HA firewall setup, 1 ISP, static IP

Yes I need to understand what is and is not a security risk, otherwise my job would be impossible. Your ISP will be using lots of switches in their infrastructure, almost certainly all managed switches with management enabled. Depending on the setup, they may even be using SNMP to do your port billing too.

For this specific use case (redundant WAN that needs to be physically isolated from the rest of the network but still needs to be monitored, and a reasonable budget) we usually suggest the Mikrotik CRS305.

It is 130EUR, has oob management, supports 1/2.5/5/10Gbit transceivers if needed and has redundant power supply …
If you only need 1Gbit the SFP transceivers are 20EUR a pop, so you end up spending less than 200EUR for a dedicated and reliable and manageable solution …

Right, ok, that was going to be my go-to for this use case.

Years ago I wrote this wiki based on the setup I was using at home at the time [OpenWrt Wiki] High availability

I haven’t used this setup in a while, but I know other folks actively use it for their small businesses or homes and sometimes they update the wiki.

keepalived is what implements VRRP, and conntrackd is what can sync linux firewall state which in turn helps TCP survive the IP failover from one host to another. What terminates your TCP should be redundant too, and that’s generally not sync-able.

What’s your use case?

My boss wanted more redundancy for our small business and bought 2 Untangle NG firewalls. I'm more familiar with pfSense but he wanted the contracted support that Untangle offers and the ease of use. I anticipate that it will collect dust but it's what he wanted. It will be nice to be able to update during the day while I'm there if something happened.

The documentation for Untangle states that firewall connection state isn’t shared between firewalls. So when you fail over between firewalls there may be a small disruption in the internet connection. pfSense (and basically every other firewall) has connection state syncing, and wouldn’t have this problem. But you should set it up and see if it’s actually a problem for you; most things are pretty resilient these days.

Yay impulsive buys by the head of a small company, glad it doesn’t happen all the time >_>

Yeah, it's not my money but :man_shrugging:

Quick note. Just because you have a certain netmask doesn’t mean you are assigned all IPs in that subnet. I see /24s on Verizon Fios here a lot. That doesn’t mean you have 253 IPs at your disposal. Granted, a /29 is much more likely to mean that you have the whole subnet, but check with the ISP to be sure. Usually the additional addresses will be a line item on the bill.

I have no idea about Untangle, but in cases where you only have a single IP and want to use CARP, you can use a link local subnet on the individual interfaces and assign the public IP to the CARP interface. The participating host interfaces do need IPs to negotiate CARP, so at least 3 addresses are required. But only the CARP IP needs to actually route anywhere.

You can set up a dedicated switch for this purpose or use your existing switching infrastructure if you assign the WAN ports to a dedicated VLAN. If you’re not confident with VLANs, then stick with a dedicated switch as there is a real security risk to misconfiguring it.
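
The two posts above (keepalived/VRRP plus conntrackd for state sync, and putting the members on link-local addresses with the single public IP only on the failover address) can be combined on Linux, where keepalived's VRRP instance plays the role of the CARP interface. The following configuration is an added example, not from the OpenWrt wiki or any of the posters; every interface name and address in it is constructed (WAN on eth0, ISP gateway 203.0.113.1, the one purchased public address 203.0.113.10/29, a dedicated sync link on eth2), and the conntrackd notify script path is an assumption (conntrack-tools ships a primary-backup.sh template under doc/sync that is normally copied into place).

```conf
# /etc/keepalived/keepalived.conf on fw1 (constructed example).
# fw2 mirrors it with state BACKUP, priority 100, and the two link-local
# addresses swapped. eth0 itself carries only 169.254.100.1/30 (fw1) or
# 169.254.100.2/30 (fw2); neither link-local address needs to route anywhere.

global_defs {
    router_id fw1
    enable_script_security
}

vrrp_instance WAN {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1

    # Adverts go unicast between the two link-local member addresses, so
    # nothing VRRP-related is multicast onto the ISP's segment.
    unicast_src_ip 169.254.100.1
    unicast_peer {
        169.254.100.2
    }

    # The single public IP lives only on the VRRP instance (the CARP IP in
    # pfSense terms); this is the only address the ISP ever sees as a source.
    virtual_ipaddress {
        203.0.113.10/29 dev eth0
    }

    # The default route should exist only on whichever node is master.
    virtual_routes {
        default via 203.0.113.1 dev eth0
    }

    # Tell conntrackd to commit the replicated state on promotion and to
    # resync it after demotion (script path is an assumption, see lead-in).
    notify_master "/etc/conntrackd/primary-backup.sh primary"
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault  "/etc/conntrackd/primary-backup.sh fault"
}

# /etc/conntrackd/conntrackd.conf (excerpt) on fw1: replicate conntrack state
# over the dedicated sync link so established TCP flows survive the failover.
Sync {
    Mode FTFW {
    }
    UDP {
        IPv4_address 10.255.255.1               # fw1 sync address (constructed)
        IPv4_Destination_Address 10.255.255.2   # fw2 sync address (constructed)
        Port 3780
        Interface eth2
        Checksum on
    }
}

General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
    }
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
        }
        # Never replicate flows that belong to the HA machinery itself.
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 169.254.100.0/30
            IPv4_address 10.255.255.0/30
        }
    }
}
```

Two things worth checking once this is in place: that the ISP only ever sees traffic sourced from 203.0.113.10 (a packet capture on eth0 during a forced failover should show no frames from the 169.254.100.0/30 addresses), and that `conntrackd -s` on the backup reports a cache that tracks the master's, since the state sync is what turns the failover into a hiccup rather than a round of reconnects.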

Yeah, I did mention that :slight_smile:

This is the way to go if indeed he has only one available, more difficult to grasp though :slight_smile:

Whoops! My bad.

For sure. I think it also works with DHCP but I haven’t tried it.

AFAIK, Cisco states that all packets currently handled by the “Master” may be lost at the moment of the handover.
From testing with some other prominent brands, they all seem to rely on the software on both ends to notice the lost packets and retry.

It is very little fun to get a call from your ISP along the lines of “You are currently fielding two hundred IPs, everything okay with your end?”

Even if you gracefully hand over the MAC address together with the IP and relay the leftover frames to new master, the sender/L2 neighbor is the only one that can guarantee there will be no reordering within a flow as a result.

If you had to pick between a few dropped frames/packets or a few out-of-order frames/packets, a few dropped ones are usually less disruptive since that happens all the time anyway.

Do you pay for 6 static IPs? Or do you pay for 1 static IP? These are usually $20 each on Frontier and you will see them on your bill.