4 LAN Interface Question
-
What is the best way to set up the LAN side of my firewall so that all 4 LAN interfaces (2 per box) have the same VIP?
I have tried using LAGG and, unless I am doing something wrong, I get no options to add interfaces to the menu.
Thanks

-
Why do you want to use LAGG interfaces? If it is for redundancy, you already will achieve that with CARP.
-
We need no single point of failure hence each firewall running with 2 switches.
Is it possible to create a CARP across multiple interfaces on the same box?
LAN1:
192.168.1.1 - firewall 1
192.168.1.2 - firewall 2

LAN2:
192.168.1.3 - firewall 1
192.168.1.4 - firewall 2

CARP LAN1:
192.168.1.10

CARP LAN2:
192.168.1.11

GATEWAY CARP:
192.168.1.20

Is the above possible with CARP?
-
Separate CARP instances should be set up for LAN and WAN sides.
If you want multiple interfaces in each, then you would have to use LAGG, and then CARP on top of that, but that is pointless.
A traditional pfSense cluster with 1x SYNC + 1x LAN, and 1x WAN running CARP represents no single point of failure.
If the BACKUP pfSense stops hearing updates from the MASTER on ANY CARP interface, it will fail-over and become MASTER.

Adding LAGG to the setup will add redundancy to the redundancy, and will complicate the setup a lot. It will not allow you to detect when one member of the LAGG goes down, so you could end up with degraded performance, and CARP wouldn't fail-over since it doesn't see it as a problem.
-
It will not allow you to detect when one member of the LAGG goes down
Well, you could look for traps from the switch/stack doing the LACP for LACP issues, but it really seems like overkill, but it depends on the application.
Everything always comes down to the endpoints. Unless you are going to LACP to two NICs in every endpoint to two different switches (You can LACP a group across stack members or sometimes with multi-chassis trunking), when the switch that the endpoints are connected to has a problem, those endpoints lose connectivity.
On all of your LANs:
X.X.X.1 CARP
X.X.X.2 Master interface
X.X.X.3 Backup interface

All clients pointed to .1 for routing, DNS, etc.