  1. #1
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,211

    VRRP plus WAN Failover

    I'm looking at doing VRRP and I also have a backup WAN connection.

    Can I set up both WANs on both routers, or is that asking for trouble? It's probably a lot easier to set up the backup WAN on the primary router only, on the logic that it's exceedingly unlikely to have a simultaneous independent failure of both the primary router AND the primary WAN.

    Thoughts?

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,754

    VRRP will only switch if the master Firewall fails to respond. All the WAN interfaces should be setup as VRRP. ISP failure has nothing to do with VRRP. VRRP is for hardware unresponsiveness.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,211

    I know VRRP has nothing to do with ISP failure. I'm just trying to wrap my head around the complexity of two routers plus two WANs.

    However I'll take your statement "All the WAN interfaces should be setup as VRRP" and go with that. It'll probably become more clear as I get into the setup.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,754

  5. #5
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,211

    Can open... worms everywhere

    If I set up both WANs on both Untangles, would I need a separate WAN Failover license for each? The primary Untangle has a full sub; I was intending to run the backup Untangle with free modules only since it's only meant to fill in during a failure.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,494

    Yes... but also no...

    So, you can configure Untangle #2 for two WANs without WAN Failover or WAN Balancer, it just won't push traffic through the 2nd WAN.

    BUT, it WILL RESPOND on that WAN. So you can have a 2nd router there, and in the event your primary Untangle fails, AND one of the WANs fail, you can still use the online WAN even if it isn't the primary to get into the 2nd unit (VPN terminate on it, or pinholed remote admin), restore the first unit's backup without networking, and then move your license to transfer full functionality, and do all of that remotely.

    But if you want that 2nd router to be multi-wan automagic... You'll need WAN Balancer and Failover on BOTH units.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,211

    Quote, originally posted by sky-knight:
    So, you can configure Untangle #2 for two WANs without WAN Failover or WAN Balancer, it just won't push traffic through the 2nd WAN.

    BUT, it WILL RESPOND on that WAN. So you can have a 2nd router there, and in the event your primary Untangle fails, AND one of the WANs fail, you can still use the online WAN even if it isn't the primary to get into the 2nd unit (VPN terminate on it, or pinholed remote admin), restore the first unit's backup without networking, and then move your license to transfer full functionality, and do all of that remotely.
    (end of quote)

    That's what I was starting to think would be best. In the scenario that both the primary Untangle and WAN are down for some reason, as long as _I_ can find a way in to the backup Untangle that's good enough. Once I'm in, I can manipulate the WAN interfaces as needed, and either fix the primary or take further steps to make the backup fully functional.

  8. #8
    Untanglit
    Join Date
    Jun 2016
    Posts
    24

    I've done this a few times. You'll want to set up VRRP on both the internal and external interfaces. Also, you can just transfer the license by Command Ctr. once you realize the primary unit is down through monitoring. I would love it if Untangle created a failover app that would monitor the VRRP status and transfer a license via Command Center when the primary unit goes down. I wouldn't think this would be hard. The full license is key if you want all the functionality of IPSec tunnels, policies, etc.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,494

    Given that we now have Command Center, it would be a logical improvement to enable us to define two devices as "clustered", even if all it did was use defined rules for "down" to automatically move that license... it would be enough.

    But what I'd really like is for it to automatically restore without networking from the primary unit on some sort of interval... so the 2nd unit stayed ready to take over too.

    But the space between Meraki and Ubiquiti is getting tight... I wonder just how long we'll have Untangle or anything else for that matter.
    jcoffin likes this.

  10. #10
    Untanglit
    Join Date
    Jun 2016
    Posts
    24

    Yeah, the idea of syncing the configs is nice, but given the relatively few changes we make on production boxes, it's easy to manually do the restore once your changes are complete. There is also something nice about having control of that process too. It can get complicated if the hardware is not exactly the same, as I have at a couple of sites. Having the flexibility to use old hardware as a failover is a really great benefit of Untangle. You don't get that anywhere else.
