OPNsense Forum

English Forums => High availability => Topic started by: sc0ttjm on July 30, 2021, 04:48:05 pm

Title: HA Cluster in Co-Lo Data Centre for Multiple Clients
Post by: sc0ttjm on July 30, 2021, 04:48:05 pm
Hi,

We have had shockingly bad service and support from OVHcloud in the UK, who are hosting a managed Bare Metal server for one of our biggest customers.

We are looking into providing this service to our customers ourselves in future by using a set of 3 XCP-NG Servers in a HA cluster with Shared Storage (SAN), Stacked Switches and Resiliency wherever we can (multiple PSU etc) in a local co-location Data Centre.

The weakest area in expertise for me is the Router/Firewall area. 
I want to use a set of 2 x OPNsense Hardware Firewalls in a HA Cluster to provide protection and connectivity for each customer.

Each customer will have a different WAN IP.

Can you offer any advice on how best to set this up, or any tips or gotchas to be aware of that you can point out to help?  I have no experience yet of using multiple WAN IPs with OPNsense.

I was also thinking of having this Hardware HA cluster, then having a Virtual OPNsense firewall instance for each customer too, but my concern is that when I've virtualised OPNsense before, IPsec VPN performance has been very poor one way.

Any advice would be greatly appreciated.
Thanks in advance for your time.
Title: Re: HA Cluster in Co-Lo Data Centre for Multiple Clients
Post by: liceo on August 08, 2021, 05:14:58 pm
Hi there

Based on this information, it's a bit difficult to advise something. Therefore some questions:

So you would like to offer the services to your customers, where all the equipment for this service is hosted in your two data center locations?

Do you plan to offer the services over the internet to your customers?

What kind of services would you like to offer? All web based (http/https) traffic?

Multi-WAN and HA features work great in opnsense, but add some complexity. The aim of multiple WAN connections is to add redundancy if one internet uplink fails. From the internet towards your network, you probably need DNS for traffic steering to control which traffic goes over which WAN link.

For HA, only active/passive configuration is possible and the nodes need to be in the same subnet due to CARP.
Title: Re: HA Cluster in Co-Lo Data Centre for Multiple Clients
Post by: sc0ttjm on August 09, 2021, 03:39:15 pm
Hi @liceo, Thanks for your reply.
We're looking at hosting our customers' infrastructure on a HA cluster.
Each customer typically has a Domain Controller onsite and a VPN to the Data Centre linking the 2 sites together.
Each customer will be completely segregated and have their own WAN IP address(es).
I'm just not sure how the firewall should be set up to keep them all separate.
When I say "all", we've not even started yet so will only have about 3 or 4 customers at first.
The idea is to add more storage and Hosts as it grows.
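Two constraints come up in this thread: liceo's point that an OPNsense HA pair is active/passive and that the CARP nodes and their shared VIP must sit in one subnet, and sc0ttjm's requirement that each customer has its own WAN IP and is fully segregated from the others. The script below is an added example (not from the thread, not OPNsense's own tooling) that checks a written-down addressing plan against both rules before anything is configured. All addresses in it are constructed placeholders from RFC 1918 and RFC 5737 space; the plan layout (`lan_carp`, `wan_carp`, `segment`, `sync_net` keys) is an assumption made for the example.

```python
"""Sanity checks for a two-node OPNsense HA addressing plan serving several customers.

Added example; every address below is a constructed placeholder, not a value
from the thread or from any real deployment.
"""
import ipaddress
from itertools import combinations


def carp_group_ok(addresses):
    """CARP needs primary, backup and the shared VIP in a single subnet.

    `addresses` maps a role name to 'ip/prefix'. Returns (ok, detail).
    """
    nets = {role: ipaddress.ip_interface(a).network for role, a in addresses.items()}
    distinct = set(nets.values())
    if len(distinct) == 1:
        return True, f"all in {next(iter(distinct))}"
    return False, ", ".join(f"{role} in {net}" for role, net in sorted(nets.items()))


def overlapping_segments(named_networks):
    """Return (name, name) pairs whose networks overlap; overlap breaks segregation."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in named_networks.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def duplicate_wan_vips(customers):
    """Each customer owns a distinct WAN VIP; return any VIP handed out twice."""
    seen, dupes = set(), set()
    for c in customers:
        ip = ipaddress.ip_interface(c["wan_carp"]["vip"]).ip
        if ip in seen:
            dupes.add(str(ip))
        seen.add(ip)
    return sorted(dupes)


def validate_plan(plan):
    """Run every check over a plan and return the list of findings (empty = clean)."""
    findings = []
    ok, detail = carp_group_ok(plan["lan_carp"])
    if not ok:
        findings.append(f"LAN CARP group spans several subnets: {detail}")
    for c in plan["customers"]:
        ok, detail = carp_group_ok(c["wan_carp"])
        if not ok:
            findings.append(f"{c['name']}: WAN CARP group spans several subnets: {detail}")
    # The pfsync/XMLRPC sync link is treated as one more segment that no customer may overlap.
    segs = {c["name"]: c["segment"] for c in plan["customers"]}
    segs["ha-sync"] = plan["sync_net"]
    for a, b in overlapping_segments(segs):
        findings.append(f"segments overlap: {a} and {b}")
    for vip in duplicate_wan_vips(plan["customers"]):
        findings.append(f"WAN VIP {vip} assigned to more than one customer")
    return findings


# Constructed, well-formed plan: two nodes, one dedicated sync link, two customers.
SAMPLE_PLAN = {
    "sync_net": "10.255.255.0/30",
    "lan_carp": {"primary": "10.0.0.2/24", "backup": "10.0.0.3/24", "vip": "10.0.0.1/24"},
    "customers": [
        {"name": "cust-a", "segment": "10.10.0.0/24",
         "wan_carp": {"primary": "203.0.113.11/29", "backup": "203.0.113.12/29", "vip": "203.0.113.10/29"}},
        {"name": "cust-b", "segment": "10.20.0.0/24",
         "wan_carp": {"primary": "198.51.100.11/29", "backup": "198.51.100.12/29", "vip": "198.51.100.10/29"}},
    ],
}

# Constructed plan with three deliberate mistakes, to show what the checks report.
BROKEN_PLAN = {
    "sync_net": "10.255.255.0/30",
    # backup node placed in a different /24 than primary and VIP: CARP cannot work
    "lan_carp": {"primary": "10.0.0.2/24", "backup": "10.0.1.3/24", "vip": "10.0.0.1/24"},
    "customers": [
        {"name": "cust-a", "segment": "10.10.0.0/16",   # this /16 swallows cust-b's /24
         "wan_carp": {"primary": "203.0.113.11/29", "backup": "203.0.113.12/29", "vip": "203.0.113.10/29"}},
        {"name": "cust-b", "segment": "10.10.5.0/24",
         "wan_carp": {"primary": "203.0.113.13/29", "backup": "203.0.113.14/29", "vip": "203.0.113.10/29"}},  # reused VIP
    ],
}

if __name__ == "__main__":
    for label, plan in (("sample", SAMPLE_PLAN), ("broken", BROKEN_PLAN)):
        print(f"{label}: {validate_plan(plan) or ['no findings']}")
```

Running it prints no findings for the first plan and three for the second (the split LAN CARP group, the overlapping customer segments, and the WAN VIP used twice). Adding a customer means adding one entry with its segment and its own three-address WAN CARP group; rerunning the script catches the copy-paste mistakes that otherwise only surface once a node fails over.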