HA/CARP/VIPs

• M

  CARP/HA, SYNC and XMLRPC SYNC explained
  • mk6032  

  3
  1
  Votes
  3
  Posts
  4164
  Views

  M

  Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (perst maint, reboot, leave persist maint). I am still having a small problem with freeradius xmlrpc sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0). Regards, Matt
• N

  VRRP and CARP with XG-7100 1U (version 2.4.5)?
  • NSuttner  

  1
  0
  Votes
  1
  Posts
  11
  Views

  No one has replied

• N

  CARP with PPPoE that has VLAN requirement
  • NOTORIOUS_VR  

  7
  0
  Votes
  7
  Posts
  165
  Views

  G

  @NOTORIOUS_VR said in CARP with PPPoE that has VLAN requirement: I also have an issue with the backup unit losing the CARP/HA rule when it syncs, not sure what is causing that - lots of googling suggests it's an issue with different amounts of interfaces but the interfaces are the same number on both units. Regarding this, just to be sure, No XMLRPC Sync option on the rule is disabled?
• M

  HA LAN interface into Layer 3 switch - InterVLAN Routing
  • mstreet  

  1
  0
  Votes
  1
  Posts
  11
  Views

  No one has replied

• E

  CARP/Pfsync Across Multiple Sites
  • ehuk  

  11
  0
  Votes
  11
  Posts
  1927
  Views

  H

  Curious to know what you did here in the end and how it went. Cheers.
• G

  CARP with single PPOE - Make internet working from the slave node
  • Gabri.91  

  3
  0
  Votes
  3
  Posts
  25
  Views

  G

  It survived also the CARP Maintenance and the upgrade of both units, without the Port Forward NAT. The only issue is that in this way OpenVPN Client (to a VPN Service) binded to WAN interface will start on both nodes because both will have connectivity. Solution is to bind to a real CARP VIP like LAN and it correctly starts only on the node where LAN is MASTER.
• T

  openvpn client failover ... fails
  • tiwing  

  1
  0
  Votes
  1
  Posts
  15
  Views

  No one has replied

• T

  HA with single WAN IP, hard to find solid info
  • tiwing  

  3
  0
  Votes
  3
  Posts
  65
  Views

  T

  Figured I would update with what I came up with. It works perfectly including immediate fail-over on both LAN and GUEST networks (but openvpn does not). I hope this helps someone else with their single WAN setup. I should note, the ISP modem and first router is a single point of failure, but the router is basically doing nothing except DMZ to the WAN CARP, so not really concerned. It's accessible through its own wifi for if/when I need to get in.
• K

  Primary node is no longer routing to WAN but secondary works after upgrade
  • khuram  

  1
  0
  Votes
  1
  Posts
  18
  Views

  No one has replied

• B

  HA Setup with 1 WAN IP and port forward to FTP Server [SOLVED]
  • Bambos  

  10
  0
  Votes
  10
  Posts
  150
  Views

  B

  admin please close this thread. minimum 3 IP's for CARB. Thanks everyone for support.
• A

  CARP WAN 3 IPs - DHCP assigned
  • asterix  

  9
  0
  Votes
  9
  Posts
  2965
  Views

  A

  I'm now wondering the same thing... Did anyone get this to work?
• O

  Packet loss when pinging Carp vip
  • olavM  

  3
  0
  Votes
  3
  Posts
  37
  Views

  O

  I have just realized that I had the mtu set to 9000 everywhere except on the routers. Setting it to 9000 on the routers solved the problem...
• M

  pfSense Setup with 250+ CARP VIPs
  • MeCJay12  

  9
  0
  Votes
  9
  Posts
  54
  Views

  

  I'd get an ISP that is willing to do things right. Just sayin'. I'd pcap and see exactly what's happening. Maybe they have something silly like an inability to ARP for more than X IP addresses per MAC address or something. It is almost certainly NOT the pfSense software.
• T

