Wednesday, 19 February 2014

pfSense in production with HA

If you work with or have an interest in IT networking and haven’t already heard of pfSense then you must go here and be amazed:

http://www.pfsense.org/

Basically (well, it is by no means your 'basic' BT home hub), pfSense is an Open Source routing platform, stateful firewall, IDS/IPS, Proxy, VPN gateway..... In fact... It can probably do everything!

I have been using pfSense on the office network and on the production network in the data centre for nearly a year so have got to play with it a fair bit.

Its basic setup simply asks you which interfaces you want to use for what (LAN, WAN, and more) and from there you can point your browser at the web GUI and start building your proper configuration.

The following is an example of one of my production HA configurations. I will walk you through it and try to give an overview of what's required to achieve this type of setup using pfSense 2.1.

You should be able to make sense of the diagram pretty easily. The data centre where this setup resides provides two WAN feeds into the rack. These come from their own Cisco HSRP setup and a pair of 6509s (big modular Cisco switches, for those that don't know). Each of the colocated customers in this data centre has their own VLAN that pipes their routable subnet to their rack.

Those two feeds come into the WAN interfaces of my pfSense boxes, and that's where the DC's network ends and mine begins.

Understanding High Availability

Our aim with this setup is to remove the single point of failure that is the LAN's default gateway. For the sake of explanation, take your home network: your router's IP address may be 192.168.0.1, and this will most likely be the default gateway your PC is configured to use in order to communicate outside of the local subnet. Obviously, if a rogue piece of space junk comes crashing through your roof and lands on your router, there is no more default gateway for your PCs.

The same applies when you scale up to the enterprise IT world, hosted environments or building networks: if the default gateway dies, things stop talking beyond their local subnet.

"So to solve this problem, we need to add a second default gateway right?"

Hey presto! Yes, we need to double up on our default gateway, in this case pfSense. However, the basic fundamentals of networking and routing dictate that we can't give a host two different default gateways, and obviously we can't give our second pfSense the same IP as the first. That doesn't work! Doh...

Common Address Redundancy Protocol

Or 'CARP', as you may have heard it called, is BSD's implementation of a gateway redundancy protocol. Read up here.

It works in a very similar fashion to Cisco's HSRP or VRRP from the IETF. It uses virtual addressing and an Active/Passive cluster setup in order to present a single IP to the network. The passive cluster member can then assume the role of hosting this virtual address in the event that the master node fails.

The configuration of the master node is synchronised in real time to the cluster slave. Looking at my diagram again, this means that if I felt like hitting pfSense A very hard with a 10lb sledgehammer, pfSense B instantly assumes ownership of the VIP (Virtual IP) that I am using as the LAN's default gateway address. The servers on the LAN are none the wiser, since they are still talking to the same default gateway address as before.

The same applies to incoming WAN traffic. Virtual 'CARP' IPs are also used on the WAN interface and therefore the second node takes ownership of them as well, so everything continues as normal.


The above picture is one of the two Dell PowerEdge R610s that I use in a CARP configuration in a production environment. One interface is for the WAN, one is for a dedicated PFSYNC interface and the remaining two are configured as a bond for the LAN; the bond is split between two switches on the LAN side for further redundancy.

PFSYNC is used to synchronise the states and other aspects of the pfSense master configuration to the slave. Obviously this is vital to the seamless failover between the master and slave; inconsistent states or configuration will result in a disastrous failover.
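To make the failover story above concrete, here is an added example (my own simulation, not code from pfSense or FreeBSD) that walks two nodes through a CARP election, a pfsync state push, the sledgehammer moment and the fail-back. The CARP timing rules are the real ones: the master advertises every advbase + advskew/256 seconds, the node with the shortest interval wins, and a backup takes the VIP after three missed advertisements. The 0.25 s simulated clock, the node names, the 192.168.10.1 VIP, the advskew values and the single firewall state entry are all constructed for the demo and are not from my production boxes.

```python
# Added example (not pfSense's or FreeBSD's own code): a discrete-time
# simulation of CARP master election and pfsync state replication. CARP
# conventions kept: a master advertises every advbase + advskew/256 seconds
# and a backup takes over after three missed advertisements. The 0.25 s
# clock, node names, VIP and state-table entry are constructed for the demo.
from dataclasses import dataclass, field

TICK = 0.25  # simulated clock resolution in seconds


@dataclass
class Node:
    name: str
    vhid: int                # virtual host id, identical on both members
    advbase: int = 1         # seconds between advertisements
    advskew: int = 0         # added to the interval; lower skew is preferred
    alive: bool = True
    state: str = "BACKUP"
    last_heard: float = 0.0  # when a master advertisement last arrived
    next_adv: float = 0.0    # when this node, if master, advertises next
    states: dict = field(default_factory=dict)  # firewall state table (pfsync)

    @property
    def interval(self):  # CARP prefers the node with the shortest interval
        return self.advbase + self.advskew / 256


@dataclass
class Cluster:
    vip: str
    nodes: list
    now: float = 0.0
    log: list = field(default_factory=list)  # (time, node, new state)

    def master(self):  # the live node owning the VIP, if there is exactly one
        m = [n for n in self.nodes if n.alive and n.state == "MASTER"]
        return m[0] if len(m) == 1 else None

    def _set(self, node, state):
        if node.state != state:
            node.state = state
            self.log.append((self.now, node.name, state))
            if state == "MASTER":
                node.next_adv = self.now  # a new master advertises at once

    def tick(self):
        self.now += TICK
        live = [n for n in self.nodes if n.alive]
        # 1. masters whose timer expired send an advertisement
        sent = [n for n in live if n.state == "MASTER" and self.now >= n.next_adv]
        for tx in sent:
            tx.next_adv = self.now + tx.interval
        # 2. every other member of the same VHID reacts to what it heard
        for rx in live:
            for tx in sent:
                if tx is rx or tx.vhid != rx.vhid:
                    continue
                rx.last_heard = self.now
                if rx.state == "MASTER" and tx.interval < rx.interval:
                    self._set(rx, "BACKUP")  # a better master is alive
                elif rx.state == "BACKUP" and tx.interval > rx.interval:
                    self._set(rx, "MASTER")  # preempt a worse master
        # 3. a backup that heard nothing for three intervals takes the VIP
        for n in live:
            if n.state == "BACKUP" and self.now - n.last_heard > 3 * n.interval:
                self._set(n, "MASTER")
        # 4. pfsync: the master pushes its state table to the backups
        m = self.master()
        if m is not None:
            for n in live:
                if n is not m:
                    n.states = dict(m.states)

    def run(self, seconds):
        for _ in range(int(round(seconds / TICK))):
            self.tick()

    def fail(self, name):  # the sledgehammer: the box goes silent instantly
        node = next(n for n in self.nodes if n.name == name)
        node.alive, node.state = False, "BACKUP"

    def restore(self, name):
        node = next(n for n in self.nodes if n.name == name)
        node.alive, node.last_heard = True, self.now
        if self.master() is not None:
            node.states = dict(self.master().states)  # pfsync bulk update on rejoin


def scenario():
    a = Node("pfSense-A", vhid=1, advskew=0)    # preferred master
    b = Node("pfSense-B", vhid=1, advskew=100)  # backup
    c = Cluster(vip="192.168.10.1", nodes=[a, b])  # constructed LAN VIP
    c.run(8)
    first = c.master().name
    a.states["tcp 203.0.113.7:51234 -> 192.168.10.20:443"] = "ESTABLISHED"
    c.run(2)
    c.fail("pfSense-A")
    c.run(6)
    second, replicated = c.master().name, dict(b.states)
    c.restore("pfSense-A")
    c.run(6)
    return first, second, replicated, c.master().name, c.log
```

Call scenario() and look at the returned log: A wins the initial election at 3.25 s, B only takes the VIP at 13.75 s, about 4.2 s after A's last advertisement (three of B's 1.39 s intervals), and when A comes back it preempts B because its interval is shorter. The replicated dictionary shows why the dedicated PFSYNC interface matters: the established connection is already in B's state table when it becomes master, so the client never sees a reset.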

Support
Even though pfSense doesn't have the heavyweight support of big players like Cisco and Juniper, I find that its community is excellent and as such I have had no problems finding answers to my questions on their forums and in the numerous guides and walkthroughs online.

But to be honest, if you can get even a basic grasp of what needs to happen in order to achieve high availability at the network perimeter, then a simple guide such as the following should point you in the right direction.


Until next time....

Tom

Friday, 14 February 2014

Moving to Linux.... Full time.

So today marks somewhat of an occasion for me, and it's nothing to do with Valentine's Day! Today marks the end of the first week since I made the switch to Linux as my full-time OS on my work/personal laptop.

My interest in the Linux platform was sparked around 18 months ago when previous employment had me take ownership of the cPanel web hosting platform, which obviously runs on Linux. This came about due to my personal experience with WordPress sites and in particular, migrating them from one hosting provider to another.

At the time I was part of a 'Wintel' server support team looking after a massive Exchange environment, a fairly big AD with a multi-domain forest, plenty of trust relationships, IIS servers, ISA servers etc.... So I was still very much a Windows man even though I had already been trying to specialise in VMware ESX and Citrix in previous roles... Windows was still what I'd call 'Home'.

Anyway, I took on the cPanel platform and before long needed to go beyond the excellent web based GUI.

"Ah... This isn't a Windows command prompt?!?!"

So out comes VMware Workstation to the rescue, on goes CentOS 6.2 and the fun begins. This is where I first experienced Linux in a professional capacity and over the next 18 months, with the excellent guidance of a Unix consultant who I worked with (on the end of the phone and with Lync for many, many hours), I started my journey into the Linux world.

Fast forward to the present and I have since run a number of LAMP web servers and experimented with Linux to run applications bespoke to the industry I currently apply my knowledge in. This experience also opened my mind to various open source platforms such as pfSense, OpenStack, CloudStack and the KVM hypervisor... Funnily enough, I am putting a failover pfSense CARP setup in the data centre production environment tomorrow.

That's how much I have come to trust and adopt 'Open Source' technology, especially the community that surrounds it.

In at the deep end... Bye bye Windows! And I have to say, considering this is the laptop I use for work, I am very impressed and am not regretting a thing, nor am I finding myself needing to spin up a Windows VM. Result!

Also, the UI... And it needs to be said, the stupid Metro touch crap in Windows 8 has done this for me.... I don't want my laptop to look like a phone and I definitely don't want to use it like one!...

This is my nice, slick, fast and tidy Xubuntu 13.10 desktop:


It does everything I need: I can manage my production ESXi environments, get on all the DRACs of the servers, connect to Exchange with Thunderbird, open office documents, connect to my VPN gateways.... Even RDP works fine! So does TeamViewer... Proxmox VE displays perfectly and I have Oracle VirtualBox for local virtualisation.

That was the biggest point for me... Being able to manage Windows environments from Linux... and so far I have to say.... 10 out of 10 from me!

So after 14 years of using Windows, I have made the move away from it on my only computer that I use for everything. I suppose this is the best way to learn...

Until Next time!

Tom

Thursday, 13 February 2014

Let me introduce myself!

Well, I have to be honest and say that in the 14 years I have been using computers & the internet, this is my very first blog post!

So here goes "One small step for man.... One giant leap for mankind"...

I am Tom and at the time of writing this I am a 24 year old Infrastructure Architect working in the IT hosting field (keeping in with the 'Cloud' buzzword at the moment, some might say...). I am one of those tech types that doesn't switch off when they leave the office at 4 or 5 in the afternoon; my mind is constantly spinning with ideas and possibilities that IT brings to the table. What can I achieve with this other hypervisor? What can I do to get this packet from here to there? How can I implement open source IDS/IPS? etc... etc...

You get the picture: technology, and more so the challenges it presents, gives me a real buzz. IT isn't just a job to me, it's a way of life and my way of thinking.

I have worked my way through a variety of roles within the industry very quickly and I think thanks to my drive for learning and hunger for information, I have been able to progress technically with every move.

Without mentioning any names, I started out as a 1st line IT help desk support analyst for one of the world's largest IT companies. A big Windows environment where I got my first exposure to things such as Microsoft Active Directory, Citrix, ticketing systems, file shares etc etc...

It didn't take me long to get my teeth into that and soon I was creating Windows 2003 domains in VMware Workstation at home, playing with DHCP, DNS, Roaming profiles and most importantly pestering my technical superiors at work for information about how things worked or ...... why they didn't work.

After a while I moved on to a more technical role at another of the world's biggest IT companies. 2nd line desktop support.... Same thing as the first, just more in depth and more admin rights on the network.... Every IT guy likes more rights?... right?

This continued and I gained more and more responsibility there, including the chance to play with some MS file and print servers. Ooooohhh Servers!

This is the point where my career kicked into overdrive and my head literally went into information overload.... But most importantly, this is when I really started getting down and dirty with the stuff that makes it all work. Servers, storage and networks.

This is when I joined the ranks of 3rd Line Support. Yes, the 'god like' team of support engineers that work mostly unseen or unheard and only make an appearance when the s**t really hits the fan and 2nd line are running round like a bunch of headless chickens whilst concerned management are waving the proverbial stick of authority and desperately trying to explain to the customer why 180,000 of their users are unable to log in to Windows.

I was employed as a member of the 3rd line infrastructure services team, based in a data centre, looking after a production environment for a public facing portal system and its development environments to go with it. I never counted but we were talking around 900-1000 servers, a few large SANs and plenty of networking and encryption kit.

This was again a Windows environment with plenty of MS SQL clusters, IIS and BizTalk. Server 2008 & 2003 were the OS of choice. I learnt a hell of a lot during this time. Our team covered everything: Cisco routers, switches, EMC SANs and all the Dell servers themselves...

This was also where I got my first look at disaster recovery solutions as well as one other technology that I would become highly familiar with: VMware ESXi.

Fast forwarding a few years and having worked with numerous different technologies at '3rd line' level, headed large P2V projects and taken a massive interest in virtualisation..... I am now where I have always wanted to be, which is at the infrastructure design level. 

So.... That's a very brief background on my career so far. I will be posting my technical endeavours to this blog as frequently as possible in the hope that my experience might help others with similar interests.

Seeing as I have used the internet as my primary source of information to do what I do.... I thought I should give something back!

Until next time.....

Tom