Carp VIP vs. ip alias

bgibson

Good morning,
Need to clarification as I believe I'm on the right path, just over thinking the matter. This is a two question topic regarding the same manor.

1.) I have a central HA site with virtual ip for failover on my wans/lans etc.. For internal web servers, I have specific WAN ip alias for natting. My question is, if I have the ip alias on both servers, as long as the main server is in master mode, will the ip aliases have any conflicts? I noticed my master server has the ip alias and they never were added to the backup router and I was curious if this was due to carp identifying by master/slave and IP alias is what it is. I have not tested as this is my main site and did not want to cause an IP conflict being the same ip alias on two routers.

2.) This is similar to the question above. I recently deployed a new site with HA routers. Failover went smoothly, but once my master router came back online, routing ceased. I'm 99% sure this is due to the ISP caching the arp address because as soon as I reboot my secondary router, Router1 is able to use the VIP. I have had this issue in the past with certain ISP modems (but back then, we were just starting out with pfsense). This site  only has one ISP so in the event it goes offline, I'm not to worried about it failing over. So my question here is, since I only have one ISP at the moment, could I use an ip alias, and in the event the ISP goes down, the primary will remain the primary. If a lan/router dies, then it would fail over as required.

Thanks for taking time to read this and I hope some one can clarify this.  :)

dotdash

1. You should use CARP VIPs, or stack the Alias' on the CARP, not the actual interface. The alias VIP will not migrate to the backup.
2. If you are using CARP VIPs, you shouldn't see this issue. CARP VIPs have a unique MAC address- when the secondary is in control, it will answer for the CARP MACs.

bgibson

Thanks for the reply - not sure how I missed it. So instead of using IP alias, we need to carp all of these IP's if we are using an HA system?

Thats fine - but doesn't resolve my issue with my new HA location. Seems the ISP is caching the mac and once r1 dies, r2 picks up fin but when r1 comes on as master, the ISP modem still has R2 vip mac address.

Derelict

No.

Create IP Alias VIPs but for the interface there select that interface's CARP VIP.

Your IP Aliases will then move with the CARP VIP but you will avoid all of the CARP traffic, the need for unique VHIDs, etc.

It is elegant and works very well.


Derelict

@bgibson:

Thats fine - but doesn't resolve my issue with my new HA location. Seems the ISP is caching the mac and once r1 dies, r2 picks up fin but when r1 comes on as master, the ISP modem still has R2 vip mac address.

The MAC address for the CARP VIP will always be the same regardless of which one is master.

If your VHID is 15, your CARP MAC address for that IP address will be 00:00:5e:00:01:0f

If your upstream switch/device is not moving that MAC address with changes in master status it is probably not honoring the multicast to 224.0.0.18 which is necessary for proper CARP operation.

bgibson

Ty all - I understand Carp. The issue is with the ISP modem. Once router1 comes back online and is master, until router2 is restarted, routing ceases.

The IP alias was a though. If I'm carping all other interfaces and they die on router1 - then I deff want it to roll over to router2. My main concern was - without getting the ISP invovled - could I set the IP alias for my wan on both routers without causing issues?

So if my man subnet is 10.10.10.0/29
Router1 = 10.10.10.1
Router2 = 10.10.10.2
Typically - RouterVIP would be 10.10.10.3 with natting in place.

If I set an IP alias of 10.10.10.3 on my wan interface on BOTH routers, will there be any issues as long as one is in master mode? Does IP alias give individual mac addresses per machine? I just dont want to set it up and routing go crazy seeing that theirs two IP alias on the same internal network.

bgibson

And sorry for late responses - my settings are set to notify me on reply and I'm not getting them. I just turned it off and back on. Hopefully I will catch these quicker.
Again - thanks for everyones input.