  DHCP Server wrong IP CARP
  • tiwing  

  4
  0
  Votes
  4
  Posts
  23
  Views

  T

  @jimp said in DHCP Server wrong IP CARP: On the primary, add the secondary interface address in each active DHCP server tab. Yup, did that! Thanks both of you - I didn't realize it was supposed to be that way, and although I've read the HA docs a number of times I guess I missed the part where DHCP server address would show as the actual IP of the box, not the VIP. Thank you! Cheers Tiwing
• T

  Impossible to encode value '' from type 'NULL'
  • tiwing  

  2
  0
  Votes
  2
  Posts
  15
  Views

  T

  OK forget it. I was messing around and disabled, then re-enabled guest interface on both primary and secondary and problem is now gone. I can't explain why, but ..... woohooo! mods, you can close or outright delete this thread! cheers
• C

  Help with script for single DHCP WAN IP in HA pair
  • ctminime  

  1
  0
  Votes
  1
  Posts
  37
  Views

  No one has replied

• R

  HAProxy / Lets Encrypt / Postfix - Dovecot
  • RHLinux  

  5
  0
  Votes
  5
  Posts
  62
  Views

  R

  Thanks for the information. I think I will setup a more conventional method to have the certs on the mail server. Just wanted to see if it was possible and not to go down the rabbit hole and waist lots of hours and head scratching trying to implement something that is not doable. RHLinux
• P

  CARP/HA with keepalived in the network!
  • PointPubMedia  

  5
  0
  Votes
  5
  Posts
  56
  Views

  P

  We are having L3 switches and I can't find anything about that... I'm thinking more and more that our pfSense appliance is having a hard time with the traffic!
• Y

  Interface LAN stay master
  • Yazur  

  15
  0
  Votes
  15
  Posts
  136
  Views

  Y

  Thank you, I'm going to look at all this documentation and I'll come back to tell you the solution to the problem or more specific questions for more specific help.
• B

  Multi-WAN HA PPPoE from different ISP
  • bhopkeptelen  

  2
  0
  Votes
  2
  Posts
  33
  Views

  T

  CARP is designed for a router failing or router interface going down, so the IP addresses will switch to the backup router. The CARP IP on WAN isn't going to work on both ISPs without some sort of SD-WAN arrangement.
• L

  HAProxy forwarding to NGINX Seafile
  • Lip  

  5
  0
  Votes
  5
  Posts
  52
  Views

  L

  @PiBa said in HAProxy forwarding to NGINX Seafile: How to do it, basically still follow the instructions and don't do what do you don't need.? If you don't want to offload, leave the ssl checkbox on the frontend 'off' and choose for mode 'ssl/https'.. As your then not using offloading, also leave the 'Encrypt-SSL' checkbox on the backend server 'off', (but do check the SSL-Checks checkbox..). Should be pretty easy.. give it a try, and if it doesn't work show the config as you have made, and tell what the stats page looks like, is the server green and if not what does lastchk column say?. I'm not inclined to write a step-by-step guide tailored to a specific user. As that would be more work for me, and less of a learning experience for you.. Really.. if it doesn't work first time you can try again for no additional fee Thank you with your help I got it done. Unfortunately I don't understand most of it because it is completely new territory for me. here it is difficult to say what you need and what you don't. the side can be reached from the outside and everything should go :) THANKS again
• A

  Execute script on failover
  • adm_jdr  

  1
  0
  Votes
  1
  Posts
  35
  Views

  No one has replied

• C

  CARP failover caused by large transfer
  • chrullrich  

  2
  0
  Votes
  2
  Posts
  37
  Views

  

  It might be your switch doing it and not the firewall, check for and disable things like multicast storm control to rule that out. Also you could set advbase higher on the VIPs so that it takes longer to trigger a failover. If you increase advbase to 1 that would take 1 second + skew to switch. Or use QoS to limit the initial burst to a lower speed.
• D

