I'm hoping I can get some confirmation on my intended topology/config before wasting a lot of time.

I have a dual wan clear box with many subnets, via some quad nics, running nicely. Multiple subnets are to layout framework for VM clustering, web server, maintenance, storage array, etc., and I'd like to make a twin Clear box with the same IP settings incrementing each card's IP address by one, for failover/redundancy.

I expect something like

              WAN1       WAN2       LAN1          LAN2          LAN3
Clear box 1   x.x.1.1    x.x.2.1    192.168.1.1   192.168.2.1   192.168.3.1
Clear box 2   x.x.1.2    x.x.2.2    192.168.1.2   192.168.2.2   192.168.3.2

This seems the best way to me. I realize dhcp will need to be mapped or off. I've seen manual specification of multiple gateways in windows tcpip, but am I setting myself up for issues?
Wednesday, February 05 2020, 06:08 PM
Responses (5)
  • Accepted Answer

    Wednesday, February 05 2020, 08:36 PM
    Have a look in the knowledgebase for ClearBOX articles. There is a wealth of information including HA. I have relatively little experience of it and have only really seen it with one customer, and I seem to remember the command to make it fail over was a little different to what I've briefly seen here.

    When you do something like this there are files you'll want to regularly sync across such as the firewall, DNS leases, DNS reservations and other key configuration files. You may want to think about that.

    If you don't want to go that far, you can, for example, configure each LAN NIC with a real IP like you describe, but on the active firewall configure a virtual IP as well, such as 192.168.1.3, and use this as your gateway IP for your LAN devices. Then if you want to fail over, you can move the virtual IP from one ClearBOX to the other and it will take over. No need for LAN devices to reset their networking.

    BTW, 192.168.1.0/24 is not a nice LAN if you ever want VPN access.
  • Accepted Answer

    Wednesday, February 05 2020, 09:16 PM
    Thanks for the feedback. It's a pretty general question, and I'm surely biting off more than fits my experience. I haven't found much at all, in the kb or community forum section, but I'm still picking through it.

    The point that I'd be configuring two routers and need to keep them in sync as I go is significant, but my clear install is quite basic, with much of what I'm doing specified more or less out of the box with nic types (lan, hotlan, dmz, etc). I suspect I can backup my config and restore it onto the second box with very little fiddling. I'm hoping I can continue with windows AD handling dhcp and dns on my user LAN, where I can specify multiple default gateways via dhcp. The rest of the subnets/IPs would be static IPs and not need dhcp or dns that I can tell. Things are congealing a bit I think. The key config files you mention would be caught by a config backup/restore surely?

    The part of your reply that makes me itch is the idea of having to command failover. My thought is that they are both up and running, so there would be two gateway IPs on each subnet. If the computers on a given subnet are aware of the two gateways and one gateway goes down, what would I be commanding to achieve the hoped failover/redundancy?

    Please explain the issue with vpn on 192.168.0.x. I think I have one running on 0 currently, but don't recall anything squirrely.
  • Accepted Answer

    Thursday, February 06 2020, 08:41 AM
    You probably want this document and this document but they largely overlap.

    When I've seen it done, the LAN NICs were connected to a couple of Cisco switches which were bonded somehow, as were the LAN NICs, but I've no idea about the Cisco side of it. This meant that if one switch went down the other would automatically take over. The major difference, I think, is that all the LANs were handled by VLANs rather than separate physical LAN segments coming into the servers.

    If your DNS and DHCP are handled by AD then you don't have to worry about the failover of that part of the system. A backup and restore would not really help you for failover as it is too slow. Also I've no idea how it plays with AD, but I'm not sure there is much of an issue.

    With respect to subnets, 192.168.0.x and 192.168.1.x (and, to an extent, 192.168.2.x) are best avoided as they are very common in domestic routers. If you ever want a VPN connection to your system, a prerequisite is that the LAN you are connecting in from and your system LAN are on different subnets. If they are on the same subnet then you will connect but no traffic will pass. Using 192.168.0.x or 192.168.1.x on your LAN massively increases your chances of a subnet clash.
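    A plan-checking script, added here as an example and not taken from the thread or from ClearOS: it takes the addressing table from the original question plus the virtual-gateway idea from the first reply, and flags the failure modes raised in the replies: a NIC whose two box addresses are not in one subnet, a VIP outside its subnet or sitting on a box's real address, subnets that overlap each other, and a clash with the LAN a VPN client connects in from. The WAN addresses, the VIPs for LAN2/LAN3 and the remote client LAN are assumed values.

```python
import ipaddress

# Planned addressing from the table above. The WAN "x.x." octets are not given in
# the thread, so constructed documentation-range addresses stand in for them.
PLAN = {
    "WAN1": ("203.0.113.1", "203.0.113.2", 24),
    "WAN2": ("198.51.100.1", "198.51.100.2", 24),
    "LAN1": ("192.168.1.1", "192.168.1.2", 24),
    "LAN2": ("192.168.2.1", "192.168.2.2", 24),
    "LAN3": ("192.168.3.1", "192.168.3.2", 24),
}
# Virtual gateway IPs held by whichever box is active (assumed, following the
# 192.168.1.3 suggestion above; LAN devices point their default gateway here).
VIPS = {"LAN1": "192.168.1.3", "LAN2": "192.168.2.3", "LAN3": "192.168.3.3"}


def check_plan(plan, vips, remote_lans=()):
    """Return a list of problems; empty means the plan is internally consistent.

    remote_lans: CIDRs that VPN clients may connect in from (e.g. a home LAN).
    """
    problems = []
    nets = {}
    for name, (ip1, ip2, prefix) in plan.items():
        a = ipaddress.ip_interface(f"{ip1}/{prefix}")
        b = ipaddress.ip_interface(f"{ip2}/{prefix}")
        if a.network != b.network:
            problems.append(f"{name}: {ip1} and {ip2} are not in one subnet")
        nets[name] = a.network
        if name in vips:
            v = ipaddress.ip_address(vips[name])
            if v not in a.network:
                problems.append(f"{name}: VIP {v} is outside {a.network}")
            elif v in (a.ip, b.ip):
                problems.append(f"{name}: VIP {v} collides with a box's real IP")
    # Subnets on the firewall must not overlap each other...
    names = list(nets)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if nets[x].overlaps(nets[y]):
                problems.append(f"{x} and {y} overlap: {nets[x]} vs {nets[y]}")
    # ...nor the LAN a VPN client dials in from, or the tunnel comes up but
    # no traffic is routed through it (the clash described in the reply above).
    for r in remote_lans:
        rn = ipaddress.ip_network(r, strict=False)
        for name, n in nets.items():
            if name.startswith("LAN") and n.overlaps(rn):
                problems.append(f"VPN client LAN {rn} clashes with {name} {n}")
    return problems
```

    Calling check_plan(PLAN, VIPS, remote_lans=["192.168.1.0/24"]) reports the clash a typical home-router LAN would cause with LAN1, while the plan on its own passes clean.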
  • Accepted Answer

    Thursday, February 06 2020, 02:59 PM
    Oh dang, didn't expect and hadn't seen clear clustering, "ClearBOX" being key. Sorry, thank you. While I believe I've used conflicting ideas here (failover in the title vs redundant in my thinking), I'd like to continue the thinking with my first plan of parallel redundancy. The intent is/was to have them both running all the time as active gateways. If they were running LDAP for me or handling AD, grappling with setting up clustering might make sense to me. That may happen some day.

    I guess my desired knowledge is general networking, specifically dual gateways. I thought others may have done this with clear. Indeed, you improved my plan.

    When talking about backup/restore, I merely meant for setup of matching boxes.

    The VPN foresight is great.
  • Accepted Answer

    Thursday, February 06 2020, 10:00 PM
    I can't really help with a dual-headed network. I have no experience of it. You will probably need to sync your certificates, or at least the system certificates, if you ever plan to use OpenVPN on the gateway. If you ran Business with Master/Slave for the directory, this would be done for you. A config backup and restore may well work as long as all your NIC designations were the same. Otherwise your firewall could potentially end up in a mess. If you do run a directory on the gateway, I don't think backup and restore is a good way of syncing the directory.