Netgate Discussion Forum

    HA Single point of failure

    Category: HA/CARP/VIPs
    8 Posts 2 Posters 1.3k Views
    • moelharrak

      Hi,
      I'm trying to configure pfSense HA using CARP; I'm using version 2.3.4. The firewall is configured with dual WAN load-balancing, 1 LAN interface and a SYNC interface.
      The solution works fine when the master firewall is completely DOWN, but this is not a good solution. I need the backup firewall to be the master if only one interface is DOWN in the master firewall.
      Any help please?

      • Derelict (LAYER 8, Netgate)

        I need the backup Firewall to be the master if only one interface is DOWN

        Define DOWN in that context.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • moelharrak

          Hi,
          As I mentioned, I have 2 WAN and 1 LAN. By DOWN I mean: the interface WAN1 is disconnected (cable), or the gateway for WAN1 is unreachable (monitor IP), or the LAN1 is disconnected but the WAN interfaces are working -> if only one of these cases happens, I need the second firewall to become the master.

          • Derelict (LAYER 8, Netgate)

            Interface down (as in no carrier - unplugged) will trigger an HA failover.

            Gateway down will trigger a multi-wan event, not an HA failover event because it is not an HA failure.

            Both HA nodes should have both WANs configured identically. If a gateway is unreachable on one it should be unreachable on the other so there is no need for an HA failover.

            • moelharrak

              Hi,
              Thank you for your reply.
              It's clear for the gateway not being reachable (it will be unreachable for both sides, so it's not an HA failover). However, for interface down (as in no carrier - unplugged) I tried on both sides, WAN and LAN, but it doesn't work. I read in a post that I need to create an interface group and add all interfaces to it to make HA failover work if only one interface goes down, but also no luck.

              • Derelict (LAYER 8, Netgate)

                It works fine. You will need to elaborate, post logs, etc.

                Any down interface that has a CARP VIP will increase the advskew of all CARP VIPs on that node by net.inet.carp.ifdown_demotion_factor which is 240 by default.

                That is enough to trigger all VIPs to go to BACKUP in the default configuration. (240 > 100)

                • moelharrak
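The demotion arithmetic described above can be modelled in a few lines. This is an added example, not code from the thread, from pfSense or from FreeBSD: every CARP VIP on an interface that lost carrier adds net.inet.carp.ifdown_demotion_factor (240 by default) to the node's demotion counter, the demotion is added to the advskew that every VIP on that node advertises, and the node advertising the lower skew wins the VHID. It assumes the advertised skew is clamped at 240 (FreeBSD's CARP_MAXSKEW), that preemption is enabled (pfSense sets net.inet.carp.preempt=1), and that the constructed scenarios never tie. The interface names, VHIDs and skews (primary 0, backup 100) are constructed to match a typical two-node pair. It also models the case where an L2 segment silently stops carrying the primary's advertisements without the primary's kernel seeing link down, which is what a virtual switch can produce.

```python
"""Model of CARP master election with interface-down demotion.

Added example, not code from the thread or from pfSense/FreeBSD.
Assumptions: advertised skew clamps at CARP_MAXSKEW (240), preempt is on,
and no two nodes ever advertise the same skew for the same VHID.
"""
from dataclasses import dataclass, field

IFDOWN_DEMOTION_FACTOR = 240  # net.inet.carp.ifdown_demotion_factor default
CARP_MAXSKEW = 240            # assumed clamp on the skew put on the wire


@dataclass
class Vip:
    vhid: int
    iface: str
    advskew: int  # the "Skew" field of the pfSense CARP VIP dialog


@dataclass
class Node:
    name: str
    vips: list
    down_ifaces: set = field(default_factory=set)  # interfaces with no carrier

    def demotion(self) -> int:
        """One increment of 240 per CARP VIP sitting on a down interface."""
        return IFDOWN_DEMOTION_FACTOR * sum(
            1 for v in self.vips if v.iface in self.down_ifaces)

    def advertised_skew(self, vip: Vip) -> int:
        """Configured skew plus node-wide demotion, clamped for the wire."""
        return min(vip.advskew + self.demotion(), CARP_MAXSKEW)


def elect(primary: Node, backup: Node, cut_segments=frozenset()) -> dict:
    """Return {vhid: (primary_state, backup_state)} for each shared VHID.

    cut_segments names interfaces whose L2 segment no longer delivers the
    primary's advertisements to the backup while the primary's kernel still
    sees link UP (constructed to mimic a hypervisor vswitch).
    """
    states = {}
    for p in primary.vips:
        b = next(v for v in backup.vips if v.vhid == p.vhid)
        if p.iface in primary.down_ifaces:
            # A VIP on an interface without carrier drops out of the election.
            states[p.vhid] = ("INIT", "MASTER")
        elif p.iface in cut_segments:
            # Primary never learns the link is gone, so no demotion happens;
            # the backup's master-down timer expires and it also claims the
            # VHID. Both hold it, and no other VHID moves.
            states[p.vhid] = ("MASTER", "MASTER")
        elif primary.advertised_skew(p) < backup.advertised_skew(b):
            states[p.vhid] = ("MASTER", "BACKUP")
        else:
            states[p.vhid] = ("BACKUP", "MASTER")
    return states


def thread_pair():
    """Constructed pair: primary skew 0, backup skew 100, one VIP per interface."""
    layout = [(1, "lan"), (2, "wan1"), (3, "wan2")]
    primary = Node("primary", [Vip(vhid, ifn, 0) for vhid, ifn in layout])
    backup = Node("backup", [Vip(vhid, ifn, 100) for vhid, ifn in layout])
    return primary, backup


if __name__ == "__main__":
    pri, bak = thread_pair()
    print("healthy:", elect(pri, bak))
    pri.down_ifaces = {"wan1"}  # genuine carrier loss seen by the primary
    print("wan1 down, demotion", pri.demotion(), ":", elect(pri, bak))
    pri.down_ifaces = set()
    print("vswitch cut only:", elect(pri, bak, cut_segments={"wan1"}))
```

Run it and the second print shows the full failover the thread expects (240 > 100, so every VHID moves), while the third shows the partial, split-brain result you get when only the backup notices the segment is gone.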

                  Hi,
                  Still doesn't work. I didn't find net.inet.carp.ifdown_demotion_factor in System > Advanced > System Tunables. Please note that I'm trying to make it work on virtual machines, not in the real world. Can that be the issue?
                  Attached my topology.
                  My configuration is :
                  Primary firewall :
                  LAN : 192.168.20.1
                  LAN VIPs : 192.168.20.254 VHID Group:1  Advertising frequency : 1  Skew :0
                  WAN1: 10.10.10.2
                  WAN1 VIPS : 10.10.10.4    VHID Group:2  Advertising frequency : 1  Skew :0
                  WAN2: 20.20.20.2
                  WAN1 VIPS : 20.20.20.4    VHID Group:3  Advertising frequency : 1  Skew :0
                  I created a CARP group in Interfaces > Interface Groups. Name: CARP, Members: LAN, WAN1, WAN2

                  Backup Firewall
                  LAN : 192.168.20.2
                  LAN VIPs : 192.168.20.254 VHID Group:1  Advertising frequency : 1  Skew :100
                  WAN1: 10.10.10.3
                  WAN1 VIPS : 10.10.10.4    VHID Group:2  Advertising frequency : 1  Skew :100
                  WAN2: 20.20.20.3
                  WAN1 VIPS : 20.20.20.4    VHID Group:3  Advertising frequency : 1  Skew :100
                  I created a CARP group in Interfaces > Interface Groups. Name: CARP, Members: LAN, WAN1, WAN2

                  When I unplug any cable (LAN or WAN), only that port shows Master on the backup firewall; no failover happens.
                  Thank you

                  (attachment: Selection_246.png, topology diagram)

                  • Derelict (LAYER 8, Netgate)

                    Yes. Being in a virtual environment might cause an unplugged cable to NOT result in an actual interface DOWN to the virtual machines because they are still connected to the vswitch. If your virtual environment supports simulating an unplugged interface there you should try that. In short, it is up to your hypervisor to actually take an interface down from the VM's perspective.

                    I use XenServer and that is pretty hard to simulate there - at least in the 2 minutes I devoted to trying to figure out how to do it.

                    You might also try just taking the interface down in software:

                    ifconfig xn0 down

                    Dec 15 20:21:39 kernel carp: 236@xn0: MASTER -> INIT (hardware interface down)
                    Dec 15 20:21:39 kernel carp: demoted by 240 to 240 (interface down)
                    Dec 15 20:21:39 kernel carp: 239@xn0: MASTER -> INIT (hardware interface down)
                    Dec 15 20:21:39 kernel carp: demoted by 240 to 480 (interface down)
                    Dec 15 20:21:39 kernel xn0: link state changed to DOWN
                    Dec 15 20:21:39 kernel carp: 240@xn2: MASTER -> BACKUP (more frequent advertisement received)
                    Dec 15 20:21:39 kernel ifa_maintain_loopback_route: deletion failed for interface xn2: 3
                    Dec 15 20:21:39 kernel carp: 237@xn2: MASTER -> BACKUP (more frequent advertisement received)
                    Dec 15 20:21:39 kernel ifa_maintain_loopback_route: deletion failed for interface xn2: 3
                    Dec 15 20:21:39 kernel carp: 241@xn4: MASTER -> BACKUP (more frequent advertisement received)
                    Dec 15 20:21:39 kernel ifa_maintain_loopback_route: deletion failed for interface xn4: 3
                    Dec 15 20:21:39 kernel carp: 243@xn5: MASTER -> BACKUP (more frequent advertisement received)
                    Dec 15 20:21:39 kernel ifa_maintain_loopback_route: deletion failed for interface xn5: 3
                    Dec 15 20:21:39 kernel carp: 238@xn1: MASTER -> BACKUP (more frequent advertisement received)
                    Dec 15 20:21:39 kernel ifa_maintain_loopback_route: deletion failed for interface xn1: 3
                    Dec 15 20:21:39 kernel carp: 242@xn5: MASTER -> BACKUP (more frequent advertisement received)
                    Dec 15 20:21:39 kernel ifa_maintain_loopback_route: deletion failed for interface xn5: 3
                    Dec 15 20:21:39 kernel carp: 228@xn1: MASTER -> BACKUP (more frequent advertisement received)

                    Secondary takes over for all VIPs. All VIPs on the primary are either INIT (the two on xn0) or BACKUP (everything else).

                    ifconfig xn0 up

                    Dec 15 20:23:44 kernel carp: 236@xn0: INIT -> BACKUP (initialization complete)
                    Dec 15 20:23:44 kernel carp: demoted by -240 to 240 (interface up)
                    Dec 15 20:23:44 kernel carp: 239@xn0: INIT -> BACKUP (initialization complete)
                    Dec 15 20:23:44 kernel carp: demoted by -240 to 0 (interface up)
                    Dec 15 20:23:44 kernel xn0: link state changed to UP
                    Dec 15 20:23:44 kernel carp: 236@xn0: BACKUP -> INIT (hardware interface up)
                    Dec 15 20:23:44 kernel carp: 236@xn0: INIT -> BACKUP (initialization complete)
                    Dec 15 20:23:44 kernel carp: 239@xn0: BACKUP -> INIT (hardware interface up)
                    Dec 15 20:23:44 kernel carp: 239@xn0: INIT -> BACKUP (initialization complete)
                    Dec 15 20:23:44 check_reload_status Linkup starting xn0
                    Dec 15 20:23:44 kernel carp: 239@xn0: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 236@xn0: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 241@xn4: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 240@xn2: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 237@xn2: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 243@xn5: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 242@xn5: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 238@xn1: BACKUP -> MASTER (preempting a slower master)
                    Dec 15 20:23:44 kernel carp: 228@xn1: BACKUP -> MASTER (preempting a slower master)

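The kernel lines in the post above are what you would look for when verifying, or alerting on, an HA failover. As an added example (not code from the thread's author or from pfSense), here is a small parser for pfSense's kernel CARP messages that tracks every VHID@interface state transition and the node's demotion counter, and reports whether the node still holds any VIP as MASTER. The sample input is copied from the log above; the regular expressions, the summary fields and the function names are this example's own.

```python
"""Parser for pfSense kernel CARP log lines (added example, not project code).

Handles the two message shapes seen in the thread:
  carp: 236@xn0: MASTER -> INIT (hardware interface down)
  carp: demoted by 240 to 480 (interface down)
Other kernel lines (link state, ifa_maintain_loopback_route) are ignored.
"""
import re

STATE_RE = re.compile(
    r"carp: (?P<vhid>\d+)@(?P<iface>\w+): (?P<old>[A-Z]+) -> (?P<new>[A-Z]+)"
    r" \((?P<reason>[^)]*)\)")
DEMOTE_RE = re.compile(
    r"carp: demoted by (?P<delta>-?\d+) to (?P<level>-?\d+) \((?P<reason>[^)]*)\)")


def parse(lines):
    """Yield ('state', vhid, iface, old, new, reason) or ('demote', delta, level, reason)."""
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            yield ("state", int(m["vhid"]), m["iface"], m["old"], m["new"], m["reason"])
            continue
        m = DEMOTE_RE.search(line)
        if m:
            yield ("demote", int(m["delta"]), int(m["level"]), m["reason"])


def summarize(lines):
    """Final state per (vhid, iface), last reported demotion level, and whether
    this node is still MASTER for anything."""
    states, demotion = {}, 0
    for ev in parse(lines):
        if ev[0] == "state":
            _, vhid, iface, _old, new, _reason = ev
            states[(vhid, iface)] = new
        else:
            demotion = ev[2]
    return {
        "states": states,
        "demotion": demotion,
        "holds_any_master": any(s == "MASTER" for s in states.values()),
    }


def lost_master(lines):
    """Every transition out of MASTER, the events worth alerting on."""
    return [f"{vhid}@{iface} -> {new} ({reason})"
            for kind, vhid, iface, old, new, reason in
            (ev for ev in parse(lines) if ev[0] == "state")
            if old == "MASTER" and new != "MASTER"]


# Sample lines copied from the post above (ifconfig xn0 down on the primary).
DOWN_LOG = """\
Dec 15 20:21:39 kernel carp: 236@xn0: MASTER -> INIT (hardware interface down)
Dec 15 20:21:39 kernel carp: demoted by 240 to 240 (interface down)
Dec 15 20:21:39 kernel carp: 239@xn0: MASTER -> INIT (hardware interface down)
Dec 15 20:21:39 kernel carp: demoted by 240 to 480 (interface down)
Dec 15 20:21:39 kernel xn0: link state changed to DOWN
Dec 15 20:21:39 kernel carp: 240@xn2: MASTER -> BACKUP (more frequent advertisement received)
Dec 15 20:21:39 kernel ifa_maintain_loopback_route: deletion failed for interface xn2: 3
Dec 15 20:21:39 kernel carp: 237@xn2: MASTER -> BACKUP (more frequent advertisement received)
Dec 15 20:21:39 kernel carp: 241@xn4: MASTER -> BACKUP (more frequent advertisement received)
Dec 15 20:21:39 kernel carp: 243@xn5: MASTER -> BACKUP (more frequent advertisement received)
Dec 15 20:21:39 kernel carp: 238@xn1: MASTER -> BACKUP (more frequent advertisement received)
Dec 15 20:21:39 kernel carp: 242@xn5: MASTER -> BACKUP (more frequent advertisement received)
Dec 15 20:21:39 kernel carp: 228@xn1: MASTER -> BACKUP (more frequent advertisement received)
""".splitlines()

# Sample lines copied from the post above (ifconfig xn0 up again).
UP_LOG = """\
Dec 15 20:23:44 kernel carp: 236@xn0: INIT -> BACKUP (initialization complete)
Dec 15 20:23:44 kernel carp: demoted by -240 to 240 (interface up)
Dec 15 20:23:44 kernel carp: 239@xn0: INIT -> BACKUP (initialization complete)
Dec 15 20:23:44 kernel carp: demoted by -240 to 0 (interface up)
Dec 15 20:23:44 kernel carp: 236@xn0: BACKUP -> INIT (hardware interface up)
Dec 15 20:23:44 kernel carp: 236@xn0: INIT -> BACKUP (initialization complete)
Dec 15 20:23:44 kernel carp: 239@xn0: BACKUP -> INIT (hardware interface up)
Dec 15 20:23:44 kernel carp: 239@xn0: INIT -> BACKUP (initialization complete)
Dec 15 20:23:44 kernel carp: 239@xn0: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 236@xn0: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 241@xn4: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 240@xn2: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 237@xn2: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 243@xn5: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 242@xn5: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 238@xn1: BACKUP -> MASTER (preempting a slower master)
Dec 15 20:23:44 kernel carp: 228@xn1: BACKUP -> MASTER (preempting a slower master)
""".splitlines()

if __name__ == "__main__":
    print("after down:", summarize(DOWN_LOG))
    print("alerts:", lost_master(DOWN_LOG))
    print("after up:", summarize(UP_LOG))
```

On the "down" sample the summary shows demotion 480, two VIPs in INIT, seven in BACKUP and holds_any_master False, which is the clean, whole-node failover the thread describes. Feeding it the log from a node that only shows one VHID changing state is a quick way to confirm the hypervisor never delivered the link-down event at all.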
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.