User Tools

Site Tools


howto:cluster

Cluster

The cluster module creates a high available redundant system from two standalone HSMX gateways. Both systems need to be in a healthy state when forming them into a cluster.

Configuration

Firewall

In order to properly function we need to open a few ports on the firewall for the other HSMX machine to access. We refer for more information to Firewall.

  • 80/tcp
  • 873/tcp before v5.2.03
  • 5432/tcp
  • 5555/udp
  • 22 / TCP since v5.2.03

 Default firewall configuration with added cluster rules for 172.20.0.137

We strongly recommend configuring source-address validation, to accomplish this modify every rule to include the Source IP, preferably using single addresses instead of whole IP ranges.

Cluster

Enabling cluster mode is fairly straight-forward. Browse to Network / Cluster settings.

The configuration options are:

  • virtual ip: Here you can configure virtual IP's, the virtual IP addresses will always be attached to the active node so usually a virtual IP should be chosen on the network used to configure the gateway cluster. Specify the IP / sub-net and network port where this needs to be applied to. Optionally a second virtual IP can be chosen.
  • Synchronisation IP: Here you can configure how the two gateways can communicate with each other. Typically a dedicated network port is used to interconnect clustered HSMX machines. This interface will be used to synchronize all data between the two HSMX machines; a backup interface can be configured to avoid the network from becoming a single point of failure. Configure the network interfaces first in network ⇒ network settings.
  • Network interface: The entire network configuration is shared between the two gateways in the cluster. This is because they share the IP aliases / PPPoE connections. They are activate on the primary node only. This means there is one more step; you have to configure the IP's of the other gateway for interfaces that are already configured. There is a small icon that will try to get the information from the other gateway, this only works properly when interface names are identical in both participants.

What is synchronized

Everything is shared between two clustered HSMX machines except:

  • All interfaces but WAN-interfaces (except for shared-IP on WAN-interfaces)
  • Language
  • License
  • Performance
  • SSL Certificates
    • To renew SSL certificates while your cluster is running. Install the certificate on the passive node first and reboot that machine. Once the machine accepted his SSL certificate (after reboot) make your cluster fail-over. You can now install your certificate on the current passive node.
  • Firewall
  • Backups and it's settings
howto/cluster.txt · Last modified: 2021/06/03 14:40 (external edit)