Netgate Discussion Forum
    dhcp carp and automatic sync

    HA/CARP/VIPs
    skullnobrains

      hello

      i am using 2 synchronised pfsense boxes with a bunch of vlan interfaces and am deploying machines using pxe on many different vlans.

      i fail to understand how dhcp config is supposed to be replicated:

      if i set up the "Failover peer IP" with the slave's ip address in the proper vlan, the synchronisation tool will set up the slave with a "Failover peer IP" corresponding to the first interface of the master, which is in a different VLAN (actually on my WAN interface)

      not setting it at all actually does not create IP conflicts, but produces a dysfunctional config since the overall setup is active-passive.

      i assume it would work reasonably well if i manually set the CARP address as the gateway, though

      i'm wondering if i am missing something here. is this a bug? am I misconfiguring something? is there a different simple way to make sure that whichever member owns the carp address will answer dhcp queries?

      for now, i only use the master for DHCP which is suboptimal but at least works in a predictable way.

      thanks for your time

      Derelict (LAYER 8, Netgate)

        Sounds like your interfaces do not match between the two cluster nodes. This is a requirement.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        skullnobrains

          they do match

          i'm using carp failover between each interface of both firewalls which definitely would fail to work otherwise. the WAN interface is the very first interface that i've been setting up and the one i'm working on is the last one.

          the WAN interface is dedicated. other interfaces are all vlan interfaces built over a LAGG on each firewall. each vlan has its own carp gateway. most vlans have their own dhcp servers which are only used for automated deployment with PXE.

          i believe there is a bug in the replication code: the ip address of the slave's peer is probably automagically replaced with the first address of the master rather than the master's address for the same interface, in my lagg+vlan case at least

          ... and my setup is also buggy: i should definitely use the carp address as the gateway

          Derelict (LAYER 8, Netgate)

            https://www.netgate.com/docs/pfsense/book/highavailability/index.html


            skullnobrains

            what is your point?
            my carp setup does work. i have multiple machines in each vlan. no problem there. i can shut down either firewall and unplug any cable without producing a mess. i had disabled pfsync in some previous tests, which is why using the carp address as the gateway is required.

            am I expected to configure a LAN interface as the first interface and use the LAN address as the failover peer for each of the dhcp server instances? this would be meaningful indeed. but in that case, it may be worth dropping a line in the documentation, and there is little to no point in setting the same address for each dhcp instance.

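The symptom described in this thread (a synced DHCP instance whose failover peer IP ends up in a different VLAN than the interface it serves) can be caught by checking each peer address against its interface's own subnet. The script below is an added example, not code from the thread or from pfSense; it assumes the config.xml layout `<interfaces><ifname><ipaddr>/<subnet>` and `<dhcpd><ifname><failover_peerip>`, and the XML it parses is constructed sample data.

```python
# Added example: flag DHCP failover peers that lie outside the subnet of the
# interface they are configured on (as with a peer pointing at the WAN subnet
# from a VLAN interface). Assumes the config.xml keys named in the lead-in.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: opt1's peer has been replaced by an address in the WAN
# subnet (the failure mode discussed above); opt2 is configured correctly.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><ipaddr>203.0.113.2</ipaddr><subnet>24</subnet></wan>
    <opt1><ipaddr>10.10.1.2</ipaddr><subnet>24</subnet></opt1>
    <opt2><ipaddr>10.10.2.2</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <dhcpd>
    <opt1><enable/><failover_peerip>203.0.113.1</failover_peerip></opt1>
    <opt2><enable/><failover_peerip>10.10.2.1</failover_peerip></opt2>
  </dhcpd>
</pfsense>"""

def check_failover_peers(config_xml):
    """Return {interface: (peer_ip, interface_network)} for every DHCP
    instance whose failover peer is not inside that interface's subnet."""
    root = ET.fromstring(config_xml)
    networks = {}
    interfaces = root.find("interfaces")
    for iface in (interfaces if interfaces is not None else []):
        addr, mask = iface.findtext("ipaddr"), iface.findtext("subnet")
        # Skip interfaces without a static address (dhcp/pppoe WAN, etc.).
        if addr and mask and addr not in ("dhcp", "pppoe"):
            networks[iface.tag] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    problems = {}
    dhcpd = root.find("dhcpd")
    for inst in (dhcpd if dhcpd is not None else []):
        peer = inst.findtext("failover_peerip")
        if not peer:
            continue  # no failover configured on this instance
        net = networks.get(inst.tag)
        if net is None or ipaddress.ip_address(peer) not in net:
            problems[inst.tag] = (peer, str(net) if net else None)
    return problems

if __name__ == "__main__":
    for iface, (peer, net) in check_failover_peers(SAMPLE_CONFIG).items():
        print(f"{iface}: failover peer {peer} is not inside {net}")
```

Run it against a config.xml pulled from the secondary node after a sync to see which instances received a peer address from the wrong interface.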