Well, if one falls over unexpectedly, you would actually want one box to be able to handle the full load, otherwise when the HA kicks in (due to planned or unplanned downtime), you would get a poor or useless situation depending on how the services handle the downgrade.
It smells like people who run dual-power servers with one leg on UPS and the other on wall-power, but when the wall power goes away and stops taking half of the load, you notice that the UPS handles the now-doubled load poorly and you do not get the expected 5-15-30 minutes of battery time you had planned for. Or when RAID5 has a faulted disk, apart from the re-mirroring to the hot-spare, a degraded R5 has really poor performance added to it, since it always must read and write to all drives and recalculate the missing data from the others while doing so. Your stuff may run very well on "only" one machine in case of faults since you are at the higher end of hw I assume, but if I get the choice, I'd like to design so that the fail-over scenario isn't much worse than normal operations if possible.

2015-06-22 9:40 GMT+02:00 Aviolat Romain <[email protected]>:

> Dear OpenBSD community,
>
> I'll deploy a new redundant firewall setup in a few weeks (waiting for the
> hardware...). It'll be composed of two 1U supermicro servers and a few
> additional 10GbE NICs.
>
> The idea was to use CARP + pfsync as the fail-over mechanism.
>
> I already deployed that a few times in the past, and we're pretty happy with
> this setup; maintenance is easy and the setup is rock solid.
>
> The only disadvantage IMHO is that there is no way to achieve load
> balancing between the members of the CARP cluster, one machine is always
> working while the other is idle. I could define some VLANs on top of CARP
> interfaces to be MASTER on routerA and some on routerB but still it's not
> real load balancing.
>
> So before making the same setup again I wanted to have your input about
> that, maybe I'm not aware of other ways to achieve HA/load-balancing using
> OpenBSD?
>
> Thanks for your help!
>
> Romain Aviolat
> Senior System Administrator - R&D and ops Infrastructure
> Kudelski Security - Kudelski Group
> rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
> +41 21 732 03 79

--
May the most significant bit of your life be positive.