  2 ISP, 2 pfSense and 2 Core Switch
  • digitalcomposer  

  9
  0
  Votes
  9
  Posts
  104
  Views

  D

  Nobody?!?
• H

  CARP with SR-IOV enabled NIC under Hyper-V
  • hege  

  1
  0
  Votes
  1
  Posts
  31
  Views

  No one has replied

• C

  Only VIP no Interface IP
  • cmcologne  

  2
  0
  Votes
  2
  Posts
  56
  Views

  V

  @cmcologne said in Only VIP no Interface IP: Why is it not possible to only assign a CARP-IP to a Interface? Cause the interfaces which are sharing a CARP VIP must be able to communicate over Layer 3. So they need to have a unique IP each within a common subnet. It's possible to assign IPs out of a private subnet to the interfaces with some drawbacks. You may find threads discussing that topic here in this forum when you search for "CARP with only one public IP".
• S

  XMLRPC restore_config_section Error
  • SzyslaK  

  5
  0
  Votes
  5
  Posts
  57
  Views

  S

  @jimp Brilliant. Thank you for clarifying that.
• 

  Sync error with packages since today
  • JeGr  

  3
  0
  Votes
  3
  Posts
  61
  Views

  

  @jimp said in Sync error with packages since today: That's just one possibility, but something to consider. Absolutely, thanks. As this was some elevated by my boss because of the constant nagging ;) I can report, that Paighton from Support has found it out. To my surprise our old FreeRadius configuration (since the FR2 package times) contained a manual sync setting instead of using the systems sync (which would be the right way but I can remember it sometimes being bugged in the beginning). So as we switched UI Port a few weeks ago we never had any problem until there was a request for a new customer VPN server and Radius User. Didn't see that coming and perhaps would have found it in the end after debugging hours, but happy to say that support got it faster :) So always check your packages that allow syncing to the cluster peer and make sure the sync is using the right ip/port/credentials or is using the system ones in the first place :) Should have found that myself, but sometimes especially in your own setup environments you get stuck in a rut... In a customer setup I'm fairly certain we would've found that ;)
• P

  VIP persisting after removal
  • pstine  

  7
  0
  Votes
  7
  Posts
  88
  Views

  P

  I created a new vm, assigned the offending IP to that VM, let it hang out for a day, deleted the VM and the DNS records in Infoblox. Finally, after the weekend the record has cleared in Infoblox and presumably the switch. Switch weirdness in the end, I suppose. Thanks to Derelict for the suggestions in trying to track this down.
• D

  CARP Address showing Master on both FWs
  • dsolutions  

  2
  0
  Votes
  2
  Posts
  59
  Views

  

  That's called out in the documentation in several places https://docs.netgate.com/pfsense/en/latest/book/highavailability/high-availability-troubleshooting.html#issues-inside-of-virtual-machines-esx https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html#vmware-esx-users https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-high-availability-clusters.html#hypervisor-users-especially-vmware-esx-esxi [...]
• M

  CARP/NAT issue on cable modem
  • mjh_ca  

  1
  0
  Votes
  1
  Posts
  46
  Views

  No one has replied

• M

  Maximum distance between HA devices / sync
  • mstreet  

  2
  0
  Votes
  2
  Posts
  76
  Views

  

  As long as the L1/L2 between them is clean and fast that should be OK. You can adjust advbase if it isn't. With a higher advbase it won't fail over as fast, but it is more tolerate of latency between the nodes. Having them in different places in the same building is not unheard of, or even separate buildings on the same campus. It's not ideal but it can work. I think we even had someone try to use CARP for HA to a node in a DC as some attempt at DR, but I can't remember if that ended up working in the end. When working with skew and base values for CARP VIPs, Skew values are 1/256th of a second, and base values add whole seconds. So if you set advbase to 1, then it would wait 1 second + skew, rather than only the skew time.
• P

  CARP not failing over all interfaces
  • PacketMaster  

  1
  0
  Votes
  1
  Posts
  59
  Views

  No one has replied

• F

  Unplug WAN cable on primary and lose internet access
  routing wan sg-1100 lan failover • • frenzy_usa  

  1
  0
  Votes
  1
  Posts
  63
  Views

  No one has replied

• T

  Using CARP primary AND backup for DNS?
  • tobiasm  

  5
  0
  Votes
  5
  Posts
  63
  Views

  

