Why don't you consider something like OpenBSD's packet filter (pf), pfsync, and CARP? That would provide a better (hitless) HA solution for firewalls. I also use fwbuilder.org to graphically manage the firewall rules. The best use for a cluster is services that can take a hit while the cluster migrates resources from a failed node to a healthy node. Firewalls are a special case where you want the 'failover' to happen in near realtime including the in memory firewall state table and the IP MAC addresses on each segment.

I use pacemaker for application level service management with great success.

Regards,
AP

--
Allen Pomeroy, MSc, CISSP, CISA
pomeroy.us / Website
512-705-6840 / Mobile
a...@pomeroy.us / Email

On 2013-09-18 13:34, Jeff Weber wrote:
I am looking to create a 2-node Active/Passive firewall cluster.
I am an experienced Linux user, but new to HA clusters. I have
scanned "Clusters From Scratch" and "Pacemaker Explained". I found
these docs helpful, but a bit overwhelming, being new to HA
clusters.

My goals:

* create 2-node Active/Passive firewall cluster
* Each FW node has an external, and internal interface
* Cluster software presents external, internal VIPs
* VIPs must be co-located on same node
* One node is preferred for VIP locations
* If any interface fails on node currently hosting VIPs, VIPs move to other node

For simplicity's sake, I'll start by creating VIPs, and add firewall
plumbing to the VIPs in the future.

My config:
CentOS-6.3 based distro +
corosync-1.4.1-1
pacemaker-1.1.8-1
pcs-0.9.26-1
resource-agents-3.9.2-12

and all required dependencies

My questions:

This sounds like a common use case, but I could not find an
example/HOWTO.  Did I miss it?

Do I have the correct HA cluster packages, versions to start work?
Do I also need the cman, ccs packages?

How many interfaces should each cluster node have?
    2 interfaces: internal, external
    or
    3 interfaces: internal, external, monitor

Do I need to configure corosync.conf/totem/interface/bindnetaddr, and
if so, bind to what net?

$1M question:
How to configure the cluster to monitor all internal and external cluster
interfaces, and perform failover? Here's my estimate:

* create external VIP as IPaddr2 and bind to external interfaces
* create internal VIP as IPaddr2 and bind to internal interfaces
* co-locate both VIPs together
* specify a location constraint for preferred node

Any help would be appreciated,
thanks
Jeff


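Jeff's four-step estimate above, written out as pcs commands with a per-segment reachability check so that a failed interface on the active node moves both VIPs. This is an added example, not something posted in the thread; it assumes pcs 0.9.x command syntax, the ocf:pacemaker:ping agent (shipped with pacemaker) for link monitoring, and constructed node, interface and address values.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the 2-node active/passive VIP
# layout Jeff describes, using pcs 0.9.x syntax. Node name, interfaces,
# addresses and the per-segment ping targets are constructed placeholders.
# corosync's totem (bindnetaddr) should live on a dedicated heartbeat
# segment (the 3-interface design), never on the external interface.
PCS=${PCS:-pcs}            # set PCS=echo to print the commands instead
PREFERRED=${PREFERRED:-fw1}
EXT_IF=eth0; INT_IF=eth1
EXT_VIP=203.0.113.10; INT_VIP=192.0.2.10
EXT_TARGET=203.0.113.1; INT_TARGET=192.0.2.1   # e.g. gateway / core switch

fw_cluster_config() {
    # Two nodes cannot form a majority, so quorum loss must not stop
    # resources. Real fencing belongs here too; this example omits it.
    $PCS property set no-quorum-policy=ignore

    # One IPaddr2 per segment; nic= pins each VIP to its interface.
    $PCS resource create vip_ext ocf:heartbeat:IPaddr2 \
        ip=$EXT_VIP cidr_netmask=24 nic=$EXT_IF op monitor interval=10s
    $PCS resource create vip_int ocf:heartbeat:IPaddr2 \
        ip=$INT_VIP cidr_netmask=24 nic=$INT_IF op monitor interval=10s

    # Keep both VIPs together and prefer one node while it is healthy.
    $PCS constraint colocation add vip_int vip_ext INFINITY
    $PCS constraint location vip_ext prefers $PREFERRED=100

    # Interface health: a cloned ping resource per segment maintains a node
    # attribute (pingd_ext / pingd_int); a location rule bans vip_ext from
    # any node whose attribute is missing or zero, so a dead link on either
    # side of the firewall moves both VIPs (vip_int follows by colocation).
    $PCS resource create ping_ext ocf:pacemaker:ping host_list=$EXT_TARGET \
        name=pingd_ext multiplier=1000 op monitor interval=15s
    $PCS resource clone ping_ext
    $PCS resource create ping_int ocf:pacemaker:ping host_list=$INT_TARGET \
        name=pingd_int multiplier=1000 op monitor interval=15s
    $PCS resource clone ping_int
    $PCS constraint location vip_ext rule score=-INFINITY \
        pingd_ext lt 1 or not_defined pingd_ext
    $PCS constraint location vip_ext rule score=-INFINITY \
        pingd_int lt 1 or not_defined pingd_int
}

# Default is a dry run; pass "apply" to issue the commands to the cluster.
case "${1:-}" in
    apply) fw_cluster_config ;;
    *)     (PCS=echo; fw_cluster_config) ;;
esac
```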
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org

