Multiple CARP Interfaces/Groups
Hello There from Germany :) I'm starting to replace a little more complex firewall system. I've chosen pfsense. But there is a problem i cannot solve by my self.
Attached a schematic picture of my concept. So far everything is running as planed. We have internal CARP running between PFsense1 and PFsense2 on different VLANs 1 to 15. We have DMZ Zone for "Provider" and transfer networks some of them are now redundant with two routers (VRRP) and they using the 10.10.1.1 for example as gateway for our local networks. PFsense1 and 2 are also synced with OSPF over internal VLAN we need that already for some dynamic routers in the DMZ (not listed in picture).
My problem or question when eth2 goes down all CARP IPs from PFsense1 move to PFsense2 including the internal. basically this is working for me, but we are using time critical applications and after a change or minimal loss off connection the users have to re-login what takes Minutes. Is there a way to move only the CARP IPs on the interface that goes down? Routing should be still possible through the OSPF and at this point a lag off some seconds are no big problem.
And the Bonus question is it possible to move the CARP IPs when a gateway goes down? Not so important just for research.
The www connection is not that important for internet we use one of the providers proxy servers.
I hope somebody can understand this and help me. Thanks.
After reading Documentation found out myself.
Enter on both systems "sysctl net.inet.carp.preempt=0" in Command Prompt (Web Interface)
But be sure about your routing! Maybe nothing will work on one fail.
sysctl net.inet.carp.preempt=1 can enable it again