Netgate Discussion Forum
    CARP on WAN with redundant uplinks

    Category: HA/CARP/VIPs. 6 posts, 2 posters, 1.1k views.
    mrbnet:

      In previous setups I ran the ISP connections directly into the pfSense boxes. This time I needed to be able to plug in another set of FWs, so I added some switches WAN side.

      I realized the C and D connections are physically separate, which caused some unexpected behavior with failover.

      What is the proper way to set up and maintain full redundancy WAN side without creating loops? I could stack the switches or trunk.

      [attached image: pfsense-wan.jpg]
      Derelict (LAYER 8, Netgate):

        In that configuration you are relying on the ISP to forward the CARP advertisements. That might not be the best idea.

        Can the link to the ISP be LACP?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

      mrbnet:

          The ISP wasn't forwarding CARP advertisements, which is what was causing the issues with failover since the networks were split. Trunking the edge switches took care of that, but now I believe we're relying on STP, which I'm not sure is a good idea. The ISP should be able to accommodate whatever config we need.

      Derelict (LAYER 8, Netgate):
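The failure described in the post above has a recognisable signature on the wire, and it is worth being able to spot it before users do. CARP advertisements are multicast to 224.0.0.18 (IP protocol 112) and only the MASTER for a VHID sends them; a BACKUP that stops hearing them for roughly 3 * advbase + advskew/256 seconds promotes itself. So if the path between the two firewalls (here, the ISP side) does not carry those packets, both boxes advertise the same VHID at the same time, which is the split-brain state that breaks failover. The script below is an added example, not code from the thread, from Netgate or from pfSense: it parses lines in the format tcpdump prints for CARP advertisements (`tcpdump -ni <wan_if> proto 112`), flags a VHID as split-brain when two different sources advertise it within one dead interval, and separately reports gaps in a single source's advertisements (the symptom a BACKUP would see when the ISP drops the multicast). The addresses, VHIDs and timestamps in the sample capture are constructed for the example.

```python
"""Spot CARP split-brain and advertisement loss in tcpdump output.

Added example for the thread above; not pfSense or Netgate code.
Input lines are in the form tcpdump prints CARP advertisements, e.g.
`tcpdump -ni igb0 proto 112` on the WAN interface of either firewall.
"""
import re
from collections import defaultdict

# tcpdump's CARP printer emits: "vhid=N advbase=N advskew=N authlen=N counter=N"
CARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: "
    r"CARPv\d-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


def _seconds(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_advertisements(lines):
    """Return a list of dicts, one per CARP advertisement; other lines are ignored."""
    ads = []
    for line in lines:
        m = CARP_RE.match(line.strip())
        if not m:
            continue
        ads.append({
            "t": _seconds(m["ts"]),
            "src": m["src"],
            "vhid": int(m["vhid"]),
            "advbase": int(m["advbase"]),
            "advskew": int(m["advskew"]),
        })
    return ads


def dead_interval(ad):
    """Seconds a BACKUP waits without hearing a MASTER before taking over (FreeBSD CARP timer)."""
    return 3 * ad["advbase"] + ad["advskew"] / 256.0


def analyze(lines):
    """Group advertisements per VHID and report split-brain sources and per-source gaps."""
    by_vhid = defaultdict(list)
    for ad in parse_advertisements(lines):
        by_vhid[ad["vhid"]].append(ad)

    split_brain = {}
    gaps = []
    for vhid, group in by_vhid.items():
        group.sort(key=lambda a: a["t"])
        # Two different sources advertising the same VHID closer together than the
        # dead interval cannot be a clean failover: both nodes think they are MASTER.
        for prev, cur in zip(group, group[1:]):
            if prev["src"] != cur["src"] and cur["t"] - prev["t"] < dead_interval(cur):
                split_brain.setdefault(vhid, set()).update({prev["src"], cur["src"]})
        # A single source whose advertisements stop for longer than the dead interval
        # is what a BACKUP sees when the ISP fails to forward the multicast.
        last_seen = {}
        for ad in group:
            if ad["src"] in last_seen and ad["t"] - last_seen[ad["src"]] > dead_interval(ad):
                gaps.append((vhid, ad["src"], round(ad["t"] - last_seen[ad["src"]], 3)))
            last_seen[ad["src"]] = ad["t"]
    return {"split_brain": {v: sorted(s) for v, s in split_brain.items()}, "gaps": gaps}


# Constructed sample capture: vhid 1 is split-brain, vhid 2 healthy,
# vhid 3 a legitimate failover (takeover after the dead interval), vhid 4 has a gap.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=101
10:00:00.000400 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=201
10:00:00.000700 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=301
10:00:00.001000 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 authlen=7 counter=401
10:00:00.500000 ARP, Request who-has 203.0.113.1 tell 203.0.113.2, length 46
10:00:01.000200 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=102
10:00:01.000500 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=202
10:00:01.000800 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=302
10:00:01.001000 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 authlen=7 counter=402
10:00:01.500000 IP 203.0.113.3 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=7
10:00:02.000300 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=103
10:00:02.000600 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=203
10:00:04.600000 IP 203.0.113.3 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=1
10:00:05.001000 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 authlen=7 counter=403
10:00:05.600100 IP 203.0.113.3 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=2
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE))
```

Run it against a live capture with `tcpdump -ni <wan_if> proto 112 | python3 carp_watch.py` style piping after replacing `SAMPLE_CAPTURE` with `sys.stdin`; on the setup from the original post, a capture taken on either firewall's WAN port while the uplinks were split would show the vhid 1 pattern (both 203.0.113.2 and 203.0.113.3 advertising within a second of each other), whereas a healthy pair shows exactly one source per VHID at every point in time.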

            This is my "perfect world" diagram…

            If that ISP link is a loop with RSTP it should be reasonable as long as you ensure the ISP is the root bridge and everything is sane there. You won't get the aggregation while both links are up however. And some providers charge you for two circuits.

            [attached image: HA+LACP.png]
            mrbnet:

              The LAGG connections are working great! I believe there is some room to improve the responsiveness of CARP failovers. I'm running a 3750 stack; do you know if portfast should be on the port channel or on the members of the channel?

              Derelict (LAYER 8, Netgate):

                Nothing different should apply. That is all dependent on your STP configuration, but it would generally be safe to have portfast enabled, I would think.
