Carp interface
-
Hi,
I just read the carp setup doc at : http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense
I am not sure I understand as it seems impossible to set the same vhid to vip as stated; when I assign a different one it seems to work BUT both nodes are labeled as masters, which does not really make sense, one should be labeled as backup.
When I look at the network interface I get this:
Master:
ifconfig
xl0: flags=8943 <up,broadcast,running,promisc,simplex,multicast> mtu 1500
options=9 <rxcsum,vlan_mtu>
inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
inet6 fe80::250:daff:fe0b:33e3%xl0 prefixlen 64 scopeid 0x1
ether 00:50:da:0b:33:e3
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp0: flags=8843 <up,broadcast,running,simplex,multicast> mtu 1500
options=8 <vlan_mtu>
inet 192.168.15.120 netmask 0xffffff00 broadcast 192.168.15.255
inet6 fe80::2a0:c9ff:fef1:8e4e%fxp0 prefixlen 64 scopeid 0x2
ether 00:a0:c9:f1:8e:4e
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp1: flags=8843 <up,broadcast,running,simplex,multicast> mtu 1500
options=8 <vlan_mtu>
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::2d0:b7ff:fe4e:683e%fxp1 prefixlen 64 scopeid 0x3
ether 00:d0:b7:4e:68:3e
media: Ethernet autoselect (10baseT/UTP)
status: active
lo0: flags=8049 <up,loopback,running,multicast> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pfsync0: flags=41 <up,running> mtu 1348
pfsync: syncdev: xl0 maxupd: 128
pflog0: flags=100 <promisc> mtu 33208
carp0: flags=49 <up,loopback,running> mtu 1500
inet 172.16.2.20 netmask 0xffffff00
carp: MASTER vhid 1 advbase 1 advskew 0
Backup:
ifconfig
fxp0: flags=8943 <up,broadcast,running,promisc,simplex,multicast> mtu 1500
options=8 <vlan_mtu>
inet6 fe80::2d0:b7ff:fe68:dd1%fxp0 prefixlen 64 scopeid 0x1
inet 172.16.2.2 netmask 0xffffff00 broadcast 172.16.2.255
ether 00:d0:b7:68:0d:d1
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr0: flags=8843 <up,broadcast,running,simplex,multicast> mtu 1500
inet 192.168.15.121 netmask 0xffffff00 broadcast 192.168.15.255
inet6 fe80::250:baff:fe20:5353%vr0 prefixlen 64 scopeid 0x2
ether 00:50:ba:20:53:53
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl0: flags=8843 <up,broadcast,running,simplex,multicast> mtu 1500
options=8 <vlan_mtu>
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::210:4bff:fe2a:5927%xl0 prefixlen 64 scopeid 0x3
ether 00:10:4b:2a:59:27
media: Ethernet autoselect (10baseT/UTP)
status: active
lo0: flags=8049 <up,loopback,running,multicast> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pfsync0: flags=41 <up,running> mtu 1348
pfsync: syncdev: fxp0 maxupd: 128
pflog0: flags=100 <promisc> mtu 33208
carp0: flags=49 <up,loopback,running> mtu 1500
inet 172.16.2.21 netmask 0xffffff00
carp: MASTER vhid 2 advbase 1 advskew 10
My question is: shouldn't I get the slave node labeled as backup instead of master?
I only enable the master to copy its config over to the backup.
Regards,
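A consistency check over the two carp0 stanzas quoted above, added here as an example (it is not part of the original post and not pfSense code). CARP only elects one MASTER and the rest BACKUP among hosts that share a vhid, so two nodes configured with different vhids each become MASTER of their own one-member group. The names parse_carp and compare and the NODE_* samples are made up for this example; NODE_B_SYNCED is a constructed sample of a matching peer.

```python
import re

# carp0 stanzas retyped from the post above (other interfaces omitted).
NODE_A = """carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
\tinet 172.16.2.20 netmask 0xffffff00
\tcarp: MASTER vhid 1 advbase 1 advskew 0
"""
NODE_B = """carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
\tinet 172.16.2.21 netmask 0xffffff00
\tcarp: MASTER vhid 2 advbase 1 advskew 10
"""
# Constructed sample: what a correctly paired backup node would report.
NODE_B_SYNCED = """carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
\tinet 172.16.2.20 netmask 0xffffff00
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
"""

IFACE = re.compile(r"^(\w+): flags=")
INET = re.compile(r"^\s*inet (\S+) ")          # IPv4 only; "inet6" does not match
CARP = re.compile(r"^\s*carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")

def parse_carp(text):
    """Return {vhid: {iface, state, vips, advskew}} from ifconfig output."""
    groups, iface, vips = {}, None, []
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface, vips = m.group(1), []       # new interface stanza starts
        elif m := INET.match(line):
            vips.append(m.group(1))
        elif (m := CARP.match(line)) and iface:
            state, vhid, _base, skew = m.groups()
            groups[int(vhid)] = {"iface": iface, "state": state,
                                 "vips": set(vips), "advskew": int(skew)}
    return groups

def compare(a, b):
    """List configuration problems that prevent a MASTER/BACKUP election."""
    findings = []
    for vhid in sorted(a.keys() | b.keys()):
        if vhid not in a or vhid not in b:
            side = "A" if vhid in a else "B"
            findings.append(f"vhid {vhid}: only on node {side}; no peer to become BACKUP")
            continue
        if a[vhid]["vips"] != b[vhid]["vips"]:
            findings.append(f"vhid {vhid}: virtual IPs differ between nodes")
        if a[vhid]["state"] == b[vhid]["state"] == "MASTER":
            findings.append(f"vhid {vhid}: both MASTER; peers do not accept each other's advertisements")
        if a[vhid]["advskew"] == b[vhid]["advskew"]:
            findings.append(f"vhid {vhid}: equal advskew; no preferred master")
    return findings
```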
-
Ok, never mind,
I figured it out, I had to enable Synchronize Virtual IPs on the master and voila.
Great software guys, thank you very much!!
++
-
Hi,
Ok, it seems to work ok BUT its main function (failover) is NOT working.
All rules are copied ok BUT when I turn off the master, the slave remains exactly as is, I mean it keeps its own ip address etc therefore the firewall is seen as down, in other words the backup is not taking over. I must have forgotten some obvious settings BUT I RTFM at least 10 times to look for what was missing, any hints?
I did set the VIP on the SYNC interface, should it be on the WAN interface instead, I am not sure I understand fully how it is supposed to work, can anyone shed some light?
Regards,
-
Try following http://pfsense.com/mirror.php?section=tutorials/carp/carp-cluster-new.htm , maybe you find the missing checkbox by watching the tutorial ;)
-
Ok, I've made it work!
There is more info now on the tutorial, and it helped.
Regards,
-
Which information was missing? I'll add it to the doc wiki if you let me know.
-
Which information was missing? I'll add it to the doc wiki if you let me know.
Well in the animated doc it mentions to check the box "preemption" which does not exist in the latest version of pfsense, so I had to figure it out logically. My problem was my comprehension of the VIP. Once understood that the VIP becomes the real ip used by the subnet, then it becomes easy.
The VIP concept is not clear in the written doc.
Regards,
-
We enable preemption by default now, that's why the box is missing (the tutorial was not updated regarding this). I'll have a look at the doc if it can be made more clear or more easy to understand.