• CARP/HA, SYNC and XMLRPC SYNC explained

    Pinned
    3
    1 Votes
    3 Posts
    13k Views
    M
    Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (perst maint, reboot, leave persist maint). I am still having a small problem with freeradius xmlrpc sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0). Regards, Matt
  • Documentation suggestion of NOT using /32 for the VIP seems wrong

    5
    0 Votes
    5 Posts
    265 Views
    P
    Alright last post from me. Leaving it here so someone can find it. The documentation concerning carp is wrong: "A High Availability cluster using CARP needs three IP addresses in each subnet along with a separate unused subnet for the Sync interface." The fact is, a High Availability cluster using CARP needs only one IP address. It only ever needed one IP address. This statement directly contradicts all the documentation available from carp(4) and the FreeBSD handbook. The distinction that I initially missed, but now have reread and understand is that when using a single IP assigned to a VIP, so long as there isn't an existing network with another IP in that same network, then the network for that VIP should in fact be a whatever that network is. Otherwise it should be a /32. Let's put it this way for a further understanding (sudo interface configuration): Server 1 (Primary): ifconfig em0 inet 192.168.0.10.1/24 ifconfig em0 inet 192.168.0.0.2/24 alias ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias Server 2 (Backup): ifconfig em0 inet 192.168.0.0.2/24 ifconfig em0 inet 192.168.0.0.3/24 alias ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias In the above example, if the OS chooses the VIP of 192.168.0.1/24 for packets sourced from Backup, Backup will never see the response, as they'll go to Primary instead. Going to primary is the expected part. Source selection of 192.168.0.1 is the unexpected but, It's unexpected because the netgate documentation is just wrong as this VIP should have been a /32. Documentation where the VIP isn't a /32 to which netgate is correct: Server 1 (Primary): ifconfig em0 inet 192.168.0.10.1/24 ifconfig em0 inet 192.168.0.1.1/24 alias ifconfig em0.123 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias Server 2 (Backup): ifconfig em0 inet 192.168.0.0.2/24 ifconfig em0 inet 192.168.0.1.2/24 alias ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
  • Possible pfSync issues

    1
    0 Votes
    1 Posts
    146 Views
    No one has replied
  • Dynamically route to a backend or a server from a backend?

    1
    0 Votes
    1 Posts
    118 Views
    No one has replied
  • HA DNS/Unbound Fails on Backup Node after CARP Failover (pfSense 2.8.0)

    5
    0 Votes
    5 Posts
    326 Views
    empbillyE
    @netblues The problem was with the outbound NAT rules. I had disabled our AD's VLAN so that it would connect to the internet using its own IP address rather than CARP, but I didn't realize that this would interfere. After enabling it, it worked correctly. Thanks for your help!
  • No failover when Gateway is offline

    4
    0 Votes
    4 Posts
    302 Views
    M
    @viragomann said in No failover when Gateway is offline: Both? No, only the WAN cable connected to the primary device. @viragomann said in No failover when Gateway is offline: In a HA CARP setup the backup node gets CARP advertisements from the master on each interface. If this is missing, the it takes over the master role. But why doesn't it always take over all the interfaces ?
  • HAProxy configuration for roundcube

    5
    0 Votes
    5 Posts
    290 Views
    N
    @viragomann The solution was to change the DocumentRoot from /var/lib/roundcube to /var/lib/roundcube/public_html, courtesy of the Roundcube forum. This is where my internet searches were giving the wrong DocumentRoot.
  • Doubts on CARP/HA/DUALWAN

    11
    0 Votes
    11 Posts
    443 Views
    C
    I agree with WoW that, even though it can be done, it's a level of complexity I don't really need. If, in real-world experience, a server switch is triggered just because a cable gets unplugged, I’ll see how I can work around it. @netblues thanks a lot for showing me a possible solution to my concern! Thank you very much to both of you for sharing your konowledge and time!!
  • Dynamic dns don't work with carp ip

    8
    0 Votes
    8 Posts
    526 Views
    M
    @lbeard said in Dynamic dns don't work with carp ip: Done => https://redmine.pfsense.org/issues/16326 Great, thanks
  • Hyper-V Failover Clustering

    2
    0 Votes
    2 Posts
    304 Views
    S
    @bimmerdriver You need one IP that can move between the routers. Technically both WANs can be private IPs…Comcast business allows for this even if their modem is bridged, then the shared IP is a public. Maybe that helps.
  • multiple ISP/WAN interfaces

    6
    0 Votes
    6 Posts
    441 Views
    N
    @georgelza said in multiple ISP/WAN interfaces: I want to make it as simple as possible, without me becoming their IT department.... Well, you ARE their it department. Leave it as it is, if it works why fix it?
  • Switches getting wrong MAC for CARP interface

    8
    0 Votes
    8 Posts
    409 Views
    S
    Just for reference: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#switch-layer-2-concerns "switch must...Allow traffic to be sent and received using multiple MAC addresses"
  • CARP Protocol Requests Blocked on pfSense 2.8.0 HA Setup

    1
    0 Votes
    1 Posts
    169 Views
    No one has replied
  • ISP CPE reboot causing problems

    1
    0 Votes
    1 Posts
    140 Views
    No one has replied
  • CARP Error

    1
    0 Votes
    1 Posts
    182 Views
    No one has replied
  • Can I duplicate VHID group in CARP VirtualIP ?

    5
    0 Votes
    5 Posts
    377 Views
    BenGonGonB
    @patient0 Thank you very much for yours knowledges.
  • Slow Ipsec when CARP is enabled and behind primary

    1
    0 Votes
    1 Posts
    177 Views
    No one has replied
  • HA CARP VIPs for 1:1 NAT?

    3
    0 Votes
    3 Posts
    581 Views
    R
    @SteveITS Thanks for the link. I had not considered the VIP stacking idea. I'm not sure how much of an issue my setup will have with VIP multicast traffic on my WAN link but good to know this technique is available to reduce some of that. Again, thanks for the link.
  • How to make HA on 2 pfSense on bare metal WITH 4 x UPLINKS WANs ?

    40
    0 Votes
    40 Posts
    7k Views
    Sergei_ShablovskyS
    @stephenw10 said in How to make HA on 2 pfSense on bare metal WITH 4 x UPLINKS WANs ?: Well it would remove load from the firewall. So if you were under a DDoS attack and needed to still route between internal subnets that could be useful. But it wouldn't help with the attack itself much. Agree! Anyway for middle/big DDoS better to deal on local ISPs + CloudFlare level. Here no room for edge FW… :) Let me to note, if thinking in “Zero thrust” direction, also FW on end local node/service as “fine tuning firewalling” would be great, because each end node better know what particular (and how) need to be secured. So at the end we build 3-layered (as minimum) defense: ACLs on edge ASIC-based switches; pfSense as edge FW; PF/IPF/IPFW FW (sertificates, tokens, etc…) on end node/service; What do You think about this 3-layered scheme, @stephenw10 ?
  • HA Setup with Multi-WAN and DHCP Guide

    7
    1 Votes
    7 Posts
    3k Views
    F
    Happy to report that I was able to upgrade both of my servers to CE 2.8 with no issues. Everything still works as expected.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.