If you set up CARP, then you don’t manage outages at 4am, you manage them when
you get in to work because no services went out.
If you hate CARP, then just do HA Sync to a running backup VM with the uplink
and downlink disconnected. Then your emergency procedure is to reboot the
primary, or engage the secondary. Truthfully, I think you’re doing as much
harm as good by putting firewall infrastructure into a VM if reliability is
your concern. What failure do you envision surviving gracefully?
Opengear ACM5004 etc. seems to be the way to go if you need to get to the
inside of an isolated network segment. Or Aten CN8000 / IPMI on a secondary
network?
ED.
> CARP seems complicated... I am certain I can set it up, but it would require
> a lot of training for the other techs to be able to manage in a failure
> situation.
> Also, I am trying to avoid this because the intention is that they would also
> be running as VMs... adding another layer of complication...
> Combine that with VLANs and it isn't something I want to put in the hands of
> a simple tech at 4am...
>
> My thoughts were to set up a simple VM of pfSense... give it physical port
> access, etc... set it up like a regular firewall.
> Then, have it cloned nightly to another VM on another box... but not have it
> running... only in waiting to be powered up.
> This other box would be physically hooked up to the same simple ports on the
> switch as the primary firewall.
>
> If the firewall fails... then it should be a matter of making sure the
> problem firewall is powered down and powering up the clone.
>
> The problem I had was, how do I get into the network behind the firewall so
> that I can power down the bad and power up the good clone?
>
> Or is there a better/easier solution?
>
> Chuck
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold