CARP for newbies
-
I would like to setup CARP and feel like I have half an understanding of how it works. Can somebody clarify a few things for me?
I understand that it's best practice to have a 3rd interface for your CARP traffic but from what I've figured out so far is:
the CARP interface can get set to anything, so the 3rd interface is just manually configured on it's own network? is that correct?
example:
box1:
WAN: public ip
LAN: 10.1.1.1/16
OPT1: 192.168.5.1/24box2:
WAN: public ip in same subnet as box 1
LAN: 10.1.1.2/16
OPT1: 192.168.5.2/24After configured like this, assign OPT1 as the CARP interface in the CARP config tab
Is this a proper understanding of how to configure the interfaces?Questions:
Do you turn on synchronizing on both boxes?
What is the difference between "pfSync sync peer IP" and "Synchronize to IP"?
If both boxes have different LAN addresses, how does internet traffic still continue? This question shows my ignorance to higher level firewall configs, but if my network uses the lan ip address as the gateway, when box1 dies and box2 takes over, does pfsense reconfigure itself with the box1 lan ip?
On those same lines, I assume virtual IPs are synchronized so for hosted services to stay active they need to all be on virtual IP(s) correct? Otherwise DNS points to the WAN address of box1 and if box1 dies there goes those port forwards.Answers to any of this would help greatly. I tried to configure this today and added a freshly loaded pfsense box to the network and tried to sync with my firewall and ended up deleting all my nat and rules…bummer. Got that all back in place now and want to learn where I went wrong.
-
On another forum site I think I found why I ended up deleted my rules the first time I tried to do CARP. I had filled out the "syncrhonize with IP" text box in the CARP config on both boxes when you're only suppose to fill that out on the master. Is this correct?
It looks like my rules, nat, and static routes have sync'd over to the backup box, but virtual IP's have not. Also, when I go to status -> Carp (failover) it says "could not locate any defined CARP interfaces".
What am I missing here?Also, if anybody has an explanation of how local internet access works when there's a failover I'd appreciate it.
-
For the people that have been reading this hoping for answers to my questions, maybe I can help you out.
From a newbie standpoint, I have this working:my ignorance was in understanding that virtual ips, thus this forum being CARP/VIPs, is the key to using CARP/pfsync
Here's what I have that is working in a small test environment:
box1:
WAN: public IP
LAN: 10.2.1.1/16
OPT1: 192.168.10.10box2:
WAN: public IP
LAN: 10.2.1.2/16
OPT1: 192.168.10.11In the CARP settings I am sychronizing everything and using the 192 addresses as the peer sync addresses for each box respectively. Box1 has 192.168.10.11 and the webGUI password entered at the bottom of the page on the CARP settings. Box2 has these boxes left blank.
Under virtualIPs I created a new local address of 10.2.1.4/16 associated with the LAN interface that is of type CARP. Put in a VHID password and bahm, CARP up and running.
You can post beginner level questions and I can try to pass on the little bit I've learned.