VHID VIP Clarification
-
Hey all, long-time Sophos user that is testing pfSense; so far I'm very happy with how things are progressing.
However, I have a question about VIPs and VHIDs.
Our setup is 2 nodes in HA, 1 LACP lagg for WAN, 1 LACP lagg for LAN, 1 failover lagg for sync. The LAN side has 5+ VLANs and IP subnets on it.
For the VIPs, can I use the same VHID number for each VIP, as long as they are on different VLANs?
Example:
VIP vlan 500 - 10.10.10.1 VHID 1
VIP vlan 501 - 10.10.20.1 VHID 1
VIP vlan 502 - 10.10.30.1 VHID 1
And then use an IP alias for additional VIPs per VLAN?
Or do VHIDs need to be unique across the system and all VLANs?
Thanks!
-
To answer my own question: VHIDs have to be unique per layer 2 segment, so on a lagg interface with multiple VLANs on it, each VLAN can use the same VHID.
-
CARP/VRRP/etc. use not only virtual IPs but also virtual MACs, so that failover is a smooth experience without clients or network equipment having to learn a new MAC address for the failover server, as they would with IP-only configurations (early Linux HA clusters, for example).
The VHID setting determines which MAC is handed out for that CARP-style VIP. All of them (IMHO) use the failover MAC space
00:00:5E:00:01:XX
so by changing the VHID you are also configuring the last "XX" segment of that MAC address. That's why it has to be unique on that network segment (L2), and you also have to watch out for other cluster/HA-grade setups that use VRRP- or HSRP-style VIP/MAC combinations. But if your pfSense cluster is the only cluster in that network segment, VHID 1 is commonly fine on all interfaces. We're using VHID 4 and 6 (for IPv4/IPv6 VIPs on the same VLAN) over multiple VLANs just fine :)
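The following is an added example, not code from the thread or from pfSense, that turns the two answers above into a check you can run against a VIP plan before committing it: it derives the 00:00:5E:00:01:XX virtual MAC from each VHID, flags any virtual MAC claimed twice on the same layer-2 segment (a second CARP VIP with the same VHID on one segment, or a foreign VRRP router with the same VRID), confirms every IP alias has a CARP parent, and rewrites the plan so the duplicates become IP aliases or get the next free VHID. The VIP table mirrors the original poster's VLAN 500-502 layout; the interface names (lagg0, lagg1.5xx), the WAN addresses, the IPv6 VIP and the VRRP router on VLAN 502 are assumptions invented for the example.

```python
"""VHID planning for CARP VIPs on VLANs that share a lagg.

Constructed illustration for the thread above, not pfSense code. Interface
names, WAN addresses and the foreign VRRP router are assumptions.
"""
from collections import defaultdict

# IANA virtual-router MAC range shared by VRRP and CARP; the VHID (VRID for
# VRRP) becomes the last octet. Two groups with the same VHID on the same
# broadcast domain therefore answer ARP/ND with the same MAC and fight.
VMAC_PREFIX = "00:00:5e:00:01"

# One entry per VIP. "segment" is the layer-2 domain: parent lagg plus VLAN
# tag, because each VLAN is its own broadcast domain even on a shared lagg.
VIPS = [
    # LAN lagg, VHID 1 reused on every VLAN: fine, different segments.
    {"segment": "lagg1.500", "mode": "carp", "addr": "10.10.10.1/24", "vhid": 1},
    {"segment": "lagg1.500", "mode": "ipalias", "addr": "10.10.10.2/24", "parent_vhid": 1},
    {"segment": "lagg1.500", "mode": "carp", "addr": "2001:db8:500::1/64", "vhid": 6},
    {"segment": "lagg1.501", "mode": "carp", "addr": "10.10.20.1/24", "vhid": 1},
    {"segment": "lagg1.502", "mode": "carp", "addr": "10.10.30.1/24", "vhid": 1},
    # Assumed: someone else's VRRP router on VLAN 502 using VRID 1.
    {"segment": "lagg1.502", "mode": "vrrp", "addr": "10.10.30.254/24", "vhid": 1},
    # WAN lagg (assumed addresses): two CARP VIPs with one VHID on one segment.
    {"segment": "lagg0", "mode": "carp", "addr": "203.0.113.10/29", "vhid": 1},
    {"segment": "lagg0", "mode": "carp", "addr": "203.0.113.11/29", "vhid": 1},
]


def virtual_mac(vhid):
    """Virtual MAC a CARP/VRRP group with this VHID uses on the wire."""
    if not 1 <= vhid <= 255:
        raise ValueError(f"VHID must be 1..255, got {vhid}")
    return f"{VMAC_PREFIX}:{vhid:02x}"


def find_conflicts(vips):
    """(segment, vmac, [addrs]) for every virtual MAC claimed more than once
    on one segment. IP aliases ride on their parent's MAC and do not claim one."""
    claims = defaultdict(list)
    for v in vips:
        if v["mode"] in ("carp", "vrrp"):
            claims[(v["segment"], virtual_mac(v["vhid"]))].append(v["addr"])
    return [(seg, mac, addrs) for (seg, mac), addrs in sorted(claims.items())
            if len(addrs) > 1]


def orphan_aliases(vips):
    """IP alias VIPs whose parent CARP VIP (same segment, same VHID) is missing."""
    parents = {(v["segment"], v["vhid"]) for v in vips if v["mode"] == "carp"}
    return [v["addr"] for v in vips
            if v["mode"] == "ipalias" and (v["segment"], v["parent_vhid"]) not in parents]


def next_free_vhid(vips, segment):
    """Lowest VHID not yet claimed by any CARP/VRRP group on this segment."""
    used = {v["vhid"] for v in vips
            if v["mode"] in ("carp", "vrrp") and v["segment"] == segment}
    return next(n for n in range(1, 256) if n not in used)


def fix_plan(vips):
    """Resolve collisions the way the thread suggests: a second CARP VIP on a
    segment that already has that VHID becomes an IP alias of the first; a
    CARP VIP colliding with a foreign VRRP group gets the next free VHID."""
    taken = {(v["segment"], v["vhid"]) for v in vips if v["mode"] == "vrrp"}
    kept = {}  # (segment, original vhid) -> vhid actually configured
    fixed = []
    for v in vips:
        v = dict(v)
        if v["mode"] == "carp":
            key = (v["segment"], v["vhid"])
            if key in kept:
                v = {"segment": v["segment"], "mode": "ipalias",
                     "addr": v["addr"], "parent_vhid": kept[key]}
            else:
                if key in taken:
                    v["vhid"] = next(n for n in range(1, 256)
                                     if (v["segment"], n) not in taken)
                kept[key] = v["vhid"]
                taken.add((v["segment"], v["vhid"]))
        fixed.append(v)
    return fixed


if __name__ == "__main__":
    for seg, mac, addrs in find_conflicts(VIPS):
        print(f"CONFLICT on {seg}: {mac} claimed by {', '.join(addrs)}")
    for v in fix_plan(VIPS):
        mac = virtual_mac(v["vhid"]) if v["mode"] != "ipalias" else "(parent's MAC)"
        print(f"{v['segment']:10} {v['mode']:8} {v['addr']:22} {mac}")
```

Running it reports the WAN lagg (VHID 1 claimed twice) and VLAN 502 (CARP VHID 1 versus the assumed VRRP VRID 1) as conflicts, while VHID 1 on VLANs 500, 501 and 502 is accepted because they are separate segments; the fixed plan turns the second WAN VIP into an IP alias and moves the VLAN 502 CARP VIP to VHID 2. On the firewall itself the per-interface `carp:` line in `ifconfig` output shows the vhid and state actually in use, which is what to compare the plan against.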