CARP/HA not working
-
ix0 will work for the SYNC interface, yes, but since it's doesn't use CARP SYNC can be on one of the Eth ports. You just need to configured the internal switch correctly.
Using ix0 as either WAN or LAN is a much better use if you don't have an expansion card.
You need to have a layer connection between the nodes on all interfaces that have CARP failover, yes. So, yes, you need a switch on the WAN side.
See: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html
Steve
-
@stephenw10 so how do I configure the ETH8 then, so it is configured correctly for CARP SYNC ??
if I leave ETH1 for WAN and eth2 for LAN .
-
You have to add ports 9 and 10 as tagged members of VLAN 8 in the switch config as I said.
Currently you have VLAN 8 only using port 8 so nothing is ever passed to to the internal LAGG.
Make sure you can ping between the nodes on the SYNC interface IPs. It's not required for sync but adding rules to allow it makes troubleshooting much easier.
Steve
-
@stephenw10 said in CARP/HA not working:
ou have to add ports 9 and 10 as tagged members of VLAN 8 in the switch config as I said.
Currently you have VLAN 8 only using port 8 so nothing is ever passed to to the internal LAGG.
Make sure you can ping between the nodes on the SYNC interface IPs. It's not required for sync but adding rules to allow it makes troubleshooting much easier.
SteveSo like:
So, if I add 9 and 10 as tagged to vlan 8, even though 9 and 10 are not physical ports, it might start syncing to the other firewall??
(I have no access to the other FW at the moment as I fucked it up a little bit and I need to go to the datacenter ...)
-
Yes, that is the correct switch setup. You should be able to use port 8 for sync with that on both firewalls.
Steve
-
@stephenw10 Hi, I changed the vlans on both and also added a rule:
but I still cannot ping the other SYNC ip address.
-
@nick-loenders I have found it.... The DHCP on the 2nd FW was still enabled and that was a mistake...
Resetted both devices and began from scratch, now with DHCP disabled on the 2nd LAN
And now it seems to sync well.OK Stage 1 complete :)
-
You should have DHCP enabled on both nodes for subnets that need it. You just need to setup the DHCP servers for failover operation.
See: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html#modifying-the-dhcp-serverSteve
-
@stephenw10 Thanks, it all seems to work fine now.
It is normal that I loose +-5seconds when one device is lost?
And +-10 seconds when the device is back online? -
Lose that how?
If CARP is functioning correctly you might lose, for example, a single ping during the failover. For pings with a 1s period that is.
Steve
