I am considering a pair of EdgeRouter Pros for a HA firewall setup. This will replace a single enterprise-grade firewall. I have done some research, but would appreciate a sanity check!
The ISP hands out a /29, which should be sufficient for the 3-IP requirement of VRRP. Connectivity is as simple as assigning an IP to the WAN port of the firewall, which then connects to the ISP handoff.
My idea is to split the single Ethernet handoff into 2 via a switch, to which the EdgeRouters will connect: ISP Ethernet handoff --> 8-port switch --> 2 Ethernet cables, 1 to each ER's WAN port --> VRRP on ER's LAN port side going into the primary LAN switch.
Just some questions that came to mind:
- Is this even feasible? (my research seems to be a definite 'yes')
- Could any layer 2 switch be used out of the box, if it's just used to 'split' the single handoff across the 2 routers (VRRP VIP and MAC address)? (seems like another 'yes')
- This site terminates a few IPSec tunnels. Will there be any issue using the VIP as the IPSec peer ID? What about after failover? Will a simple VRRP transition script used to restart IPSec do the job? This thread has more: http://community.ubnt.com/t5/EdgeMAX/IPsec-on-VRRP-virtual-interface/m-p/1131870#M51032
- Have there been any updates in recent firmware that will handle "IPSec on a VRRP interface" automatically, or should the above method still be used?
- Does connection tracking work? I was looking into this a year ago, and came across this thread where conntrackd is installed and manually set up to handle stateful failover: http://community.ubnt.com/t5/EdgeMAX/VRRP-statefull-failover/m-p/485849#M9948
And yes, I know the ISP-to-firewall switch seems like (is?) a single point of failure. However, if any layer 2 switch can do the job by default, it will be far easier to replace than a whole firewall + config. We could even have one standing by as a cold spare, ready to go.
Anyway, thanks in advance!
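A worked address plan and config generator for the pair described in the post, added here as an example (it is not from the original post, the linked threads, or Ubiquiti). It carves the ISP /29 into the three addresses VRRP needs on the WAN segment plus the gateway, emits the EdgeOS `set` commands for each EdgeRouter, and sanity-checks the two configs against each other. It goes a little beyond the post by putting VRRP on both the WAN (eth0) and LAN (eth1) side in one sync-group, so the WAN VIP and LAN VIP always sit on the same box. The /29 (203.0.113.8/29), the LAN (192.168.10.0/24), the interface names, the remote IPsec peer (198.51.100.1), the script path and the convention that the ISP gateway is the first usable address are all assumptions; the `run-transition-script` and `sync-group` keywords are EdgeOS's Vyatta-style syntax and should be confirmed with the CLI's `?` completion on your firmware before committing.

```python
"""Added example: plan a /29 for a VRRP pair and generate EdgeOS config.

Everything below (addresses, eth0 = WAN, eth1 = LAN, script path, remote
IPsec peer) is a hypothetical choice for illustration, not from the post.
"""
import ipaddress
from typing import List


def plan_wan_block(cidr: str) -> dict:
    """Carve the ISP block into the addresses a VRRP pair needs.

    Convention assumed here (check what your ISP actually does):
      first usable  -> ISP gateway
      second        -> shared VRRP VIP (what the ISP and IPsec peers see)
      third, fourth -> real WAN address of router 1 / router 2
      remainder     -> spare
    VRRP needs the three non-gateway addresses: each router keeps a real
    address for its own traffic and adverts; only the VIP moves on failover.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 4:
        raise ValueError(f"{cidr} too small: need gateway, VIP and a real address per router")
    gw, vip, r1, r2, *spare = hosts
    return {
        "prefixlen": net.prefixlen,
        "gateway": str(gw), "vip": str(vip),
        "router1": str(r1), "router2": str(r2),
        "spare": [str(a) for a in spare],
    }


def edgeos_vrrp_config(router: int, wan: dict, lan_vip: str = "192.168.10.1/24",
                       remote_peer: str = "198.51.100.1",
                       script: str = "/config/scripts/vrrp-transition.sh") -> List[str]:
    """Emit EdgeOS 'set' commands for router 1 or 2 of the pair.

    Both VRRP groups join sync-group FW so WAN and LAN fail over together.
    The transition script is the hook used to restart IPsec after a
    MASTER/BACKUP change; its contents are not part of this example.
    LAN real addresses are VIP+1 and VIP+2 (assumption).
    """
    if router not in (1, 2):
        raise ValueError("router must be 1 or 2")
    prio = 200 if router == 1 else 100           # router 1 is the preferred master
    p = wan["prefixlen"]
    wan_self = wan["router1"] if router == 1 else wan["router2"]
    lan_if = ipaddress.ip_interface(lan_vip)
    lan_self = lan_if.ip + router                # .2 for router 1, .3 for router 2
    return [
        f"set interfaces ethernet eth0 address {wan_self}/{p}",
        f"set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address {wan['vip']}/{p}",
        f"set interfaces ethernet eth0 vrrp vrrp-group 10 priority {prio}",
        f"set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group FW",
        f"set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-script master {script}",
        f"set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-script backup {script}",
        f"set interfaces ethernet eth1 address {lan_self}/{lan_if.network.prefixlen}",
        f"set interfaces ethernet eth1 vrrp vrrp-group 11 virtual-address {lan_if.with_prefixlen}",
        f"set interfaces ethernet eth1 vrrp vrrp-group 11 priority {prio}",
        f"set interfaces ethernet eth1 vrrp vrrp-group 11 sync-group FW",
        f"set protocols static route 0.0.0.0/0 next-hop {wan['gateway']}",
        # IPsec sources from the VIP so the peer sees the same address after failover
        f"set vpn ipsec site-to-site peer {remote_peer} local-address {wan['vip']}",
    ]


def check_pair(cfg1: List[str], cfg2: List[str]) -> List[str]:
    """Cross-check the two configs; returns a list of problems (empty = OK)."""
    def last_tokens(cfg, needle):
        return {line.split()[-1] for line in cfg if needle in line}

    problems = []
    for key in ("virtual-address", "sync-group", "next-hop", "local-address"):
        if last_tokens(cfg1, key) != last_tokens(cfg2, key):
            problems.append(f"{key} differs between routers")
    for iface in ("eth0 address", "eth1 address"):
        if last_tokens(cfg1, iface) & last_tokens(cfg2, iface):
            problems.append(f"{iface} collides between routers")
    if last_tokens(cfg1, "priority") == last_tokens(cfg2, "priority"):
        problems.append("both routers have the same VRRP priority")
    return problems


if __name__ == "__main__":
    wan = plan_wan_block("203.0.113.8/29")   # constructed example block
    cfgs = {r: edgeos_vrrp_config(r, wan) for r in (1, 2)}
    for r, cfg in cfgs.items():
        print(f"# --- EdgeRouter {r} ---")
        print("\n".join(cfg))
    print("# problems:", check_pair(cfgs[1], cfgs[2]) or "none")
```

Paste each router's block into `configure` on that box, then `commit; save`. The same VIP, sync-group and next-hop appear on both routers; only the real interface addresses and the priority differ, which is exactly what `check_pair` verifies.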