Re - Compatibility between VRRP and CARP
-
@empbilly
No, you only need to configure the primary interface IPs and the sync interface and rules and sync settings in System > High Availability.
The CARP VIP need to be set on the naster only.
Other VIPs are synced to the secondary node.For details check out the docs: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html
-
Nice!!! Thanks again!!!
Regarding the DNS and Gateway of each vlan, I should put the VIP address, correct?
I had questioned before, but in our institute we have a samba4 AD. The administrative vlans and the computer labs use the AD IP as DNS. Is this a problem for HA/VIP CARP?
Another question is about the NAT Outbound, which pfsense automatically sets to automatic. Would I have to change it to MANUAL or HYBRID and then set the translation IP to the WAN's VIP CARP address?
-
@empbilly said in Re - Compatibility between VRRP and CARP:
Regarding the DNS and Gateway of each vlan, I should put the VIP address, correct?
At least for the gateway you have to state the CARP VIP of each subnet.
For DNS you can have either the CARP VIP or both interface IPs or any other DNS server you prefer.he administrative vlans and the computer labs use the AD IP as DNS. Is this a problem for HA/VIP CARP?
No, you can use any DNS.
Another question is about the NAT Outbound, which pfsense automatically sets to automatic. Would I have to change it to manual and then set the translation IP to the WAN's VIP CARP address?
Yes, you need to configure it manually.
When you switch over to manual mode, pfSense takes over the automatic rules, so you can edit them, as far as I remember.
So edit all rules for your internal subnets (you can also set only one rule to apply to all your subnets by enlarging the source network).
Remember that the first matching rule is applied and further are ignored.But don't touch the rules for 127.0.0.1/8. They have to stay on WAN address.
-
Thanks @viragomann !!!!!
On the dhcp server of the wan interface, do I also need to configure GW, DNS and Failover peer IP?
-
@empbilly said in Re - Compatibility between VRRP and CARP:
On the dhcp server of the wan interface, do I also need to configure GW, DNS and Failover peer IP?
Normally you don't need to run DHCP server on WAN at all, and it's disabled by default. So if you don't really need it, keep it disabled.
But if you need it for whatever reason, you have to configure these settings accordingly.
-
Ok. On the wan we always leave disabled.
My doubt is about the failover IP exchange when, for example, the master goes offline.
For the wan in specific, does pfsense know the failover IP even without configuring it?
-
@empbilly
This setting is only needed for DHCP. It isn't even necessary for the failover of the master role.You have a CARP VIP on on each (virtual) interface. This is always occupied by the master, regardless which node has the master role.
The failover is controlled by the CARP protocol only.So this CARP VIPs are meant to be used as your gateway IPs for your internal devices and on WAN for routing traffic to your pfSense.
The DHCP settings have nothing to do with this.
-
I left one interface free on each appliance for hasync.
on pfmaster I set the IP 10.11.1.1 on igb5
on pfbackup I set the IP 10.11.1.2 on igb5After the settings I enabled ha sync and the error below occurs:
A communications error occurred while attempting to call XMLRPC method host_firmware_version
Do I need to configure anything else on this interface? In pfbackup I don't need to enable hasync, do I?
-
@empbilly
You need to allow the sync on on the backup as described int the docs: Setup Sync Interface.You have to add this rule to the primary, since it is synced to the secondary though, but for the first sync you have to allow it on the secondary as well.
-
Ok. My doubt is if I need to enable this option on pfbackup:
System > high availability sync
Syncronize states?
-
@empbilly
Yes, only the states sync.
So the state are in sync, when failback to the primary and the connections persist.But don't enable XMLRPC sync on the secondary.
Config changes must be made on the primary then. -
pfsync Synchronize Peer IP needs a IP of pfmaster?
-
@empbilly
No, not on the backup! -
Thanks!!! Sorry for so many questions!!! :)
After setting the IP Peer failover in pfmaster's dhcp, in the dhcp lease option, the pool state needs to be normal, right?
Both pfmaster and pfbackup status is recover.
What causes this?
-
@empbilly
Maybe missing the Failover peer IP in the DHCP settings?
This must be stated on the primary only. -
-
We have DNS Forwarder enabled. Do I need to select the VIPs in the DNS Forwarder?
-
@empbilly said in Re - Compatibility between VRRP and CARP:
We have DNS Forwarder enabled. Do I need to select the VIPs in the DNS Forwarder?
Not clear, what you mean. There are no IP to select in the Forwarder settings.
But if you are talking about the DHCP settings, then yes, it doesn't matter if you're running the Resolver or Forwarder or any other DNS server, you have to enter it's IP here. For these ones running on pfSense, this is the interface VIP.
-
I meant that.
But there is still something I am not getting, because I have enabled pfbackup on our network and the WAN is as MASTER in pfbackup and the dhcp leases are not as "normal".
Any hints on what to look for?
-
@empbilly
These are the IPs, the Resolver is listening on. Yes, you should select the respective VIPs there or even keep "all".because I have enabled pfbackup on our network and the WAN is as MASTER in pfbackup and the dhcp leases are not as "normal".
Don't know, what you mean with the term "the dhcp leases are not as normal".
However, I just rarely use the DHCP server on an HA system, so I'm sadly not experienced with it.
If you have trouble with that you should better open a separate thread to get viable help, I think.
