    Connect CARP-Cluster with HSRP-Cluster from ISP (is a WAN-Bridge the solution?)

    pfs-pdf

      Hi folks,

      this problem has been giving me a headache for some months already and, before I start to reconfigure our CARP-Cluster to change the WAN from a single interface to a bridge, I would just like to ask if my thinking is right or if there is anything that I've overlooked. I attached a network map for a better understanding.

      To make it short: I've a 2 node pfSense CARP Cluster, which works as expected, and a Cisco HSRP-Cluster from our ISP. This one is doing failover between our both internet uplinks (red). My problem is: how to connect everything together?
      First thinking was just to plug the cable from Cisco 1 in pfSense A and from Cisco 2 in pfSense B, but I learnt really fast that both Ciscos must "see" each other over the link (orange). Otherwise they start flapping (everyone wants to be the master).

      So, because I don't want to add more complexity (e.g. switches between Cisco and pfSense), my new idea is to create a 2 edge port WAN-Bridge. So every pfSense would get one cable to a Cisco and another interlink between each other (orange line).
      Then both Ciscos should be able to see each other, CARP would still fail over if my whole bridge goes down, and except that I have to reconfigure my firewall rules, everything should work.

      Or am I wrong?  :o

      Thanks in advance,

      Regards

      pfs-pdf

      ![pfSense WAN-Brigde.PNG](/public/imported_attachments/1/pfSense WAN-Brigde.PNG)

      dotdash

        IMO, the cleanest way to do it is with a switch (or switches) between the Cisco routers and the firewalls. I think you are making it too complicated by trying to eliminate the switch.

        pfs-pdf

          Yeah maybe… I just try to find the perfect solution for this problem.

          Switches would be nice too, I just worry about the CARP failover because they will keep the link always up. Otherwise I don't have much experience with CARP and don't know if this will even be a big problem.

          I think I will just try it with switches.

          awebster

            What you are trying sounds interesting on the surface, but you will probably have issues, as the "bridged" interfaces don't behave exactly like switches.

            If you want to eliminate a single point of failure, you will need 2 switches, and you will need to connect them together so that the HSRP sessions can see each other. Beware of loops. You might need to work with the ISP so their side is configured correctly for this.

            Let's look at some failure scenarios; normal data flow is pfSense 1 --> Cust SW 1 --> ISP Router 1.
            In the below diagram, if CUST SW 1 were to fail, you'd lose the link of pfSense 1 and ISP Router 1, and both would fail over; data flows from pfSense 2 --> Cust SW 2 --> ISP Router 2.
            If ISP Router 1 fails, ISP Router 2 takes over, and the data flows from pfSense 1 --> Cust SW 1 --> Cust SW 2 --> ISP Router 2.
            If pfSense 1 fails, pfSense 2 takes over and the data flows from pfSense 2 --> Cust SW 2 --> Cust SW 1 --> ISP Router 1.

            ```
            +--------+          +---------+        +-----------+
            |  ISP   |          |         |        |           |
            |ROUTER 1+----------+CUST SW 1+--------+ pfSense 1 |
            |        |          |         |        |           |
            +--------+          +---------+        +-----------+
                                     |                   |
                                     |                   |SYNC
                                     |                   |
            +--------+          +---------+        +-----------+
            |  ISP   |          |         |        |           |
            |ROUTER 2+----------+CUST SW 2+--------+ pfSense 2 |
            |        |          |         |        |           |
            +--------+          +---------+        +-----------+
            ```

            -A.

            Derelict
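As an added example (not code from this thread or from pfSense), here is a small Python model of the switched topology in the post above: for each failure scenario it checks whether the two ISP HSRP routers still have a path to each other and which path customer traffic takes to a working ISP router. Node names (isp_r1, sw1, pf1, ...) and the link list are constructed to match the diagram; the SYNC link is omitted because it carries state, not WAN data.

```python
# Added example (not from the thread): link-failure simulator for the switched
# topology awebster describes. Per scenario it reports whether the two ISP HSRP
# routers can still see each other and which path carries traffic to an ISP router.
# The pfSense SYNC link is left out on purpose: it carries state, not WAN data.
from collections import deque

# Constructed topology matching the diagram (no real addresses needed).
SWITCHED = {("isp_r1", "sw1"), ("isp_r2", "sw2"), ("sw1", "pf1"),
            ("sw2", "pf2"), ("sw1", "sw2")}
# The original poster's first idea: one cable per ISP router straight to a node.
DIRECT = {("isp_r1", "pf1"), ("isp_r2", "pf2")}

def build_graph(links, failed_nodes=(), failed_links=()):
    """Adjacency map of the links that survive the given failures."""
    dead, down = set(failed_nodes), {frozenset(l) for l in failed_links}
    adj = {}
    for a, b in links:
        if a in dead or b in dead or frozenset((a, b)) in down:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def shortest_path(adj, src, dst):
    """Breadth-first search; hop list from src to dst, or None if cut off."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def evaluate(links, failed_nodes=(), failed_links=()):
    """Return (hsrp_peers_connected, data_path). Preference order follows the
    thread: pfSense 1 and ISP router 1 stay primary while they have a path."""
    adj = build_graph(links, failed_nodes, failed_links)
    peers = shortest_path(adj, "isp_r1", "isp_r2") is not None
    for pf in ("pf1", "pf2"):
        for router in ("isp_r1", "isp_r2"):
            path = shortest_path(adj, pf, router)
            if path:
                return peers, path
    return peers, None
```

Running `evaluate(SWITCHED, failed_links=(("sw1", "sw2"),))` and `evaluate(DIRECT)` both report the HSRP peers as disconnected, which is the flapping condition the original poster ran into; the three node-failure scenarios reproduce the paths listed in the post.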

              Bridging is incompatible with CARP/HA interfaces.

              Use a switch. Have upstream route to the CARP VIP and set their HSRP address as the upstream gateway. Done.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              pfs-pdf

                @Derelict:

                > Bridging is incompatible with CARP/HA interfaces.

                Good to know, then switches are the only option anyway.

                Thanks for your help
