Mixed 32-bit and 64-bit HA Cluster?



  • Hi All,
My main firewall is a PowerEdge server running 2.2.2 64-bit. I would like to implement a failover firewall using a net6501, which is 32-bit only.

    I won't be running any packages, the only services are routing and IPSEC.

    Are there any issues with this configuration?

    Cheers



I have run a 32-bit primary and a 64-bit secondary firewall for years without anything but hardware issues.
    It seems like pfsync is broken in 2.2.2. If you can set it up and report your findings in the "pfsync not syncing states to backup (2.2.2)" topic in the CARP forum, I would appreciate that.
    If we can confirm there is a problem on multiple environments, perhaps we can get a bug opened in Redmine.



While it has worked fine for me in the past, as we got into the more recent versions we started having stability issues. Plus I think the future versions are not going to have a 32-bit version at all. Check the PFS blogs; I think that is where I saw that.

So yes, you can do it, but I would not recommend it; I would find other hardware and stick with 64-bit.



Thanks for the replies. I actually just finished setting up 2 VMs to test this: it fails over to and back from the backup fine, and performance is good.

    I wasn't aware of the states issue, so I checked, and right enough it's not syncing to the backup.

    Does this mean that in the event of a failover, traffic would need to be reestablished? If that's the case, I can live with this until it's fixed.

    Unfortunately I've just ordered 3 net6501, so am stuck with them for a while!


  • Rebel Alliance Developer Netgate

    The usual reason on 2.2.x for states to not sync is that the interfaces are mismatched. States in 2.2.x are interface-bound, meaning the interface is a part of the state. For example if the primary node has igb(4) NICs and the secondary has em(4), the states can't sync.

    That can be worked around in a silly way by adding the NICs to single interface laggs so the states would be on lagg(4) interfaces on both.
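
A quick way to check for the mismatch described above before trusting a failover: compare the binding interface of each state on the primary (the first column of `pfctl -ss`) against the interface names that exist on the backup. The script below is an added example, not code from the thread or from pfSense; the `pfctl -ss` lines are constructed to look like a 2.2.x primary with igb(4) NICs, and the `backup_ifnames` sets stand in for the backup's `ifconfig -l` output. It also shows the state table as it would look after the single-member lagg workaround, where both nodes bind states to lagg(4) names.

```python
import re

# Constructed sample of `pfctl -ss` output from a 2.2.x primary with igb(4) NICs.
# Format: <ifname> <proto> <endpoints> <state>; "all" marks a floating (unbound) state.
# These lines are made up for the example, not captured from a real firewall.
PRIMARY_STATES = """\
igb0 tcp 203.0.113.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
igb1 udp 192.168.1.20:53 -> 203.0.113.53:53       MULTIPLE:SINGLE
igb0 esp 203.0.113.10 <- 198.51.100.7       NO_TRAFFIC:NO_TRAFFIC
all tcp 192.168.1.30:22 <- 192.168.1.5:40000       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<rest>.+)$")


def parse_states(text):
    """Parse `pfctl -ss` style lines into dicts with the binding interface."""
    states = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if not m:
            continue  # tolerate header or blank noise in real output
        states.append({"if": m.group("ifname"),
                       "proto": m.group("proto"),
                       "desc": m.group("rest").strip()})
    return states


def unsyncable_states(primary_states, backup_ifnames):
    """Return the primary's interface-bound states whose interface does not
    exist on the backup. Floating states ("all") are never a problem."""
    return [st for st in primary_states
            if st["if"] != "all" and st["if"] not in backup_ifnames]


def rebind_to_lagg(states, nic_to_lagg):
    """Model the workaround: each physical NIC wrapped in a single-member lagg,
    so states bind to the lagg name (hypothetical mapping supplied by caller)."""
    return [dict(st, **{"if": nic_to_lagg.get(st["if"], st["if"])}) for st in states]


def report(primary_states, backup_ifnames):
    bad = unsyncable_states(primary_states, backup_ifnames)
    if not bad:
        return "OK: every bound state references an interface present on the backup"
    lines = ["%d state(s) bound to interfaces the backup does not have:" % len(bad)]
    lines += ["  %s %s %s" % (st["if"], st["proto"], st["desc"]) for st in bad]
    return "\n".join(lines)


if __name__ == "__main__":
    primary = parse_states(PRIMARY_STATES)
    # Backup built on em(4) NICs: igb0/igb1 states cannot apply there.
    print(report(primary, {"em0", "em1"}))
    # After wrapping NICs in lagg0/lagg1 on both nodes the names line up.
    lagged = rebind_to_lagg(primary, {"igb0": "lagg0", "igb1": "lagg1"})
    print(report(lagged, {"lagg0", "lagg1"}))
```

Run it on real output by piping `pfctl -ss` from the primary and `ifconfig -l` from the backup into the two inputs; anything the report lists will not be usable on the backup after a CARP failover, regardless of whether pfsync carried it across.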



This is a change I was not expecting. What was the reason for that change? Did it used to be tagged with just the interface pseudo name (WAN, LAN, whatever)?



  • @podilarius:

This is a change I was not expecting. What was the reason for that change? Did it used to be tagged with just the interface pseudo name (WAN, LAN, whatever)?

    if-bound states were not used in previous versions.



  • Is there an advanced option we can enable to change it back to the original behavior?


  • Rebel Alliance Developer Netgate

    There is no way to adjust it.



This means that uptime through diversity won't work.
    If there is a bug in a particular driver for a particular NIC, it will exist on both FWs and potentially take down an entire site.
    I don't see this shift as a good thing. I was hoping for a reason, to see if the good of the change outweighs this simple thing.
    Thanks for all you guys' work on pfSense. It is an amazingly versatile product.


  • Rebel Alliance Developer Netgate

    See above: It can be worked around.

    If you were that adamant about redundancy you'd be using lagg/LACP interfaces already, and the problem doesn't exist when lagg interfaces are used.