Fully redundant network config using CARP
-
Hello, I am currently trying to architect a fully redundant network solution. Here is how we are planning to do this:
1 - We are going to have 2 network drops into our cabinet. They will both be 'hot', but we are only supposed to use a single drop…
2 - We are going to have 2 pfsense FWs, drop1 --> fw1 ; drop2 --> fw2
3 - We will have a dedicated CARP interface between fw1 and fw2, all inbound traffic will be over VIPs, as well as our internal IP gateway
[ so far we have no single point of failure ]
4 - we are planning on having 2 switches sitting behind the two firewalls. these are going to be intelligent managed switches to which each server will be connected to. each of our servers will have 2 NICs which via link aggregation will have a connection to each switch.
My question is regarding how the pfsense machines will need to be connected to these switches… will each fw need to have a connection to each switch? if so, i assume we would need to do link aggregation with two interfaces on the pfsense machine... is this possible?
Perhaps I am going about this the wrong way...i am open to any comments, questions, or snide remarks :)
thanks,
geoff -
here is a JPG of what I am trying to accomplish…
thanks,
geoff
-
First of all you have to make sure that the both pfSense systems can "see" each other on all interfaces that have CARP VIPs. That means you have to make sure that fw1 can broadcast a keepalive on drop1 that fw2 can receive on drop2. If your ISP is preventing broadcasts between the drops or they are not in the same broadcastdomain you will be out of luck with this setup. The messages themselves are similiar to VRRP traffic.
For the LAN segment it's eough to have fw1 hooked up to the one switch and fw2 hooked up to the second switch as long as the switches are trunked to each other and fw1 can broadcast it's heartbeat over to fw2. If one switch failes it will trigger fw2 going to master state.
The direct link between fw1 and fw2 is not a heartbeat. It's for syncing states which makes the backup firewall aware of the active connections of the masterfirewall to have a stateful failover. It even would work without that link or if you run these syns at LAN (more insecure of course) but the heartbeats of the VIPs run on the interfaces the CARP VIP is living on. This way it does not only detect a failure of a single firewall but also broken links, cut cables, dead switches, …
-
Thank you for the answer… I am not 100% sure I will need to broadcast directly over the drops. I may have described the setup incorrectly. If you look at the diagram you can see that drop 1 goes into switch 1 and drop 2 goes into switch 2. switch 1 and switch 2 are going to be trunked together. there will be a VLAN on the switches which will contain fw1 and fw2 as well as drop1 and drop2. with the switches in the middle here, am I going to be dependant on the ISP to allow broadcasts, i think fw1 and fw2 should be able to easily communicate directly.
take a look at the attached JPG and let me know what you think...
thanks again!
Geoff -
Yes, in that case it will work just fine, if the switch is configured correctly. I use CARP on vlans as well for our office install.