pfSense HA LAN Interfaces Only
-
@iptvcld
Any reason for using the Broadcom NIC? Do you pass through the hardware?
If it's virtual, set it to Intel E1000.
-
@viragomann Thanks; I have selected failover, and for the primary I changed it from Auto to the NIC interface I will have my WAN in (even though it's a single-card LAGG).
-
@viragomann It's a physical card passthrough on Unraid, but I think I figured out what the issue is: that port may be defective on the card. The other port works OK. But now I need to find a different card, as I needed both ports.
-
Alright, the card issue has been fixed.
Question: I noticed my non-CARP Virtual IPs from the master are not being synced over to the failover. Is this normal? Only when I create a CARP VIP does it get copied over. Thanks,
-
@iptvcld
Yes, interface settings cannot be synced. If they were, you would have the same IPs on master and backup, which naturally wouldn't work.
-
@viragomann Thank you, and that makes sense!
I am also finding that when I switch the master CARP to my failover, some devices I am no longer able to reach unless I reboot the device once while on the master pf; then, if I hit it from the failover, that will work. Seems to be a one-time thing per device though. Maybe an option I am missing?
-
@iptvcld
A reboot should not really be necessary. But existing connections will time out, because the connection is on the other node and you don't sync states.
-
@viragomann Thanks. Does the High Availability Sync setting under System also need to be turned on for the slave? I currently only have it configured and on on the master, and settings seem to be syncing fine. I have just been reading that on the slave you also need to enable it with a check and select the interface and pfsync Synchronize Peer IP only; don't touch the bottom portion and save. Is this true? And if so, how is sync working right now then?
Thank you!
-
@iptvcld
No, this is only needed for syncing states in both directions. But syncing states doesn't make sense in your case, because your WAN has no CARP VIP.
So you can only sync settings, and this is done from the master to the slave.
-
@viragomann I am also syncing LAN interfaces as per below:
-
@iptvcld
Yeah, you can sync states if you want, but only connections passing solely through CARP interfaces will benefit from it. Connections passing the WAN will get stuck after failover anyway.
If state sync is on, pfSense will also try to sync WAN states, of course. I don't know what happens on the other box when the interface is not present.
For syncing states it's recommended to use a separate sync interface.
-
@viragomann Thank you; yes, I added a new card on both systems and created a new interface as SYNC, and I am using that on both ends.
-
@viragomann Your help along the way has been very much appreciated! I think I have it all set now, and later on tonight I am going to test and fail it over to see how it all works.
-
@viragomann Is it normal for the DHCP server to show the actual interface IP of the pf node, or should it show the CARP LAN VIP IP (192.168.2.1)?
.80 is master and .81 is slave (currently CARP is on the master).
-
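An added shell check for the failover test planned a few posts up (not from the thread and not part of pfSense): it parses constructed `ifconfig` excerpts from the two nodes (192.168.2.80 master, 192.168.2.81 backup; the interface name vmx1, vhid 1 and the advskew values are assumptions) and reports which node holds the CARP LAN VIP and whether the two nodes agree.

```shell
#!/bin/sh
# Constructed `ifconfig` excerpts for the two nodes (not captured from either box).
# On a live node the same functions take real output: ifconfig -a | carp_states
NODE_MASTER='vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.2.80 netmask 0xffffff00 broadcast 192.168.2.255
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
'
NODE_BACKUP='vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.2.81 netmask 0xffffff00 broadcast 192.168.2.255
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
'

# Print "iface vhid state advskew" for every CARP VIP in ifconfig text read from stdin.
# FreeBSD prints the CARP line as "carp: MASTER vhid 1 advbase 1 advskew 0".
carp_states() {
    awk '/^[^ \t]+:/ { ifn = $1; sub(":", "", ifn) }
         /^[ \t]*carp: / { print ifn, $4, $2, $8 }'
}

# Succeed only if every CARP VIP on stdin is in the given state (MASTER or BACKUP).
# After a failover test, run on the node that should now own the VIPs: ... | expect_all MASTER
expect_all() {
    awk -v want="$1" 'BEGIN { bad = 0 }
                      /^[ \t]*carp: / && $2 != want { bad = 1 }
                      END { exit bad }'
}

# Feed both nodes' ifconfig text (concatenated) on stdin. Prints one line per vhid that
# is MASTER on more than one node (split brain, typically CARP multicast not reaching
# the peer) or MASTER on no node (nobody answers on the VIP). Silent when consistent.
vhid_consistency() {
    awk '/^[ \t]*carp: / { seen[$4]++; if ($2 == "MASTER") masters[$4]++ }
         END {
             for (v in seen) {
                 if (masters[v] > 1)       print "vhid " v ": MASTER on more than one node"
                 else if (masters[v] == 0) print "vhid " v ": no MASTER"
             }
         }'
}
```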
@viragomann Sorry, I was thinking about how I can provide internet access to my backup node, just for the purpose of keeping the apps up to date like the master, since there is no active WAN when it's in slave mode.
-
@iptvcld said in pfSense HA LAN Interfaces Only:
Is it normal for the DHCP server to show the actual interface IP of the pf node
Yes, the DHCP server is on the real interface IP.
You only have to enter the other node's IP at "Failover peer IP" in the DHCP server settings. This ensures that the server is exclusively running on the present master.
-
@iptvcld said in pfSense HA LAN Interfaces Only:
Was thinking how I can provide internet access to my backup node. Just for the purpose to keep the apps up to date as the master. Since there is no active wan when it's in slave mode.
There is a way to go over the master's LAN to the internet:
Add the master's LAN IP as a gateway on the secondary and set up a gateway group with the WAN DHCP gw as Tier 1 and the master's LAN as Tier 2. Set the gateway group as the default gw.
But first of all, disable the sync of routing settings on the master's System > HA page.
Now the secondary goes out over the master's LAN interface to the internet when the WAN gw isn't available.
-
@viragomann Fantastic. I will give this a shot today. So when I swing the WAN over from the primary to the secondary node as a failover, this will restore internet to flow over the backup only?
And does this solution affect the primary WAN internet in any negative way? Or will this just provide internet to the secondary node as a client, for the purpose of updating apps on the router?
Do I need to add an additional CARP VIP for this? If the master goes down, my CARP for the LAN interfaces will go master on the backup node. And I assume the secondary will lose access to the internet, since it was routing from there (which is fine and makes sense); at that point I would swing the WAN over.
-
@iptvcld said in pfSense HA LAN Interfaces Only:
I will give this a shot today. So when I swing the wan over from primary to secondary node as a failover, this will restore internet to flow over the backup only?
Yes, the gateway group ensures that the secondary uses the primary's LAN only if the WAN DHCP isn't available.
It's only to provide internet to the secondary and doesn't affect any other connections.
I guess it's a good idea to set a public IP for monitoring (e.g. 8.8.8.8) in the LAN gateway settings. This way the secondary detects the gateway as offline in case you activate CARP maintenance mode on the master, and will switch over to the WAN gw.