Netgate Discussion Forum

    CARP and Multiple Switches

    HA/CARP/VIPs
    • geewhz01

      I'm trying to eliminate the possibility of a switch failure and put one firewall on switch a and firewall b on switch b. The 2 units have a sync interface and there is some connectivity between the switches on some VLANs. I do not have it set up so that the 2 firewalls can talk to each other on the multiple WAN interfaces. When I do this, CARP makes both machines appear as masters. Do the firewalls need to be on the same switches in order for CARP to work on these multiple WAN interfaces correctly?

      Andy

      • dotdash

        CARP needs to be able to talk to the other node on every CARP interface. You need to make sure the WAN interfaces of each firewall can communicate with each other. (same for other interfaces with CARP)

        • cconk01

          This makes me wonder, how could you eliminate the possibility of a switch failure having only one switch between your LAN interface on the firewall and LAN?

          • geewhz01

            Well, what I ended up doing was putting each firewall in its own switch and passing a common VLAN between the switches. Then, since I have multiple internet connections, I have put one of those in a different VLAN on one switch and it goes to both switches, with the firewalls' WAN interface picking up that VLAN. Then I take the other connection and put it in the other switch with a different VLAN. I have gone one step further and plugged both WAN connections into each switch and disabled the port so I don't have a loop. This way, if I lose a switch I can still get to the network and just enable the port so the other WAN connection will pick up.

            I thought that CARP would pass status through the sync interface but it does not; that would make the solution much easier to eliminate switch failures.

            Andy

            • purdue512

              I feel for you here. You are doing the right thing.

              I did the same (put two switches on the private (LAN) side to avoid a single point of failure). But I did not have any CARP problems. I was under the impression that the CARP traffic was through the sync link…  At least for me.

              • geewhz01

                @purdue512:

                I feel for you here. You are doing the right thing.

                I did the same (put two switches on the private (LAN) side to avoid a single point of failure). But I did not have any CARP problems. I was under the impression that the CARP traffic was through the sync link…  At least for me.

                Do you have your incoming WAN links set up this way or just the LAN side?

                Andy
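
A way to spot the dual-master symptom discussed in this thread, as an added example that is not part of any poster's message: the script compares the `carp:` status lines in `ifconfig` output collected from both firewalls and reports any VHID where both nodes claim MASTER. The sample output is constructed, and the script assumes each VHID is used only once across the pair.

```python
import re

IFACE_RE = re.compile(r"^(\S+): flags=")
CARP_RE = re.compile(r"^\s+carp: (MASTER|BACKUP|INIT) vhid (\d+)")

# Constructed sample `ifconfig` excerpts, one per firewall (not from the thread).
NODE_A = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""
NODE_B = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: MASTER vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: BACKUP vhid 2 advbase 1 advskew 100
"""

def carp_states(ifconfig_text):
    """Return {vhid: (interface, state)} parsed from ifconfig output."""
    states, iface = {}, None
    for line in ifconfig_text.splitlines():
        if (m := IFACE_RE.match(line)):
            iface = m.group(1)          # remember which interface we are inside
        elif (m := CARP_RE.match(line)) and iface:
            states[int(m.group(2))] = (iface, m.group(1))
    return states

def check_pair(text_a, text_b):
    """Compare both nodes; return a list of (vhid, interface, finding)."""
    a, b = carp_states(text_a), carp_states(text_b)
    findings = []
    for vhid in sorted(a.keys() | b.keys()):
        iface = (a.get(vhid) or b.get(vhid))[0]
        roles = sorted(s[1] for s in (a.get(vhid), b.get(vhid)) if s)
        if roles == ["MASTER", "MASTER"]:
            # Neither node hears the other's advertisements on this segment.
            findings.append((vhid, iface, "dual MASTER"))
        elif len(roles) < 2:
            findings.append((vhid, iface, "configured on one node only"))
        elif "MASTER" not in roles:
            findings.append((vhid, iface, "no MASTER"))
    return findings

if __name__ == "__main__":
    for vhid, iface, finding in check_pair(NODE_A, NODE_B):
        print(f"vhid {vhid} on {iface}: {finding}")
```
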
