Netgate Discussion Forum: pfSense® Software / HA/CARP/VIPs
CARP/HA, SYNC and XMLRPC SYNC explained
Started by mk6032 · 1 vote · 3 posts · 9103 views
Latest reply:

      Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (persistent maintenance, reboot, leave persistent maintenance). I am still having a small problem with FreeRADIUS XMLRPC sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0).

      Regards,
      Matt

Possible to get address for CARP IP from DHCP?
Started by bigups43 · 0 votes · 3 posts · 67 views
Latest reply:

      Well alllllrighty then haha. Thanks for the quick reply!

HA SYNC XMLRPC SYNC virtual IPs alias sync
Started by mattww · 0 votes · 2 posts · 179 views
Latest reply:

      So from an old ticket:

      https://redmine.pfsense.org/issues/7010?tab=notes

      I'm confused why aliases on loopback interfaces would need to sync for an HA cluster.

How does XMLRPC config sync work across failover?
Started by MrPete · 0 votes · 5 posts · 754 views
Latest reply:

      I think there needs to be some work done, i.e. a redesign of the whole XMLRPC process.
      I could easily see times when one firewall is broken and it takes weeks to perhaps months (depending on the hardware vendor's supply) to get it replaced and syncing can be moved back to the original primary device.

      There should be an option to track changes on the secondary device and have that information tracked on the primary device, and as soon as the primary comes online there should be an option to sync the rules between devices.

      So basically what I am saying here is that a secondary node should have more involvement in this whole XMLRPC config process.

      There should also be an option, when the primary comes back online, to keep the secondary running as the main firewall until you are sure the primary firewall is working correctly again.

      Just my 2 cents of thoughts.

CARP alternative
Started by Jesper Freesbug · 0 votes · 9 posts · 2849 views
Latest reply:

      Since CARP does not work on cloud virtual environments (AWS, Google, Oracle cloud, etc), is there any other way to make pfSense work in HA configuration for cloud environments?
      If not, is there any plan to make HA cloud configuration to work in the near future?

After adding new VIP alias, pfSense is not responding to older configured IPs
Started by bakisho · 0 votes · 1 post · 119 views
No one has replied.

High Load during sync after update 2.6.0
Started by progial · 0 votes · 1 post · 154 views
No one has replied.

CARP Sync problem on NSX-T (VMware Cloud Director)
Started by skalyx · 0 votes · 1 post · 164 views
No one has replied.

HA setup however DNS clients use Primary server's DNS
Started by Spectre 988 · 0 votes · 2 posts · 212 views
Latest reply:

      @spectre-988
      The clients use for DNS what you tell them to use.
      Enter the CARP IP as the DNS server, and they will send requests to it.

      If they are configured by DHCP, tell the DHCP to send the CARP IP for DNS.
      In pfSense DHCP server you can enter it at "DNS servers".

Add HA to existing system
Started by mrjoli021 · 0 votes · 2 posts · 396 views
Latest reply:

      Well, it can be done, with minimal changes.
      You need to change the local IPs and make the HA ones VIPs.
      Not a big thing.

      But do keep in mind that all interfaces have to be created in the same order in both HA instances.

      You will need some experience with the HA setup.
      Many things can go wrong if you don't know what you are doing (as is usually the case too).

      I strongly suggest setting up a lab and experimenting with the HA setup. When you feel confident, you can proceed with the real thing.
      Doing such chores on a live system without prior experience will probably cause significant downtime.

pfSense CARP + Cisco N5k vPC
Started by DARA · 0 votes · 6 posts · 1713 views
Latest reply:

      @dara said in pfSense CARP + Cisco N5k vPC:

      @philippe-richard Hi Philippe, Thanks a lot. This is more complete and interesting than our setup.

      I wonder how you configured the connection between the routers and switches?

      In my setup, each router has a single connection to a single switch configured as an Orphan port. For now it is working perfectly.

      I am not sure however how it will handle different link and device failure scenarios but I will test it sometime soon and post my findings here.

      Hello, have you made progress on your configuration?
      Have a good day

OpenVPN client cannot access second pfSense host
Started by Eric Scace · 0 votes · 4 posts · 859 views
Latest reply:

      Could someone post an example for the necessary NAT rule(s), please?
      EDIT: got it already, at least I think so 😊

Move all CARP IPs together
Started by neilewing · 0 votes · 4 posts · 266 views
Latest reply (Derelict):

      @neilewing When an interface with a CARP VIP loses carrier, all VIPs on that host are demoted. This makes the VIPs on the other node "better" and the rest of the VIPs on the first node swing to BACKUP status (because they see the "better" advertisements) and the ones on the backup node assume MASTER (because they see that they are the "best" VIP status).
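
The demotion mechanics Derelict describes, as an added toy model; this is not pfSense or FreeBSD code. FreeBSD's CARP adds a node-wide demotion counter (sysctl net.inet.carp.demotion) to every VIP's configured advskew when it advertises, a link-down event raises that counter by net.inet.carp.ifdown_demotion_factor (default 240), and a BACKUP that hears a slower advertisement than its own takes over when net.inet.carp.preempt is on, which pfSense enables by default. Because the demotion is per node, not per VIP, every VHID on the node that lost carrier becomes "worse" at once, which is why the VIPs all swing together. The advskew values 0 and 100 are the usual pfSense primary/secondary settings; the node names and VHIDs are made up.

```python
"""Toy model of CARP master election with node-wide demotion.

Added example, not pfSense or FreeBSD code. It mirrors the comparison
FreeBSD's carp makes: each node advertises with an effective skew of
min(configured advskew + demotion, 254), the advertisement interval is
(advbase seconds, skew/256 seconds), and with preemption on the node with
the shortest interval for a VHID ends up MASTER.
"""
from dataclasses import dataclass

CARP_MAXSKEW = 254
# FreeBSD default for net.inet.carp.ifdown_demotion_factor; pfSense's
# persistent CARP maintenance mode raises net.inet.carp.demotion similarly.
IFDOWN_DEMOTION = 240


@dataclass
class Node:
    name: str
    advskew: dict          # vhid -> configured advskew (made-up values below)
    advbase: int = 1
    demotion: int = 0      # node-wide, like sysctl net.inet.carp.demotion

    def effective_skew(self, vhid: int) -> int:
        return min(self.advskew[vhid] + self.demotion, CARP_MAXSKEW)

    def interval(self, vhid: int) -> tuple:
        # (sec, usec): the timeval FreeBSD compares between its own
        # advertisement and the one it just received
        return (self.advbase, self.effective_skew(vhid) * 1_000_000 // 256)


def elect(nodes: list) -> dict:
    """Return {vhid: master node name}; None marks a tie, which flaps in practice."""
    masters = {}
    for vhid in sorted(set().union(*(n.advskew for n in nodes))):
        ranked = sorted((n for n in nodes if vhid in n.advskew),
                        key=lambda n: n.interval(vhid))
        tie = len(ranked) > 1 and ranked[0].interval(vhid) == ranked[1].interval(vhid)
        masters[vhid] = None if tie else ranked[0].name
    return masters


def link_down(node: Node) -> None:
    """Carrier loss on any CARP-carrying interface demotes the whole node."""
    node.demotion += IFDOWN_DEMOTION


def link_up(node: Node) -> None:
    node.demotion = max(0, node.demotion - IFDOWN_DEMOTION)


def failover_scenario() -> tuple:
    """Three VIPs on two nodes; one link drops on the primary and comes back."""
    primary = Node("primary", {10: 0, 20: 0, 30: 0})
    secondary = Node("secondary", {10: 100, 20: 100, 30: 100})
    before = elect([primary, secondary])
    link_down(primary)          # e.g. the cable carrying VHID 10 is pulled
    during = elect([primary, secondary])
    link_up(primary)
    after = elect([primary, secondary])
    return before, during, after


if __name__ == "__main__":
    for label, state in zip(("before", "link down", "restored"), failover_scenario()):
        print(f"{label:>10}: {state}")
```

Run stand-alone it prints all three VHIDs on the primary, then all three on the secondary while one primary link is down, then back on the primary once carrier returns. Two nodes configured with the same advskew for a VHID come out as a tie, which is the flapping case to avoid.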

Netgate 1537, OpenVPN & CARP High Availability
Started by cboenning · 0 votes · 3 posts · 453 views
Latest reply:

      @viragomann We indeed had very strange routing issues at the location where the pfSense instances are deployed. It's really nothing wrong with them, but we had a strange situation in combination with our WAN switches and the LACP upstream to the provider.

      OpenVPN to the CARP Address is now running stable.

Azure Load Balancer Probe IP Routing
Started by SCITECH · 0 votes · 1 post · 306 views
No one has replied.

pfSense CARP switches from MASTER/BACKUP randomly
Started by pfsense7515 · 0 votes · 7 posts · 750 views
Latest reply (Derelict):

      @pfsense7515 Need to look at what caused that. That is only part of the event. There are also logs like links going down and up, etc.

HAProxy - max_execution_time more than 30 sec
Started by MisterDeeds 0 · 0 votes · 1 post · 311 views
No one has replied.

HAProxy redirects to wrong IP
Started by Robban 0 · 0 votes · 1 post · 530 views
No one has replied.

Accessing the slave from remote networks
Started by bakisho · 0 votes · 6 posts · 601 views
Latest reply:

      @derelict
      IT WORKS!
      Thank you

CARP "Master" in All Nodes
Started by brunoroza · 0 votes · 4 posts · 415 views
Latest reply (Derelict):

      @brunoroza If that is really the case then your switch is likely not properly passing the CARP advertisements. They are multicast to 224.0.0.18.

      20:17:32.490656 IP 172.25.228.18 > 224.0.0.18: CARPv2-advertise 36: vhid=228 advbase=1 advskew=0 authlen=7 counter=2770184658337638700

      If those are not received by the secondary node, it will also become MASTER and begin advertising its CARP VIP.
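
The advertisement Derelict shows, decoded as an added Python example; this is not tcpdump, FreeBSD or pfSense code. The layout follows FreeBSD's struct carp_header: a version/type byte (0x21 for a CARPv2 advertisement), vhid, advskew, authlen (length of counter plus HMAC in 32-bit words, so 7 for 8+20 bytes), a reserved byte, advbase, a 16-bit checksum, a 64-bit counter and a 20-byte SHA1 HMAC, 36 bytes in total, which is the "36" in the tcpdump line. For IPv4 the checksum is the ordinary Internet checksum over those 36 bytes with no pseudo-header. The sample packet is constructed here to carry the field values from the post; the HMAC bytes are zero filler because the real value depends on the VHID password, which is not on the page.

```python
"""Parse and build CARPv2 advertisements (IP protocol 112, multicast 224.0.0.18).

Added example, not pfSense/FreeBSD/tcpdump code. Field layout per FreeBSD's
struct carp_header; SAMPLE is constructed to match the tcpdump line in the
post (vhid=228 advbase=1 advskew=0 authlen=7 counter=2770184658337638700).
"""
import struct

CARP_PROTO = 112
CARP_GROUP = "224.0.0.18"
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
_FIXED = struct.Struct("!BBBBBBH")  # ver/type, vhid, advskew, authlen, pad, advbase, cksum
HDR_LEN = _FIXED.size + 8 + 20      # + 64-bit counter + 20-byte SHA1 HMAC = 36


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means the data already carries a good checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vhid: int, advskew: int, advbase: int, counter: int,
                        hmac: bytes = b"\x00" * 20) -> bytes:
    if len(hmac) != 20:
        raise ValueError("CARP carries a 20-byte SHA1 HMAC")
    authlen = (8 + len(hmac)) // 4              # counter + HMAC in 32-bit words -> 7
    vt = (CARP_VERSION << 4) | CARP_ADVERTISEMENT
    tail = struct.pack("!Q", counter) + hmac
    head = _FIXED.pack(vt, vhid, advskew, authlen, 0, advbase, 0)
    cksum = inet_checksum(head + tail)
    return _FIXED.pack(vt, vhid, advskew, authlen, 0, advbase, cksum) + tail


def parse_advertisement(payload: bytes) -> dict:
    """Decode one CARP header; raises ValueError on anything a receiver would drop."""
    if len(payload) < HDR_LEN:
        raise ValueError("short CARP header")
    vt, vhid, advskew, authlen, _pad, advbase, _ck = _FIXED.unpack_from(payload)
    if vt >> 4 != CARP_VERSION or vt & 0x0F != CARP_ADVERTISEMENT:
        raise ValueError("not a CARPv2 advertisement: type byte 0x%02x" % vt)
    if inet_checksum(payload[:HDR_LEN]) != 0:
        raise ValueError("bad CARP checksum")
    (counter,) = struct.unpack_from("!Q", payload, _FIXED.size)
    return {
        "vhid": vhid, "advskew": advskew, "advbase": advbase, "authlen": authlen,
        "counter": counter, "hmac": payload[_FIXED.size + 8:HDR_LEN],
    }


def tcpdump_style(payload: bytes) -> str:
    """Render the fields the way the post's tcpdump line does."""
    f = parse_advertisement(payload)
    return ("CARPv2-advertise %d: vhid=%d advbase=%d advskew=%d authlen=%d counter=%d"
            % (HDR_LEN, f["vhid"], f["advbase"], f["advskew"], f["authlen"], f["counter"]))


# Constructed sample reproducing the fields in the post; the HMAC is filler.
SAMPLE = build_advertisement(vhid=228, advskew=0, advbase=1, counter=2770184658337638700)

if __name__ == "__main__":
    print(tcpdump_style(SAMPLE))
```

The checksum check is what makes a corrupted or truncated advertisement invisible to the other node; a switch that drops 224.0.0.18 entirely has the same effect on a larger scale, and both end with two MASTERs.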

HAproxy for NFS connection
Started by MisterDeeds 0 · 0 votes · 1 post · 410 views
No one has replied.

Issues with Server behind pfSense cluster + 1:1 NAT and virtual IP (IP Alias)
Started by thomas.hohm · 0 votes · 3 posts · 816 views
Latest reply:

      Update: after turning the whole infrastructure upside down we found the solution.
      It's the limiter bug that is already known. After removing the limiter from the firewall rule (it was just one catch-all rule for the whole NAT traffic), it works as before.
      Which also means: the same setting worked perfectly fine before the upgrade.

      I am so much hoping for a soon fix of the limiters in an official update or release!

HA randomly BACKUP goes to MASTER state
Started by m4rek11 · 0 votes · 21 posts · 1443 views
Latest reply:

      @m4rek11 After applying the patches, I did not notice that the routers changed roles Master -> Backup, Backup -> Master.
      All the problems went away, along with those that occurred when I made any changes to the rules, DNS or DHCP.

      I found my configuration error early. For an unknown reason, for 2 different networks I set the same VHID for the Virtual IP. But the problems were still there. After applying the patches, the problem was gone.
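
A check for the reuse the poster found, as an added Python example; this is not pfSense code. It walks the virtualip/vip entries of a pfSense config.xml backup and reports every VHID reused on the same interface, which always collides, separately from every VHID reused across different interfaces, which collides only when those interfaces end up in the same broadcast domain (VLANs landing on the same switch ports, for instance) but is worth reviewing. The element names (mode, interface, vhid, advskew, advbase, subnet, descr) follow pfSense's config.xml layout as I know it and are an assumption to verify against a real backup; the configuration below is constructed for the example.

```python
"""Inventory CARP VHIDs in a pfSense config.xml and flag reuse.

Added example, not pfSense code. Element names (virtualip/vip/mode/interface/
vhid/advskew/advbase/subnet/descr) follow pfSense's config.xml layout as I
know it; confirm against a real backup before relying on them.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: VHID 5 appears on two different interfaces (the
# poster's mistake), VHID 7 twice on the same interface (always a collision).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><advskew>0</advskew><advbase>1</advbase><subnet>203.0.113.10</subnet><subnet_bits>24</subnet_bits><descr>WAN VIP</descr></vip>
    <vip><mode>carp</mode><interface>lan</interface><vhid>5</vhid><advskew>0</advskew><advbase>1</advbase><subnet>192.0.2.1</subnet><subnet_bits>24</subnet_bits><descr>LAN VIP</descr></vip>
    <vip><mode>carp</mode><interface>opt1</interface><vhid>5</vhid><advskew>0</advskew><advbase>1</advbase><subnet>198.51.100.1</subnet><subnet_bits>24</subnet_bits><descr>DMZ VIP</descr></vip>
    <vip><mode>carp</mode><interface>opt2</interface><vhid>7</vhid><advskew>0</advskew><advbase>1</advbase><subnet>10.10.10.1</subnet><subnet_bits>24</subnet_bits><descr>guest gw</descr></vip>
    <vip><mode>carp</mode><interface>opt2</interface><vhid>7</vhid><advskew>0</advskew><advbase>1</advbase><subnet>10.10.20.1</subnet><subnet_bits>24</subnet_bits><descr>guest gw 2</descr></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><subnet>203.0.113.11</subnet><subnet_bits>32</subnet_bits><descr>alias, no VHID</descr></vip>
  </virtualip>
</pfsense>
"""


def carp_vips(config_xml: str) -> list:
    """Return [(vhid, interface, subnet, descr)] for every CARP-mode VIP."""
    root = ET.fromstring(config_xml)
    out = []
    for vip in root.iterfind("./virtualip/vip"):
        if vip.findtext("mode") != "carp":
            continue  # IP aliases and proxy ARP entries carry no VHID
        out.append((int(vip.findtext("vhid")), vip.findtext("interface"),
                    vip.findtext("subnet"), vip.findtext("descr") or ""))
    return out


def vhid_reuse(config_xml: str) -> dict:
    """Group CARP VIPs by VHID and classify reuse.

    'same_interface': VHID reused on one interface, a certain collision.
    'cross_interface': VHID reused on different interfaces; collides only if
    those interfaces share a broadcast domain, so review rather than reject.
    """
    by_vhid = defaultdict(list)
    for vhid, iface, subnet, descr in carp_vips(config_xml):
        by_vhid[vhid].append((iface, subnet, descr))
    report = {"same_interface": {}, "cross_interface": {}}
    for vhid, uses in sorted(by_vhid.items()):
        if len(uses) < 2:
            continue
        ifaces = [u[0] for u in uses]
        kind = "same_interface" if len(set(ifaces)) < len(ifaces) else "cross_interface"
        report[kind][vhid] = uses
    return report


if __name__ == "__main__":
    for kind, hits in vhid_reuse(SAMPLE_CONFIG).items():
        for vhid, uses in hits.items():
            detail = ", ".join(f"{i} {s} ({d})" for i, s, d in uses)
            print(f"{kind}: VHID {vhid} used by {detail}")
```

Point it at a downloaded config.xml (Diagnostics > Backup & Restore) from the primary; since the secondary receives the same VIPs over XMLRPC sync, one inventory covers both nodes.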

High Availability port forward to VIP - am I doing this right?
Started by digger30 · 0 votes · 13 posts · 1048 views
Latest reply:

      @digger30 Perfect! Glad I could be of assistance.

LAN only HA + OpenVPN
Started by jasontaubman · 0 votes · 1 post · 622 views
No one has replied.

Upgrade to 2.6 redeploy ZFS layout CARP
Started by junicast · 0 votes · 4 posts · 1289 views
Latest reply (jimp):

      The maintenance mode switch is in the config and persists across reboots.

inconsistent icmp packets with VIP
Started by parsecadmin · 0 votes · 1 post · 693 views
No one has replied.

a communications error occurred while attempting to call xmlrpc method host_firmware_version: request timed out due to default_socket_timeout php.ini setting
Started by philippe richard · 0 votes · 1 post · 813 views
No one has replied.

After CARP failover packets go out the wrong WAN
Started by chrullrich · 0 votes · 8 posts · 1833 views
Latest reply:

      @chrullrich I replaced the pfSense 2.6 "local router/firewall"s in my test setup with OPNsense 22.1 (this is FreeBSD 13.0 instead of pfSense 2.6's 12.3) to get a second opinion. The behavior is the same: As soon as the CARP failover happens, everything sent towards the "Internet" goes out the default route with the NATed source address appropriate for the policy route.

      When I tried it the first time today I thought I saw ping (and only ping) work correctly, but now I cannot reproduce it. I probably just saw what I wanted to see.

CARP and IP Alias on additional IPs routed to us by the data center
Started by professor · 0 votes · 4 posts · 994 views
Latest reply:

      @derelict
      Yeah, same conclusion I had.

      @viragomann
      Yup.

No XMLRPC sync for rrd (Monitoring) settings, packages, Dashboard...
Started by luckman212 · 0 votes · 1 post · 779 views
No one has replied.

Crestron NVX not working with CARP interface
Started by bolvar · 0 votes · 1 post · 732 views
No one has replied.

HAProxy issue to resolve local IP
Started by overlaps · 0 votes · 3 posts · 1184 views
Latest reply:

      @viragomann

      Issue resolved with a hostname override and HAProxy listening on the LAN interface.

      Thx

CARP IPv6 with routed network
Started by skid9000 · 0 votes · 2 posts · 1463 views
Latest reply:

      @skid9000 Perhaps some screenshots of the setup? Can you get it working without the VLANs and add those in after? I've not had occasion to set HA up with VLANs but have done so with aliases for other subnets on LAN.

Download-speed drops to 0 when pfSense statesync is enabled
Started by unico-dm · 0 votes · 5 posts · 1524 views
Latest reply:

      Just for your info. We've now seen the issue on multiple installations (even different hardware and pfsense versions) and could solve it on every single system by moving the sync-vlan to a dedicated physical interface.

Best way to access failover HA node from another subnet?
Started by planedrop · 0 votes · 1 post · 821 views
No one has replied.

ESX Physical NIC Failure Fails to Trigger Failover
Started by carlsond · 0 votes · 1 post · 841 views
No one has replied.

Issue with XMLRPC after adding a NAT rule
Started by mattiav · 0 votes · 7 posts · 1502 views
Latest reply:

      @viragomann
      I think it's that:
      https://forum.netgate.com/topic/150505/xmlrpc-restore_config_section-error

      because my rule to NAT with the CARP IP makes the backup node unable to reach the gateway,
      so, as it's explained in that link you sent:

      Filter reload sees the down gateway and resets states, terminating the connection currently used for XMLRPC.

      It makes sense.
      Thank you very much, I think you resolved my issue :)

How Does "This Firewall (Self)" Apply in CARP Setups?
Started by planedrop · 0 votes · 17 posts · 1822 views
Latest reply:

      @kayavila OK this is great info, thank you! I read your entire write up you linked to as well but I'm still trying to wrap my brain around it. Think I've got it figured out but wanted to pose an example.

      This particular one will be between different VLAN/subnets rather than with WAN as I personally don't ever allow those connections via the WAN.

      So in theory if you had VLAN1 and VLAN2 set up, and there was an any-any rule below a block "This Firewall" rule on VLAN1, and some device on VLAN1 tried to contact the LAN interface of VLAN2, due to state syncing this would be let through? Since the first node would see the connection to the VLAN2 IP and see that it's not in its block list but matches the any-any rule, and then the state would sync to the secondary which wouldn't assess its rules?

      If that is the case, I would imagine not having a rule on the primary node that allows access to any would solve the issue, but since some people do use an any rule for internet access it could pose a problem (though best practice is of course to use an alias for RFC1918 and explicitly allow the inverse of that).

VIP & NAT
Tags: vip, nat, mail
Started by Alek · 0 votes · 3 posts · 1325 views
Latest reply:

      @viragomann
      Thanks !
      Went with the port forward + outbound option, NAT is working finally.