Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread WolfSec-Support
Hello

No.
Hardware as nic type can be anything.
For sure the 2nd node should be able to handle traffic and load

E.g. one can be physical with vlan assignments.
Other can be virtual with vNiC per assignment.
Will work fine.
Simply interface name must be same.

And yes. For sure I agree to use identical hardware. But some setups do
not need this at all.

Br
Stephan

Am 16.11.2016 06:14 schrieb "Chris L" <c...@viptalk.net>:

> > On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >
> > same ports? you mean that same port assignment and nic can be different
> type?
> >
> > eero
>
> No.
>
> Hardware should be as identical as possible. 100% identical is best. If
> LAN is em0 on one side, it must be em0 on the other.
>
>
> >
> > 15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:
> >
> >>Any hardware should work fine.  They recommend a separate
> NIC/port
> >> for the sync traffic since if syncing states there can be a lot of
> traffic
> >> (if not syncing state there is probably very little).  I don't think it
> >> needs to be identical hardware but the rules would need to copy over so
> it
> >> would need the same ports.
> >>
> >>One gotcha that caught me...under "System/High Availability
> >> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
> >> "Remote System Username" field.  That field is ignored, and "admin" is
> >> always used.
> >>
> >> --
> >>
> >> Steve Yates
> >> ITS, Inc.
> >>
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Tuesday, November 15, 2016 2:20 PM
> >> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
> >
> >> Subject: [pfSense] pfsense + carp + ha
> >>
> >> Hi List,
> >>
> >> What are requirements for pfsense ha clustering? does any of x86
> hardware
> >> work with ha? does hardware need to be identical?
> >>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
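
The interface-name requirement discussed in this thread, turned into a check that can be run before pairing two nodes (an added example, not part of any poster's message and not pfSense code): it compares the logical-to-NIC assignments from two config.xml exports. The `<interfaces>`/`<if>` layout is an assumption about the config format, and both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). Assumed layout: config.xml
# keeps assignments under <interfaces>, one child per logical interface
# (wan, lan, optN), with the NIC name in <if>.
PRIMARY_XML = """<pfsense><interfaces>
  <wan><if>em0</if><descr>WAN</descr></wan>
  <lan><if>em1</if><descr>LAN</descr></lan>
  <opt1><if>em2</if><descr>SYNC</descr></opt1>
  <opt2><if>em1_vlan30</if><descr>DMZ</descr></opt2>
</interfaces></pfsense>"""

SECONDARY_XML = """<pfsense><interfaces>
  <wan><if>vtnet0</if><descr>WAN</descr></wan>
  <lan><if>em1</if><descr>LAN</descr></lan>
  <opt1><if>em2</if><descr>SYNC</descr></opt1>
</interfaces></pfsense>"""


def assignments(config_xml):
    """Map each logical interface (wan, lan, opt1, ...) to its NIC name."""
    # Only feed this your own exported configs; the stdlib parser is not
    # hardened against hostile XML.
    root = ET.fromstring(config_xml)
    section = root.find("interfaces")
    if section is None:
        raise ValueError("no <interfaces> section in config")
    return {node.tag: (node.findtext("if") or "").strip() for node in section}


def compare_nodes(primary_xml, secondary_xml):
    """Return sorted (logical, primary_nic, secondary_nic) mismatches.

    An assignment that exists on only one node is reported with None on the
    other side, since a rule synced for it would have nothing to bind to.
    """
    pri, sec = assignments(primary_xml), assignments(secondary_xml)
    problems = []
    for logical in sorted(set(pri) | set(sec)):
        a, b = pri.get(logical), sec.get(logical)
        if a != b:
            problems.append((logical, a, b))
    return problems


if __name__ == "__main__":
    for logical, a, b in compare_nodes(PRIMARY_XML, SECONDARY_XML):
        print(f"{logical}: primary={a} secondary={b}")
```
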


Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread Chris L
On Nov 16, 2016, at 10:30 AM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> 
> I think it is possible to use lagg interface for workaround with interface
> naming?
> 
> Eero

If you want to go that route, by all means do so.

Completely unnecessary added complexity, IMHO. That should probably be 
considered an available workaround to get you out of a jam until the real 
problem can be fixed.

If it’s worth doing HA at all, it’s worth doing right. Use a matching set of HA 
nodes.


> 
> 2016-11-16 7:14 GMT+02:00 Chris L <c...@viptalk.net>:
> 
>>> On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi>
>> wrote:
>>> 
>>> same ports? you mean that same port assignment and nic can be different
>> type?
>>> 
>>> eero
>> 
>> No.
>> 
>> Hardware should be as identical as possible. 100% identical is best. If
>> LAN is em0 on one side, it must be em0 on the other.
>> 
>> 
>>> 
>>> 15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:
>>> 
>>>>   Any hardware should work fine.  They recommend a separate
>> NIC/port
>>>> for the sync traffic since if syncing states there can be a lot of
>> traffic
>>>> (if not syncing state there is probably very little).  I don't think it
>>>> needs to be identical hardware but the rules would need to copy over so
>> it
>>>> would need the same ports.
>>>> 
>>>>   One gotcha that caught me...under "System/High Availability
>>>> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
>>>> "Remote System Username" field.  That field is ignored, and "admin" is
>>>> always used.
>>>> 
>>>> --
>>>> 
>>>> Steve Yates
>>>> ITS, Inc.
>>>> 
>>>> -Original Message-
>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>>>> Volotinen
>>>> Sent: Tuesday, November 15, 2016 2:20 PM
>>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
>>> 
>>>> Subject: [pfSense] pfsense + carp + ha
>>>> 
>>>> Hi List,
>>>> 
>>>> What are requirements for pfsense ha clustering? does any of x86
>> hardware
>>>> work with ha? does hardware need to be identical?
>>>> 

Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread Eero Volotinen
I think it is possible to use lagg interface for workaround with interface
naming?

Eero

2016-11-16 7:14 GMT+02:00 Chris L <c...@viptalk.net>:

> > On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >
> > same ports? you mean that same port assignment and nic can be different
> type?
> >
> > eero
>
> No.
>
> Hardware should be as identical as possible. 100% identical is best. If
> LAN is em0 on one side, it must be em0 on the other.
>
>
> >
> > 15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:
> >
> >>Any hardware should work fine.  They recommend a separate
> NIC/port
> >> for the sync traffic since if syncing states there can be a lot of
> traffic
> >> (if not syncing state there is probably very little).  I don't think it
> >> needs to be identical hardware but the rules would need to copy over so
> it
> >> would need the same ports.
> >>
> >>One gotcha that caught me...under "System/High Availability
> >> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
> >> "Remote System Username" field.  That field is ignored, and "admin" is
> >> always used.
> >>
> >> --
> >>
> >> Steve Yates
> >> ITS, Inc.
> >>
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Tuesday, November 15, 2016 2:20 PM
> >> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
> >
> >> Subject: [pfSense] pfsense + carp + ha
> >>
> >> Hi List,
> >>
> >> What are requirements for pfsense ha clustering? does any of x86
> hardware
> >> work with ha? does hardware need to be identical?
> >>


Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread Steve Yates
System/High Availability Sync page shows checkboxes for what to sync.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, November 16, 2016 1:05 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense + carp + ha

ok. does it also sync all settings like ipsec and openvpn keys?

Eero


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Eero Volotinen
ok. does it also sync all settings like ipsec and openvpn keys?

Eero

16.11.2016 7.14 ap. "Chris L" <c...@viptalk.net> kirjoitti:

> > On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >
> > same ports? you mean that same port assignment and nic can be different
> type?
> >
> > eero
>
> No.
>
> Hardware should be as identical as possible. 100% identical is best. If
> LAN is em0 on one side, it must be em0 on the other.
>
>
> >
> > 15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:
> >
> >>Any hardware should work fine.  They recommend a separate
> NIC/port
> >> for the sync traffic since if syncing states there can be a lot of
> traffic
> >> (if not syncing state there is probably very little).  I don't think it
> >> needs to be identical hardware but the rules would need to copy over so
> it
> >> would need the same ports.
> >>
> >>One gotcha that caught me...under "System/High Availability
> >> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
> >> "Remote System Username" field.  That field is ignored, and "admin" is
> >> always used.
> >>
> >> --
> >>
> >> Steve Yates
> >> ITS, Inc.
> >>
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Tuesday, November 15, 2016 2:20 PM
> >> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
> >
> >> Subject: [pfSense] pfsense + carp + ha
> >>
> >> Hi List,
> >>
> >> What are requirements for pfsense ha clustering? does any of x86
> hardware
> >> work with ha? does hardware need to be identical?
> >>


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Chris L
> On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> 
> same ports? you mean that same port assignment and nic can be different type?
> 
> eero

No.

Hardware should be as identical as possible. 100% identical is best. If LAN is 
em0 on one side, it must be em0 on the other.


> 
> 15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:
> 
>>Any hardware should work fine.  They recommend a separate NIC/port
>> for the sync traffic since if syncing states there can be a lot of traffic
>> (if not syncing state there is probably very little).  I don't think it
>> needs to be identical hardware but the rules would need to copy over so it
>> would need the same ports.
>> 
>>One gotcha that caught me...under "System/High Availability
>> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
>> "Remote System Username" field.  That field is ignored, and "admin" is
>> always used.
>> 
>> --
>> 
>> Steve Yates
>> ITS, Inc.
>> 
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>> Volotinen
>> Sent: Tuesday, November 15, 2016 2:20 PM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: [pfSense] pfsense + carp + ha
>> 
>> Hi List,
>> 
>> What are requirements for pfsense ha clustering? does any of x86 hardware
>> work with ha? does hardware need to be identical?
>> 


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Eero Volotinen
same ports? you mean that same port assignment and nic can be different type?

eero

15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:

> Any hardware should work fine.  They recommend a separate NIC/port
> for the sync traffic since if syncing states there can be a lot of traffic
> (if not syncing state there is probably very little).  I don't think it
> needs to be identical hardware but the rules would need to copy over so it
> would need the same ports.
>
> One gotcha that caught me...under "System/High Availability
> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
> "Remote System Username" field.  That field is ignored, and "admin" is
> always used.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Tuesday, November 15, 2016 2:20 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] pfsense + carp + ha
>
> Hi List,
>
> What are requirements for pfsense ha clustering? does any of x86 hardware
> work with ha? does hardware need to be identical?
>


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Steve Yates
Any hardware should work fine.  They recommend a separate NIC/port for 
the sync traffic since if syncing states there can be a lot of traffic (if not 
syncing state there is probably very little).  I don't think it needs to be 
identical hardware but the rules would need to copy over so it would need the 
same ports.

One gotcha that caught me...under "System/High Availability 
Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a "Remote 
System Username" field.  That field is ignored, and "admin" is always used.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, November 15, 2016 2:20 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense + carp + ha

Hi List,

What are requirements for pfsense ha clustering? does any of x86 hardware work 
with ha? does hardware need to be identical?



Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Vick Khera
I use commodity x86 (64-bit) hardware. I tend to make my pairs
identical, so I know the backup can handle the load if the primary
keels over. There's no hard requirement for that, though.


On Tue, Nov 15, 2016 at 3:19 PM, Eero Volotinen  wrote:
> Hi List,
>
> What are requirements for pfsense ha clustering? does any of x86 hardware
> work with ha? does hardware need to be identical?
>
> --
> Eero


[pfSense] pfsense + carp + ha

2016-11-15 Thread Eero Volotinen
Hi List,

What are requirements for pfsense ha clustering? does any of x86 hardware
work with ha? does hardware need to be identical?

--
Eero


Re: [pfSense] Pfsense CARP

2015-08-14 Thread Sergio Mira - Gerencianet
Just to close the case.

I'm using LAGG in all my carp interfaces and I was using LOAD BALANCE
algorithm.
I changed to FAILOVER and it seems to be working well.

It was something on my switch (Dell N Series), but I'll investigate later.

Thanks!

On Tue, Aug 11, 2015 at 10:45 AM, Sergio Mira - Gerencianet 
ser...@gerencianet.com.br wrote:

 Hello all,

 I'm working at a scenario where all my interfaces are using CARP over lagg.

 When I disable (on switch) a lagg linked to my primary pf, that interface
 becomes *INIT* on primary node and *MASTER* on my secondary node.

 Problem is the other interfaces (such as WAN) do not become *MASTER* on
 secondary node.

 I want to, in any case of failure, all my carp over lagg interfaces become
 master on the secondary node.

 Is this not a typical scenario?

 Thanks!

 --

 Best regards,
 || --
 ||   _Sergio Mira - Infrastructure Analyst
 ||  °v°   Gerencianet Pagamentos do Brasil
 || /(_)\  www.gerencianet.com.br
 ||  ^ ^   E: ser...@gerencianet.com.br
 ||T: +55.31.3603.0816
 ||M: +55.31.9192.9788
 || --
 || Linux User #497558
 || Use Linux and be free.





-- 

Best regards,
|| --
||   _Sergio Mira - Infrastructure Analyst
||  °v°   Gerencianet Pagamentos do Brasil
|| /(_)\  www.gerencianet.com.br
||  ^ ^   E: ser...@gerencianet.com.br
||T: +55.31.3603.0816
||M: +55.31.9192.9788
|| --
|| Linux User #497558
|| Use Linux and be free.

[pfSense] Pfsense CARP

2015-08-11 Thread Sergio Mira - Gerencianet
Hello all,

I'm working at a scenario where all my interfaces are using CARP over lagg.

When I disable (on switch) a lagg linked to my primary pf, that interface
becomes *INIT* on primary node and *MASTER* on my secondary node.

Problem is the other interfaces (such as WAN) do not become *MASTER* on
secondary node.

I want to, in any case of failure, all my carp over lagg interfaces become
master on the secondary node.

Is this not a typical scenario?

Thanks!

-- 

Best regards,
|| --
||   _Sergio Mira - Infrastructure Analyst
||  °v°   Gerencianet Pagamentos do Brasil
|| /(_)\  www.gerencianet.com.br
||  ^ ^   E: ser...@gerencianet.com.br
||T: +55.31.3603.0816
||M: +55.31.9192.9788
|| --
|| Linux User #497558
|| Use Linux and be free.