High Availability Configuration Example without NAT¶
As mentioned earlier, only CARP VIPs provide redundancy for addresses directly handled by the firewall, and they can only be used in conjunction with NAT or services on the firewall itself. Redundancy can also be provided for routed public IP subnets with HA. This section describes this type of configuration, which is common in large networks, ISP and wireless ISP networks, and data center environments.
Public IP Assignments¶
HA requires at least a /29 public IP block for the WAN side of the firewall, which provides six usable IP addresses. Only three are required for a two node deployment, but this is the smallest subnet that will accommodate three IP addresses. Each firewall requires one IP address, and at least one CARP VIP on the WAN side.
The second public IP address subnet must be routed to one of the CARP VIPs by the ISP, data center, or upstream router. Because this subnet is being routed to a CARP VIP, the routing will not be dependent upon a single node. The example configuration depicted in this section uses a /24 public IP subnet and splits it into two /25 subnets.
The example network depicted here is a data center environment consisting of two HA nodes with four interfaces each: WAN, LAN, DBDMZ, and Sync. This network contains a number of web and database servers. It is not based on any real network, but there are countless production deployments similar to this.
The WAN side connects to the upstream network, either the ISP, data center, or upstream router.
The WEB segment in this network uses the “LAN” interface but renamed. It contains web servers, so it has been named WEB but it could be called DMZ, SERVERS, or anything desired.
This segment is an OPT interface and contains the database servers. It is common to segregate the web and database servers into two networks in hosting environments. The database servers typically do not require direct access from the Internet, and hence are less subject to compromise than web servers.
The HA nodes use the Sync network in this diagram to replicate configuration changes via XMLRPC and for state synchronization to replicate state table changes between the two firewalls. As described in other HA documentation sections, the best practice is to use a dedicated interface for this purpose.
Figure Diagram of HA with Routed IPs illustrates this network layout, including all routable IP addresses, the WEB network, and the Database DMZ.
Segments containing database servers typically do not need to be publicly accessible, and hence would more commonly use private IP subnets, but the example illustrated here can be used regardless of the function of the two internal subnets.