VyOS - Best practices and questions
-
So, as the topic asks, what is best practice for VyOS (or any software firewall)? As displayed on the VyOS website, there are several videos where the subject matter is operated in a virtual machine.
This is normal and expected.
However the question I have is would you dedicate a physical interface on your hypervisor to be the external edge for this? And then dedicate another interface to be the internal edge?
What happens if you lose that external or internal interface? How would you set up fail-over for the physical interfaces?
-
Would it be better to pair several interfaces together so you have redundancy should any single interface fail?
-
Most likely you wouldn't need the performance of 2 or 4 bonded GbE pairs for an external edge; same goes for the internal.
Unless you had some really awesome internet performance.
The added reliability of the bonded pairs is what you'd be looking for the most, right?
-
Anytime a production system has a dedicated interface, the expectation is that it is bonded or teamed for failover, if not load balancing.
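For reference, here is what the bonded-and-dedicated layout described above looks like in VyOS configuration. This is an added example, not something posted in the thread: the interface names (eth0-eth3), bond names and the addresses (RFC 5737 documentation ranges) are constructed, and the command syntax assumes VyOS 1.3-style `set` commands. Each edge gets its own bond built from two dedicated physical NICs, in `active-backup` mode so that one NIC failing does not take the edge down and the upstream switch needs no LACP configuration.

```vyos
# --- External edge: two dedicated NICs bonded for failover only ---
# (bond0, eth0/eth1 and 203.0.113.0/24 are constructed example values)
set interfaces bonding bond0 description 'WAN - external edge'
set interfaces bonding bond0 mode 'active-backup'
set interfaces bonding bond0 primary 'eth0'
set interfaces bonding bond0 mii-mon-interval '100'
set interfaces bonding bond0 member interface 'eth0'
set interfaces bonding bond0 member interface 'eth1'
set interfaces bonding bond0 address '203.0.113.2/24'

# --- Internal edge: a separate bond on its own pair of NICs ---
# Never the same team as the WAN: the two edges stay on different
# physical ports and different vSwitches/bridges on the hypervisor.
set interfaces bonding bond1 description 'LAN - internal edge'
set interfaces bonding bond1 mode 'active-backup'
set interfaces bonding bond1 primary 'eth2'
set interfaces bonding bond1 mii-mon-interval '100'
set interfaces bonding bond1 member interface 'eth2'
set interfaces bonding bond1 member interface 'eth3'
set interfaces bonding bond1 address '192.168.1.1/24'

# Default route out the WAN bond (next hop is a constructed value)
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1

commit
save
```

After `commit`, `show interfaces bonding` lists both bonds and their member state; pulling the cable on the primary member of either bond should leave the bond up on the remaining member, which is the failure case the question is about. `802.3ad` is the mode to use instead if the switch side is an LACP port-channel and throughput matters more than simplicity.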
-
@scottalanmiller That is what I assumed as well (bonded or teaming), and the only way to do that is to dedicate the interfaces for that purpose.
No way around it, right?
It's not as if you'd team every interface on a server into a single "team" and then dole out the single interface from that, to be the external, internal and whatever else you might need.
-
@DustinB3403 said in VyOS - Best practices and questions:
@scottalanmiller That is what I assumed as well (bonded or teaming), and the only way to do that is to dedicate the interfaces for that purpose.
No way around it, right?
It's not as if you'd team every interface on a server into a single "team" and then dole out the single interface from that, to be the external, internal and whatever else you might need.
No, and you can't really team above four interfaces, anyway.
-
So the next question I have is what if you lost your host, how would you set up the routing for a second firewall to take over and start routing the traffic?
Or a better question: what would be the best way to set up fail-over to another firewall?
-
Wow - these are really high end business questions.
I only have one firewall in my office, I've never had more. Perhaps considering costs of the ER series it might be worth considering a cold spare on the shelf for just such a situation.
In most of our cases here, I would assume a single LAN interface would be sufficient. If it fails, you log into the host and reconfigure it for a new LAN connection to the outside.
As for the inside, why would it need a dedicated port out of the box? Again, in most of our cases the vSwitch will probably be on the same network as everything else on the network, so you point the inside interface at that vSwitch, and the vSwitch has a bonded/teamed pair of LAN connections.
Of course, if you're a huge company or can't afford downtime (as in really can't and it's worth the spend to not have any), then money isn't the issue, and you can afford to do what is required for a higher level of up time.
-
@DustinB3403 said in VyOS - Best practices and questions:
So the next question I have is what if you lost your host, how would you set up the routing for a second firewall to take over and start routing the traffic?
Simple answer is.... set it to the IP address of the first one in case of failure.
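The "take over the IP address of the first one" approach can be done automatically in VyOS with VRRP, which the thread does not name but which is the mechanism that does exactly this. The following is an added example, not something posted here: the group names, VRIDs, interfaces and addresses are constructed, and the syntax assumes VyOS 1.3-style `set` commands. Each firewall keeps its own real address on the LAN and WAN interfaces, and the shared addresses that clients and the ISP use are virtual addresses that move to whichever firewall is alive. The same commands go on both firewalls; only the real addresses and the `priority` differ.

```vyos
# --- Firewall A (the normal active unit) ---
# Real addresses on this unit (constructed values); firewall B would
# use 192.168.1.3 and 203.0.113.4 on the same interfaces.
set interfaces ethernet eth0 address '203.0.113.3/29'
set interfaces ethernet eth1 address '192.168.1.2/24'

# LAN side: the gateway address clients point at is the virtual one
set high-availability vrrp group LAN-HA vrid '10'
set high-availability vrrp group LAN-HA interface 'eth1'
set high-availability vrrp group LAN-HA virtual-address '192.168.1.1/24'
set high-availability vrrp group LAN-HA priority '200'

# WAN side: the address the ISP routes to is the virtual one
set high-availability vrrp group WAN-HA vrid '20'
set high-availability vrrp group WAN-HA interface 'eth0'
set high-availability vrrp group WAN-HA virtual-address '203.0.113.2/29'
set high-availability vrrp group WAN-HA priority '200'

# Fail both sides over together, so traffic never enters one firewall
# on the LAN and has no WAN address to leave from
set high-availability vrrp sync-group FW-SYNC member 'LAN-HA'
set high-availability vrrp sync-group FW-SYNC member 'WAN-HA'

commit
save

# --- Firewall B differs only in its real addresses and a lower priority ---
# set interfaces ethernet eth0 address '203.0.113.4/29'
# set interfaces ethernet eth1 address '192.168.1.3/24'
# set high-availability vrrp group LAN-HA priority '100'
# set high-availability vrrp group WAN-HA priority '100'
```

`show vrrp` on either unit shows which one currently holds the virtual addresses. This covers the "lost the host" case in the question without involving the ISP at all: the ISP only ever sees the one shared WAN address, so it needs no BGP or re-routing to notice the switch.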
-
@DustinB3403 said in VyOS - Best practices and questions:
However the question I have is would you dedicate a physical interface on your hypervisor to be the external edge for this? And then dedicate another interface to be the internal edge?
Obviously dedicating one to the external interface and associated vSwitch is required for security. It keeps the WAN IP off of everything except the VM that is supposed to see it.
Why do something on the LAN though? All that does is make you go through a wire for other virtual machines also on the LAN. Instead they could use the native vSwitch bus and get higher speeds internally because it never goes over the wire.
@DustinB3403 said in VyOS - Best practices and questions:
What happens if you lose that external or internal interface? How would you set up fail-over for the physical interfaces?
What happens when you lose your physical edge device now? You are down until you replace it. That it is virtualized has no bearing on the actions that need to happen. A virtualized system can allow you to mitigate downtime with hardware redundancy, but why waste money on more NICs?
-
@JaredBusch The question was asked because we have BGP set up by our ISPs and I was curious if there was a reasonable way to do so internally.
Which would be iBGP apparently.
-
@DustinB3403 BGP should have nothing to do with you or any system you have on your network. That is something maintained by the ISP for their traffic. At most they will make iBGP routes for your subnets if you are connecting more than one facility through their network.
I would not want to be the ISP that lets my clients setup their own BGP routing rules.
-
@JaredBusch But you can have internal BGP, which was what I was trying to figure out.
As the scenario is given, if I have multiple ISPs feeding one site for fail-over reasons and I wanted to have separate firewalls, what would I have to use?
And the answer is iBGP.
-
It wasn't a question of what your internal IT team or even network administrator may configure, but a question of what would have to be configured.
Where I am currently, we have 2 ISPs feeding two separate firewalls, and the traffic from these LANs goes out their respective firewalls, unless either firewall goes offline, in which case the traffic is forwarded to the other network and then heads out from there.
But this occurs at the ISP level, and not at all at our local firewall. The ISP is checking to see if the internal firewalls are online, and if not they reroute the traffic.
-
Here is what I would suggest.
If you're already using VMware, check to see if you're using Ent+. If so, you could replicate the vSwitches across both hosts. Also, you could replicate the VyOS VM from your active host to your passive host for a level of redundancy. I would also suggest an unmanaged switch outside of your firewall for another level of redundancy. However, this may also prove to be a security risk as well.
-
@DustinB3403 said in VyOS - Best practices and questions:
@JaredBusch But you can have internal BGP, which was what I was trying to figure out.
BGP has nothing to do with the topic as posted.
-
I think BGP has to do intricately with the OP; just because I wasn't aware of BGP as the technology used doesn't mean it wasn't what I was trying to figure out.
It's literally the last question in the OP: what do you do if you lose the physical interface, for fail-over? Answer: Use BGP.
-
@DustinB3403 said in VyOS - Best practices and questions:
I think BGP has to do intricately with the OP; just because I wasn't aware of BGP as the technology used doesn't mean it wasn't what I was trying to figure out.
It's literally the last question in the OP: what do you do if you lose the physical interface, for fail-over? Answer: Use BGP.
Uh, no. That assumes the ISP is what failed, not the NIC that failed on the firewall. Those are two different things.