HA master/slave IPs and public IPv4/30

SECOIT GmbH
Posts: 32
Joined: 13 Feb 2018, 16:20

HA master/slave IPs and public IPv4/30

Post by SECOIT GmbH » 11 Jan 2019, 22:13

Hi all,
How can I properly set HA addresses on the WAN side if an ISP assigns an IPv4/30 subnet?

For example the network is 22.0.0.0/30 so that's only one usable address for the customer:
22.0.0.0 - network
22.0.0.1 - provider's gateway / next hop
22.0.0.2 - customer device
22.0.0.3 - broadcast

When using HA I'd use the 22.0.0.2 for the Clavister gateway as shared address. But what addresses can I use for the master/slave private IPs? There's nothing left in the /30 subnet.

Thanks,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

Peter
Posts: 652
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: HA master/slave IPs and public IPv4/30

Post by Peter » 15 Jan 2019, 07:51

Hello.

If you only have one public IP, you simply cannot set any other IP address as the Master_IP and Slave_IP. You can use, for instance, the LocalHost object that will set a 127.0.x.x address on the Master_IP and Slave_IP.

The need to have 3 public IPs for a cluster is mainly for:

1. Managing the cluster from the internet
2. Sending logs to something on the internet (not recommended)
3. Polling the cluster nodes using SNMP.

Basically anything where you want to connect to the individual cluster nodes from the internet. If there is no need for this at all, there is no need to use 3 public IPs for the cluster. So if you manage the cluster from the local network behind the Firewall, this is most likely not needed at all.

Best regards
/Peter

P.S. Some may wonder if it's possible to manage the cluster by connecting to the Shared IP and then to end up on the current active node. The base scenario of this does not work, but it is possible to solve using loopbacks. I will probably write a How-To about this when time allows.

DexterLas
Posts: 1
Joined: 19 Jan 2019, 10:51

Re: HA master/slave IPs and public IPv4/30

Post by DexterLas » 21 Jan 2019, 13:39

Hi Peter, the principle is the same if you have more than 3 too, right?

fras
Posts: 22
Joined: 16 Apr 2018, 13:50

Re: HA master/slave IPs and public IPv4/30

Post by fras » 21 Jan 2019, 13:59

Hi DexterLas,

That is correct, 3 is just the minimum IPs needed.

Best Regards,
Fredrik Å

SECOIT GmbH
Posts: 32
Joined: 13 Feb 2018, 16:20

Re: HA master/slave IPs and public IPv4/30

Post by SECOIT GmbH » 02 Feb 2019, 21:31

Hi Peter,

Many thanks!
I wasn't aware that the Master/Slave private IP addresses can be "invalid" (in terms of not in the IP subnet as defined within "Interface -> General -> IPv4 -> Network"). So that's good to know!
Will using such an "invalid" IP address require disabling heartbeats on this interface (Option: "This will disable sending Cluster Heartbeats from this interface")?

Thanks,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

fras
Posts: 22
Joined: 16 Apr 2018, 13:50

Re: HA master/slave IPs and public IPv4/30

Post by fras » 05 Feb 2019, 09:24

Hi Michael,

It is a simple feature to use when you have access to only one public IP.
In regards to disabling the heartbeats on said interface, the answer is no.
The Clavister NetWall has a few characteristics regarding heartbeats:
  • The source IP is the interface address of the sending firewall.
  • The destination IP is the broadcast address on the sending interface.
In case, the heartbeats are handled automatically and you do not need to disable them in the interfaces.

Best Regards,
Fredrik Å
