CARP done right with VLANS?



  • Hey Community.

I have 2 pfSense firewalls with 4 NICs.

NIC 1 is used for WAN.
NIC 2 is used for high availability sync/CARP.
NICs 3+4 are used for VLANs/LANs.

Everything is working: 1 master and 1 backup. The high availability sync is running through VLAN 4 (NIC 2).

My real question is that I made a VLAN 5 using NIC 3, and to get everything working I had to set my virtual IP to CARP, but the interface is VLAN 5. Is this the correct way? Or am I doing something incorrect here?


  • Netgate

    I really don't know what you are describing.

    If you add VLAN 5 to igb3, then assign an interface to VLAN 5 on igb3, that interface will be independent and will be tagged with VLAN 5 on igb3.

    VIPs really have nothing to do with anything in that case. All VIP types should function normally if added to that interface.



Well, from the pfSense doc:

    "Setup a Dedicated Sync Interface
    We strongly advise using a dedicated interface for synchronization, especially for state synchronization, handled using pfsync. This is not only for security purposes, but for resource utilization as well. State synchronization can consume significant amounts of traffic in a busy environment."

So really my question is that the VLAN 5 sync is not on a dedicated interface but rather on an interface that is heavily used.
But I can only get the sync from a VLAN to work on the same interface as the VLAN.


  • Netgate

    SYNC has nothing to do with VIPs either.

    You could use a VLAN interface as a pfsync/xmlrpc sync interface. Not sure you should, but you could. It won't care either. Just has to be tagged through the switch properly to both nodes.

    On a busy site you do not want pfsync to get backlogged. A rule of thumb is pfsync requires about 10% of the bandwidth represented by the states that are being synced.

    Why not just use a dedicated interface? If it's worth HA it's worth doing right.

"But I can only get the sync from a VLAN to work on the same interface as the VLAN."

    No idea what you're saying here either.