Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
High availability
« previous
next »
Print
Pages: [
1
]
Author
Topic: High availability (Read 6866 times)
peksi
Newbie
Posts: 8
Karma: 0
High availability
«
on:
May 15, 2017, 07:52:39 am »
Just joined the forum as I am seriously considering OpnSense as my next routing firewall solution. I've used Linux with iptables (fwbuilder GUI), routes and openvpn with LDAP backend since pre 2000 and it has worked like a rock.
I would like to install my next firewall as a virtual guest keeping another instance as hot standby in another host. Is that possible to do? Do you think it is a smart thing to do that way? I've seen large organizations do that with their Sophos etc.
What technologies in OpnSense would you consider the most solid and best suitable for production use?
Logged
bartjsmit
Hero Member
Posts: 2014
Karma: 194
Re: High availability
«
Reply #1 on:
May 15, 2017, 08:35:34 am »
OPNsense has its own HA:
https://docs.opnsense.org/manual/hacarp.html
and there are options for virtual machines in general. VMware and Microsoft offer hardware failover but that's based on at least two physical machines with shared storage and has licence costs.
You need to consider what you're guarding against. If it is a configuration change, you don't need to do anything; OPNsense keeps older configurations and you can simply go back to a date when things worked from the console. If it is off-site backup, you can upload your config to Google drive out of the box. You will need to take into account that restoring a backup involves a clean build with import of your last config. You can meet a shorter RTO if you take regular clones of your VM; like ghettovcb for ESXi.
Bart...
Logged
peksi
Newbie
Posts: 8
Karma: 0
Re: High availability
«
Reply #2 on:
May 15, 2017, 11:15:31 am »
Looks promising. Does it have any fencing?
Logged
bartjsmit
Hero Member
Posts: 2014
Karma: 194
Re: High availability
«
Reply #3 on:
May 15, 2017, 01:57:00 pm »
I'm not aware of any. CARP doesn't mandate it
Logged
peksi
Newbie
Posts: 8
Karma: 0
Re: High availability
«
Reply #4 on:
May 16, 2017, 08:15:21 am »
Maybe it is solved in some other way. I have no experience in CARP but there must be some system that can handle a defunct virtual server to kill it and let secondary node take over?
With HA one problem (at least mine) is when a defunct service gets so badly stuck it won't shut down and keeps the IP / resource occupied. That's where the fencing comes in and kills the system to make way for backup node to become active. With virtual guests I need to run a daemon with the hosts that can be called to kill zombie guests.
Logged
bartjsmit
Hero Member
Posts: 2014
Karma: 194
Re: High availability
«
Reply #5 on:
May 16, 2017, 09:48:26 am »
I've only used CARP in a sandbox. It uses virtual IP's and heartbeat, but as you say, a node could get to a state where it still heartbeats but doesn't route.
Logged
peksi
Newbie
Posts: 8
Karma: 0
Re: High availability
«
Reply #6 on:
May 16, 2017, 12:06:42 pm »
There exists technologies to kill a nonresponsive virtual guest such as fence_kvm. Maybe that would be a development idea.
Logged
bartjsmit
Hero Member
Posts: 2014
Karma: 194
Re: High availability
«
Reply #7 on:
May 17, 2017, 09:00:13 am »
The best place for feature requests is github
https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
Bart...
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
High availability