OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Julien on July 08, 2018, 11:19:03 pm

Title: Design Datacenter with two hardware
Post by: Julien on July 08, 2018, 11:19:03 pm
Dear All,
We are designing a datacenter and want to use two OPN hardware boxes in a failover scenario.
We have been offered 4 WAN IPs with 1GB speed on each WAN:
WAN1: 1.1.1.1
WAN2: 1.1.1.2
WAN3: 1.1.1.3
WAN4: 1.1.1.4

WAN1 and WAN2 will be connected to the main OPN hardware. WAN1 will be offering a site-to-site VPN and also VPN for users using two-factor authentication; it will also be the IP for the internet.
WAN2 will be the MX record of the internal mail server.

I want to configure the second hardware with WAN3/WAN4 as a failover, so that in case the first hardware is down remote users will still be able to work.

Can someone please advise how to configure this? I've read that HA CARP can do the job but am not sure if it applies in my scenario.

Thank you
Title: Re: Design Datacenter with two hardware
Post by: bartjsmit on July 09, 2018, 08:59:17 am
Hi Julien,

Which VPN are you using? OpenVPN has features to do active/active load balancing between hosts:

--remote-random-hostname will prevent clients from caching the server DNS record
--remote-random will scramble the remotes list that the clients go through

You can spread the load on your MTAs with DNS MX records.

For IPSec you'll likely need CARP. In either case, your routing is going to be interesting ;-)

Bart...
Title: Re: Design Datacenter with two hardware
Post by: Julien on July 09, 2018, 04:32:50 pm
Hi Bart
Thank you for your answer.
We are using OpenVPN as the VPN server for both site-to-site and remote users.
Can you explain more what you mean with the below?

--remote-random-hostname will prevent clients from caching the server DNS record
--remote-random will scramble the remotes list that the clients go through

Thank you Bart
Title: Re: Design Datacenter with two hardware
Post by: bartjsmit on July 09, 2018, 07:20:50 pm
Hi Julien,

An OpenVPN client connection can be configured with multiple 'remote' lines. Normal behaviour is for it to attempt a connection starting with the first line, and work its way down until it connects.

The remote-random option will randomise this sequence, and remote-random-hostname will add a random subdomain to the FQDN of the server to stop the client's resolver from caching the server's name, allowing for DNS load balancing.

These are client options which you'll need to add to each user's profile. Naturally, the OpenVPN man page is compulsory reading  8)

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

Bart...
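As an added illustration of the client-side directives Bart describes above (this is an example profile written for this page, not configuration from Bart or from the OPNsense project; the hostnames, port, certificate file names and the common name in verify-x509-name are placeholders for the poster's own setup):

```conf
# Example OpenVPN client profile with several remotes (added example,
# not from the thread; hostnames and file names are placeholders).
client
dev tun
proto udp

# One 'remote' line per OpenVPN server instance, e.g. one per WAN address.
# Without remote-random the client tries them top to bottom; with it,
# the list is shuffled first so clients spread across the instances.
remote vpn1.example.com 1194 udp
remote vpn2.example.com 1194 udp
remote vpn3.example.com 1194 udp
remote-random

# Prepends a random label to each hostname before resolving it
# (e.g. 0123456789ab.vpn1.example.com) so the local resolver cannot
# hand back a cached answer. The DNS zone therefore needs a wildcard
# record (*.vpn1.example.com and so on) pointing at the same address.
remote-random-hostname

# Keep retrying resolution and reconnecting when the active server
# disappears; this is what turns the remotes list into failover.
resolv-retry infinite
persist-key
persist-tun

# Pin the peer's identity: require a server-type certificate with the
# expected common name, so a client that moves between remotes still
# only completes the handshake with one of our own instances. Assumes
# all instances present a server certificate with this CN.
remote-cert-tls server
verify-x509-name "vpn.example.com" name

# Certificates and keys as exported from the firewall (placeholders).
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

# Two-factor / user-password prompt, as used for the remote users.
auth-user-pass
cipher AES-256-GCM
verb 3
```

The same remotes list goes into the site-to-site peer's client configuration. Because each 'remote' points at a separate server instance, every instance needs its own tunnel subnet and the internal network must route that subnet back to whichever box currently holds the client, which is the routing question Bart alludes to.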
Title: Re: Design Datacenter with two hardware
Post by: Julien on July 09, 2018, 10:11:32 pm
Wow, I didn't know this was possible.
We can configure the 3 WANs to use OpenVPN. This is amazing.

I'll check this out, thank you for the info.