Connect CARP-Cluster with HSRP-Cluster from ISP (is a WAN-Bridge the solution?)

  • Hi folks,

    this problem has been giving me a headache for some months already, and before I start to reconfigure our CARP cluster to change the WAN from a single interface to a bridge, I would just like to ask if my thinking is right or if there is anything I've overlooked. I attached a network map for better understanding.

    To make it short: I have a 2-node pfSense CARP cluster, which works as expected, and a Cisco HSRP cluster from our ISP. The latter does failover between both of our internet uplinks (red). My problem is: how do I connect everything together?
    My first thought was just to plug the cable from Cisco 1 into pfSense A and from Cisco 2 into pfSense B, but I learnt really fast that both Ciscos must "see" each other over the link (orange). Otherwise they start flapping (each one wants to be the master).

    So because I don't want to add more complexity (e.g. switches between the Ciscos and pfSense), my new idea is to create a 2-edge-port WAN bridge. Each pfSense would get one cable to a Cisco and another interlink to the other pfSense (orange line).
    Then both Ciscos should be able to see each other, CARP would still fail over if my whole bridge goes down, and apart from having to reconfigure my firewall rules, everything should work.

    Or am I wrong?  :o

    Thanks in advance,



    ![pfSense WAN-Brigde.PNG](/public/imported_attachments/1/pfSense WAN-Brigde.PNG)

  • IMO, the cleanest way to do it is with a switch (or switches) between the Cisco routers and the firewalls. I think you are making it too complicated by trying to eliminate the switch.

  • Yeah, maybe… I'm just trying to find the perfect solution for this problem.

    Switches would be nice too; I just worry about the CARP failover because they will always keep the link up. Otherwise, I don't have much experience with CARP and don't know if this will even be a big problem.

    I think I will just try it with switches.

  • What you are trying sounds interesting on the surface, but you will probably have issues, as the "bridged" interfaces don't behave exactly like switches.

    If you want to eliminate a single point of failure, you will need 2 switches, and you will need to connect them together so that the HSRP sessions can see each other. Beware of loops. You might need to work with the ISP so their side is configured correctly for this.

    Let's look at some failure scenarios; normal data flow is pfSense 1 --> Cust SW 1 --> ISP Router 1.
    In the below diagram, if CUST SW 1 were to fail, you'd lose the link of pfSense 1 and ISP Router 1, and both would fail over; data flows from pfSense 2 --> Cust SW 2 --> ISP Router 2.
    If ISP Router 1 fails, ISP Router 2 takes over, and the data flows from pfSense 1 --> Cust SW 1 --> Cust SW 2 --> ISP Router 2.
    If pfSense 1 fails, pfSense 2 takes over, and the data flows from pfSense 2 --> Cust SW 2 --> Cust SW 1 --> ISP Router 1.

        +--------+          +---------+        +-----------+
        |  ISP   |          |         |        |           |
        |ROUTER 1+----------+CUST SW 1+--------+ pfSense 1 |
        |        |          |         |        |           |
        +--------+          +---------+        +-----------+
                                 |                   |
                                 |                   |SYNC
                                 |                   |
        +--------+          +---------+        +-----------+
        |  ISP   |          |         |        |           |
        |ROUTER 2+----------+CUST SW 2+--------+ pfSense 2 |
        |        |          |         |        |           |
        +--------+          +---------+        +-----------+

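The failure scenarios in the reply above can be checked mechanically. The following is an added example, not code posted in the thread: it models the diagram as an L2 graph (node names taken from the diagram; the links are constructed here, and the CARP SYNC link is assumed not to carry WAN traffic), elects the active CARP node and the active HSRP router with link tracking (a node with no surviving link is demoted, the way pfSense CARP and HSRP interface tracking behave), and walks the path between them. It also evaluates the original "one cable per router straight into a firewall" idea and the two-switch design without the inter-switch link, to show why the HSRP peers lose sight of each other in both cases.

```python
"""Failure-scenario model for the dual-switch CARP/HSRP topology.

Added example, not from the original thread. Node names follow the diagram;
the link lists below are constructed for this example.
"""
from collections import deque

# Redundant design from the diagram: each router and firewall hangs off its own
# customer switch, and the two switches are cross-connected.
REDUNDANT_LINKS = [
    ("ISP ROUTER 1", "CUST SW 1"),
    ("ISP ROUTER 2", "CUST SW 2"),
    ("CUST SW 1", "pfSense 1"),
    ("CUST SW 2", "pfSense 2"),
    ("CUST SW 1", "CUST SW 2"),  # inter-switch link: puts both HSRP routers in one L2 domain
]

# The original poster's first idea: one cable per router straight into a firewall.
DIRECT_LINKS = [
    ("ISP ROUTER 1", "pfSense 1"),
    ("ISP ROUTER 2", "pfSense 2"),
]


def alive_graph(links, failed=()):
    """Adjacency map of the topology with every failed node (and its links) removed.

    A node that keeps no live link does not appear in the map at all, which is
    what the election below uses as its link-tracking signal.
    """
    failed = set(failed)
    graph = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def l2_path(graph, src, dst):
    """Shortest L2 path from src to dst (BFS), or None if they are not connected."""
    if src not in graph or dst not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def active(preferred, backup, graph):
    """Preemptive master election with link tracking.

    The preferred node is active whenever it still has a live link; with no
    link it is demoted (as pfSense CARP does on link loss and HSRP does with
    interface tracking) and the backup takes over.
    """
    return preferred if preferred in graph else backup


def hsrp_peers_see_each_other(links, failed=()):
    """HSRP hellos are L2 multicast, so both routers must share a broadcast domain."""
    graph = alive_graph(links, failed)
    return l2_path(graph, "ISP ROUTER 1", "ISP ROUTER 2") is not None


def wan_path(links, failed=()):
    """Path between the active CARP node and the active HSRP router after failures."""
    graph = alive_graph(links, failed)
    fw = active("pfSense 1", "pfSense 2", graph)
    rtr = active("ISP ROUTER 1", "ISP ROUTER 2", graph)
    return l2_path(graph, fw, rtr)


def scenarios(links):
    """The three failure cases from the reply above, plus the healthy state."""
    return {
        "healthy": wan_path(links),
        "CUST SW 1 fails": wan_path(links, ["CUST SW 1"]),
        "ISP ROUTER 1 fails": wan_path(links, ["ISP ROUTER 1"]),
        "pfSense 1 fails": wan_path(links, ["pfSense 1"]),
    }


if __name__ == "__main__":
    for name, path in scenarios(REDUNDANT_LINKS).items():
        print(f"{name:>20}: {' --> '.join(path) if path else 'NO PATH'}")
    print("HSRP peers adjacent, two switches:", hsrp_peers_see_each_other(REDUNDANT_LINKS))
    print("HSRP peers adjacent, no inter-switch link:", hsrp_peers_see_each_other(REDUNDANT_LINKS[:-1]))
    print("HSRP peers adjacent, direct cabling:", hsrp_peers_see_each_other(DIRECT_LINKS))
```

Run it as-is to print the four paths and the three HSRP adjacency checks. Dropping the last entry of `REDUNDANT_LINKS` (the inter-switch link) or using `DIRECT_LINKS` makes `hsrp_peers_see_each_other` return False, which is the condition under which both routers believe they are alone and both go active, the flapping the original poster observed.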
  • LAYER 8 Netgate

    Bridging is incompatible with CARP/HA interfaces.

    Use a switch. Have the upstream route to the CARP VIP and set their HSRP address as the upstream gateway. Done.

  • @Derelict:

    > Bridging is incompatible with CARP/HA interfaces.

    Good to know, then switches are the only option anyway.

    Thanks for your help.
