VyOS - Best practices and questions
-
@DustinB3403 said in VyOS - Best practices and questions:
So the next question I have is what if you lost your host, how would you set up the routing for a second firewall to take over and start routing the traffic?
Simple answer is... set it to the IP address of the first one in case of failure.
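On VyOS the usual way to let a second firewall "take the IP address of the first one" is VRRP, so the shared address floats to the standby automatically instead of being reassigned by hand. The following is an added example and not configuration from the thread; it assumes a VyOS release with the `high-availability vrrp` configuration tree, eth0 as the WAN interface, eth1 as the LAN interface, and made-up addresses 203.0.113.10/24 and 192.168.1.1/24 as the shared virtual addresses.

```text
# Primary firewall (assumed: eth0 = WAN, eth1 = LAN; addresses are constructed examples)
set high-availability vrrp group WAN vrid 10
set high-availability vrrp group WAN interface eth0
set high-availability vrrp group WAN virtual-address 203.0.113.10/24
set high-availability vrrp group WAN priority 200
set high-availability vrrp group WAN preempt

set high-availability vrrp group LAN vrid 20
set high-availability vrrp group LAN interface eth1
set high-availability vrrp group LAN virtual-address 192.168.1.1/24
set high-availability vrrp group LAN priority 200
set high-availability vrrp group LAN preempt

# Sync group: if either the WAN or the LAN side fails on this box,
# both groups fail over together, so traffic is never routed through a
# firewall that has lost one of its two legs.
set high-availability vrrp sync-group FW member WAN
set high-availability vrrp sync-group FW member LAN

# Standby firewall: identical, except a lower priority so it only holds
# the virtual addresses while the primary is down.
set high-availability vrrp group WAN priority 100
set high-availability vrrp group LAN priority 100
```

Each firewall keeps its own real address on eth0 and eth1; clients and the default route point only at the virtual addresses. Existing NAT sessions do not survive the switch unless conntrack-sync is configured in addition to VRRP.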
-
@DustinB3403 said in VyOS - Best practices and questions:
However the question I have is would you dedicate a physical interface on your hypervisor to be the external edge for this? And then dedicate another interface to be the internal edge?
Obviously dedicating one to the external interface and associated vSwitch is required for security. It keeps the WAN IP off of everything except the VM that is supposed to see it.
Why do something on the LAN though? All that does is make you go through a wire for other virtual machines also on the LAN. Instead they could use the native vSwitch bus and get higher speeds internally because it never goes over the wire.
@DustinB3403 said in VyOS - Best practices and questions:
What happens if you lose that external or internal interface? How would you set up fail-over for the physical interfaces?
What happens when you lose your physical edge device now? You are down until you replace it. That it is virtualized has no bearing on the actions that need to happen. A virtualized system can allow you to mitigate downtime with hardware redundancy, but why waste money on more NICs?
-
@JaredBusch The question was asked because we have BGP set up by our ISPs and I was curious if there was a reasonable way to do so internally.
Which would be iBGP apparently.
-
@DustinB3403 BGP should have nothing to do with you or any system you have on your network. That is something maintained by the ISP for their traffic. At most they will make iBGP routes for your subnets if you are connecting more than one facility through their network.
I would not want to be the ISP that lets my clients setup their own BGP routing rules.
-
@JaredBusch But you can have internal BGP, which was what I was trying to figure out.
As the scenario is given, if I have multiple ISPs feeding 1 site for fail-over reasons and I wanted to have separate firewalls, what would I have to use?
And the answer is iBGP.
-
It wasn't a question of what your internal IT team or even network administrator may configure, but a question of what would have to be configured.
Where I am currently, we have 2 ISPs feeding two separate firewalls, and the traffic from these LANs goes out their respective firewalls, unless either firewall goes offline, in which case the traffic is forwarded to the other network and then heads out from there.
But this occurs at the ISP level, and not at all at our local firewall. The ISP is checking to see if the internal firewalls are online, and if not, they reroute the traffic.
-
Here is what I would suggest.
If you're already using VMware, check to see if you're using Ent+. If so, you could replicate the vSwitches across both hosts. Also, you could replicate the VyOS VM from your active host to your passive host for a level of redundancy. I would also suggest an unmanaged switch outside of your firewall for another level of redundancy. However, this may also prove to be a security risk as well.
-
@DustinB3403 said in VyOS - Best practices and questions:
@JaredBusch But you can have internal BGP, which was what I was trying to figure out.
BGP has nothing to do with the topic as posted.
-
I think BGP has to do intricately with the OP; just because I wasn't aware of BGP as the technology used doesn't mean it wasn't what I was trying to figure out.
It's literally the last question in the OP: what do you do if you lose the physical interface for fail-over? Answer: Use BGP.
-
@DustinB3403 said in VyOS - Best practices and questions:
I think BGP has to do intricately with the OP; just because I wasn't aware of BGP as the technology used doesn't mean it wasn't what I was trying to figure out.
It's literally the last question in the OP: what do you do if you lose the physical interface for fail-over? Answer: Use BGP.
Uh, no. That assumes the ISP is what failed, not the NIC that failed on the firewall. Those are two different things.