Problem with Virtual IP
-
I was wondering if anyone has experienced the following problem.
In my network I have two pfSense firewalls, one main and one secondary. Whenever switching from one to the other happens, the virtual IPs stop working and we need to recreate them all. In fact, we don't need to recreate them; just clicking the edit button and then saving without changing anything makes the virtual IP work again.
I would like help with such a problem if someone has already gone through the same situation.
Note: Neither firewall is configured via CARP; they have the same IPs, differing only in the management IP. It is not the best configuration, but in my current network it only works like this due to other problems, so the switching between them is done manually.
-
@yuridmelo So they are defined as CARP, or just simple virtual IPs?
-
@netblues Just simple virtual IPs.
-
Same virtual IPs on both pfSenses?
-
@netblues Yes, the same. I came to think that it could be something related to the physical address (ARP table), but I'm not sure, and even if it is, I don't know how to solve it.
-
@yuridmelo This is not supported; it leads to IP conflicts.
You should be glad it works like this.
-
@netblues IP conflict? But this is not possible, because only one of the firewalls remains active.
My situation is as follows:
I have two firewalls configured identically. One is active, and the other has only one active interface, the LAN; its other cables are all disconnected and the interfaces disabled, and only the LAN cable, which is what we use to access it, is connected. So when we need, for example, to update the primary (active) firewall, we disconnect the cables from it and connect them to the secondary, update the primary, and reconnect the cables to the primary. That is, we never leave both active at the same time, only one, so there is no way there can be an IP conflict, because while one is active the other has all interfaces disconnected and disabled. However, we still have to keep recreating all the virtual IPs every time we need to connect the secondary and disconnect the primary.
-
@yuridmelo So I guess these virtual IPs end up in MACs which need to propagate to the switches' tables.
I suspect that if you could wait, the network would converge without hitting refresh on the IPs.
By saving you make this happen faster. You really need to put CARP to work for you.
-
@netblues I also think it has to do with the MAC address. Yes, with CARP the convergence would be much faster; however, before, when we used CARP, our network had a lot of problems with packet loss, precisely because both had the same virtual IP and were ACTIVE (of course wrong, lol), so after that we decided to work like this, but we already have on our dashboard the project to go back to CARP. Currently we only have this problem with the virtual IPs, which I can't solve, and it is a very rare problem; it occurs only in the situations reported above.
-
It can depend on the switch/router on the other end of the cable. For instance, with Comcast routers, often when replacing a router in an office (inside the Comcast router) I've found it's fastest to power off or reboot the Comcast router so it learns the IP has a new MAC. If you have the second router on and are just plugging in cables, I would wonder if restarting the second router (or just leaving it off and powering it on) would help.
But overall, CARP set up properly works basically instantly, so that would be preferred. https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html
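The mechanism the two replies above point at (the neighbours' IP-to-MAC tables still holding the old firewall's MAC after the cables are moved, and a gratuitous ARP being what fixes it) can be shown with a small model. The following is an added example, not code from the thread or from pfSense: it builds and decodes a gratuitous ARP frame, keeps a toy ARP cache the way a neighbouring host or upstream router would, and runs the cable-swap scenario once without and once with an announcement. The VIP and the two MAC addresses are constructed sample values; `send_frame` is only a convenience for emitting such a frame from a Linux host on the segment and is not used by the simulation.

```python
import socket
import struct

ETH_TYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed sample values (not from the thread): one virtual IP and the
# LAN MAC address of each firewall.
VIP = "192.0.2.10"
MAC_PRIMARY = "00:11:22:aa:bb:01"
MAC_SECONDARY = "00:11:22:aa:bb:02"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(sender_mac, vip, reply=True):
    """Ethernet frame carrying a gratuitous ARP for `vip`.

    Gratuitous ARP sets sender IP == target IP. The usual form is an
    unsolicited ARP reply (opcode 2) to the broadcast MAC, telling every host
    on the segment that `vip` now lives at `sender_mac`; switches also learn
    the source MAC's port from the same frame.
    """
    eth_hdr = (mac_to_bytes(BROADCAST_MAC) + mac_to_bytes(sender_mac)
               + struct.pack("!H", ETH_TYPE_ARP))
    opcode = 2 if reply else 1
    target_mac = sender_mac if reply else ZERO_MAC
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp_body = (mac_to_bytes(sender_mac) + socket.inet_aton(vip)
                + mac_to_bytes(target_mac) + socket.inet_aton(vip))
    return eth_hdr + arp_hdr + arp_body


def parse_arp(frame):
    """Decode the fields of an Ethernet/ARP frame; raises on anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
        "gratuitous": frame[28:32] == frame[38:42],
    }


class ArpCache:
    """Minimal model of the IP->MAC table a neighbouring host/router keeps."""

    def __init__(self):
        self.entries = {}

    def learn(self, frame):
        info = parse_arp(frame)
        # A host overwrites an existing entry from any ARP packet whose sender
        # IP it has cached; gratuitous ARP exists to trigger exactly that.
        self.entries[info["sender_ip"]] = info["sender_mac"]

    def lookup(self, ip):
        return self.entries.get(ip)


def simulate_failover(announce):
    """Move the cables from primary to secondary and return the MAC the
    neighbour believes owns the VIP afterwards.

    announce=False: nothing tells the neighbour about the new MAC, so the
    stale entry stays until it ages out (the symptom in the thread).
    announce=True: the secondary sends a gratuitous ARP (what re-saving the
    VIP in the GUI effectively triggers) and the entry is corrected at once.
    """
    neighbour = ArpCache()
    neighbour.learn(build_gratuitous_arp(MAC_PRIMARY, VIP))  # primary in service
    # cables moved to the secondary; the neighbour saw no frame about it yet
    if announce:
        neighbour.learn(build_gratuitous_arp(MAC_SECONDARY, VIP))
    return neighbour.lookup(VIP)


def send_frame(frame, iface):
    """Emit a raw frame on `iface`. Linux AF_PACKET only and needs root;
    pfSense (FreeBSD) has no AF_PACKET, so use a Linux host on the segment."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    print("without announcement:", simulate_failover(False))  # MAC_PRIMARY
    print("with gratuitous ARP:  ", simulate_failover(True))  # MAC_SECONDARY
```

The point the model makes is that the VIP itself is fine on the secondary; what is wrong is every neighbour's cached mapping of that IP to the primary's MAC. Re-saving the VIP, rebooting the upstream router, or waiting for the cache to age out all resolve the same stale entry, and CARP avoids the problem by keeping the VIP on a shared virtual MAC that does not change on failover.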