  In other words: Using the CARP VIP you get guaranteed failover and consistent behavior across all client platforms. Using both you are completely reliant upon the client to behave in specific ways, which only gets worse on networks with many different types of clients.
• J

  ipconfig/all showing secondary CARP device interface IP as DHCP server address instead of the VIP - is this as expected?
  • jklmn12345  

  3
  0
  Votes
  3
  Posts
  83
  Views

  J

  @Derelict Thanks for the confirmation that the behaviour is as expected. Very much appreciated.
• D

  VRRP Cluster on lan behind pfsense - how much arp is too much?
  • dalfonsodtm  

  1
  0
  Votes
  1
  Posts
  50
  Views

  No one has replied

• T

  CARP IPv6 /127 not working
  • tobiasm  

  2
  0
  Votes
  2
  Posts
  93
  Views

  T

  I think I'm at least partially encountering this bug, which I updated with what I'm seeing: https://redmine.pfsense.org/issues/6579
• C

  Override xmlrpc version check
  • CW_  

  3
  0
  Votes
  3
  Posts
  43
  Views

  C

  Thanks for the reply
• B

  HA Config BIND DNS sync setup problem
  • bolvar  

  16
  0
  Votes
  16
  Posts
  418
  Views

  

  idk i don't have bind installed on pfsense, i have a dedicated server for bind9 and to transfer from my master to the slave i have it configured like this: server 172.17.0.100 { keys { rndc-key; }; }; server 2001:470:b682:ffff:ffff:ffff:ffff:fffe { keys { rndc-key; }; }; .................. zone "kiokoman.eu.org" { type master; allow-transfer {151.3.106.211; 2001:470:b4e1:ffff:ffff:ffff:ffff:fffe; 192.168.10.202; 2001:470:26:5dc:ffff:ffff:ffff:fffd;}; also-notify {151.3.106.211; 2001:470:b4e1:ffff:ffff:ffff:ffff:fffe; 192.168.10.202; 2001:470:26:5dc:ffff:ffff:ffff:fffd;}; file "/etc/bind/external/pri.kiokoman.eu.org.signed"; auto-dnssec maintain; update-policy local; }; on one of the slave: server 172.17.0.100 { keys { rndc-key; }; }; server 2001:470:b682:ffff:ffff:ffff:ffff:fffe { keys { rndc-key; }; }; ............................... zone "kiokoman.eu.org" { type slave; masters {172.17.0.100; 2001:470:b682:ffff:ffff:ffff:ffff:fffe;}; file "/etc/bind/external/pri.kiokoman.eu.org.signed"; }; under xfer-out.log and xfer-in.log ( channel xfer-in_file / channel xfer-out_file) 3c81316a0 192.168.10.202#56101/key rndc-key (kiokoman.home): view trusted: transfer of 'kiokoman.home/IN': IXFR ended 23-Jan-2020 20:13:25.430 client @0x7f53d0141340 192.168.10.202#43941/key rndc-key (2.168.192.IN-ADDR.ARPA): view trusted: transfer of '2.168.192.IN-ADDR.ARPA/IN': IXFR started: TSIG rndc-key (serial 2018046843 -> 2018046844) 23-Jan-2020 20:13:25.430 client @0x7f53d0141340 192.168.10.202#43941/key rndc-key (2.168.192.IN-ADDR.ARPA): view trusted: transfer of '2.168.192.IN-ADDR.ARPA/IN': IXFR ended 23-Jan-2020 20:56:05.485 client @0x7f53c81221e0 192.168.10.202#48387/key rndc-key (kiokoman.home): view trusted: transfer of 'kiokoman.home/IN': IXFR started: TSIG rndc-key (serial 2019092987 -> 2019092989) 23-Jan-2020 20:56:05.485 client @0x7f53c81221e0 192.168.10.202#48387/key rndc-key (kiokoman.home): view trusted: transfer of 'kiokoman.home/IN': IXFR ended if something go wrong you should check/rise verbosity of that log