Clustering

From securityrouter.org, an OpenBSD-based firewall
Revision as of 14:51, 20 December 2011 by Anders

Clustering and high availability is a concept that spans a broad range of features within the router. This document is divided into sections targeting different audiences.

Zero-configuration clustering

For administrators who wish to deploy two routers in a high availability cluster with as little manual intervention as possible, zero-configuration clustering is a very good start. Its main characteristics are:

  • It works both on new deployments (starting with two routers) and existing deployments (adding a secondary router)
  • It automatically converts the configuration, although some manual adjustments might be necessary depending on its complexity
  • It only requires one WAN (Internet) IP address, shared by both routers
  • The routers communicate over a cluster synchronization interface, which by default is the last (highest number) Ethernet interface

Manual clustering

For more flexibility, the clustering can be configured manually.

Clustering with unique addresses

Normally, routers share only one address per interface. One disadvantage of that approach is that it's difficult to reach the routers separately. They do not have their own unique addresses. To use both shared and unique addresses, consider the following configuration:

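# master router
interface em0 {
   group "wan"
   # unique address, with the actual mask of the network
   address 212.37.18.195/27
   interface carp0 {
      # shared address, /32
      address 212.37.18.194/32
   }
   route default 212.37.18.193
}
# backup router
interface em0 {
   group "wan"
   # unique address, with the actual mask of the network
   address 212.37.18.196/27
   interface carp0 {
      # shared address, /32
      address 212.37.18.194/32
      # higher advskew than the master, so this router stays backup while the master is up
      advskew 100
   }
   route default 212.37.18.193
}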

In the above example, routers 1 and 2 have their own unique addresses (.195 and .196) as well as the shared address (.194). Note the prefix lengths (masks): it's recommended to use /32 on the shared address, and the actual mask (/27 in this case) on the unique addresses (as described on the addressing page). In this way, routing works even when a router is in backup mode.
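
The addressing advice above can be checked mechanically before a cluster pair is deployed. The following Python sketch is an added example, not code from securityrouter.org: it parses only the `interface`/`address` subset of the syntax shown on this page, the names `TEMPLATE`, `parse_addresses` and `check_pair` are hypothetical, and the sample configuration is constructed from the page's addresses.

```python
import ipaddress
import re

# Constructed sample input: the page's em0/carp0 layout with its addresses.
TEMPLATE = """interface em0 {{
   group "wan"
   address {unique}
   interface carp0 {{
      address {shared}
   }}
   route default 212.37.18.193
}}"""
MASTER = TEMPLATE.format(unique="212.37.18.195/27", shared="212.37.18.194/32")
BACKUP = TEMPLATE.format(unique="212.37.18.196/27", shared="212.37.18.194/32")

def parse_addresses(config):
    """Map interface name -> addresses; handles only the nesting shown on the page."""
    stack, found = [], {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        opened = re.fullmatch(r"interface\s+(\S+)\s*\{", line)
        if opened:
            stack.append(opened.group(1))
            found.setdefault(opened.group(1), [])
        elif line == "}" and stack:
            stack.pop()
        elif line.startswith("address ") and stack:
            found[stack[-1]].append(ipaddress.ip_interface(line.split()[1]))
    return found

def check_pair(master, backup, phys="em0", carp="carp0"):
    """Return a list of findings; an empty list means the pair follows the advice."""
    findings, shared, unique = [], [], []
    for name, cfg in (("master", master), ("backup", backup)):
        addrs = parse_addresses(cfg)
        if len(addrs.get(phys, [])) != 1 or len(addrs.get(carp, [])) != 1:
            findings.append(f"{name}: expected one address on {phys} and on {carp}")
            continue
        own, vip = addrs[phys][0], addrs[carp][0]
        if vip.network.prefixlen != vip.network.max_prefixlen:
            findings.append(f"{name}: shared address {vip} is not a host route (/32)")
        if vip.ip not in own.network:
            findings.append(f"{name}: shared {vip.ip} is outside {own.network}")
        shared.append(vip.ip)
        unique.append(own.ip)
    if len(set(shared)) > 1:
        findings.append("shared address differs between routers")
    if len(unique) != len(set(unique)) or set(unique) & set(shared):
        findings.append("unique addresses collide with each other or the shared one")
    return findings
```

Calling `check_pair(MASTER, BACKUP)` returns an empty list for the configuration on this page; a shared address written with /27 instead of /32 is reported as a finding.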