Any way of getting around the VHID limit of 256
-
Let's say I have 2 firewalls in HA mode. I want to have 200 "internal" interfaces. That means I need to use 200 VHIDs for IPv4 CARP interfaces. I could also provide the "internal" interfaces with IPv6 addressing; however, I am hitting the VHID limit immediately and get "IPv6 IP Alias cannot be assigned to IPv4 CARP interface".
Option 1. - Don't do IPv6. I would really like to do IPv6.
Option 2. - More firewalls. Where is the end...
Option 3. - Have no IPv6 CARP/IP Alias, but have the primary router advertise itself with "high" priority and the backup one with "medium" priority.
So far only option 3 looks like a possible solution, but I am not 100% sure client devices will play nice with it.
Any suggestions are welcome.
-
Option 4. - Make routing on a routing device or a switch.
-
@bepo said in Any way of getting around the VHID limit of 256:
Option 4. - Make routing on a routing device or a switch.
Yes changing the network design is definitely option 4.
-
Actually you could re-use VHIDs as long as they are in a different/distinct Layer 2 network segment. I'll test this out tomorrow.
-
As long as the L2 is separate, you can use the same VHID for each interface.
-
@xciter327 Great idea!
-
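The reuse rule from the two replies above (a VHID only has to be unique within one L2 segment, because CARP advertisements never leave that segment) is easy to get wrong once VLANs are bridged together. The checker below is an added example, not code from this thread or from pfSense; it assumes a VIP is identified by parent interface, optional 802.1Q tag and VHID, that two ports are one L2 segment when they are the same parent/tag pair or members of the same bridge, and that valid VHIDs are 1-255 (the CARP VHID field is 8 bits wide).

```python
"""Check a planned set of CARP VIPs for VHID collisions inside one L2 segment.

Added example, not code from the thread or from pfSense. Assumptions:
- a VIP is identified by its parent interface, an optional 802.1Q tag and its VHID;
- two VIPs share an L2 segment when they sit on the same parent/tag pair, or
  when those pairs are members of the same bridge (the "bridged" argument);
- valid VHIDs are 1..255 (the CARP VHID field is 8 bits wide).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

VHID_MIN, VHID_MAX = 1, 255


@dataclass(frozen=True)
class Vip:
    parent: str           # parent interface, e.g. "igb1" (constructed name)
    vlan: Optional[int]   # 802.1Q tag, None for an untagged interface
    vhid: int

    @property
    def port(self) -> str:
        """Interface name the VIP lives on, e.g. "igb1.10"."""
        return self.parent if self.vlan is None else f"{self.parent}.{self.vlan}"


def _segment_map(vips: Iterable[Vip], bridged: Iterable[Set[str]]) -> Dict[str, str]:
    """Map every port to the name of its L2 segment; bridge members collapse into one."""
    seg = {v.port: v.port for v in vips}
    for members in bridged:
        name = "bridge(" + ",".join(sorted(members)) + ")"
        for m in members:
            seg[m] = name
    return seg


def check_vhids(vips: List[Vip], bridged: Iterable[Set[str]] = ()) -> List[str]:
    """Return a list of problems; an empty list means the plan is clean."""
    seg_of = _segment_map(vips, bridged)
    problems: List[str] = []
    # segment -> vhid -> ports that use it
    per_segment: Dict[str, Dict[int, List[str]]] = defaultdict(lambda: defaultdict(list))
    for v in vips:
        if not VHID_MIN <= v.vhid <= VHID_MAX:
            problems.append(f"{v.port}: VHID {v.vhid} is outside {VHID_MIN}-{VHID_MAX}")
            continue
        per_segment[seg_of[v.port]][v.vhid].append(v.port)
    for segment, by_vhid in per_segment.items():
        for vhid, ports in by_vhid.items():
            if len(ports) > 1:
                problems.append(
                    f"{segment}: VHID {vhid} used {len(ports)} times ({', '.join(ports)})"
                )
    return problems


def vhids_per_segment(vips: List[Vip], bridged: Iterable[Set[str]] = ()) -> Dict[str, int]:
    """How many distinct VHIDs each L2 segment consumes (useful to see how close to 255 it is)."""
    seg_of = _segment_map(vips, bridged)
    counts: Dict[str, Set[int]] = defaultdict(set)
    for v in vips:
        counts[seg_of[v.port]].add(v.vhid)
    return {seg: len(s) for seg, s in counts.items()}


if __name__ == "__main__":
    # Constructed plan: 200 VLANs on igb1, every one reusing VHID 1 -> no collision,
    # because each VLAN is its own L2 segment.
    plan = [Vip("igb1", tag, 1) for tag in range(10, 210)]
    print("reuse across VLANs:", check_vhids(plan) or "clean")
    # Bridging two of those VLANs turns the reuse into a real collision.
    print("bridged VLANs:", check_vhids(plan, bridged=[{"igb1.10", "igb1.11"}]))
```

`bridged` is the part that the "same VHID per interface" shorthand hides: two VLAN interfaces that sit in the same bridge (or two trunk ports that end up on the same switch VLAN) are one L2 segment, and a duplicate VHID there produces two masters fighting over the same advertisement.
-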
So I've been testing with a large number of CARP interfaces. I keep getting:
sonewconn: pcb 0xfffff800298220f0: Listen queue overflow: 193 already in queue awaiting acceptance (xxxxx occurrences)
Theoretically I can start increasing the "kern.ipc.somaxconn", but I am unsure if this is the right way.
-
That error wouldn't be from CARP directly, but from a daemon or other socket provider on the firewall (web server, php, etc).
-
I am still investigating, however currently it looks like pfctl is trying to start the firewall and failing.
-
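The reply above is right that the message belongs to a listening socket, not to CARP, and the message itself says which listener and how deep its queue was. The parser below is an added example, not code from this thread or from pfSense: it reads constructed log lines in the FreeBSD `sonewconn` format, sums the dropped attempts per listener, and infers the listener's effective backlog from the reported depth, using the fact that FreeBSD's sonewconn() drops when the queue exceeds 1.5x the backlog. On a real box the input would be `dmesg` output and the limit `sysctl -n kern.ipc.somaxconn`; the pcb values and the carp line are constructed sample data.

```python
"""Parse FreeBSD "sonewconn ... Listen queue overflow" messages and relate them to somaxconn.

Added example, not from the thread. The sample lines are constructed; on a real box
feed it `dmesg` output and `sysctl -n kern.ipc.somaxconn` for the limit.
"""
import re
from typing import Dict, Iterable, List, NamedTuple

# Kernel format: "sonewconn: pcb <addr>: Listen queue overflow: <n> already in queue
# awaiting acceptance (<k> occurrences)". The kernel rate-limits the message, so one
# line stands for <k> dropped connection attempts.
_OVERFLOW = re.compile(
    r"sonewconn: pcb (?P<pcb>0x[0-9a-f]+): Listen queue overflow: "
    r"(?P<queued>\d+) already in queue awaiting acceptance \((?P<occ>\d+) occurrences\)"
)

# Constructed sample log; only the sonewconn lines should be picked up.
SAMPLE_LOG = [
    "Sep  3 10:14:02 fw1 kernel: sonewconn: pcb 0xfffff800298220f0: Listen queue overflow: "
    "193 already in queue awaiting acceptance (12 occurrences)",
    "Sep  3 10:14:32 fw1 kernel: sonewconn: pcb 0xfffff800298220f0: Listen queue overflow: "
    "193 already in queue awaiting acceptance (7 occurrences)",
    "Sep  3 10:15:01 fw1 kernel: sonewconn: pcb 0xfffff80012345678: Listen queue overflow: "
    "49 already in queue awaiting acceptance (3 occurrences)",
    "Sep  3 10:15:05 fw1 kernel: carp: VHID 1@igb1.10: MASTER -> BACKUP "
    "(more frequent advertisement received)",
]


class Overflow(NamedTuple):
    pcb: str           # address of the listening socket's pcb, identifies the listener
    queued: int        # connections already waiting in the accept queue
    occurrences: int   # dropped attempts this line stands for


def parse_overflows(lines: Iterable[str]) -> List[Overflow]:
    """Extract every overflow event; unrelated lines are ignored."""
    events: List[Overflow] = []
    for line in lines:
        m = _OVERFLOW.search(line)
        if m:
            events.append(Overflow(m["pcb"], int(m["queued"]), int(m["occ"])))
    return events


def summarize(events: List[Overflow], somaxconn: int) -> Dict[str, dict]:
    """Per listener: peak depth, total drops, inferred backlog, and whether somaxconn is the cap."""
    result: Dict[str, dict] = {}
    for e in events:
        r = result.setdefault(e.pcb, {"peak_queued": 0, "dropped": 0})
        r["peak_queued"] = max(r["peak_queued"], e.queued)
        r["dropped"] += e.occurrences
    for r in result.values():
        # sonewconn() drops once qlen > 3 * backlog / 2, so the reported depth is about
        # 1.5x the listener's effective backlog, which is min(listen(2) argument, somaxconn).
        r["inferred_backlog"] = (r["peak_queued"] * 2) // 3
        # If the backlog already equals somaxconn, the sysctl is the ceiling; if it is
        # smaller, the daemon's own listen() backlog is the limit and raising the sysctl
        # changes nothing for that listener.
        r["somaxconn_is_the_cap"] = r["inferred_backlog"] >= somaxconn
    return result


if __name__ == "__main__":
    for pcb, r in summarize(parse_overflows(SAMPLE_LOG), somaxconn=128).items():
        print(pcb, r)
```

Reading the thread's own line through this lens: 193 queued is just over 1.5 x 128, i.e. the default `kern.ipc.somaxconn`, so for that listener the sysctl really is the ceiling; whether raising it helps still depends on the daemon keeping up with accept(), which is the point of the reply above. Mapping a pcb address back to a process is done on the box with `sockstat` or `netstat -Aan`.
-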
A little bit of PSA.
While you seem to be able to configure an unlimited number of interfaces, pfSense has major issues when the number of interfaces goes above 128: high CPU load, UI times out, DHCP does not work, CARP/Sync becomes unusable, the system freezes up, etc.
This is very much pfSense related and not a FreeBSD problem, by the looks of it.
To reproduce: make 200 VLANs and assign them IPs, DHCP, etc. If your device is really powerful, make more. I've tested this on an Atom 2758 box.
-
The number of CARP VIPs and the number of interfaces are completely unrelated problems, but thanks for the note.