CARP and partial failure

  • Hello,
    I have a master/slave setup correctly configured with wan using three public addresses and several lans.
    In this setup usually the slave has no internet access because the carp ip is, obviously, on master.
    The problem is that, if I detach from master the lan2 cable, the slave becomes the master only for lan2 interface.
    And it is correct (I suppose).
    But so all pcs connected to lan2 cannot reach internet because they are connected to a pfsense that is slave for other interfaces and so it has no defalt route.

    So the simplest question is: in a carp setup how what can I do to be sure that also slave can reach internet?


  • Hello!

    I`m not 100% sure I understood your problem, but if I did, You want all CARP VIPs to failover to the slave.

    This can be achieved with the system tunable net.inet.carp.preempt. By default it is set to 0, but if you set it to 1, the CARP VIPs will become "bonded", which means that if one VIP is to be taken over by the slave, all VIPs will failover to the slave.

    That will ensure the slave takes over the public WAN VIP, which provides internet access and gain reachability.

    Hope this helped!

  • Ok, I think I got a better idea of the question.

    You want the slave to have internet access, while beeing the slave, although the master is controling the only IP (the CARP VIP), which has internet access.

    You could try creating an lower priority gateway on both firewalls, that leads to the other firewall (through the pfsync interface or however you please).
    This way the box that is the slave at the moment will not be able to reach the default gateway, which is on the WAN interface and will fallback to using the lower priority gateway, which will lead it through the master firewall and grant internet access.
    You just need to configure the firewall rules properly.

    Hope this helped a bit more!

  • Hi,

    So the simplest question is: in a carp setup how what can I do to be sure that also slave can reach internet?

    In your MASTER, Firewall/NAT/Outbound, make your Mappings similar to the attached pic, 2nd entry. In your case all references to WAN1 should just be WAN. If as you say your CARP is properly configured, the MASTER settings should replicate to the SLAVE via the SYNC interfaces. You do have SYNC interfaces, properly configured & connected, right?

    What does this 2nd entry do? It ensures that internet access for the pfSense machines (MASTER/SLAVE) themselves (, goes thru their respective WAN IP addresses.

    As for your "several" LANs, LAN2 in particular, create rule(s) similar to the 4th entry. This ensures the allowed LAN machines can access the internet via the designated WAN CARP VIP.

    Anyway if you followed the CARP setup docs, all those entries should have been more or less taken cared of already.


Log in to reply