IP Alias in VirtualIP-Reg

kps1234

Hi All

Virtual IP created by IP Alias type is not syncing in backup firewall. Any reasons??

Regards
KP

Derelict

IP aliases cannot be synced between nodes because they will create an address conflict.

Don't assign your IP Alias VIPs to an interface. Assign them to a CARP VIP on the interface.

azekiel

What if you want to have more than 255 IPs as VIPs?

Derelict

A CARP VIP takes one VHID. IP Alias VIPs riding on a CARP VIP take none.

I didn't say to make them CARP VIPs. I said to assign them to a CARP VIP on the interface.

![Screen Shot 2017-05-29 at 6.00.23 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-29 at 6.00.23 PM.png)
![Screen Shot 2017-05-29 at 6.00.23 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-29 at 6.00.23 PM.png_thumb)

kps1234

What abt proxy ARP?

azekiel

ah, okay.

is /32 for the IP Alias on the CARP interface correct?

The secondary pfsense is now master as well as the primary one for my wan carp (and all of the ip aliases on that).
is that correct?
//edit: I couldn't solve that be entering persistent maintenance mode or sth similar so I rebooted the secondary one. Now it's backup.

Derelict

/32 is fine. You could also use the interface subnet. It creates only one VIP regardless. ARP, etc. will work fine regardless.

Impossible to say what might be an issue with your HA with the information provided.

No, You cannot use Proxy ARP VIPs with an HA cluster. Both nodes would try to use the same address on the same network at the same time. See Clustering here:

https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

azekiel

I just changed it to /27 for every IP Alias in the CARP, because of the document you provided.

Thank you very much for your help.

Just one additional question: Everytime I change something in the CARP setup or in the VLANs especially the system is going nuts.
I changed about 25 IP Aliases in the CARP from /32 to /27 at the same time - I got 853 mails

Every mail is "HA cluster member "(<ip>@bge1): (WAN)" has resumed CARP state "BACKUP" for vhid 1"

All tunnels and so on get disconnect/re-established. After so many notifications the nginx halted, webinterface only said "503 bad Gateway". After restarting php-fm with Option 16 from the console the mails stopped and everything was working fine.

Do you have any idea about that? I asked for support for the same question on another threads a couple of weeks/months ago without any luck.

pfSense are 2x Dell R200 with Intel cards only.
pfSync interface is a dedicated physical interface, WAN1 is a second dedicated physical interface, everything else is a 4-way bond with multiple VLANs on top of it (VLAN on lagg - lacp)</ip>

Derelict

I do not know. I do not see that behavior.

Adding and removing interfaces can trigger things to reload. Probably best done in a maintenance window.

You can possibly try adding them to the secondary node, letting it settle down, then failing over to it. Then repeat the process on the primary, add the interface rules there, then fail back.

All interfaces must be assigned to both nodes in exactly the same order.

azekiel

Thanks for your tips! Thats almost exactly the way I do it right now because of this strange behavior.