• Failover - what gets synced?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    P
    Do CARP IP addresses work with load balancing?
  • CARP w/ LB & 3x WAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    dotdash
    Active/Passive is currently the only supported configuration. You are correct in that you should add a dedicated interface for the sync. The carp tutorial is a good place to start: http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm
  • 0 Votes
    3 Posts
    3k Views
    E
    Hi, thanks for the reply. I have not looked at this in a while as it did not seem possible, and as of yet it is not possible. We do use multihomed DNS, however it is not ideal as there is no failover: if a server goes down, DNS does not automatically remove or change the DNS record, which means there is a failure and no response for x% of requests made (depending on how many hosts are in the loop). I would still like to find a solution for this, if possible without having to fly out to the data centre to reconfigure the entire network :) Thanks
  • Two PS-Sense server in a virtual environment for redundancy

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    F
    I posted some responses from dotdash, I still have a few things not quite configured correctly. I created my second PF-Sense machine by copying my first box. The only difference is the IP address and the name of the server. I have the following settings:
      Synchronize Enabled
      Synchronize Interface - OPT2
      pfSync sync peer IP 192.168.17.2
      Synchronize rules
      Synchronize NAT
      Synchronize IPsec
      Synchronize Virtual IPs
      Synchronize traffic shaper
      Synchronize to IP 192.168.30.2
      Remote System Password (username reset to ADMIN and password set to match on both servers)
      Added Virtual IP to the Master machine: Type = CARP, Address 192.168.17.2 /24, matched the VIP password, VHID group 1, Advertising Frequency 0
      Rules OPT2: All traffic set to pass between servers
    When I bring up the second server, CARP comes up with FW1 as master and FW2 as backup. However, I see two issues at that point: even with 192.168.14.2 added as a second gateway, I can't access the internet, and IPSEC tunnels appear to be up on both firewalls. I really want to get this running due to my occasional virtual server issue. Many thanks, RC
  • Bug with webgui for load balancer status?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    <taps microphone> hello, is this thing on? :D
  • Virtual IP in CARP environment

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    2 Posts
    5k Views
    J
    After doing some more digging, I figured it out.  It was a VMWare thing. I had to set the virtual adapter with a security policy exception to allow promiscuous mode. There seems to be another issue though - it seems as though there is another client out there on the WAN (albeit, on a different VLAN) using a pfSense box, because I see the same MAC address as what my pfSense box is using for my CARP MAC Address. Is there a way to change the CARP MAC address so I can differentiate my MAC address from this other person's?
  • How is CARP supposed to be setup?

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    dotdash
    There is a lot in your post, but I'll try to answer some of your questions.
    @Izinyoka: Does the firewall use its own WAN IP for outbound connections, or does it use the VIP?
    You should use AON and specify your CARP address for outgoing.
    @Izinyoka: 2. Can it also provide redundancy for ISP failure?
    CARP is generally used to provide failover if your firewall has a hardware problem. ISP redundancy is a separate issue. You can use multi-WAN failover as one solution.
    @Izinyoka: 3. I'm sure I read somewhere that CARPDev can provide redundancy like in case 1. with only one public IP, is that correct? Because it looks like CARPDev is included in version 2 and I tried it but I don't see a difference (inbound packets are still distributed between both boxes randomly).
    I have to check out the newest 2.0 snaps, but AFAIK, CARPDEV is not yet stable on FreeBSD and not in 2.0. If you were using CARPDEV, the WAN interfaces would have private IPs and they would share the public CARP IP.
  • CARP and Multiple Switches

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    G
    @purdue512: I feel for you here. You are doing the right thing.. I did the same (put two switches on the private (lan) side to avoid a single point of failure). But I did not have any CARP problems. I was under the impression that the carp traffic was through the synch link…  At least for me.. Do you have your incoming WAN links setup this way or just the lan side? Andy
  • Internal Loadbalancing Issue

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    I think the issue on your internet LB is that you are NATing on the same subnet. I know that we've never been able to do this in two different implementations that are similar to yours…  Just ain't gonna work.
  • Internal Layer 2 load balancing

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Load balancing cluster with a failover capability for a lan party

    Locked
    6
    0 Votes
    6 Posts
    6k Views
    GruensFroeschli
    @blak111: You could also accomplish this using static only DHCP entries for the machines on each firewall if you don't have VLAN capable switches.
    Yeah. We did that at the last LAN party I helped organize. But if you cannot get your guests to register their MAC before the party it's a pain in the ass… People check in; someone has to go to their place and get their virus-check and their MAC, go back to the checkin, add their MAC to the list at the correct place.... Maybe in the end too much of a hassle.
  • Multiple WAN IPs, NATing to DMZ servers

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    T
    Hi, I have a simpler setup with just WAN and LAN. The WAN has 5 static IPs. I wanted to forward the ports to the servers internally. The primary IP assigned responded very fast. But the other VIPs have very slow response. To make a valid test, I forwarded the http port of each static IP to an internal IP of the same internal server (with different LAN IP respectively) using virtual host, serving the same exact content. I've tried using VIP as CARP, PARP, and other. All have performance issues on the VIPs. Does anyone know the cause of this? Thanks, Tommy BTW: I'm using pfsense version 1.2.1 RC2. I have 0 In/Out errors on status > NICs.
  • CARP on C class that routes to my WAN IP

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    dotdash
    FWIW, there is some discussion of this here: http://forum.pfsense.org/index.php/topic,7039.0.html
  • Loadbalance between 2 clustered pfsense boxes

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    CARP supports active/active setup, but pfsense doesn't (at least not out of the box). If you want such an advanced configuration I would advise you to study CARP and fix pfsense to be in active/active (switches are important too in this case). If you do it, post a detailed description on how you did it, so others can follow. The easier option would be just to upgrade the hardware of your firewalls. If you have such traffic you have to have enough money. You could even buy support from Sullrich, I'm sure he would help you set up an active/active freebsd install if you paid for it. :-)
  • Load balancing + multiple NIC address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    I haven't used virtual server pools and other related stuff with pfsense yet, but it should be nothing more than a bunch of DNAT rules. For those you need VIPs (virtual IPs). I would recommend you go and create one CARP VIP, then try to use it in your load balancing options.
  • CARP and BGP

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    H
    As far as I know pfsense doesn't have to be BGP aware (I could be wrong though). You would set it up the same way as if there were no BGP, just make sure that both firewalls are connected to all networks.
  • Losing packets when using VIP

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    I guess no one understands your post. How can you still access (measure the pings) if you remove the VIP and NAT rule? If you remove those then you cannot access the user behind in LAN from internet, so you cannot measure it.
  • CARP, pfsync and test if load balancing working

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    H
    'Cause no one responded, I'll try. What kind of load balancing do you do? Outbound internet load balancing or inbound load balancing to servers?
  • 4 carp interfaces yet fw2 is the master for one carp address

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    F
    Hello, I think I posted too soon. I discovered that I had a slight misconfiguration in one of the firewalls' interface settings: it was set as a /24 when it should have been /25, so therefore the new subnet I was adding was encompassed into the /24 range. I will post back if I'm still having the issue. I just reconfigured the firewalls and am rebooting the backup one. So far it looks good, I can actually route through that network onto the internet now. Sorry for wasting your time.