CARP and Vlans



  • hi,
    when I do the failover between 2 PfSense (CARP) does it have to synchronize the creation of VLANs?
    when I create a Vlan and its interface in the Pfsense Master, does this have to be created automatically in PfSense Slave?



  • No, all your interfaces must first be created on both sides, since the actual real interfaces will each have their own different IP address.
    You must also make sure they use the same NIC and VLAN numbers on each side.
    The Sync will copy over any changes you make to firewall rules, NATs, DNS, DHCP, basically everything EXCEPT the interfaces.



  • haah okeyyy , thank youu



  • @awebster

    but do I put the same ip address for the 2 interface of the Vlan ( the saùe on the master and the slave )? or I put 2 different ip address



  • Each underlying interface must have a unique IP.

    For example:
    LAN-A = LAN Interface on Master =192.168.1.2
    LAN-B = LAN Interface on Backup = 192.168.1.3
    LAN-VIP = CARP VIP address on BOTH = 192.168.1.1

    Hosts will use 192.168.1.1 as their default gateway, and this IP address will map to MAC address 01:00:5e:00:00:xx (xx= VHID number). This MAC address with normally be on the Master pfSense, but if the Backup detects that the Master is down, it will take over the MAC address and send ARP packets to update the network so that the traffic for 192.168.1.1 will arrive at the Backup.


  • Netgate

    Close.

    ARP responses from the firewalls are always CARP VIP ISAT CARP MAC. But those reponses are sourced from the interface MAC address, not the CARP MAC. The CARP MAC address is included in the ARP ISAT response, not the frame itself.

    What steers the traffic to the proper node that holds the CARP MASTER is the fact that the CARP advertisements are sourced from the CARP MAC address. This tells the switching layer what port to send the traffic to. No traffic ever gets sourced from the CARP MAC at layer 2 other than the CARP advertisements.

    This is why most CARP problems come down to switching, not pfSense itself.