pfSense HA LAN Interfaces Only
-
@iptvcld
If you set up CARP, there would be no need to disconnect or change the IP to switch over to the backup.
In this case you need to configure a CARP VIP for all used interfaces, for LAN and all VLAN.I am also reading that my LAN interface and any VLAN interfaces have need to have 3 IP's assigned
Main: x.x.x.2 - VM: x.x.x.3 and CARP VIP x.x.x.1 and i need to do this for all my VLAN interfaces?When you set up CARP, change all existing interface IPs to another one and set the CARP IP to that ones you used till now, since these have to be the gateways in your subnet. So you don't need to change the interface settings on the devices behind.
The real interface IPs can be any in the subnet. You can set them to whatever is not in used like .251 and .252.
-
@viragomann Thank you very much for the help; I am going to implement this today and will paste a screenshot and hopefully you will be able to let me know if i did it correct as a check point for me.
Question.. Outbound NAT Rule, i have been reading this needs to be updated as well - is this the case only if i was doing CARP for my WAN? In my case I am not going to have WAN connected in my failover router and will be swinging it over when in need.
-
@iptvcld said in pfSense HA LAN Interfaces Only:
Question.. Outbound NAT Rule, i have been reading this needs to be updated as well - is this the case only if i was doing CARP for my WAN? In my case I am not going to have WAN connected in my failover router and will be swinging it over when in need.
Exactly, it is not needed when you don't configure the WAN as CARP. As you stated above, you want to do a manual failover by pulling the WAN cable from the primary router and connect it to the secondary. So there is no need for CARP VIP.
-
@viragomann Thanks again, I am setting up my interfaces on the 2nd failover pf and since i have LAGG on my LAN (master pf) - i am trying to setup LAGG on my LAN on the failover but i just have the 1 card for lan on the failover. I was able to create a LAGG 1 the single card but what protocol would i use? I cannot do LACP because then my switch will need a group of 2 ports (min) - I am thinking Load Bal but i am not too sure.
Thank you!
-
I just swinged my WAN over and i getting this error
The link does not go up and i have verified the pppoe username and password that its the same on my master pf
-
@iptvcld
I would try FAILOVER. I think this should work with only one network port. -
@iptvcld
Any reason for using the Broadcom NIC? Do you passthrough the hardware?
If it's virtual set it to Intel E1000. -
@viragomann Thanks; i have selected failover and for the primary i changed it from Auto to my nic interface i will have my wan in. (even thought its a single card LAGG)
-
@viragomann Its a physical card pass-though on unraid but i think i figured out what the issue is That port may be defected on the card. Other port works ok . But now i need to find a different card as i needed both ports..
-
Alright card issue has been fixed..
Question; i noticed my non CARP Virtual IP's from master are not being synced over to failover.. Is this normal? Only when i create a CARP VIP, that is when it gets copied over. Thanks,
-
@iptvcld
Yes, interface settings cannot be synced. If they were, you would have the same IPs on master and backup, which wouldn’t work naturally. -
@viragomann thank you and that makes sense!
I am also finding that when i switch the master CARP to my failover that some devices i am no longer able to reach unless i reboot the device once whole on the master pf and then if i were hot it from the failover, that will work. Seems to be a one time thing per device though.. Maybe an option i am missing?
-
@iptvcld
A reboot should not be really necessary. But existing connections will timeout though, because the connection is on the other node and you don't sync states. -
@viragomann Thanks.. Does the High Availability Sync setting under System needs to also be turned on for the slave? I currently only have it configured and on the master and settings seem to be syncing fine. I just have been reading that on the slave you also need to enable with a check and select tje interface and pfsync Synchronize Peer IP only; dont touch the bottom portion and save. Is this true? and if so, how is sync working right now then?
Thank you!
-
@iptvcld
No, this is only needed for syncing states in both directions. But syncing states doesn't make sense in your case, cause your WAN has no CARP VIP.
So you can only sync settings and this is done from the master to the slave. -
@viragomann I am also syncing LAN interfaces as per below:
-
@iptvcld
Yeah, you can sync states if you want, but only connections passing CARP interfaces solely will benefit from it. Connections passing the WAN will stuck after failover anyway.
If states sync is on pfSense will also try to sync WAN states, of course. Don't know what happens on the other box, when the interface is not present.For syncing states it's recommended to use a separate sync interface.
-
@viragomann Thank you; yes i added a new card on both systems and created a new interface as SYNC and i am using that on both ends
-
@viragomann Your help along the way has been more much appreciated! I think i have it all set now and later on tonight i am going to test and fail it over to see how it all works.
-
This post is deleted!