Netgate Discussion Forum
    Downstream CARP upstream BGP

    HA/CARP/VIPs
    3 Posts 2 Posters 598 Views
    junicast:

      Hi,

      at work we might be migrating over to pfSense from Fortigate. The current solution implements an Active/Passive setup, which we also want for pfSense. I have experience with pfSense in a CARP environment, but we want to try something new, like so:

      upstream Router 1:
      -> Link to pfSense box 1
      -> Link to pfSense box 2
      upstream Router 2:
      -> Link to pfSense box 1
      -> Link to pfSense box 2

      We would like to run CARP only on pfSense's downstream interfaces. On upstream we are thinking about using BGP for failover. That's what I have in mind:

      • Every pfSense has two BGP neighbors via a dedicated p2p link
      • Only the pfSense master shall announce routes
      • The routes are announced to both upstream routers (which are Nokia 7750), so traffic may flow over either of them

      Is there anybody out there who has experience with such a setup or a similar one?

      • Does this setup sound reasonable?
      • How can I make sure that only the master announces via BGP?
      • Shall I go for FRR or OpenBGPD?

      The other option that came to my mind is to set up VRRP on the Nokia side, but we think BGP is nicer.
      Thank you in advance.

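One way to approach the "only the master announces" question is to make the BGP advertisement conditional on the node's CARP state. The script below is an added illustration, not code from pfSense, FRR or the poster: it parses FreeBSD-style `ifconfig` output (the sample text is constructed here) and returns the action an event hook or cron job would take. Pushing that decision into the routing daemon (for example through `vtysh` for FRR) is assumed to happen elsewhere; this code only makes the decision, and it deliberately stays quiet when any VHID is not MASTER, so a split state can never leave both firewalls attracting upstream traffic.

```python
"""Decide whether this pfSense node should advertise its BGP prefixes,
based on the CARP state of its downstream VIPs.

Added example (not pfSense, FRR or the poster's code). Input is
FreeBSD-style ifconfig output; the samples below are constructed.
"""
import re

# Matches lines such as "	carp: MASTER vhid 1 advbase 1 advskew 0"
CARP_RE = re.compile(r"^\s*carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)")


def parse_carp_states(ifconfig_text):
    """Return {vhid: state} for every CARP VIP found in the ifconfig output."""
    states = {}
    for line in ifconfig_text.splitlines():
        m = CARP_RE.match(line)
        if m:
            states[int(m.group("vhid"))] = m.group("state")
    return states


def should_announce(states):
    """Announce only when every VHID is MASTER.

    A node with no VIPs at all, a BACKUP VHID, or a split state (some MASTER,
    some BACKUP) must withdraw; otherwise both firewalls could draw traffic
    from the upstream routers at the same time.
    """
    return bool(states) and all(s == "MASTER" for s in states.values())


def decide(ifconfig_text):
    """Map raw ifconfig output to the action a hook would take."""
    return "announce" if should_announce(parse_carp_states(ifconfig_text)) else "withdraw"


# Constructed sample: both downstream VHIDs are MASTER on this node.
SAMPLE_MASTER = """\
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
	inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 2
	carp: MASTER vhid 2 advbase 1 advskew 0
"""

# Constructed sample: split state, one VHID MASTER and one BACKUP.
SAMPLE_SPLIT = SAMPLE_MASTER.replace("carp: MASTER vhid 2", "carp: BACKUP vhid 2")

# Constructed sample: an interface with no CARP VIPs at all.
SAMPLE_NONE = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.2 netmask 0xfffffffc broadcast 203.0.113.3
"""

if __name__ == "__main__":
    for label, text in (("master", SAMPLE_MASTER), ("split", SAMPLE_SPLIT), ("none", SAMPLE_NONE)):
        print(label, parse_carp_states(text), "->", decide(text))
```

In production the text would come from `ifconfig` on the box itself, and the hook would run on every CARP state transition as well as periodically, since a backup that keeps an old announcement is exactly the failure this check is meant to prevent.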
      Derelict (Netgate):

        BGP doesn't make a very good failover protocol. A CARP failover is much faster.

        Aside from failover, where do you actually need dynamic routing? I would use failover protocols where you need failover and dynamic routing protocols where you need dynamic routing.

        Why do the firewalls have to announce routes at all? Why don't the routers just announce them? Routers don't get blown up by asymmetric routing and changing paths like stateful firewalls do.

        If you do decide to use BGP on pfSense, FRR all the way.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

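Derelict's point that routers tolerate asymmetric paths while stateful firewalls do not is easy to see in a toy model. The code below is an added example, not the poster's or Netgate's code: two independent stateful firewalls each keep their own state table, a TCP SYN that leaves through one of them creates state only there, and if the upstream routers hand the SYN-ACK back through the other firewall it is dropped. Addresses and flows are constructed; the routers are modelled as pure forwarders.

```python
"""Why asymmetric routing breaks a pair of stateful firewalls but not routers.

Added example; addresses (RFC 5737 documentation ranges) and flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Allows new sessions from the inside only; everything else must match state."""

    def __init__(self, name, inside_prefix):
        self.name = name
        self.inside_prefix = inside_prefix
        self.states = set()  # (src, sport, dst, dport) keyed by the initiator

    def forward(self, pkt):
        """Return True if the packet is passed, False if it is dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src.startswith(self.inside_prefix):
            if pkt.flags == "SYN":          # new outbound session: create state
                self.states.add(key)
                return True
            return key in self.states       # later outbound packets need state
        # Inbound packet: must match the reverse of an existing state entry
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.states


class StatelessRouter:
    """A router only looks at the destination; it keeps no per-flow state."""

    def __init__(self, name):
        self.name = name

    def forward(self, pkt):
        return True


def run_handshake(out_dev, ret_dev):
    """Send a SYN out through out_dev and the SYN-ACK back through ret_dev.

    Returns (syn_passed, synack_passed).
    """
    syn = Packet("10.0.0.10", 40000, "203.0.113.5", 443, "SYN")
    synack = Packet("203.0.113.5", 443, "10.0.0.10", 40000, "SYN-ACK")
    return out_dev.forward(syn), ret_dev.forward(synack)


def compare_topologies():
    """Run the same handshake over symmetric and asymmetric paths."""
    fw1 = StatefulFirewall("fw1", "10.")
    fw2 = StatefulFirewall("fw2", "10.")
    r1 = StatelessRouter("r1")
    r2 = StatelessRouter("r2")
    return {
        "firewalls_symmetric": run_handshake(fw1, fw1),
        "firewalls_asymmetric": run_handshake(fw1, fw2),   # SYN-ACK returns via the other firewall
        "routers_asymmetric": run_handshake(r1, r2),
    }


if __name__ == "__main__":
    for topo, (syn_ok, synack_ok) in compare_topologies().items():
        print(f"{topo:22s} SYN passed={syn_ok}  SYN-ACK passed={synack_ok}")
```

This is exactly the failure mode behind the advice in the thread: with CARP, only the master carries state and traffic, so the path stays symmetric; with both firewalls announcing the same prefixes to two upstream routers, nothing stops the return path from picking the firewall that never saw the SYN.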
        junicast:

          Thank you for your response. We are going to use CARP.
          We will also build LAGGs for upstream and downstream links, so the probability of failure should be pretty low.
          We thought about using BGP because our upstream devices can handle it and because it would mean less cabling / fewer ports.
