Netgate Discussion Forum

CARP alternative

HA/CARP/VIPs
24 Posts 7 Posters 5.8k Views
  • J
    Jesper Freesbug
    last edited by Dec 13, 2016, 5:08 PM

    Hi!

    I have two PFSense machines running in a virtual datacenter.
    Unfortunately, the provider does not support CARP in that datacenter.
    I wonder if there is any CARP alternative out there that can be used with PFSense?

    For the Linux machines, I am using keepalived, which works perfectly fine. However, keepalived
    support for FreeBSD was abandoned long ago, and I am not sure if I should even
    try to get it running on PFSense.

    Do you have any suggestions or hints?

    Thanks!
    Jesper

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Dec 13, 2016, 5:45 PM

      There are no alternatives to failover, CARP is the only working mechanism at the moment.

      We're looking at freevrrpd but if the provider doesn't support CARP, that's unlikely to work either as the base mechanism is similar.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • J
        Jesper Freesbug
        last edited by Dec 13, 2016, 6:13 PM

        Aww…, thanks for the info.

        Keepalived uses VRRP, too, and it works. So maybe the freevrrpd could work as well.
        I'll take a closer look at the differences between these protocols.

        Do you think there will be a PFSense package to test freevrrpd in the near future?
        Just tell me if you need a beta tester  :)

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Dec 13, 2016, 6:18 PM

          CARP sends the same type of traffic that VRRP does, only a slightly different format. I find it hard to believe that VRRP would work but CARP would not in the same environment.

          No ETA on any testing for anything, it's not clear when we might get around to trying that out. Certainly not for 2.4.

          • J
            Jesper Freesbug
            last edited by Dec 13, 2016, 10:21 PM

            CARP sends the same type of traffic that VRRP does, only a slightly different format.

            As far as I can tell from the man page of CARP and the VRRP RFC, there is a difference in the traffic.
            VRRP promotes a single virtual MAC address, whereas CARP makes use of a multicast MAC address.

            The OpenBSD man page (http://man.openbsd.org/OpenBSD-current/man4/carp.4) says:

            However, there are a few OS and routers that do not accept a multicast MAC address being mapped to a unicast IP.

            Which I believe could cause some trouble, though I am neither a network nor a virtualization expert.
            The manual also describes some workarounds (i.e. ip-stealth mode), which I think are not a good idea to
            use in a network managed by someone else.

            Anyhow, you are probably right about saying that using CARP should be possible, too…

            Cheers!

            • J
              Jesper Freesbug
              last edited by Dec 15, 2016, 10:02 AM

              Just for the record, my provider confirmed that the Multicast MAC is the problem.
              Their cloud network infrastructure doesn't support it yet.
              Perhaps they are using InfiniBand, which makes trouble, or so; I don't know.  :o

              • ?
                A Former User @jimp
                last edited by A Former User Nov 17, 2021, 2:37 PM Nov 17, 2021, 1:57 PM

                @jimp said in CARP alternative:

                There are no alternatives to failover, CARP is the only working mechanism at the moment.

                We're looking at freevrrpd but if the provider doesn't support CARP, that's unlikely to work either as the base mechanism is similar.

                Almost five years later, I'm wondering if freevrrpd is still not an option for pfSense @jimp?

                Unlike CARP, VRRP relies on broadcast with one single vMAC instead of multicast MAC addresses. The big advantage of VRRP is that it does NOT require promiscuous mode to be enabled on virtual environments like VMware vSphere, which otherwise imposes a security risk in any business-critical environment.

                Although it's currently unmaintained, there even is a port for freevrrpd available already: https://www.freshports.org/net/freevrrpd

                Thanks

                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Nov 17, 2021, 2:36 PM

                  No, we have not attempted to utilize that.

                  • S
                    snunez
                    last edited by snunez Aug 1, 2022, 4:03 PM Aug 1, 2022, 4:01 PM

                    Since CARP does not work on cloud virtual environments (AWS, Google, Oracle cloud, etc), is there any other way to make pfSense work in HA configuration for cloud environments?
                    If not, is there any plan to make HA cloud configuration to work in the near future?

                    • E
                      ErsanY @snunez
                      last edited by Mar 11, 2025, 3:21 PM

                      Hi. Is there any update on this matter please? Meaning, CARP support or an alternative for pfSense usage on public clouds (AWS, GCP, Azure etc.)?

                      • M
                        michmoor LAYER 8 Rebel Alliance @ErsanY
                        last edited by Mar 11, 2025, 3:43 PM

                        @ErsanY Thanks for making this post active again. CARP is very limiting with deployments due to the IP addressing requirement.

                        Firewall: Netgate, Palo Alto-VM, Juniper SRX
                        Routing: Juniper, Arista, Cisco
                        Switching: Juniper, Arista, Cisco
                        Wireless: Unifi, Aruba IAP
                        JNCIP, CCNP Enterprise

                        • J
                          jimp Rebel Alliance Developer Netgate @ErsanY
                          last edited by Mar 12, 2025, 1:15 PM

                          @ErsanY said in CARP alternative:

                          Hi. Is there any update on this matter please? Meaning, CARP support or alternative for pfsense usage on Public Clouds (AWS, GCP, Azure etc) ?

                          https://docs.netgate.com/pfsense/en/latest/solutions/aws-vpn-appliance/ha.html

                          • M
                            michmoor LAYER 8 Rebel Alliance @jimp
                            last edited by Mar 12, 2025, 10:39 PM

                            @jimp What about on prem? Is CARP alternative still being investigated?

                            • J
                              jimp Rebel Alliance Developer Netgate
                              last edited by Mar 13, 2025, 7:38 PM

                              The only possible alternative would be VRRP which has the same limitations as CARP, which is already covered higher in the thread.

                              • S
                                snunez
                                last edited by Mar 13, 2025, 10:27 PM

                                I've been using pfSense in HA using UCARP in Oracle Cloud.
                                Oracle Cloud has L2 VLAN that allows broadcast (but not multicast) messages. Therefore, CARP doesn't work, but UCARP works well because it can be configured to use broadcast messages instead of multicast.
                                It would be great if pfSense incorporated UCARP as an alternative for HA so that it could be used in cloud installations.
                                Do you think this is possible?

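An added diagnostic, not from this thread or from pfSense/UCARP: it parses constructed Ethernet/IPv4 frames carrying protocol-112 advertisements and reports whether each rides on a multicast MAC and group, a broadcast, or a unicast destination, which is exactly the property the cloud fabrics discussed above forward or drop. The "carp" versus "vrrp" label is a heuristic assumption (FreeBSD CARP fixes its authlen field at 7, where VRRPv2 carries an address count), and `build_adv` plus the sample frames are constructed for the demonstration.

```python
import struct

PROTO_VRRP_CARP = 112   # CARP and VRRP advertisements both use IP protocol 112
CARP_AUTHLEN = 7        # assumption: FreeBSD CARP fixes its authlen field at 7 (32-bit words)

def build_adv(dst_mac, dst_ip, vhid, authlen):
    """Constructed sample: minimal Ethernet/IPv4 frame with an 8-byte advertisement header (no checksums/trailer)."""
    src_mac = bytes.fromhex("020000000001")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 255, PROTO_VRRP_CARP, 0,
                         bytes([10, 0, 0, 11]), bytes(int(o) for o in dst_ip.split(".")))
    adv = bytes([0x21, vhid, 0, authlen, 0, 1, 0, 0])  # version 2, type 1 = advertisement
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + adv

def classify_adv(frame, subnet_bcast=None):
    """Report how a protocol-112 advertisement is addressed at L2/L3; subnet_bcast names the directed broadcast."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return {"family": None}
    ip = frame[14:]
    if ip[9] != PROTO_VRRP_CARP:
        return {"family": None}
    ihl = (ip[0] & 0x0F) * 4
    hdr = ip[ihl:ihl + 8]
    dst_mac = frame[:6]
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if 224 <= ip[16] <= 239:
        delivery = "multicast"
    elif dst_ip in ("255.255.255.255", subnet_bcast):
        delivery = "broadcast"
    else:
        delivery = "unicast"
    return {
        "dst_mac": dst_mac.hex(":"),
        "mac_multicast": bool(dst_mac[0] & 0x01),  # I/G bit: set for multicast and broadcast MACs
        "dst_ip": dst_ip,
        "delivery": delivery,
        "version": hdr[0] >> 4,
        "vhid": hdr[1],
        "family": "carp" if hdr[3] == CARP_AUTHLEN else "vrrp",  # heuristic, see lead-in
    }

MCAST_MAC = bytes.fromhex("01005e000012")  # Ethernet mapping of 224.0.0.18
BCAST_MAC = b"\xff" * 6
# Stock CARP: multicast MAC and group, the case a multicast-less cloud fabric drops
CARP_DEFAULT = build_adv(MCAST_MAC, "224.0.0.18", vhid=1, authlen=CARP_AUTHLEN)
# UCARP-style broadcast advertisement on a constructed 10.0.0.0/24 segment
UCARP_BCAST = build_adv(BCAST_MAC, "10.0.0.255", vhid=1, authlen=CARP_AUTHLEN)
# VRRPv2 advertisement carrying one address (count field = 1 where CARP has authlen)
VRRP_DEFAULT = build_adv(MCAST_MAC, "224.0.0.18", vhid=5, authlen=1)
```

Feed it real frames from a capture taken on both nodes to confirm which advertisements actually cross the provider's segment before committing to a design.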
                                • J
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by Mar 13, 2025, 11:04 PM

                                  pfSense Plus has unicast CARP already.

                                  https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html#vip-configuration-options

                                  • M
                                    michmoor LAYER 8 Rebel Alliance @jimp
                                    last edited by Mar 13, 2025, 11:14 PM

                                    @jimp said in CARP alternative:

                                    The only possible alternative would be VRRP which has the same limitations as CARP, which is already covered higher in the thread.

                                    Well, not having a mandatory /29 would be helpful, which would be the main and important differentiator; hence VRRP is desired.

                                    • S
                                      SteveITS Galactic Empire @michmoor
                                      last edited by Mar 14, 2025, 3:06 AM

                                      @michmoor I realize I'm coming in at the end of a 9-year-old thread, but technically a /29 isn't required for WAN. It can be done with private IPs in the right situation, e.g. Comcast business Internet provides both NAT (10.1.10.x) and passthrough/static routing at the same time. Or the docs mention leaving router2 not able to connect out without failover, using one IP, though that's not ideal.

                                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                      Upvote ๐Ÿ‘ helpful posts!

                                      • M
                                        michmoor LAYER 8 Rebel Alliance @SteveITS
                                        last edited by Mar 14, 2025, 2:48 PM

                                        @SteveITS said in CARP alternative:

                                        technically a /29 isn't required for WAN.

                                        For High Availability, I believe it is. CARP isn't ideal.

                                        • J
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by Mar 14, 2025, 3:00 PM

                                          You can use a single address for CARP on any interface, but it's primarily practical on LANs. If you do that on all of the WANs, the secondary will have no upstream connectivity so it can't operate effectively. If the upstream router allows public and private addresses some of those limitations might be alleviated but it's something you'd have to try on a case-by-case basis.

                                          It's covered in the docs:

                                          https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#ip-address-requirements-for-carp (second paragraph in that section)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.