HA firewall setup, 1 ISP, static IP

Hello, I am looking for some guidance. I would like to configure an HA firewall setup. I’m mostly confused on how I should go about this. I’ve read some other forums online but most examples have 2 ISP connections with 2 switches before the firewall. Is it possible to have 1 ISP IP > switch > 2 firewalls? What type of switch do you use and how would you configure it?

2 Likes

Just use any old switch, plug the ISP in one port, and the WAN connections of the firewalls in the other ports. If it’s a managed switch ensure they’re all on the same vlan. This configuration is very common.

The hard bit is done by your firewall, moving the ‘active’ port between the ports. Either through smart HA, or a first-hop redundancy protocol (VRRP/HSRP/CARP/etc). Though PPP can make this a little harder, depending on the exact firewall model.

In small businesses it’s also not uncommon to use the core switch for this functionality, especially when virtual firewalls are involved. All the “unsafe” internet traffic is kept in the WAN vlan, so it can’t interact with the “safe” internal vlans. However it’s better to use a dedicated switch if possible.

2 Likes

Right, but what about the WAN IP for each firewall. For example, the ISP IP is 1.1.1.1. Would I just set the IPs of my 2 firewalls to 1.1.1.2-3, and use the virtual HA port with the IP of 1.1.1.1?

To answer that we need to know what type of WAN connectivity you have …

  • are you using pppoe?
  • if not and have been given a routed static IP, what netmask have you been assigned?

If you’re using IPoE (static IP or DHCP) it’s usually pretty easy.

Some firewalls have a dedicated HA state (like a Cisco ASA), and they’ll automatically move the IP to the active firewall. This will just work.

Some other firewalls rely on a FHP protocol like VRRP (like OpnSense). Here you’ll either use dummy private IPs, or a linked state with another interface. DHCP is harder in this setup.

And PPP … well that depends a lot on the exact firewall you’re using.

It’s a static IP from Frontier Business. /29 netmask.

Ok … one more … what firewall are you using/planning on using?

2 Untangle firewalls. There is a setup guide for HA/WAN failover but they use 2 ISPs.

That means your ISP has allocated 8 IPs to your WAN, of which 6 should be usable/routed to you.

So, using your example:

❯ ipcalc 1.1.1.1/29
Address:   1.1.1.1              00000001.00000001.00000001.00000 001
Netmask:   255.255.255.248 = 29 11111111.11111111.11111111.11111 000
Wildcard:  0.0.0.7              00000000.00000000.00000000.00000 111
=>
Network:   1.1.1.0/29           00000001.00000001.00000001.00000 000
HostMin:   1.1.1.1              00000001.00000001.00000001.00000 001
HostMax:   1.1.1.6              00000001.00000001.00000001.00000 110
Broadcast: 1.1.1.7              00000001.00000001.00000001.00000 111
Hosts/Net: 6                     Class A

Your WAN default gateway would be 1.1.1.1, you would be using address 1.1.1.2 for your single firewall setup, and 1.1.1.7 would be reserved for broadcast.

That means that 1.1.1.3 to 1.1.1.6 should be available to you for use as well, unless your ISP is firewalling them …
I would try to check if that is the case by assigning some WAN aliases to my single firewall and trying to ping them from an external connection (after allowing ICMP to that IP in the firewall rules).
If you are able to use them, then you can use CARP/VRRP to set up high availability of up to 3 IPs:

  • 1.1.1.1 - WAN default gateway
  • 1.1.1.2 - your main static IP, to be switched using CARP/VRRP
  • 1.1.1.3 - FW1 WAN IP
  • 1.1.1.4 - FW2 WAN IP
  • 1.1.1.5-1.1.1.6 - to be used as additional IPs

You will need to set up CARP/VRRP on all internal LANs as well, and make sure the internal default gateways follow the WAN ip when it is switched between firewalls …

3 Likes
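As an added illustration of the address plan above (constructed for this page, not from the thread and not Untangle’s own configuration format, which is set through its UI), here is a keepalived VRRP configuration for FW1 using the same /29 layout. The vrrp_sync_group is what makes the internal gateway VIP fail over together with the WAN VIP; the interface names eth0/eth1, the LAN addressing 192.168.1.x/24 and the router IDs are assumptions.

```conf
# keepalived.conf on FW1 (constructed example).
# FW2 uses the same file with "state BACKUP" and "priority 90".
global_defs {
    router_id fw1
}

# Tie the WAN and LAN instances together: when one fails over, both move,
# so the internal default gateway always sits on the firewall that owns 1.1.1.2.
vrrp_sync_group G_FW {
    group {
        VI_WAN
        VI_LAN
    }
}

vrrp_instance VI_WAN {
    state MASTER
    interface eth0            # WAN; real IP 1.1.1.3/29 on FW1, 1.1.1.4/29 on FW2
    virtual_router_id 51
    priority 100
    advert_int 1
    virtual_ipaddress {
        1.1.1.2/29            # the ISP-facing IP that follows the active firewall
    }
}

vrrp_instance VI_LAN {
    state MASTER
    interface eth1            # LAN; real IP e.g. 192.168.1.3/24 (assumed)
    virtual_router_id 52
    priority 100
    advert_int 1
    virtual_ipaddress {
        192.168.1.1/24        # internal default gateway VIP (assumed addressing)
    }
}
```

On failover keepalived sends gratuitous ARP for 1.1.1.2, so the ISP gateway’s ARP entry updates; the firewalls’ WAN rules must still allow VRRP (IP protocol 112 to 224.0.0.18) between FW1 and FW2 on the WAN VLAN.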

“There is zero state sharing between Untangle NGFW servers. The session tables are separate, so sessions will be reset if the slave takes over. Furthermore, application data is not shared or synchronized between servers.”

It appears that the HA functionality on untangle is only VRRP, there is no connection state syncing. In this day and age that’s pretty disappointing. Every time you have a failover there will be a disruption to your traffic (impact depends a lot on what protocols and applications you’re using).

2 Likes

You were looking at the wrong docs?
https://wiki.untangle.com/index.php/Network_Configuration#VRRP

1 Like

Thank you for your help!

1 Like

Thank you for your help. I must have missed or skimmed over that page…

2 Likes

I would STRONGLY recommend, as in, take extreme care, that the switch has all the latest and greatest security patches installed. If that switch goes EOL, it gets kicked out the same day as the announcement is made. Disable all but the local RS232 management port, etc.
Because an attacker sitting in there will possibly be your end.

One other question: I don’t need a smart switch, correct? Or at least something with basic management, “preferably out of band management”?

Well, would a dumb switch be ideal? Or at least out of band management?

The main attack surface on a layer 2 vlan is layer 2 frames. Internet hosts can’t send layer 2 frames to the switch over the internet, only layer 3 packets which the switch will simply treat as a payload of the ethernet frame. So there is no security risk here.

It’s only an issue if the switch has an IP on the WAN vlan (which it shouldn’t). And then you just chuck an access list on the SVI.

1 Like

Probably, maybe?
All features the hardware does not have cannot be abused.

You may handle it differently, I would lock the thing down until it only does switching.

Personally I’d prefer a managed switch for the monitoring (with an SNMP monitoring system). It also means you can set up port mirrors of your WAN traffic for troubleshooting or some kind of IDS/IPS.

You just need to ensure it’s configured securely by using a separate VLAN for management. Out of band management is best practice, though not required.