Clarification on my understanding of CARP

jhabers

I want to make sure that I am understanding CARP with what I am proposing to my client and want to make sure that it is possible.

I will be installing 2 pfSense firewalls in a data center for a client with CARP
There will be 2 reduntant CAT5 feeds coming to my cabinet
Each will go to the wan port on each pfSense
I will use the opt port on each pfSense to connect to each other
My static IP will be 1.2.3.4

psSense1 will be the Master firewall and pfSense2 will be the backup
if pfSense 1 goes down will it transfer IP 1.2.3.4 to pfSense2 and it will take over functionality with little downtime? (How long does it take to bring back up the interface?). Can pfSense alert me if it fails over?

What constitutes pfSense going down? will it sense if the link goes down? what if the link stays up but it cant get out to the internet, will it fail over? How about IPsec tunnels, will it re-establish those?

Thanks, I just ordered the book and I believe this is all in there about configuring.

Jon

Gob

hi jon
first you need to clarify whether you want line redundancy, hardware redundancy or both.
multi-wan is for links, carp is for hardware, but you can mix them both.

jhabers

@Gob:

hi jon
first you need to clarify whether you want line redundancy, hardware redundancy or both.
multi-wan is for links, carp is for hardware, but you can mix them both.

Thanks for the reply Gob, yes I would like both hardware and Line redundancy (i think)

• I want to use two physical pfSense's incase one just dies, and want it to fail over to pfSense2 and use the same WAN ip that pfSense1 was using
• There will only be 1 physical WAN cat5 to each firewall
• Can pfSense1 failover to pfSense2 if pfSense1 cant get out to the internet? (Cat5-1 goes down)

The 2 internet lines are going to come from the same "isp" and have the same IP subnet. I dont need to load balance between the 2 because I will only have XMb/s total (whether i use both or just one)

Does this answer your questions?

Thanks
JOn

Gob

There is a detailed illustration of this setup in the book however it works a little different to how you think it works.
Carp will only switch over to box 2 if box 1 dies. It will not failover if a WAN link fails.

You need to have two WAN interfaces on each pfSense box, plus one interface on each for monitoring/syncing firewall states between the two boxes.
Your two feeds need to go into each wan port on each pfSense, so you will need a couple of little switches.
Normall operation you would only be using WAN1 on pfSense1
If WAN1 link on pfSense1 fails you will switch to WAN2 on pfSense1

Should pfSense1 hardware fail, you will switch to WAN1 on pfSense2

Another consideration is that you will need 5 public ip addresses to implement this setup.
The book will explain it much better than me so I would digest that first before attempting the implementation.

G.

jhabers

Thanks makes perfect sense. Thanks. I should be getting the book delivered this week. The install wouldnt be til Aug so I have some time to test everything out. Know a little about VLANs but correct me if I am wrong, I could get switches that have vlan capabilities so I dont have to buy those little switched right? Each Cat5 feed would go to a separate switch with the power going to a APC7750 for redundant power. IPs arent a problem, I have 16 priced in and adding more is only a few more bucks a month.

Thanks again
Jon