Netgate Discussion Forum

Unbound iface bind settings in CARP/VIP scenario

HA/CARP/VIPs
1 Posts 1 Posters 383 Views
    IT_Luke
    last edited by Mar 23, 2021, 1:02 PM

    Hi all, I have looked around but can't seem to find a definitive answer to this issue or possibly missed something: in an HA setup with a CARP VIP for the outgoing GW iface, to have an automatic failover it would make sense to assign this VIP also among the ones the unbound / dns resolver service listens to in order to have a seamless failover. However this config is replicated to the secondary pfSense and the dns resolver tries to bind to this CARP VIP also and fails to start (duh). My solution was to simply set the 2 physical pfSense IPs as DNSs and not specify any CARP VIP in the dns resolver settings (so listen on LAN and Localhost) and this naturally works - but in the case of a failure of one box, clients would need to time out (yes we're talking only about 3 seconds here) before they would switch to the 2nd DNS / pfSense which is not "seamless".
    Is there any way to tell the failover pfSense box to restart the unbound / dns resolver so that it will successfully bind to the newly available CARP VIP once the failed box has released it? This also impacts pfBlocker as it relies on unbound to work.

    Thanks!

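One configuration-level way to let the resolver start on the node that does not currently hold the CARP address, as an added example (unbound.conf directives, not from the post or from pfSense; the 192.0.2.x addresses and the VIP 192.0.2.1 are constructed, and since pfSense generates unbound.conf itself, directives like these belong in the DNS Resolver's custom options box):

```conf
server:
    # Weak form (the behaviour described in the post): listing the shared
    # VIP makes unbound refuse to start on the node that does not hold it,
    # because the kernel rejects a bind() to an address it does not own.
    #interface: 192.0.2.2
    #interface: 192.0.2.1

    # Hardened form: keep listening on the VIP, but allow binding to an
    # address the host does not own yet (IP_BINDANY on FreeBSD). Unbound then
    # starts on both nodes and answers on the VIP as soon as CARP promotes
    # this node to MASTER, with no restart needed on failover.
    interface: 127.0.0.1
    interface: 192.0.2.2        # this node's own LAN address (constructed)
    interface: 192.0.2.1        # shared CARP VIP (constructed)
    ip-transparent: yes

    # Binding to a not-yet-local address must not widen who may query the
    # resolver: refuse everything, then allow only loopback and the LAN.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
```

After the change, `unbound-checkconf` on each node confirms the file parses, and `sockstat -l | grep unbound` on the BACKUP node should show the VIP socket bound even while the address is held by the peer.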
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.