have private IPs on that segment so you can still do CARP. Setup port forwards/1:1/DMZ in that router to point the traffic back to your CARP VIP. Ugly, but not nearly as ugly as manually managing all of the lopsided things you'd have with mismatched interfaces and WANs.

    The router idea is not terrible, but what I wanted to avoid. Do you know of a good NAT router that is fast and does not have all the unneeded junk like a firewall, since I have pfSense for that? Maybe I'll get something basic that can run DD-WRT and I'll turn off everything but NAT, hmm. If only Verizon FiOS was not such a pain regarding static IPs!


  • Rebel Alliance Developer Netgate

    @Rhongomiant:

    Well the first question is will the gif tunnel close on fw1 and initiate on fw2 when there is a failover from fw1 to fw2. When I actually have the ability to get my ISP running on both firewalls I will test this. If only ISPs would start offering IPv6!

    There is no open or close with GIF tunnels; they just pass packets with the proper encapsulation. There isn't any tunnel setup as with a VPN.

    In theory, the traffic would only go to/from the master, but that also assumes the slave itself wouldn't send any IPv6 traffic uninitiated. It may "just work", but I'm not aware of anyone who has tried it yet.

    @Rhongomiant:

    Often when there are two firewalls, each is connected to a different switch. Are you telling me that if the switch connected to fw1 loses its uplink, but the switch connected to fw2 is fine, there will be no failover? Then again I can't think of a situation where that would happen without the firewalls being able to communicate with each other unless you have a bad network design with loops.

    If FW1 and FW2 can communicate with each other on the segment, then no failover will happen. If they lose communication, the slave will attempt to take over, but unless FW1 loses interface link, it wouldn't demote itself.

    In your case "Often" isn't really correct these days - more often than your scenario, at least with our customers, firewalls are connected to both switches using LACP (LAGG in pfSense) so each firewall has a connection to each switch in a stack.

    @Rhongomiant:

    The router idea is not terrible, but what I wanted to avoid. Do you know of a good NAT router that is fast and does not have all the unneeded junk like a firewall, since I have pfSense for that? Maybe I'll get something basic that can run DD-WRT and I'll turn off everything but NAT, hmm. If only Verizon FiOS was not such a pain regarding static IPs!

    I'm not aware of any specific models, but anything that would do decent throughput and could run DD-WRT should suffice. Some people just use their existing modem/router for that since those tend to be simplistic, but if what you have is purely a modem, then some other NAT device would be needed there.
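One way to remove the "slave sends IPv6 uninitiated" risk jimp raises above is to tie the gif interface to the CARP state, so only the node that currently holds MASTER for the WAN VIP has the tunnel up. The script below is an added example, not part of the thread and not pfSense's own code. It assumes (hypothetically) that the tunnel interface is gif0, that the VIP terminating the HE tunnel sits on em0 with vhid 1, and that a CARP state-change hook on the firewall calls this script with the new state; on pfSense the usual place to plug in custom actions is /usr/local/etc/rc.carpmaster and rc.carpbackup, but check the version you run. The parsing is of plain FreeBSD `ifconfig` output; the sample output embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): keep the HE gif tunnel up only
# on the CARP MASTER so the standby node never emits encapsulated IPv6 on its own.
# Hypothetical names, adjust to your box: gif0 = tunnel interface, em0 = WAN
# carrying the CARP VIP, vhid 1 = that VIP. Dry-run by default; set DRY_RUN=0
# and CARP_HOOK_RUN=1 to actually touch interfaces (must run as root on FreeBSD).

GIF_IF="${GIF_IF:-gif0}"
WAN_IF="${WAN_IF:-em0}"
VHID="${VHID:-1}"

# Constructed sample of FreeBSD `ifconfig em0` output with a CARP VIP, used for
# offline testing of the parser. Real output has the same "carp: STATE vhid N" line.
SAMPLE_IFCONFIG_MASTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_IFCONFIG_BACKUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100'

# carp_state_from_ifconfig IFCONFIG_TEXT VHID
# Prints MASTER, BACKUP or INIT for the given vhid, or UNKNOWN if that vhid is
# not configured on the interface (treated as "not master" by the caller).
carp_state_from_ifconfig() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# gif_action_for_state STATE
# Only MASTER keeps the tunnel up; BACKUP, INIT and UNKNOWN all take it down,
# so a node that lost the VIP (or never had it) cannot source tunnel traffic.
gif_action_for_state() {
    case "$1" in
        MASTER) echo up ;;
        *)      echo down ;;
    esac
}

# apply_gif_state STATE
# Prints the ifconfig command in dry-run mode, otherwise executes it.
apply_gif_state() {
    action=$(gif_action_for_state "$1")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ifconfig $GIF_IF $action"
    else
        ifconfig "$GIF_IF" "$action"
    fi
}

# Entry point for the CARP hook. The hook passes the new state as $1 (assumption);
# when it does not, fall back to reading the live CARP state off the WAN interface.
if [ "${CARP_HOOK_RUN:-0}" = 1 ]; then
    state=$(echo "${1:-}" | tr '[:lower:]' '[:upper:]')
    [ -n "$state" ] || state=$(carp_state_from_ifconfig "$(ifconfig "$WAN_IF")" "$VHID")
    apply_gif_state "$state"
fi
```

Because a gif interface has no session to tear down, "down" on the backup is sufficient: the kernel simply stops sending and receiving on it, and the HE side keeps delivering to the VIP, which only the MASTER answers. If the same box carries several CARP VIPs, key the decision off the WAN vhid the tunnel is terminated on, not any other VIP.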