A lot of CARP VIPs - VHID and password

Jeff W · Apr 4, 2017, 7:40 PM

Hi,
There are a few things that I’m unable to find in OpenBSD / pfSense documentation about CARP. Could you please help me with that?

VHID
I have firewall HA pair with WAN and multiple LANs
(multiple VLANs on LAN interface, each VLAN is a different subnet for different group of devices that may / may not (FW rules) communicate between each other)
I assume that all LANs (all VLANs) may have same VHID since they are on separate layer 2 network. Is that correct?
Now It’s not a problem to setup different VHID for each but in future I might have for example 300 VLANs and I won’t have available VHID numbers.

Password
Is it OK to generate 64 characters long random string for each VIP?
I’m not sure how CARP works and it might for example send the password every second and 64 characters might be performance issue…

Thank you.

Jeff W · Apr 9, 2017, 3:28 PM

I tested same VHID on different VLANs and it works so my assumption is correct - you can have same VHID on different L2 networks.

But I still don't know about the password. How does password work? Is it good idea to use long 64 characters string or is it better to use something shorter?

Thank you