pfSense HA LAN Interfaces Only
-
@iptvcld
Did you set the "Failover peer IP" in the DHCP settings on both nodes?The DHCP leases are bound to the hardware interfaces. So the interfaces on both have to have the same name. If you have different hardware or one bare metal installation and one virtual you can work around this with LAGG interfaces to abstract the hardware.
You can find some hints in the pfSense docs:
Modifying the DHCP Server
Troubleshooting High Availability DHCP Failover -
@viragomann
Morning..
Yes my enabled DHCP Server settings have my CARP VIP for the DNS, Gateway and for the Failover peer IP, i have it set to the interface IP of the backup node. (In the case my LAN interface IP) When i saved this, my backup automatically picked these settings up and applied the peer IP back to the master node IP.As for the hardware, I have the same setup on both units.
Master Node Interfaces
LAN Interface (lan, lagg0)
IOT Interface (opt1, lagg0.10)
NOT Interface (opt2, lagg0.20)
SECURITYCAM Interface (opt3, lagg0.30)
VPN Interface (opt4, ovpns1)
SYNC Interface (opt5, em0)Backup Node Interfaces
LAN Interface (lan, lagg0)
IOT Interface (opt1, lagg0.10)
NOT Interface (opt2, lagg0.20)
SECURITYCAM Interface (opt3, lagg0.30)
VPN Interface (opt4, ovpns1)
SYNC Interface (opt5, em0)Status -> DHCP Leases on my nodes show My State: normal and Peer State: normal
I checked Leases on my backup node under status - DHCP Leases and i see a bunch that say online active next to them - and these are also online active showing on the master node.
Then i also see a bunch as offline / active on my backup service and online / active on my master
Not sure if this is normal operation for the dhcp leases to be hand on hand with each other.
-
@iptvcld
Your settings look well and should work this way.Then i also see a bunch as offline / active on my backup service and online / active on my master
I don't use any DHCP on CARP set ups at this time, so I cannot verify.
However, "offline" means that the machine holding the lease is actually not present in the pfSense ARP table. This seems normal as the machines doesn't communicate with the backup node in normal usage.
After you try to access the backup from one of the offline machines (e.g. ping its IP) it's state should become online. -
@viragomann
Not a problem Sir! Might be normal operation as right now i just noticed my cell phone showing online/active on both master and backup nodes (same showing) Check my phone network info and i can see it has a dhcp IP of my backup node. Again not sure if this is the way it should be working.But i will post a new thread if i can not find anything on other forums as well.
-
@iptvcld
I think, the important part is the lease state. Both nodes must be aware of all active DHCP leases. So that used IPs cannot be assigned a second time by the other machine. And that's the case as you mentioned.
Then it doesn't matter which node has issued the lease. -
-
@iptvcld
Out of curiosity, which devices are belonging to your NOT subnet? -
@viragomann
That is my Network of Things VLAN which I have Smart switch devices such as Tasmota bulbs/switches that i dont want them to reach out to the internet or other devices on my lan. They are all internal controlled/accessed devices. -
@iptvcld said in pfSense HA LAN Interfaces Only:
That is my Network of Things VLAN which I have Smart switch devices such as Tasmota bulbs/switches that i dont want them to reach out to the internet or other devices on my lan.
Ahh. I don't have such devices in my network. All I have want to access at least internet.
-
@viragomann
For that i have the Internet of Things VLAN which those devices have internet access but cannot talk to other vlans/networks on my LAN (inter-chatter) -
@iptvcld
Yes, I have an IOT subnet as well. On this only access to none-RFC1918 is allowed. -
@viragomann said in pfSense HA LAN Interfaces Only:
none-RFC1918
I have this - i guess pretty much the same; IOT can talk to each other on the same vlan but cannot chat to others outside of IOT including the firewall it self
-
@iptvcld
I use an RFC1918 alias on pfSense which simply includes all private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
So I'm still save, when I add or change a subnet without the need of modifying the alias. -
@viragomann
This makes sense! -
@viragomann
I was able to locate a video as per below that advises that both Master and backup nodes will share the DHCP lease information and also both hand out IP'sYouTube link at the section he talks about that..
https://youtu.be/Ac6U4xMFaxY?t=2423 -
@iptvcld
Interestingly. Didn't know that. Was assuming only the master is handing out DHCP leases and only the lease state is synced to the other node.
