Compatibility between VRRP and CARP

empbilly

Hello,

We have a pfsense-based appliance in production. We are acquiring another appliance to set up an HA.

Our infrastructure today is more or less like the image below.

I have already talked to our provider about the possibility of enabling some protocol so that it is not necessary to put another SW between the provider and the appliance, but they informed us that they only support the VRRP protocol.

Would it work with CARP?

viragomann

@empbilly
I'm wondering, who you intend to connect to nodes to the WAN without a switch.
But as far as I know, CARP use the same network protocol as VRRP. So I guess, it should work.

empbilly

@viragomann said in Compatibility between VRRP and CARP:

@empbilly
I'm wondering, who you intend to connect to nodes to the WAN without a switch.
But as far as I know, CARP use the same network protocol as VRRP. So I guess, it should work.

That's right.

If you can answer a few questions:

1. Will I need to have a routable IP on each wan or can I use the same IP that I use today?

2. For each vlan that I have on pfsense (10+), I need to create a VIP, correct?

Thank you very much for your time!

viragomann

@empbilly said in Compatibility between VRRP and CARP:

1. Will I need to have a routable IP on each wan or can I use the same IP that I use today?

Normally you need 3 wan IPs. One assigned to each node and one CARO VIP.

There is also a way to set it up with a single wan IPs though, but that has some drawbacks.

2. For each vlan that I have on pfsense (10+), I need to create a VIP

Yes.

empbilly

@viragomann

Ok. Thanks man!!!

It ends up having a great deal of work if pfsense has too many vlans.

Is there any other way around this?

viragomann

@empbilly
No, the VLAN behaves like a normal interface. I.e. each node needs an IP on the interface and additional you need a CARP VIP, which is occupied by the respective master.

empbilly

Ok. Thanks for all your help @viragomann!!!!!

empbilly

@viragomann

A few more doubts have popped up. rsrsrs

The vlans I have are in a lagg with 4 physical interfaces.

1. Would this be a problem?

2. Do I need to have one network (10.10.10.0/24) or can it be one IP only (10.10.10.1) for each VIP in the vlans?

3. I have the vlan ADM_LAN with the network 10.60.0.0/23 and GW 10.60.0.1

On pfsense backup can I put the GW 10.60.0.2?

4. Another point is that we have an AD in our infrastructure, and the AD IP is the DNS in some vlans. How does this work with VIP?

Derelict

This post is deleted!

Derelict

@empbilly

CARP and VRRP are both "first-hop redundancy" protocols.

For each inside network that uses pfSense as a first-hop (usually default) gateway, you need a CARP VIP for that address so when there is a failover, the address swings to the other node and ARP for that address in the ARP tables of all the inside clients does not change.

Maintaining redundant HA firewalls with that many interfaces is going to require some work.

viragomann

@empbilly said in Compatibility between VRRP and CARP:

The vlans I have are in a lagg with 4 physical interfaces.

1. Would this be a problem?

No. In former pfSense versions the network ports for a (virtual) network interface have to be the same same on both nodes. E.g. the port for VLAN 305 has to be lagg0.305 on both.

Configuring a lagg was a way to achieve this if the hardware was different.
But as far as I know, this is not necessary anymore since FreeBSD 12. However, I configured it only this way.

2. Do I need to have one network (10.10.10.0/24) or can it be one IP only (10.10.10.1) for each VIP in the vlans?

You have to configure each IP and as well the VIP with the correct mask.

3. I have the vlan ADM_LAN with the network 10.60.0.0/23 and GW 10.60.0.1

On pfsense backup can I put the GW 10.60.0.2?

If you have 10.60.0.1 already configured as gateway on all your internal machines it might be easier to turn this into the CARP VIP and change the interface IP on the primary to anything other, maybe 10.60.0.2 and use 10.60.0.3 for the secondary.

4. Another point is that we have an AD in our infrastructure, and the AD IP is the DNS in some vlans. How does this work with VIP?

This has nothing to do with HA. It should work like before.
Maybe I'm getting you wrong?