Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
Hi,

On 11 Oct 2010, at 21:22, Jim Cheetham wrote the following:

> You'd be better off explicitly floating the idea of an R&D test rig,
> where you can play with things in order to prove which will be best for
> production later ...
>
> -jim

On that point, I rebuilt and duplicated my entire work network from the inside vlan router to the external carp in ESX with pfSense. Makes testing, upgrading and debugging a cinch.

The Free ESX variant is good enough for that. It lets you create virtual switches which is good enough to duplicate the entire setup.

Regards,

Seth

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
Hi again,

On 11 Oct 2010, at 20:23, Andy Graybeal wrote the following:

> Andrew,
> From reading the PFSense book, I have now gathered that, like you just said,
> having two ADSL providers is not a good way to go about redundancy. In my
> case, one ADSL connection is free.. and I'm already in a 2 year contract with
> the other ADSL provider.

Note the different provider part. We have 2 50/50 business fiber connections from KPN which is the Dutch ATT equivalent. Murphy works wonders when their entire PPPoA infrastructure fell over that took out all their FTTO and Business DSL. We also have 350 shops with that particular business DSL. Our only remaining connection at that point was a 6mbit sdsl from a different provider. Lucky us. Not so good for the shops where payment traffic halted. Bugger that. Shoot Murphy.

> We don't have the luxury of fiber in my area, but cable is, we even have an
> option for some type of radio and cell. I did kick myself this morning while
> reading the book when I came to that section. Thank you for pointing it out;
> it's duly noted and won't be forgotten. I'll chalk it up to newbness. You
> were very kind in your message pointing it out like you did, not making me
> feel worse than I already do.

Cable is fine, our PR office in Amsterdam has a 60/6 fiber for the VPN connection to the main office and a 2nd business DSL wan from said provider for backup.

> I admit, I've been lucky so far... the problems must have been on the
> premises of the ISPs when the internet has gone down independently of
> one-another a week apart recently. I had to manually switch our network
> over, obviously.

Not so lucky on my part, over the past 2 years they have backhoe'd through our sdsl (8 years ago) which was fixed in 4 hours. Which happened when we were getting our first fiber. Then through our existing fiber last year when laying an empty fiber pipe for a connection we already had.

That was a bit harder to fix when they had to blow 2 kilometers of new fiber from the local PoP. We had to get by on 2 dsl connections for 2 days. Sucks having just 2mbit of upstream with 250 users and 350 shops. Then we got bit where their PPPoA service died a horrible death and 150 (then) shops were offline for almost 3 days. Heavy losses occurred over those days.

> Another funny thing, when our internet is down our credit card machines roll
> over to using their modems.. which as I understand it doesn't make any
> difference when the Hungry Backhoe strikes.

We prefer IP traffic for everything, it's easy to bend the laws of physics with weird NAT shit and pfSense and make it think it's still connected and route it over wireless. Or the payment traffic from shops over backup isdn to route it around brain dead payment traffic firewalls. Going for broke here.

> I fall in love with specific pieces of hardware way too much.

We just buy dells, restoring xml configs is easy enough. Else run from the livecd instead ;-)

Prepare for anything is my advice, shit will break in new and interesting ways that will not be covered by your containment.

That said, Good luck!

Seth
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
On 12/10/10 07:23, Andy Graybeal wrote:
> I'm still considering what to do about the hardware, I still want to
> cheat and buy the same hardware for everything. <..Must Resist..>
> I fall in love with specific pieces of hardware way too much.

Resist falling in love with your network hardware, you're not supposed to see it again once it has been configured. Set it up, test it and then don't touch it again. You don't even play with the cold spares. Unless you want to explain why it wasn't in one piece on the one day that it was needed ...

If you want to fall in love with some interesting kit, it better not be in production -- otherwise you can't play with it. Unless you have a lot of flexibility with downtime, and it doesn't sound like you do.

You'd be better off explicitly floating the idea of an R&D test rig, where you can play with things in order to prove which will be best for production later ...

-jim
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
> One thing that jumps out at me is the two ADSL links. Sounds like you are making a pretty good effort to "keep the lights on" with some good choices. If we were to do dual DSL lines in our area, the copper is really the same provider for the last mile. A different provider type may give you better reliability over what you can't totally control. In our case we could go to a cable company and get a business DSL line, the phone company and get fiber, fiber from a totally independent provider (or two), or even cell/microwave tower backup. All depends on what is available in your area and as others stated, the true need of uptime vs. cost.
>
> Also, along the lines of different UPS providers, what about different hardware manufacturers for the boxes or just the hard drives?
>
> Andrew

Andrew,

From reading the PFSense book, I have now gathered that, like you just said, having two ADSL providers is not a good way to go about redundancy. In my case, one ADSL connection is free.. and I'm already in a 2 year contract with the other ADSL provider.

We don't have the luxury of fiber in my area, but cable is, we even have an option for some type of radio and cell. I did kick myself this morning while reading the book when I came to that section. Thank you for pointing it out; it's duly noted and won't be forgotten. I'll chalk it up to newbness. You were very kind in your message pointing it out like you did, not making me feel worse than I already do.

I admit, I've been lucky so far... the problems must have been on the premises of the ISPs when the internet has gone down independently of one-another a week apart recently. I had to manually switch our network over, obviously.

Another funny thing, when our internet is down our credit card machines roll over to using their modems.. which as I understand it doesn't make any difference when the Hungry Backhoe strikes.

As far as the different UPSes, boxes and hard drives... I was really hoping to get one model for each to make it easier on me to manage.

I'm still considering what to do about the hardware, I still want to cheat and buy the same hardware for everything. <..Must Resist..> I fall in love with specific pieces of hardware way too much.

Thanks for your insights.

-Andy
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
On Mon, Oct 11, 2010 at 9:44 AM, Andy Graybeal wrote:
> On 10/08/2010 03:21 PM, Seth Mos wrote:
>>
>>> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>>
>> As suggested before, cross the power supply cords between the 2 ups's.
>> If you have the option of 2 power feeds in your DC then put each UPS on
>> one specific.
>>
>> Alternatively there are great breaker strips that take 2 feeds and can
>> put it into one plug so that you can still have both ups systems powered
>> on if the A or B feed fails. These are about 150 euro or so.
>>
>>> Each firewall will have:
>>> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
>>> 2. two hot swap power supplies.
>>
>> Makes perfect sense, that's what I have.
>>
>>> Now for the networking...
>>> I'll have two dsl modems. I'm going to guess that I should have two
>>> switches, one per modem. 2 connections coming from each switch, one per
>>> firewall.
>>
>> One switch with vlans works, but if you can get 2 separate ones that
>> works too. I haven't had HP Procurve switches die on me for years. In
>> fact, there is still a 2424M out there servicing after 10 years.
>>
>>> I'll need two IP addresses assigned to each firewall from my providers
>>> (total of 4 ip addresses from providers).
>>
>> These will be the CARP IP addresses so that firewall failover works. You
>> will want to add more for splitting services perhaps. You might want to
>> terminate lan -> internet traffic on a separate carp ip to prevent nat
>> overloading.
>>
>> You will need 1 extra IP address per WAN connection for each part of the
>> firewall that participates in the CARP. If you have a /29 assigned by
>> the ISP per DSL modem you are safe.
>>
>>> Then I'll need a connection between each firewall for the pfsync.
>>> That is a total of 3 ethernet ports per firewall (2 wan, 1 pfsync) just
>>> for the redundancy; not including LANs.
>>
>> That is correct.
>>
>>> Can the pfsync connection be a simple cross-over cable, to get away from
>>> needing another switch?
>>
>> Yes, some ports have cable length issues but 1 meter is safe.
>>
>>> I know CARP is in the equation, I'll get to that after I understand how
>>> I'm gonna hook this stuff up physically.
>>
>> See the book, it's recommended. No. Really.
>>
>> Regards,
>>
>> Seth
>
> Seth,
> Thanks for the line-by-line response on every question.
>
> Reading the book now :)
>
> Thanks to everyone for their responses, I'll probably ask more questions when
> I get done with the book.
>
> -Andy

One thing that jumps out at me is the two ADSL links. Sounds like you are making a pretty good effort to "keep the lights on" with some good choices. If we were to do dual DSL lines in our area, the copper is really the same provider for the last mile. A different provider type may give you better reliability over what you can't totally control. In our case we could go to a cable company and get a business DSL line, the phone company and get fiber, fiber from a totally independent provider (or two), or even cell/microwave tower backup. All depends on what is available in your area and as others stated, the true need of uptime vs. cost.

Also, along the lines of different UPS providers, what about different hardware manufacturers for the boxes or just the hard drives?

Andrew
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
On 10/08/2010 03:21 PM, Seth Mos wrote:
>> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>
> As suggested before, cross the power supply cords between the 2 ups's. If you have the option of 2 power feeds in your DC then put each UPS on one specific.
>
> Alternatively there are great breaker strips that take 2 feeds and can put it into one plug so that you can still have both ups systems powered on if the A or B feed fails. These are about 150 euro or so.
>
>> Each firewall will have:
>> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
>> 2. two hot swap power supplies.
>
> Makes perfect sense, that's what I have.
>
>> Now for the networking...
>> I'll have two dsl modems. I'm going to guess that I should have two switches, one per modem. 2 connections coming from each switch, one per firewall.
>
> One switch with vlans works, but if you can get 2 separate ones that works too. I haven't had HP Procurve switches die on me for years. In fact, there is still a 2424M out there servicing after 10 years.
>
>> I'll need two IP addresses assigned to each firewall from my providers (total of 4 ip addresses from providers).
>
> These will be the CARP IP addresses so that firewall failover works. You will want to add more for splitting services perhaps. You might want to terminate lan -> internet traffic on a separate carp ip to prevent nat overloading.
>
> You will need 1 extra IP address per WAN connection for each part of the firewall that participates in the CARP. If you have a /29 assigned by the ISP per DSL modem you are safe.
>
>> Then I'll need a connection between each firewall for the pfsync.
>> That is a total of 3 ethernet ports per firewall (2 wan, 1 pfsync) just for the redundancy; not including LANs.
>
> That is correct.
>
>> Can the pfsync connection be a simple cross-over cable, to get away from needing another switch?
>
> Yes, some ports have cable length issues but 1 meter is safe.
>
>> I know CARP is in the equation, I'll get to that after I understand how I'm gonna hook this stuff up physically.
>
> See the book, it's recommended. No. Really.
>
> Regards,
>
> Seth

Seth,

Thanks for the line-by-line response on every question.

Reading the book now :)

Thanks to everyone for their responses, I'll probably ask more questions when I get done with the book.

-Andy
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
I worked as a central office tech for a very large telco for 23 years in the US. All telco equipment I ever saw was DC powered via two battery strings, designated A battery and B battery. Every piece of telco equipment I ever saw had two power supplies. And one was powered by the A string and one powered by the B string. The commercial AC power coming into the telco buildings did not power the equipment, but was used to recharge the battery strings.

But redundant power supplies in PC's is usually more than adequate. Let alone dual power feeds.

BTW, APC does make power strips that have dual input feeds.

Lyle

Glenn Kelley wrote:
> Adam
>
> I am shocked that the telco around you don't have redundant UPS
>
> Heck a large number of the cell towers we work with and around even have this
> Even N+1 cooling is in place
>
> But I agree - depending upon your needs what you lay out is / should be more than enough
>
>
> On Oct 9, 2010, at 9:01 PM, Adam Thompson wrote:
>
>> It’s perhaps overkill for many scenarios, but if you’re truly trying for no-single-point-of-failure, buy UPSes from two different vendors, ideally using two different technologies. I’ve seen matched pairs of UPSes knocked out by the same power event, and more commonly I’ve seen matched sets of batteries fail without warning. To clarify, there are power events that will kill an APC SmartUPS whereas their BackUPS won’t even notice a problem; on the other hand, the SmartUPS will protect a power supply against some failure modes that a BackUPS cannot. And a full-online-conversion UPS, while ideal, costs an arm and a leg. All three will tolerate different amounts of input power phase mismatch (“Power Factor”).
>>
>> It’s nearly impossible to design truly “uninterruptible” power; anyone who’s installed a mainframe can attest to this! You need capacitors on the circuit board to smooth ripples (micro-events), ultracapacitors or batteries to prop up the input power during sub-second (or even multi-second) outages, a traditional UPS to provide interim power, a generator to cover long outages, and a ground-zero-grade blast shelter to put it all in so it stays running in case of global thermonuclear war… and even then, we still don’t have a technology to work around the power outages anticipated when the heat death of the universe occurs.
>>
>> Yes, I’m being silly, but my point is that there’s no point in trying to design a “perfect” system. “Better than normal” is almost always what you’re really reaching for.
>>
>> Having CARP failover is level 1, dual power supplies is level 2, dual UPSes is level 3, how far do you plan to take this? What if your ISP goes down – are you also going to multi-home? Are the devices behind this firewall also multiply-redundant?
>>
>> I don’t mean to suggest there’s no point in increasing reliability, but even two UPSes is going far beyond the needs of most applications. “Carrier-grade” doesn’t even mean having redundant UPSes… at least, none of the telcos I work with in my region have redundant UPSes powering their phone switches!
>>
>> Anyway, like I said – if you’re going to run >1 UPS, use **different** UPSes to avoid hitting the identical problem at the identical time on all of them, which has actually happened to me.
>>
>> -Adam
>>
>>
>> *From:* Hans Maes [mailto:h...@bitnet.be]
>> *Sent:* Saturday, October 09, 2010 10:02
>> *To:* support@pfsense.com
>> *Subject:* Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
>>
>>
>> On 10/08/2010 07:15 PM, Gerald A wrote:
>>
>> On Fri, Oct 8, 2010 at 4:55 PM, Andy Graybeal wrote:
>> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>>
>> Each firewall will have:
>> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
>> 2. two hot swap power supplies.
>>
>> Is one UPS per firewall agreeable? I don't know how to do it otherwise. I can't imagine purchasing 4 UPS's, one for each power supply. Seems a little overkill. I welcome any input.
>>
>>
>> Plug one hotswap supply from each firewall into both of the UPS boxes you have. That way, even if you have to service a UPS, you won't lose a firewall. I wouldn't dedicate a UPS to each firewall, because any UPS issue makes you bring down a box no
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
Adam

I am shocked that the telco around you don't have redundant UPS

Heck a large number of the cell towers we work with and around even have this
Even N+1 cooling is in place

But I agree - depending upon your needs what you lay out is / should be more than enough

On Oct 9, 2010, at 9:01 PM, Adam Thompson wrote:

> It’s perhaps overkill for many scenarios, but if you’re truly trying for no-single-point-of-failure, buy UPSes from two different vendors, ideally using two different technologies. I’ve seen matched pairs of UPSes knocked out by the same power event, and more commonly I’ve seen matched sets of batteries fail without warning. To clarify, there are power events that will kill an APC SmartUPS whereas their BackUPS won’t even notice a problem; on the other hand, the SmartUPS will protect a power supply against some failure modes that a BackUPS cannot. And a full-online-conversion UPS, while ideal, costs an arm and a leg. All three will tolerate different amounts of input power phase mismatch (“Power Factor”).
>
> It’s nearly impossible to design truly “uninterruptible” power; anyone who’s installed a mainframe can attest to this! You need capacitors on the circuit board to smooth ripples (micro-events), ultracapacitors or batteries to prop up the input power during sub-second (or even multi-second) outages, a traditional UPS to provide interim power, a generator to cover long outages, and a ground-zero-grade blast shelter to put it all in so it stays running in case of global thermonuclear war… and even then, we still don’t have a technology to work around the power outages anticipated when the heat death of the universe occurs.
>
> Yes, I’m being silly, but my point is that there’s no point in trying to design a “perfect” system. “Better than normal” is almost always what you’re really reaching for.
>
> Having CARP failover is level 1, dual power supplies is level 2, dual UPSes is level 3, how far do you plan to take this? What if your ISP goes down – are you also going to multi-home? Are the devices behind this firewall also multiply-redundant?
>
> I don’t mean to suggest there’s no point in increasing reliability, but even two UPSes is going far beyond the needs of most applications. “Carrier-grade” doesn’t even mean having redundant UPSes… at least, none of the telcos I work with in my region have redundant UPSes powering their phone switches!
>
> Anyway, like I said – if you’re going to run >1 UPS, use *different* UPSes to avoid hitting the identical problem at the identical time on all of them, which has actually happened to me.
>
> -Adam
>
>
> From: Hans Maes [mailto:h...@bitnet.be]
> Sent: Saturday, October 09, 2010 10:02
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
>
>
> On 10/08/2010 07:15 PM, Gerald A wrote:
>
> On Fri, Oct 8, 2010 at 4:55 PM, Andy Graybeal wrote:
> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>
> Each firewall will have:
> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
> 2. two hot swap power supplies.
>
> Is one UPS per firewall agreeable? I don't know how to do it otherwise. I can't imagine purchasing 4 UPS's, one for each power supply. Seems a little overkill. I welcome any input.
>
> Plug one hotswap supply from each firewall into both of the UPS boxes you have. That way, even if you have to service a UPS, you won't lose a firewall. I wouldn't dedicate a UPS to each firewall, because any UPS issue makes you bring down a box no matter what.
>
>
> True, but depending on your configuration, another way to hook this up is to bypass the UPS for one of the power supplies on each firewall:
>
> FW1 - Power supply 1 -> UPS1
> FW1 - Power supply 2 -> straight to power grid
>
> FW2 - Power supply 1 -> UPS2
> FW2 - Power supply 2 -> straight to power grid
>
> This way, you would still be up and running if both UPS systems fail for some reason.
> I've seen it happen! eg short circuit in a system connected to both UPS triggering both UPS to shutdown.
> (Try explaining complete power failure to your boss when all lights are still on in the entire building ;-) )
>
> Agreed, during power grid failure, FW1 would go down if UPS1 fails, and FW2 would go down if UPS2 fails, but you got CARP to fix that.
>
> Just my 2 cents.
>
> Regards,
>
> Hans
RE: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
It’s perhaps overkill for many scenarios, but if you’re truly trying for no-single-point-of-failure, buy UPSes from two different vendors, ideally using two different technologies. I’ve seen matched pairs of UPSes knocked out by the same power event, and more commonly I’ve seen matched sets of batteries fail without warning. To clarify, there are power events that will kill an APC SmartUPS whereas their BackUPS won’t even notice a problem; on the other hand, the SmartUPS will protect a power supply against some failure modes that a BackUPS cannot. And a full-online-conversion UPS, while ideal, costs an arm and a leg. All three will tolerate different amounts of input power phase mismatch (“Power Factor”).

It’s nearly impossible to design truly “uninterruptible” power; anyone who’s installed a mainframe can attest to this! You need capacitors on the circuit board to smooth ripples (micro-events), ultracapacitors or batteries to prop up the input power during sub-second (or even multi-second) outages, a traditional UPS to provide interim power, a generator to cover long outages, and a ground-zero-grade blast shelter to put it all in so it stays running in case of global thermonuclear war… and even then, we still don’t have a technology to work around the power outages anticipated when the heat death of the universe occurs.

Yes, I’m being silly, but my point is that there’s no point in trying to design a “perfect” system. “Better than normal” is almost always what you’re really reaching for.

Having CARP failover is level 1, dual power supplies is level 2, dual UPSes is level 3, how far do you plan to take this? What if your ISP goes down – are you also going to multi-home? Are the devices behind this firewall also multiply-redundant?

I don’t mean to suggest there’s no point in increasing reliability, but even two UPSes is going far beyond the needs of most applications. “Carrier-grade” doesn’t even mean having redundant UPSes… at least, none of the telcos I work with in my region have redundant UPSes powering their phone switches!

Anyway, like I said – if you’re going to run >1 UPS, use *different* UPSes to avoid hitting the identical problem at the identical time on all of them, which has actually happened to me.

-Adam

From: Hans Maes [mailto:h...@bitnet.be]
Sent: Saturday, October 09, 2010 10:02
To: support@pfsense.com
Subject: Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance

On 10/08/2010 07:15 PM, Gerald A wrote:

On Fri, Oct 8, 2010 at 4:55 PM, Andy Graybeal wrote:
I'll have 2 firewalls, and 2 UPS's one for each firewall.

Each firewall will have:
1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
2. two hot swap power supplies.

Is one UPS per firewall agreeable? I don't know how to do it otherwise. I can't imagine purchasing 4 UPS's, one for each power supply. Seems a little overkill. I welcome any input.

Plug one hotswap supply from each firewall into both of the UPS boxes you have. That way, even if you have to service a UPS, you won't lose a firewall. I wouldn't dedicate a UPS to each firewall, because any UPS issue makes you bring down a box no matter what.

True, but depending on your configuration, another way to hook this up is to bypass the UPS for one of the power supplies on each firewall:

FW1 - Power supply 1 -> UPS1
FW1 - Power supply 2 -> straight to power grid

FW2 - Power supply 1 -> UPS2
FW2 - Power supply 2 -> straight to power grid

This way, you would still be up and running if both UPS systems fail for some reason.
I've seen it happen! eg short circuit in a system connected to both UPS triggering both UPS to shutdown.
(Try explaining complete power failure to your boss when all lights are still on in the entire building ;-) )

Agreed, during power grid failure, FW1 would go down if UPS1 fails, and FW2 would go down if UPS2 fails, but you got CARP to fix that.

Just my 2 cents.

Regards,

Hans
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
On 10/08/2010 07:15 PM, Gerald A wrote:
> On Fri, Oct 8, 2010 at 4:55 PM, Andy Graybeal wrote:
>> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>>
>> Each firewall will have:
>> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
>> 2. two hot swap power supplies.
>>
>> Is one UPS per firewall agreeable? I don't know how to do it otherwise. I can't imagine purchasing 4 UPS's, one for each power supply. Seems a little overkill. I welcome any input.
>
> Plug one hotswap supply from each firewall into both of the UPS boxes you have. That way, even if you have to service a UPS, you won't lose a firewall. I wouldn't dedicate a UPS to each firewall, because any UPS issue makes you bring down a box no matter what.

True, but depending on your configuration, another way to hook this up is to bypass the UPS for one of the power supplies on each firewall:

FW1 - Power supply 1 -> UPS1
FW1 - Power supply 2 -> straight to power grid

FW2 - Power supply 1 -> UPS2
FW2 - Power supply 2 -> straight to power grid

This way, you would still be up and running if both UPS systems fail for some reason.
I've seen it happen! eg short circuit in a system connected to both UPS triggering both UPS to shutdown.
(Try explaining complete power failure to your boss when all lights are still on in the entire building ;-) )

Agreed, during power grid failure, FW1 would go down if UPS1 fails, and FW2 would go down if UPS2 fails, but you got CARP to fix that.

Just my 2 cents.

Regards,

Hans
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
> I'll have 2 firewalls, and 2 UPS's one for each firewall.

As suggested before, cross the power supply cords between the 2 ups's. If you have the option of 2 power feeds in your DC then put each UPS on one specific.

Alternatively there are great breaker strips that take 2 feeds and can put it into one plug so that you can still have both ups systems powered on if the A or B feed fails. These are about 150 euro or so.

> Each firewall will have:
> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
> 2. two hot swap power supplies.

Makes perfect sense, that's what I have.

> Now for the networking...
> I'll have two dsl modems. I'm going to guess that I should have two switches, one per modem. 2 connections coming from each switch, one per firewall.

One switch with vlans works, but if you can get 2 separate ones that works too. I haven't had HP Procurve switches die on me for years. In fact, there is still a 2424M out there servicing after 10 years.

> I'll need two IP addresses assigned to each firewall from my providers (total of 4 ip addresses from providers).

These will be the CARP IP addresses so that firewall failover works. You will want to add more for splitting services perhaps. You might want to terminate lan -> internet traffic on a separate carp ip to prevent nat overloading.

You will need 1 extra IP address per WAN connection for each part of the firewall that participates in the CARP. If you have a /29 assigned by the ISP per DSL modem you are safe.

> Then I'll need a connection between each firewall for the pfsync.
> That is a total of 3 ethernet ports per firewall (2 wan, 1 pfsync) just for the redundancy; not including LANs.

That is correct.

> Can the pfsync connection be a simple cross-over cable, to get away from needing another switch?

Yes, some ports have cable length issues but 1 meter is safe.

> I know CARP is in the equation, I'll get to that after I understand how I'm gonna hook this stuff up physically.

See the book, it's recommended. No. Really.

Regards,

Seth
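Seth's address rule above (one real WAN address per cluster member, plus one shared address per CARP VIP, with the ISP gateway in the same block, so a /29 per WAN is safe) worked through as an added example; this is not code from the thread or from pfSense. It assumes the ISP gateway takes the first usable host address and uses a constructed 203.0.113.0/24 documentation block.

```python
"""Address-budget planner for a CARP firewall pair on an ISP-assigned WAN block.

Added example, not code from the mailing-list thread or from pfSense.
Each cluster member needs its own real WAN address, each CARP VIP needs
one shared address, and the ISP gateway also lives in the block.  The
/29 and the 203.0.113.0/24 range used below are constructed sample values.
"""
import ipaddress


def plan_carp_wan(cidr, members=2, vips=1):
    """Allocate gateway, per-node and CARP VIP addresses out of `cidr`.

    Assumption (labelled): the ISP gateway takes the first usable host
    address; the real node addresses come next, then the VIPs.
    Returns a dict with the allocation and the number of spare addresses,
    or raises ValueError when the block is too small for the cluster.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())          # excludes network and broadcast
    if len(hosts) < 2:
        raise ValueError(f"{net}: no room for a gateway plus any host")
    gateway, pool = hosts[0], hosts[1:]
    needed = members + vips
    if needed > len(pool):
        raise ValueError(
            f"{net}: need {needed} addresses ({members} members + {vips} VIPs) "
            f"but only {len(pool)} remain after the gateway")
    return {
        "network": str(net),
        "gateway": str(gateway),
        "node_ips": [str(ip) for ip in pool[:members]],
        "vip_ips": [str(ip) for ip in pool[members:needed]],
        "spare": len(pool) - needed,
    }


def smallest_prefix(members=2, vips=1):
    """Longest IPv4 prefix length whose usable hosts cover gateway + members + VIPs."""
    needed = 1 + members + vips
    for plen in range(30, -1, -1):     # /30 is the smallest block with 2 usable hosts
        if 2 ** (32 - plen) - 2 >= needed:
            return plen
    raise ValueError("request exceeds IPv4 address space")


if __name__ == "__main__":
    # The thread's case: two members, one CARP VIP per WAN, a /29 from the ISP.
    print(plan_carp_wan("203.0.113.8/29"))
    # Seth's suggestion of a second VIP for LAN -> internet NAT still fits a /29.
    print(plan_carp_wan("203.0.113.8/29", vips=2))
    # A /30 leaves a single address after the gateway, so a CARP pair cannot fit.
    try:
        plan_carp_wan("203.0.113.8/30")
    except ValueError as err:
        print("rejected:", err)
    print("smallest prefix for 2 members + 1 VIP:", smallest_prefix())
```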
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
> Plug one hotswap supply from each firewall into both of the UPS boxes you have. That way, even if you have to service a UPS, you won't lose a firewall. I wouldn't dedicate a UPS to each firewall, because any UPS issue makes you bring down a box no matter what.
>
> Make sense?

Gerald,

That strategy did cross my mind and thank you for spelling it out, much appreciated.

-Andy
Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance
Hey there,

On Fri, Oct 8, 2010 at 4:55 PM, Andy Graybeal wrote:
> Greetings,
> I need some help wrapping my head around how to be redundant.
>
> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>
> Each firewall will have:
> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
> 2. two hot swap power supplies.
>
> Is one UPS per firewall agreeable? I don't know how to do it otherwise. I
> can't imagine purchasing 4 UPS's, one for each power supply. Seems a little
> overkill. I welcome any input.
>

Plug one hotswap supply from each firewall into both of the UPS boxes you have. That way, even if you have to service a UPS, you won't lose a firewall. I wouldn't dedicate a UPS to each firewall, because any UPS issue makes you bring down a box no matter what.

Make sense?

Gerald.