New Mult-WAN setup

Looking to create a firecluster with a multi-wan configuration.

Presently I have an M470 which I will need to replace with either two M390's or M590's
as the 470's are no longer made. I'm thinking M390's, but that's another discussion.

Anyhow, my question is for the switch on the WAN (External) interface side should I use one switch or two?

I'm thinking one would work best and just create two VLAN's on that switch with each VLAN being Untagged (Aruba / HP lingo there) and each VLAN using the same IP Subnet as the FB external interfaces.
This setup may also alleviate any potential issues with the ISP hardware only wanting to connect to a single device.

This I realize still does not eliminate the single point of failure, just moves it upstream a bit, but it's cleaner and easy to implement.

What does the community think? Pro's, Con's?

Thanks!

  • Doug

It's usually something simple.

Comments

  • WG generally recommends a single switch.

    Is this for an A/A or an A/P cluster?

    Switch and Router Requirements for an Active/Active FireCluster
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_aa_multicast_wsm.html

  • Forgot to mention that Bruce.
    A/P
    :-)

    It's usually something simple.

  • edited August 2022

    Review James's last comment here for the B topic:

    Active/Passive Cluster Behavior
    https://community.watchguard.com/watchguard-community/discussion/2726/active-passive-cluster-behavior

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @shaazaminator

    I have had customers that have gotten away with using a single switch with the two firewalls plugged into it.

    Generally we recommend that you use a separate switch for the internal and external networks. Using a single switch creates a single point of failure (which most customers are trying to avoid by having a cluster in the first place.)

    The actual "proper" way to do a setup like that would be to have two switches for each and use active/backup link aggregations to each. Nobody really does this because it eats up two ports per interface on the firewall, requires extra switch hardware, (and is generally a pain to set up.)

    Since the ISP device is usually also a singular point of failure, my preferred method is to use small unmanaged switch between each ISP device and the firewall. It's still a single point of failure, but it's very easy to rule out as the problem if one arises.

    If you do decide to go the one switch/VLAN route, it can work, just watch:
    -Disable STP (spanning tree) on any interfaces that the firewall touches.

    -If the switch has something like portfast (something to make sure the ports come on right away vs testing for a minute or so) ensure that's on so the cluster doesn't ping-pong trying to find a way out.

    -Ensure that the switch in whatever config it's in passes broadcasts between the two ports the firewall is plugged into. We run into this problem a lot (especially when customers try to plug the firewalls into different switches in a managed stack.)

    The cluster will effectively share one MAC address between the two units. Some switches are very slow, or simply won't allow what it views as the device randomly moving around like that.

    -James Carson
    WatchGuard Customer Support

  • Hey James,

    Thanks for the explanation and also explaining the pitfalls of the single switch configuration. (and on a Sunday too!)

    I do like your idea of two inexpensive unmanaged switches for the external interfaces instead of a single managed switch using VLAN's. Eliminates the pitfalls you mentioned.

    Your input is much appreciated.

    Thanks,

    • Doug

    It's usually something simple.

Sign In to comment.