Best OS choice for HA fw/router pair

2012-04-30
2013-03-05
  • We're setting up a pair of servers as an active/active failover pair firewall and router.   From the standpoint of stability, ease of maintenance, etc, and the fact that we are free to start from scratch, what would YOU choose as the operating system platform, between OpenBSD and say 6.2 LInux?   I saw claims made back in 2008 or so that PF on OpenBSD was much better than iptables, but wondering if that is still true? 

    The plan is to have each fw host dedicated to a specific set of subnets, but each would be able to handle all subnets in case  the other failed. 

    Thanks for any insight, caveats, encouragement, etc.

      - ddj
    Dave Johnson
    Brown University CCV

     
  • Mike Horn
    Mike Horn
    2012-05-01

    I think it really depends on what OS you are most comfortable with.  Linux HA pairs are probably a bit more complex since you have to integrate several components like keepalived and conntrackd together yourself, but there are a number of examples to work from.  Here's a Linux Journal article about setting this up:

    http://www.linuxjournal.com/article/10964

    If you are already comfortable with BSD the HA config tends to be a bit simpler IMHO.  Also, we recently had a university switch from Linux iptables to PF on OpenBSD for performance reasons.  They claimed to get about 30% more throughput on the same hardware when they switched from Linux to BSD, but I don't know the specifics.

    As for encouragement, good luck!

     
  • Thanks for the reply. I downloaded OpenBSD and found that it does not support the 10 Gig Ethernet cards we own. We need support for Chelsio (4 port cards) and Mellanox T4 (2 port cards).  Intel is supported but no 4 port available.

    Plan is to go back to Linux.  Problem is, though we understand how to nail down interface names to individual cards and ports on rhel5, EL6.2 is refusing to behave.  Turned off NetManager control, reordered the ifconfig files, checked and rechecked the Mac addresses, etc.  eth0 disappears, modprobe info is completely ignored. I want the built-in ports (LOM) to be eth0 and 1, not 4 and 5.  Any suggestions?

     
  • To answer my own question, it seems that there is some internal kernel data that gets munged when the drivers are loaded and  brought up that persists despite removing and reloading the NIC driver modules.  Rebooting the machine allowed the modprobe information to control which driver owned which eth numbers, without renaming interfaces in the process.

    • ddj