Firewall cluster Active/Active

[Asir]

I'm not sure if there is the correct site to explain this case.

I want to make a firewall cluster with load balance and High Availability. I thought to use Proxmox for the cluster and make 2 nodes for the load balance and 2 more for the HA.

The problem is, how can I make the load balance?

I thought make an LACP or some tecnique that can balance the entered traffic on the switch previus to the nodes. But i'm not sure that's possible. Has proxmox any solution to cases like this?

Do you know if anybody have ever try something like that?

Thanks, and sorry for my english

 

[guletz]

Hi,

Ucarp can be used for HA on any linux OS(Proxmox included). For load balance tcp can be used haproxy.

 

[Asir]

Hi,

Ucarp can be used for HA on any linux OS(Proxmox included). For load balance tcp can be used haproxy.

Thanks for Reply.

It's possible to use haproxy to make a firewall using iptables? I heard that haproxy it's just for webs servers (or traffic from port 80).

 

[guletz]

I heard that haproxy it's just for webs servers (or traffic from port 80).

HAproxy can be use for ANY appl who use tcp!

 

[Asir]

HAproxy can be use for ANY appl who use tcp!

Okay, I will try it and post the results

Thanks!

 

[Asir]

I have a firewall on two nodes but, I can't find the method to balance the traffic between that two nodes using HAproxy. I tried the HAProxy with 2 apache nodes and it works.

I asked on a HAproxy community and they told me that the HAProxy is not a forwarding proxy, but a reverse proxy, and that's I need. I not pretty sure thats I need, but...I can't find a way to balance the traffic.

Any idea? Thanks a lot

 

[guletz]

Hi,

Like I said, you can make a load-balancing system with HAproxy for any TCP services, see a snippet:

listen haproxy_server
        bind *:2424
        mode tcp
        option tcplog
        timeout client  10800s
        timeout server  10800s
        balance leastconn
        server r1 NODE1:1234
        server r2 NODE2:1234

In this example, clients will connect on balancer with TCP/port 2424, and they will be balanced bethen NODE1 and 2 using TCP but with port 1234. But this tcp ports could be the same(2424 instead of 1234).

 

[Asir]

Thanks, I'll try it!
I'm a bit lost. So, if want to balance all connections, I'll have to include all the services that i want to balance to the firewalls? for example for ssh bind *:22, for webs bind *: 80, etc?

 

[guletz]

Thanks, I'll try it!
I'm a bit lost. So, if want to balance all connections, I'll have to include all the services that i want to balance to the firewalls? for example for ssh bind *:22, for webs bind *: 80, etc?

Yes.

 

[spirit]

AFAIK, the only way to balance the inbound traffic to both firewall at the same time, is to use ecmp + bgp from your upstream router.
and you need a pair of firewall with bidirectionnal sync of sessions/conntrack.

It's really simpler to use active/passive HA firewall, with a floating vip for example.

Or use the proxmox firewall

 

[guletz]

Hi @spirit ,

.... your suggestions are valid as usual. But take in account the user experience; )

 

[Asir]

I'm trying the HAproxy option and..it doesn't work.

I'm not sure if i apply the correct configuration.

If any user want to acces to Youtube for example, I need to do something like this, didn't?:

listen haproxy_server
        bind *:80
        mode tcp
        option tcplog
        balance leastconn
        server r1 NODE1:1234
        server r2 NODE2:1234

But that's not balance work to me. If I select one by one the nodes to use like firewall, they work fine. But if I set this like the gateway it doesn't balance. Where did I make mistake?

 

[guletz]

Where did I make mistake?

Is no mistake on the haproxy confic. Double check your backends and their port number. Also, you could enable haproxy logs, so you can see all requests are go to haproxy. Check if you can create a connection from haproxy host to any of haproxy backends(telnet NODE1/2 1234)

 

[Asir]

When I'm trying to connect with telnet it prints "Connection refused".

I opened that port with iptibles before.

If I use other port like 80, the machine will not act like an firewall, didn't?

 

[guletz]

Hi @Asir,

I opened that port with iptibles before.

Check again your iptables then!

If I use other port like 80, the machine will not act like an firewall, didn't?

Depend what you mean with "act like an firewall". For me a firewall is "something" that will enforce some rules/ACLs that permit or block some type of traffic. So in this case if you BLOCK anything(comming from internet) except the INPUT to HAproxy host on port 80 then you have a firewall.

Good luck

 

[Asir]

I mean that the iptables configuration of these node act like the native iptables configuration of the other machines.

 

[guletz]

Take a look here !