CARP alternative
-
Hi!
I have two PFSense machines running in a virtual datacenter.
Unfortunately, the provider does not support CARP in that datacenter.
I wonder if there is any CARP alternative out there that can be used with PFSense?

For the Linux machines, I am using keepalived, which works perfectly fine. However, keepalived support for FreeBSD has been abandoned long ago, and I am not sure if I should even try to get it running on PFSense.

Do you have any suggestions or hints?
Thanks!
Jesper
-
There are no alternatives to failover, CARP is the only working mechanism at the moment.
We're looking at freevrrpd but if the provider doesn't support CARP, that's unlikely to work either as the base mechanism is similar.
-
Aww…, thanks for the info.
Keepalived uses VRRP, too, and it works. So maybe the freevrrpd could work as well.
I'll take a closer look at the differences between these protocols.

Do you think there will be a PFSense package to test freevrrpd in the near future?
Just tell me if you need a beta tester :)
-
CARP sends the same type of traffic that VRRP does, only a slightly different format. I find it hard to believe that VRRP would work but CARP would not in the same environment.
No ETA on any testing for anything, it's not clear when we might get around to trying that out. Certainly not for 2.4.
-
CARP sends the same type of traffic that VRRP does, only a slightly different format.
As far as I can tell from the man page of CARP and the VRRP RFC, there is a difference in the traffic.
VRRP promotes a single virtual MAC address, whereas CARP makes use of a multicast MAC address.

The OpenBSD man page (http://man.openbsd.org/OpenBSD-current/man4/carp.4) says:
However, there are a few OS and routers that do not accept a multicast MAC address being mapped to a unicast IP.
Which I believe could cause some trouble, though I am neither a network nor a virtualization expert.
The manual also describes some workarounds (i.e. ip-stealth mode), which I think are not a good idea to use in a network managed by someone else.

Anyhow, you are probably right about saying that using CARP should be possible, too…
Cheers!
-
Just for the record, my provider confirmed that the Multicast MAC is the problem.
Their cloud network infrastructure doesn't support it yet.
Perhaps they are using InfiniBand which makes trouble or so, I don't know. :o
-
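One way to confirm what actually reaches the other node (for instance from a tcpdump capture of IP protocol 112 on the backup), as an added example that is not from this thread or from pfSense: the Python decoder below classifies a protocol 112 payload as a CARP or VRRPv2 advertisement, verifies its RFC 1071 checksum, and derives the shared 00:00:5e:00:01:xx virtual MAC. The sample packets are constructed here, not captured traffic; the CARP layout follows FreeBSD's carp_header and the VRRPv2 layout follows RFC 3768.

```python
import struct

VMAC_PREFIX = "00:00:5e:00:01"  # IANA prefix shared by VRRP (RFC 3768) and FreeBSD CARP

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a correctly checksummed packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def with_checksum(pkt: bytes) -> bytes:
    """Fill the 16-bit checksum at offset 6 (same place in CARP and VRRPv2 headers)."""
    zeroed = pkt[:6] + b"\x00\x00" + pkt[8:]
    return pkt[:6] + struct.pack("!H", inet_checksum(zeroed)) + pkt[8:]

def parse_proto112(payload: bytes) -> dict:
    """Classify an IP protocol 112 payload as a CARP or VRRPv2 advertisement.
    Both share the first 8 bytes: version/type nibbles, id, skew-or-priority,
    authlen-or-count, demote-or-authtype, advbase-or-interval, checksum."""
    if len(payload) < 8:
        raise ValueError("too short for a CARP/VRRP header")
    vt, ident, b2, b3, b4, b5, _ = struct.unpack("!BBBBBBH", payload[:8])
    if (vt >> 4, vt & 0x0F) != (2, 1):
        raise ValueError("only version 2 type 1 (advertisement) is handled")
    ok = inet_checksum(payload) == 0
    vmac = f"{VMAC_PREFIX}:{ident:02x}"
    # FreeBSD/pfSense CARP: authlen is fixed at 7 (64-bit counter + 20-byte SHA1
    # HMAC = 28 bytes = seven 32-bit words), so the datagram is always 36 bytes.
    if b3 == 7 and len(payload) == 36:
        return {"proto": "CARP", "vhid": ident, "advskew": b2, "demote": b4, "advbase": b5,
                "counter": struct.unpack("!Q", payload[8:16])[0], "vmac": vmac, "cksum_ok": ok}
    # RFC 3768 VRRPv2: b3 counts IPv4 addresses, followed by 8 bytes of auth data.
    if len(payload) == 16 + 4 * b3:
        addrs = [".".join(map(str, payload[8 + 4 * i:12 + 4 * i])) for i in range(b3)]
        return {"proto": "VRRPv2", "vrid": ident, "priority": b2, "auth_type": b4,
                "adver_int": b5, "addrs": addrs, "vmac": vmac, "cksum_ok": ok}
    raise ValueError("length matches neither CARP nor VRRPv2")

# Constructed samples (not captured traffic): vhid/vrid 1, skew 0 / priority 100.
SAMPLE_CARP = with_checksum(struct.pack("!BBBBBBHQ", 0x21, 1, 0, 7, 0, 1, 0, 42)
                            + bytes(range(20)))                      # fake 20-byte HMAC
SAMPLE_VRRP = with_checksum(struct.pack("!BBBBBBH", 0x21, 1, 100, 1, 0, 1, 0)
                            + bytes([192, 0, 2, 10]) + b"\x00" * 8)  # one VIP, no auth

if __name__ == "__main__":
    for pkt in (SAMPLE_CARP, SAMPLE_VRRP):
        print(parse_proto112(pkt))
```

Feed it the raw payload bytes of a captured protocol 112 datagram (IP header stripped); a CARP advertisement that decodes cleanly on the backup node shows the provider's fabric is passing the multicast traffic.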
@jimp said in CARP alternative:
There are no alternatives to failover, CARP is the only working mechanism at the moment.
We're looking at freevrrpd but if the provider doesn't support CARP, that's unlikely to work either as the base mechanism is similar.
Almost five years later, I'm wondering if freevrrpd is still not an option for pfSense @jimp?
Unlike CARP, VRRP relies on broadcast with one single vMAC instead of multicast MAC addresses. The big advantage of VRRP is that it does NOT require promiscuous mode to be enabled on virtual environments like VMware vSphere, which otherwise imposes a security risk in any business-critical environment.
Although it's currently unmaintained, there is even a port for freevrrpd available already: https://www.freshports.org/net/freevrrpd
Thanks
-
No, we have not attempted to utilize that.
-
Since CARP does not work on cloud virtual environments (AWS, Google, Oracle cloud, etc), is there any other way to make pfSense work in HA configuration for cloud environments?
If not, is there any plan to make HA cloud configuration work in the near future?