• Pfsync and CARP failover sequence

    I agree, this is my setup so far (for tests):
    Interfaces
    FW-master:
      WAN: 172.16.0.10/23
      WAN-Carp: 172.16.0.1/23
      LAN: 192.168.0.10/23
      LAN-Carp: 192.168.0.1/23
      Sync: 172.16.2.1/23
    FW-Slave:
      WAN: 172.16.0.20/23
      LAN: 192.168.0.23/23
      Sync: 172.16.2.2/23
    Any ping tests I do have no issues, the failover is pretty seamless; however, if I have an SSH session running at a failover [Master -> Slave or vice versa], the SSH session fails. Since the ping tests work I am inclined to say the failover works, but the states are not being maintained at failover, hence SSH fails. Any insight on what I might be missing? I followed the instructions outlined here to get this up: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) I am not sure if there is anything apart from the setup itself that would cause this behavior. Both nodes are running on dedicated hardware.
  • Upgrade procedure 2.1.5->2.2 with CARP active

    https://doc.pfsense.org/index.php/Upgrade_Guide#Upgrading_High_Availability_Deployments I've upgraded a CARP system from 2.1.4 as described there. No issue. However, in CARP mixed mode 2.1.x + 2.2 the states are not synced to the slave, so connections are lost if the 2.1.x master takes over CARP master again, e.g. if you restart the machine. If you don't want that, pull out the WAN cable.
  • CARP not working after upgrade from 2.1.5 to 2.2

    Dear All, I am still facing the issue that CARP is not working. The last interface coming up becomes master regardless of the skew setting. Could someone please be so kind as to write in a few words how the requirements for getting CARP to work in version 2.2 differ from what is written in the draft book on 2.1 in chapter 25, in particular the example redundant configuration on page 472ff? From what I gather, CARP in 2.2 still generates an interface which reads like XXX.XXX.XXX.1 (LAN CARP VIP), i.e., the typical router IP on a typical LAN, and XXX.XXX.XXX.2 (WAN CARP VIP), i.e. not the typical router IP on a typical WAN. Behind NAT, I suspect that one still has to create manual outbound rules translating to the WAN CARP VIP(s). Thank you very much, Michael
  • VIP + 1:1 NAT on CARP Setup Not Working When Slave Online

    Thanks for the reply cmb! Yes, that's very likely the case. I finally RTFM and found that I need to set these up as CARP VIPs as well, which I did… then I brought the secondary pfSense box online and it decided to pick up some VPN connections that were already established on the master. The connections are listening on the CARP interfaces so I'm not quite sure what happened this time. Looks like I'm going to be working on this over the weekend. I will check back and confirm as far as this particular issue goes.
  • Master/Slave Manual Failover

    You can accomplish that with the "Persistent CARP Maintenance Mode" on 2.2. Just click that button under Status>CARP and it'll bump the advskew on that system to 254, leaving it in backup status unless the secondary disappears.
  • CARP High Availability with 5 source NAT IPs, failover

    No one has replied
  •

    Answered here https://forum.pfsense.org/index.php?topic=87813.msg483500#msg483500 This really should be in the upgrade notes.
  • Upgrade to 2.2 from 2.1.5

    @Guldil: https://doc.pfsense.org/index.php/UpgradeGuide#Upgrading_High_Availability_Deployments Nothing about 2.1.5 to 2.2. I'll try the procedure like I did before (slave first, CARP off on master, then master). I've just finished upgrading my CARP set based on 2 DELL R220II as recommended there and at the end it works great. However, upgrading the backup box first messed up my outbound NAT settings. Automatic mode was activated and therefore it used the WAN address instead of the CARP VIP. As a result, connections which were made from inside to web services secured by IP authorization were rejected. Upgrade of the master worked as expected. I am happy now.  :)
  • *solved* One CARP master on slave

    No one has replied
  • Multiple Carp on an interface (2.2 vs 2.1 broadcast behavior)

    It still works the same in regards to multicast. The fact it doesn't have an additional interface isn't really of any functional consequence from a user's perspective.
  • CARP + NAT reflection - interface IP instead CARP IP

    No difference on 2.2. Split DNS is the better fix.
  •

    Ok, I see uniqids got introduced in https://github.com/pfsense/pfsense/commit/89f171b052fbe72aed654d2a1c3d5a24e9bf9902 hmmm… Need to stop tinkering with this since it's beyond my understanding. For sure I thought uniqid should show up in config.xml for CARP VIPs, but maybe some sort of magic is going on behind the scenes someplace. -Shahid
  • Virtual IP addresses not working?

    That was the problem. However, it was actually a virtual IP address on the second pfSense box. CARP was not configured yet. Thank you.
  • Load Balancer and IPs problem

    No one has replied
  • CARP/Load Balance on secondary firewall error

    No one has replied
  • Sync not working

    @dark.fibre: "The sync-NICs are connected with a bridge cable, they can ping each other, IPs are 192.168.0.1 and 192.168.0.2. Second FW has a rule at Sync for TCP/UDP Port 443, Destination: WAN address. What is my mistake?"
    If you have separate sync-NICs, why do you allow traffic to the WAN address for syncing? Just add a rule on both boxes on the sync interface to allow traffic from any to any and it will be done. The sync packets use the pfsync protocol, not TCP nor UDP!
  • CARP broken including latest version 2.1.5

    You are right - it was my own issue. I hadn't taken an old test system offline. It was not working properly and only connected to the network intermittently causing the issue. I hate it when people don't post their answers to problems so even though I'm "late" I'm hoping that's better than "never". Thanks again! m
  • Shared Virtual IPs unexpectedly toggling between two CARP members on 2.1.4

    I believe the issue may be due to interrupts. From watching top (top -P CC), I see that the interrupts are only hitting one CPU. Is there a way to balance that load across both CPUs?
    last pid: 79130;  load averages:  0.33,  0.22,  0.15    up 85+19:36:44  13:05:01
    38 processes:  1 running, 37 sleeping
    CPU 0:  0.0% user,  0.0% nice,  0.0% system, 54.3% interrupt, 45.7% idle
    CPU 1:  0.0% user,  0.0% nice,  1.1% system,  0.0% interrupt, 98.9% idle
    Mem: 84M Active, 32M Inact, 281M Wired, 1336K Cache, 91M Buf, 3524M Free
  • Wrong router takes CARP address

    If your status is correct, all master on the primary, all backup on the secondary, and you're hitting the secondary when going to the CARP IP, that's a problem with your switch(es) on that interface. They're sending the CARP MAC to the wrong device. The advertisements from the master system update switch CAM tables so things go to the correct port, and that's not being handled properly on your switch for some reason.
  • Proxy ARP and Gratuitous ARP on VIPs

    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.