Adam is absolutely correct.
If you look at each box individually, doubling the number of boxes will
obviously increase the chance that a single box fails.
However, in this context, our concerns are not whether a box has failed. We are
concerned with minimizing network down-time. As such, it is important that a
second firewall can automatically take over if the first fails. This should
mean a network down-time of approximately 3 seconds instead of the time it
takes to swap out the firewall manually (considerably longer than 3 seconds).
Of course, this comes at the cost of adding an additional level of complexity to
the firewall configuration. On the basis that a default setup would be a
single-box solution (as it is now) and that fail-over would be an entirely
I appreciate that the majority of people will be using M0n0wall in an office or
home environment and are probably wondering how critical an Internet connection
can be. Whilst we obviously use firewalls in this environment (including
M0n0wall), we also require firewalls to head up our data-center-based web/email
clusters, hence the importance of uptime.
Quoting Adam Nellemann <adam at nellemann dot nu>:
> Just spamming... :)
> Chad R. Larson wrote:
> > the box against the additional complexity. And remember, if you have two
> > firewall boxes, you have twice the chance of a failure.
> While I'm no statistician, I'm rather sure that is not true, at least
> strictly speaking!
> In this context, "failure" would be both boxes failing
> "simultaneously" (i.e. second failure occurring before first one is
> fixed); this is MUCH less likely than a single box failing (at least
> if you aren't too lazy with repairs!)
> But then there is, of course, the issue of the watchdog hardware or
> software failing, adding further complexity to the MTBF calculations?
> Personally however, I feel that your argument about complexity holds.
> A box like a Soekris running m0n0wall should be quite stable in
> itself. Still, some people need 100% uptime...
> P.S. I'm not an expert in these matters, but wouldn't the (least
> complex) way of achieving failsafe connectivity be by using two
> m0n0walls on two independent WAN connections, and then configuring the
> hosts with both of them as gateways. While this probably wouldn't
> load-balance, I speculate that it would allow traffic to continue
> through either gateway, should one stop working? (Or perhaps a small
> script could do some ping-testing and switch gateway to the "backup"
> m0n0wall, in case of failure?)
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
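The "small script could do some ping-testing and switch gateway to the backup m0n0wall" idea in Adam's P.S. is easy to sketch. The script below is an added example, not code from the list post or from the m0n0wall project: it runs on a LAN host behind two m0n0walls, probes the primary gateway with ICMP echo, and moves the host's default route to the backup only when the primary stops answering (and back again once it recovers). The gateway addresses, the probe interval, the function names, and the Linux iproute2 commands (`ip route show default`, `ip route replace default via ...`) are assumptions; on a BSD host the route commands differ. Note that this is a host-side workaround rather than the firewall-side automatic takeover the poster describes, and it says nothing about the ~3 second figure quoted above.

```shell
#!/bin/sh
# Added example (not from the list post): ping-based default-gateway failover
# for a LAN host with two m0n0wall gateways. Addresses, interval and the Linux
# "ip route" commands are assumptions; adjust for your network and OS.

PRIMARY_GW="${PRIMARY_GW:-192.168.1.1}"   # assumed primary m0n0wall LAN address
BACKUP_GW="${BACKUP_GW:-192.168.1.2}"     # assumed backup m0n0wall LAN address
PROBE_COUNT=2        # echo requests per probe
PROBE_TIMEOUT=1      # seconds to wait per reply (Linux "ping -W" semantics)
CHECK_INTERVAL=5     # seconds between probe rounds

# probe_gateway GW: exit 0 if GW answers ICMP echo, non-zero otherwise.
probe_gateway() {
    ping -c "$PROBE_COUNT" -W "$PROBE_TIMEOUT" "$1" >/dev/null 2>&1
}

# select_gateway [PROBE]: print the gateway to use, preferring the primary.
# PROBE is a command that takes a gateway address (default: probe_gateway);
# making it a parameter lets the selection logic be exercised without a
# live network. Returns 1 if neither gateway answers.
select_gateway() {
    sg_probe="${1:-probe_gateway}"
    if "$sg_probe" "$PRIMARY_GW"; then
        echo "$PRIMARY_GW"
    elif "$sg_probe" "$BACKUP_GW"; then
        echo "$BACKUP_GW"
    else
        return 1
    fi
}

# current_gateway: print the host's present default gateway (Linux iproute2).
current_gateway() {
    ip route show default 2>/dev/null | awk '$1 == "default" { print $3; exit }'
}

# apply_gateway GW: point the default route at GW (needs root).
apply_gateway() {
    ip route replace default via "$1"
}

# failover_step [PROBE]: one probe round; reports the action taken.
# Exit status 0 when some gateway is reachable, 1 when neither is. In the
# latter case the existing route is deliberately left alone rather than
# deleted, so a transient blip on both paths does not strand the host.
failover_step() {
    fs_wanted=$(select_gateway "${1:-probe_gateway}") || {
        echo "no gateway reachable; leaving route unchanged" >&2
        return 1
    }
    fs_current=$(current_gateway)
    if [ "$fs_wanted" != "$fs_current" ]; then
        apply_gateway "$fs_wanted" && echo "switched default gateway to $fs_wanted"
    else
        echo "default gateway $fs_current still reachable"
    fi
}

# Run as "sh failover.sh run" to loop forever; invoking it without the
# argument (or sourcing it) only defines the functions.
if [ "${1:-}" = "run" ]; then
    while :; do
        failover_step
        sleep "$CHECK_INTERVAL"
    done
fi
```

Because the route is switched back as soon as the primary answers again, a flapping primary will cause the host to flip between gateways on every round; a production version would add a few consecutive successful probes before failing back, and would probe something beyond the gateway (its WAN next hop, for instance) so that a m0n0wall whose LAN side is up but whose WAN link is dead is also treated as failed.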