How is CARP supposed to be setup?
-
Hello,
I would like some clarification of how CARP is intended to be used… Any information would be much appreciated.
I'm sorry if this has been discussed before, but I couldn't find a real answer for this.
1. I understand that with 3 separate public IPs (in the same block), one for each firewall's WAN and one for the CARP virtual IP, this can provide firewall redundancy.
Does the firewall use its own WAN IP for outbound connections, or does it use the VIP?
2. Can it also provide redundancy for ISP failure?
E.g. have 2 firewalls each on different ISPs (different IP block)? I don't think they would be able to share a VIP, would they?
I guess in this case, you could just use a VIP for the LAN gateway and have outbound redundancy, but public DNS entries would not work if the master goes down (because the master's IP is the one you would have specified in DNS entries)...
3. I'm sure I read somewhere that CARPDev can provide redundancy like in case 1, with only one public IP. Is that correct? Because it looks like CARPDev is included in version 2 and I tried it, but I don't see a difference (inbound packets are still distributed between both boxes randomly).
Let me explain one way I tried.
                ---[PFsense1]---
[PC]---[Switch]                 [Switch]---[DSL modem in bridge mode]
                ---[PFsense2]---

This way (with 1 public IP), I set both PFsense WANs and the external VIP with the public IP, and the LAN gateway is also a VIP. Obviously I have designated one as a master by setting the advertising frequency higher.
This way works, but I see (just a few) packets arriving at the slave (and obviously being blocked because the session exists on the master).
But I don't see why this shouldn't work.... Surely when a device asks (ARP) who has the public IP, only the master is going to answer? So why are packets arriving at the slave?
Or have I lost the plot? ;)
Thanks everybody
Peace out.
-
There is a lot in your post, but I'll try to answer some of your questions.
@Izinyoka: Does the firewall use its own WAN IP for outbound connections, or does it use the VIP?
You should use AON and specify your CARP address for outgoing.
@Izinyoka: 2. Can it also provide redundancy for ISP failure?
CARP is generally used to provide failover if your firewall has a hardware problem. ISP redundancy is a separate issue. You can use multi-WAN failover as one solution.
@Izinyoka: 3. I'm sure I read somewhere that CARPDev can provide redundancy like in case 1, with only one public IP. Is that correct? Because it looks like CARPDev is included in version 2 and I tried it, but I don't see a difference (inbound packets are still distributed between both boxes randomly).
I have to check out the newest 2.0 snaps, but AFAIK, CARPDEV is not yet stable on FreeBSD and not in 2.0.
If you were using CARPDEV, the WAN interfaces would have private IPs and they would share the public CARP IP.
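To make the master/backup behaviour discussed in this thread concrete (which box answers ARP for the VIP, why the box advertising more often wins, and why standard CARP needs a unique WAN IP per node plus the VIP), here is an added simulation; it is not pfSense or FreeBSD code, and the node names and addresses in it are constructed:

```python
"""Simulated CARP master election for a shared VIP (added example, not
pfSense/FreeBSD code).  Models the carp(4) rule that each node advertises
every advbase + advskew/256 seconds and the most frequent advertiser becomes
MASTER, and that only the MASTER answers ARP for the VIP, using the virtual
MAC 00:00:5e:00:01:<vhid>.  Node names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class CarpNode:
    name: str
    wan_ip: str          # the node's own, unique WAN address (standard CARP)
    advbase: int = 1     # whole seconds between advertisements
    advskew: int = 0     # 0-254, adds advskew/256 s; higher = less preferred
    alive: bool = True

    def adv_interval(self) -> float:
        return self.advbase + self.advskew / 256


def virtual_mac(vhid: int) -> str:
    """IEEE VRRP/CARP MAC prefix with the VHID as the last octet."""
    return f"00:00:5e:00:01:{vhid:02x}"


def elect_master(nodes):
    """Return the live node that advertises most often (lowest interval)."""
    live = [n for n in nodes if n.alive]
    return min(live, key=lambda n: n.adv_interval(), default=None)


def arp_reply(nodes, vhid):
    """Which node answers 'who has the VIP?', and with which MAC."""
    master = elect_master(nodes)
    if master is None:
        return None          # no live node: the VIP is unreachable
    return master.name, virtual_mac(vhid)


def check_addresses(nodes, vip):
    """Standard CARP needs one unique interface IP per node plus the VIP."""
    seen = {IPv4Address(vip)}
    problems = []
    for n in nodes:
        ip = IPv4Address(n.wan_ip)
        if ip in seen:
            problems.append(f"{n.name}: {n.wan_ip} duplicates another address")
        seen.add(ip)
    return problems
```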