HA master/slave IPs and public IPv4/30

Posted: 11 Jan 2019, 22:13
by SECOIT GmbH
Hi all,
How can I properly set HA addresses on the WAN side if an ISP assigns an IPv4/30 subnet?

For example the network is 22.0.0.0/30 so that's only one usable address for the customer:
22.0.0.0 - network
22.0.0.1 - provider's gateway / next hop
22.0.0.2 - customer device
22.0.0.3 - broadcast

When using HA I'd use the 22.0.0.2 for the Clavister gateway as shared address. But what addresses can I use for the master/slave private IPs? There's nothing left in the /30 subnet.

Thanks,
Michael

Re: HA master/slave IPs and public IPv4/30

Posted: 15 Jan 2019, 07:51
by Peter
Hello.

If you only have one public IP, you simply cannot set any other IP address as the Master_IP and Slave_IP. You can use, for instance, the LocalHost object that will set a 127.0.x.x address on the Master_IP and Slave_IP.

The need to have 3 public IPs for a cluster is mainly for:

1. Managing the cluster from the internet
2. Sending logs to something on the internet (not recommended)
3. Polling the cluster nodes using SNMP.

Basically anything where you want to connect to the individual cluster nodes from the internet. If there is no need for this at all, there is no need to use 3 public IPs for the cluster. So if you manage the cluster from the local network behind the Firewall, this is most likely not needed at all.

Best regards
/Peter

P.S. Some may wonder if it's possible to manage the cluster by connecting to the Shared IP and then end up on the currently active node. The base scenario of this does not work, but it is possible to solve using loopbacks. I will probably write a How-To about this when time allows.

Re: HA master/slave IPs and public IPv4/30

Posted: 21 Jan 2019, 13:39
by DexterLas
Hi Peter, the principle is the same if you have more than 3 too, right?

Re: HA master/slave IPs and public IPv4/30

Posted: 21 Jan 2019, 13:59
by fras
Hi DexterLas,

That is correct, 3 is just the minimum IPs needed.

Best Regards,
Fredrik Å

Re: HA master/slave IPs and public IPv4/30

Posted: 02 Feb 2019, 21:31
by SECOIT GmbH
Hi Peter,

Many thanks!
I wasn't aware that the Master/Slave private IP addresses can be "invalid" (in terms of not in the IP subnet as defined within "Interface -> General -> IPv4 -> Network"). So that's good to know!
Will using such an "invalid" IP address require disabling heartbeats on this interface (Option: "This will disable sending Cluster Heartbeats from this interface")?

Thanks,
Michael

Re: HA master/slave IPs and public IPv4/30

Posted: 05 Feb 2019, 09:24
by fras
Hi Michael,

It is a simple feature to use when you have access to only one public IP.
In regards to disabling the heartbeats on said interface, the answer is no.
The Clavister NetWall has a few characteristics regarding heartbeats:
  • The source IP is the interface address of the sending firewall.
  • The destination IP is the broadcast address on the sending interface.
In case, the heartbeats are handled automatically and you do not need to disable them in the interfaces.

Best Regards,
Fredrik Å