[Pacemaker] create 2-node Active/Passive firewall cluster

Allen Pomeroy a at pomeroy.us
Wed Sep 18 14:43:17 EDT 2013


Why don't you consider something like OpenBSD's packet filter (pf), 
pfsync, and CARP?  That would provide a better (hitless) HA solution for 
firewalls.  I also use fwbuilder.org to graphically manage the firewall 
rules.  The best use for a cluster is services that can take a hit while 
the cluster migrates resources from a failed node to a healthy node.  
Firewalls are a special case where you want the 'failover' to happen in 
near real time, including the in-memory firewall state table and the 
IP/MAC addresses on each segment.

I use pacemaker for application level service management with great 
success.

Regards,
AP

-- 
Allen Pomeroy, MSc, CISSP, CISA
pomeroy.us / Website
512-705-6840 / Mobile
a at pomeroy.us / Email

On 2013-09-18 13:34, Jeff Weber wrote:
> I am looking to create a 2-node Active/Passive firewall cluster.
> I am an experienced Linux user, but new to HA clusters. I have
> scanned "Clusters From Scratch" and "Pacemaker Explained".  I found
> these docs helpful, but a bit overwhelming, being new to HA
> clusters.
> 
> My goals:
> 
> * create 2-node Active/Passive firewall cluster
> * Each FW node has an external, and internal interface
> * Cluster software presents external, internal VIPs
> * VIPs must be co-located on same node
> * One node is preferred for VIP locations
> * If any interface fails on node currently hosting VIPs, VIPs move to 
> other node
> 
> For simplicity sake, I'll start by creating VIPs, and add firewall
> plumbing to the VIPs in the future.
> 
> My config:
> CentOS-6.3 based distro + 
> corosync-1.4.1-1
> pacemaker-1.1.8-1
> pcs-0.9.26-1
> resource-agents-3.9.2-12
> 
> and all required dependencies
> 
> My questions:
> 
> This sounds like a common use case, but I could not find an
> example/HOWTO.  Did I miss it?
> 
> Do I have the correct HA cluster packages, versions to start work?
> Do I also need the cman?, ccs packages?
> 
> How many interfaces should each cluster node have?
>     2 interfaces: internal, external
>     or
>     3 interfaces: internal, external, monitor
> 
> Do I need to configure corosync.conf/totem/interface/bindnetaddr, and
> if so, bind to what net?
> 
> $1M question:
> How to configure cluster to monitor all internal, external cluster
> interfaces, and perform
> failover?  Here's my estimate:
> 
> * create external VIP as IPaddr2 and bind to external interfaces
> * create internal VIP as IPaddr2 and bind to internal interfaces
> * co-locate both VIPs together
> * specify a location constraint for preferred node
> 
> Any help would be appreciated,
> thanks
> Jeff
> 
> 
> _______________________________________________
> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
> 
> Project Home: http://www.clusterlabs.org
> Getting started: 
> http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
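The VIP layout Jeff sketches above (two IPaddr2 resources, colocated, with a preferred node, moving when any interface on the active node fails) maps onto a short list of pcs commands. The script below is an added example, not code from either poster or from the Pacemaker project: it emits the commands for that layout and, if pcs is on the box and APPLY=1 is set, runs them. Node name fw1, interfaces eth0/eth1, the RFC 5737 address 192.0.2.10 and the internal VIP 192.168.100.1 are assumptions. Link monitoring uses the ocf:heartbeat:ethmonitor agent, which sets the node attribute ethmonitor-<interface> to 1 while the link is up; a location rule with score -INFINITY bans the VIPs from any node where that attribute is not 1, and the colocation constraint drags the second VIP along. The pcs syntax is the one in the ClusterLabs documentation; the 2013 pcs 0.9.26 release in Jeff's list may differ in details, so check `pcs constraint location --help` on that version. This covers only the VIP side: as Allen notes, Pacemaker moves the addresses but not the in-kernel connection state, which on Linux needs a separate state-sync mechanism such as conntrackd.

```shell
#!/bin/sh
# Added example (not from the original post): pcs commands for a two-VIP
# active/passive firewall pair. Names and addresses below are assumptions.
NODE_PREF=fw1             # assumed preferred node
EXT_NIC=eth0              # assumed external interface
INT_NIC=eth1              # assumed internal interface
EXT_VIP=192.0.2.10        # assumed external VIP (RFC 5737 documentation range)
INT_VIP=192.168.100.1     # assumed internal VIP
MASK=24

# Each helper prints one pcs command line; plan() strings them together.
vip_cmd() {      # $1 resource name, $2 nic, $3 address
  printf 'pcs resource create %s ocf:heartbeat:IPaddr2 ip=%s cidr_netmask=%s nic=%s op monitor interval=10s\n' \
    "$1" "$3" "$MASK" "$2"
}
ethmon_cmd() {   # $1 nic: cloned ethmonitor sets node attribute ethmonitor-<nic>=1 while link is up
  printf 'pcs resource create mon_%s ocf:heartbeat:ethmonitor interface=%s op monitor interval=10s\n' "$1" "$1"
  printf 'pcs resource clone mon_%s\n' "$1"
}
colocate_cmd() { # both VIPs must land on the same node
  printf 'pcs constraint colocation add int_vip with ext_vip INFINITY\n'
}
prefer_cmd() {   # soft preference: score 100 for the preferred node, VIPs still move on failure
  printf 'pcs constraint location ext_vip prefers %s=100\n' "$NODE_PREF"
}
nic_rule_cmd() { # $1 nic: ban ext_vip (and, via colocation, int_vip) from a node whose link is not up
  printf 'pcs constraint location ext_vip rule score=-INFINITY ethmonitor-%s ne 1\n' "$1"
}

plan() {
  vip_cmd ext_vip "$EXT_NIC" "$EXT_VIP"
  vip_cmd int_vip "$INT_NIC" "$INT_VIP"
  ethmon_cmd "$EXT_NIC"
  ethmon_cmd "$INT_NIC"
  colocate_cmd
  prefer_cmd
  nic_rule_cmd "$EXT_NIC"
  nic_rule_cmd "$INT_NIC"
}

main() {
  if [ "${APPLY:-0}" = "1" ] && command -v pcs >/dev/null 2>&1; then
    # Apply for real: run each generated command, stop at the first failure.
    plan | while IFS= read -r cmd; do
      echo "+ $cmd"
      eval "$cmd" || exit 1
    done
  else
    # Dry run (default): just show what would be configured.
    plan
  fi
}

main
```

Run it without arguments to review the generated commands; set APPLY=1 on one cluster node to apply them. Because the location rule is attached to ext_vip only and int_vip is colocated with it at INFINITY, a link failure on either interface of the active node moves both addresses together, which is the behaviour Jeff asked for; with a preferred-node score of 100 rather than INFINITY, the VIPs come back to fw1 once its links are healthy again, so consider `resource-stickiness` if you want to avoid that second flap.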
