OPNsense

Author Topic: High availability  (Read 2943 times)

peksi

High availability
« on: May 15, 2017, 07:52:39 am »
Just joined the forum as I am seriously considering OpnSense as my next routing firewall solution. I've used Linux with iptables (fwbuilder GUI), routes and openvpn with LDAP backend since pre-2000 and it has worked like a rock.

I would like to install my next firewall as a virtual guest keeping another instance as hot standby in another host. Is that possible to do? Do you think it is a smart thing to do that way? I've seen large organizations do that with their Sophos etc.

What technologies in OpnSense would you consider the most solid and best suitable for production use?

bartjsmit

Re: High availability
« Reply #1 on: May 15, 2017, 08:35:34 am »
OPNsense has its own HA: https://docs.opnsense.org/manual/hacarp.html and there are options for virtual machines in general. VMware and Microsoft offer hardware failover, but that's based on at least two physical machines with shared storage and has licence costs.

You need to consider what you're guarding against. If it is a configuration change, you don't need to do anything; OPNsense keeps older configurations and you can simply go back to a date when things worked from the console. If it is off-site backup, you can upload your config to Google Drive out of the box. You will need to take into account that restoring a backup involves a clean build with import of your last config. You can meet a shorter RTO if you take regular clones of your VM, like ghettovcb for ESXi.

Bart...

peksi

Re: High availability
« Reply #2 on: May 15, 2017, 11:15:31 am »
Looks promising. Does it have any fencing?

bartjsmit

Re: High availability
« Reply #3 on: May 15, 2017, 01:57:00 pm »
I'm not aware of any. CARP doesn't mandate it.

peksi

Re: High availability
« Reply #4 on: May 16, 2017, 08:15:21 am »
Maybe it is solved in some other way. I have no experience in CARP, but there must be some system that can handle a defunct virtual server, kill it and let the secondary node take over?

With HA one problem (at least mine) is when a defunct service gets so badly stuck it won't shut down and keeps the IP / resource occupied. That's where the fencing comes in and kills the system to make way for the backup node to become active. With virtual guests I need to run a daemon on the hosts that can be called to kill zombie guests.

bartjsmit

Re: High availability
« Reply #5 on: May 16, 2017, 09:48:26 am »
I've only used CARP in a sandbox. It uses virtual IPs and heartbeat, but as you say, a node could get to a state where it still heartbeats but doesn't route.
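The failure mode Bart describes, a node that keeps sending CARP advertisements but no longer forwards traffic, is exactly the gap that host-side fencing closes. As an added example (not code from this thread or from OPNsense), the script below shows the guest-side half of the answer: a watchdog that probes real forwarding and, after a run of misses, raises the node's own CARP demotion factor so the peer wins the election and takes over. Assumed and not from the thread: the probe target address, the miss threshold, and that a value written to net.inet.carp.demotion is added to the demotion factor as documented in FreeBSD's carp(4).

```shell
#!/bin/sh
# Constructed example (not OPNsense code): forwarding watchdog for a CARP node.
# Assumed: PROBE_TARGET is reachable only through this node's forwarding path,
# and a value written to net.inet.carp.demotion is added to the demotion
# factor (verify against carp(4) on the FreeBSD release OPNsense ships).

PROBE_TARGET="${PROBE_TARGET:-192.0.2.1}"   # placeholder documentation address
FAIL_LIMIT="${FAIL_LIMIT:-3}"               # consecutive misses before demoting
DEMOTION_STEP="${DEMOTION_STEP:-240}"       # large enough that the peer wins

# probe_forwarding: 0 if one ICMP echo gets through, 1 otherwise.
# FreeBSD ping takes -W in milliseconds.
probe_forwarding() {
    ping -c 1 -W 1000 "$PROBE_TARGET" >/dev/null 2>&1
}

# next_failures PREV RESULT: prints the new consecutive-miss count.
# A successful probe (RESULT 0) resets it; a miss increments it.
next_failures() {
    if [ "$2" -eq 0 ]; then printf '%s\n' 0; else printf '%s\n' $(( $1 + 1 )); fi
}

# should_demote COUNT: true once the miss count reaches FAIL_LIMIT.
should_demote() {
    [ "$1" -ge "$FAIL_LIMIT" ]
}

# demote_carp COUNT: log the decision and raise this node's demotion factor
# once, so the peer's advertisements win and it becomes MASTER.
demote_carp() {
    logger -t carp_watchdog "forwarding probe missed $1 times; demoting CARP"
    sysctl net.inet.carp.demotion="$DEMOTION_STEP"
}

# main: probe every 5 s, track misses, demote a single time, keep watching.
main() {
    failures=0; demoted=0
    while :; do
        probe_forwarding; rc=$?
        failures=$(next_failures "$failures" "$rc")
        if [ "$demoted" -eq 0 ] && should_demote "$failures"; then
            demote_carp "$failures"; demoted=1
        fi
        sleep 5
    done
}

# Start the loop only when asked, so the functions can be sourced and tested.
if [ "${CARP_WATCHDOG_RUN:-0}" = 1 ]; then main; fi
```

The watchdog only lowers this node's own priority; the OPNsense GUI's persistent CARP maintenance mode is the supported way to do the same thing by hand, and neither replaces host-level fencing when the guest itself is wedged.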

peksi

Re: High availability
« Reply #6 on: May 16, 2017, 12:06:42 pm »
There exist technologies to kill a nonresponsive virtual guest, such as fence_kvm. Maybe that would be a development idea.

bartjsmit

Re: High availability
« Reply #7 on: May 17, 2017, 09:00:13 am »
The best place for feature requests is GitHub: https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

Bart...

OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved