@xlameee
If the gateway is up depends on the setup. If each box has an IP in within the gateway subnet it should be up though.
However, it have to be up on the box which has the master rule at all.

@smith-0 said in BGP with CARP and two ISP:

With this setting I have one feed to each ISP and I don’t have to wait for BGP rebuild in case of failure of one PFSense.

Should read :
With this setting I have two feeds from both PFSense to the ISP and I don’t have to wait for BGP rebuild in case of failure of one PFSense.

Hello,
I'm experiencing the same config and difficulties. Two PFsense (2.4.5p1) with CARP and two ISPs.

Have to annonce a network, with the "set nexthop" to external CARP IP.
But is it correct with openbgp to have the same network announced twice but with a different set nexthop ?

Eg (with RFC 1918 addresses) :

10.10.10.0/24 set nexthop 192.168.1.1
10.10.10.0/24 set nexthop 172.16.1.1

(or here https://forum.netgate.com/topic/51849/openbgp-with-carp-nexthop-carp-ip-carp )

Or will openbgp drop the second network announce ?

Thanks.

Alright man ofc that makes perfect sense. Many thanks for your reply.

@kom I'm using VMware ESXi v.7 (latest update).
I really don't understand why I'm experiencing this strange behaviour.

May be the problem related to the pfsense version I'm using (the latest one - v.2.5.2 community edition). I think that promiscuous mode should detect neighbours traffic, maybe it's normal. But something is wrong in pfsense that shows neighbours traffic also in STATUS->TRAFFIC GRAPH-> WAN using LOCAL filter.

Anyway, thank you for the time you spent for me.

@jokabo
So you had just to add it as type IP alias on the master, select the proper CARP address at interface, otherwise it doesn’t failover properly.

@ultrahkr the vSwitch shouldn't matter as it's not getting an IP, the ISP won't see it. What you need to do is set static MAC on the VM's, but unfortunately you cannot do that on the CARP. So, you may have to rely on DNSRR for external items coming in, if that is the concern.

@pfsenseuser1234 Why three? There's simply too much traffic for one (over 50k requests/minute, over 2Gbps of upload). Two is enough for now, third one is just to be safe.

No problem with that :)

I'm guessing pfsense can handle 50k req/min for now and I would be fine with simple active-standby approach. But what if I go to 100k by the end of the year? Or 150k. I'll probably hit some limit sooner or later. That's why I'm thinking about multi-master configuration.

I can understand the thought, but pfSense simply can't work in an active-active constellation.

*Not only volumetric DDoS (>10Gbps to kill one VM), but also SYN floods, DNS amplifications, slow HTTP requests… I get them all.

OK you could get various DDoS but the goal of all is clear: denial of service via massive flooding. Be it SYN, be it DNS, be it slow HTTPs. You can filter out some, but at the end your own firewall will give up or your upstream pipe is full. DDoS mitigation is nothing you can do on your end/site in a meaningful way. Yes you can somehow slow the process and try to mitigate the hit but with enough firepower / distribution you'll get nuked nonetheless. So if you get hit on a continuous fashion the only really helpful thing is bringing a CDN into play and (actually) try to hide the real endpoint addresses so they don't actually leak out (or the attacker will just ignore the CDN and hit the IP). That's the point where Cloudflare, Akamai or Stackpath etc. come into play.

Other then bringing a CDN into play and balancing your three proxies out for traffic reasons, I don't see a quick/simple way to bump that up further. But perhaps some other can chime in.

Cheers

@kom I run a ton of personal stuff at home as well
Mainly CCTV and file servers,
so for me its way more cost effective to run the game servers on the hardware I already have
(If I was making money from this then yes id put the money back into a VPS)
Also some of the game servers I run take a bit of grunt to run, so running on my own hardware is much cheaper

If you can tag a VLAN on that interface, traffic shaping does work with LAGG+VLANs since at that point traffic shaping is only on the VLAN, not the LAGG directly.

We hoped to have the updated pf code to let this work would be in 2.5.2 but it still needed some work and had to be backed out.

It's in 2.6.0 snapshots already but still needs work yet, may be a couple weeks before it's in a state were this would be testable in a viable way.

It resolved by using change default gateway in server. My server was using two gateways. (that uses two uplinks)

@kom
Thanks for your help, my understanding was incorrect. I got it now.

@steveits Thanks for the link, looks like that's my issue.