Netgate Discussion Forum

    Carp VIP vs. ip alias

    HA/CARP/VIPs
    7 Posts 3 Posters 4.5k Views
    • bgibson

      Good morning,
      Need some clarification as I believe I'm on the right path, just overthinking the matter. This is a two-question topic regarding the same matter.

      1.) I have a central HA site with virtual ip for failover on my wans/lans etc.. For internal web servers, I have specific WAN ip alias for natting. My question is, if I have the ip alias on both servers, as long as the main server is in master mode, will the ip aliases have any conflicts? I noticed my master server has the ip alias and they never were added to the backup router and I was curious if this was due to carp identifying by master/slave and IP alias is what it is. I have not tested as this is my main site and did not want to cause an IP conflict being the same ip alias on two routers.

      2.) This is similar to the question above. I recently deployed a new site with HA routers. Failover went smoothly, but once my master router came back online, routing ceased. I'm 99% sure this is due to the ISP caching the ARP address because as soon as I reboot my secondary router, Router1 is able to use the VIP. I have had this issue in the past with certain ISP modems (but back then, we were just starting out with pfSense). This site only has one ISP so in the event it goes offline, I'm not too worried about it failing over. So my question here is, since I only have one ISP at the moment, could I use an IP alias, and in the event the ISP goes down, the primary will remain the primary. If a LAN/router dies, then it would fail over as required.

      Thanks for taking time to read this and I hope someone can clarify this.  :)

      • dotdash

        1. You should use CARP VIPs, or stack the aliases on the CARP, not the actual interface. The alias VIP will not migrate to the backup.
        2. If you are using CARP VIPs, you shouldn't see this issue. CARP VIPs have a unique MAC address; when the secondary is in control, it will answer for the CARP MACs.
        • bgibson

          Thanks for the reply - not sure how I missed it. So instead of using IP alias, we need to CARP all of these IPs if we are using an HA system?

          That's fine - but doesn't resolve my issue with my new HA location. Seems the ISP is caching the MAC and once r1 dies, r2 picks up fine, but when r1 comes on as master, the ISP modem still has R2's VIP MAC address.

          • Derelict LAYER 8 Netgate

            No.

            Create IP Alias VIPs but for the interface there select that interface's CARP VIP.

            Your IP Aliases will then move with the CARP VIP but you will avoid all of the CARP traffic, the need for unique VHIDs, etc.

            It is elegant and works very well.

            ![Screen Shot 2017-08-08 at 8.16.16 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-08 at 8.16.16 PM.png)

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • Derelict LAYER 8 Netgate

              @bgibson:

              That's fine - but doesn't resolve my issue with my new HA location. Seems the ISP is caching the MAC and once r1 dies, r2 picks up fine, but when r1 comes on as master, the ISP modem still has R2's VIP MAC address.

              The MAC address for the CARP VIP will always be the same regardless of which one is master.

              If your VHID is 15, your CARP MAC address for that IP address will be 00:00:5e:00:01:0f

              If your upstream switch/device is not moving that MAC address with changes in master status it is probably not honoring the multicast to 224.0.0.18 which is necessary for proper CARP operation.


              • bgibson
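              The two facts in the reply above (a CARP VIP's MAC is 00:00:5e:00:01:&lt;VHID&gt; on whichever node is master, and a neighbour that keeps answering to some other MAC after a failback is the thing to investigate) can be turned into a small check. The following is an added example, not code from the thread or from pfSense: it derives the expected CARP MAC for each VIP and compares it against a constructed `arp -an` style table captured on an upstream device. The VIP addresses, VHIDs and ARP lines are all constructed sample data.

```python
import re

# IANA-assigned MAC prefix shared by VRRP and CARP; the last octet is the VHID.
CARP_MAC_PREFIX = "00:00:5e:00:01"


def carp_mac(vhid: int) -> str:
    """Return the MAC a CARP VIP with this VHID answers from, on every node."""
    if not 1 <= vhid <= 255:
        raise ValueError(f"VHID must be 1-255, got {vhid}")
    return f"{CARP_MAC_PREFIX}:{vhid:02x}"


# Matches FreeBSD `arp -an` lines such as:
#   ? (10.10.10.3) at 00:00:5e:00:01:0f on em0 expires in 1187 seconds [ethernet]
# "(incomplete)" entries have no MAC and are deliberately left unmatched.
_ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp_table(text: str) -> dict:
    """Map IP -> lowercase MAC from `arp -an` style output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def check_vip_macs(vips: dict, arp_text: str) -> dict:
    """For each VIP (ip -> vhid) say whether the neighbour holds the CARP MAC.

    "ok"       the neighbour resolves the VIP to its CARP MAC, so failover/failback
               needs no ARP change at all (the MAC is identical on both nodes)
    "mismatch" the neighbour holds some other MAC, e.g. a node's physical NIC MAC,
               which is what you see when the VIP is a plain IP alias on the
               interface or when a stale cache survived the failback
    "missing"  the neighbour has no entry for the VIP at all
    """
    seen = parse_arp_table(arp_text)
    verdicts = {}
    for ip, vhid in vips.items():
        expected = carp_mac(vhid)
        mac = seen.get(ip)
        if mac is None:
            verdicts[ip] = "missing"
        elif mac == expected:
            verdicts[ip] = "ok"
        else:
            verdicts[ip] = f"mismatch: expected {expected}, neighbour holds {mac}"
    return verdicts


# Constructed sample: WAN VIPs on the /29 from the thread, each with its VHID.
SAMPLE_VIPS = {"10.10.10.3": 15, "10.10.10.4": 16, "10.10.10.5": 17}

# Constructed `arp -an` capture from the upstream device (hypothetical values).
SAMPLE_ARP = """\
? (10.10.10.1) at 08:00:27:11:11:11 on em0 expires in 900 seconds [ethernet]
? (10.10.10.2) at 08:00:27:22:22:22 on em0 expires in 900 seconds [ethernet]
? (10.10.10.3) at 00:00:5E:00:01:0F on em0 expires in 1187 seconds [ethernet]
? (10.10.10.4) at 08:00:27:22:22:22 on em0 expires in 600 seconds [ethernet]
? (10.10.10.5) at (incomplete) on em0 expired [ethernet]
"""

SAMPLE_VERDICTS = check_vip_macs(SAMPLE_VIPS, SAMPLE_ARP)

if __name__ == "__main__":
    for ip, verdict in SAMPLE_VERDICTS.items():
        print(f"{ip:<12} vhid {SAMPLE_VIPS[ip]:>3}  {verdict}")
```

              In the sample, 10.10.10.3 is healthy, 10.10.10.4 is being answered from the second node's NIC MAC (the symptom described in the thread), and 10.10.10.5 has no neighbour entry. A "mismatch" on a VIP that is supposed to be CARP-backed points at either the VIP being configured as an interface alias rather than stacked on the CARP VIP, or at the upstream device not processing the 224.0.0.18 advertisements.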

                Ty all - I understand Carp. The issue is with the ISP modem. Once router1 comes back online and is master, until router2 is restarted, routing ceases.

                The IP alias was a thought. If I'm CARPing all other interfaces and they die on router1 - then I definitely want it to roll over to router2. My main concern was - without getting the ISP involved - could I set the IP alias for my WAN on both routers without causing issues?

                So if my WAN subnet is 10.10.10.0/29
                Router1 = 10.10.10.1
                Router2 = 10.10.10.2
                Typically - RouterVIP would be 10.10.10.3 with natting in place.

                If I set an IP alias of 10.10.10.3 on my WAN interface on BOTH routers, will there be any issues as long as one is in master mode? Does IP alias give individual MAC addresses per machine? I just don't want to set it up and have routing go crazy seeing that there are two IP aliases on the same internal network.

                • bgibson

                  And sorry for late responses - my settings are set to notify me on reply and I'm not getting them. I just turned it off and back on. Hopefully I will catch these quicker.
                  Again - thanks for everyone's input.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.