Downstream CARP upstream BGP

  • Hi,

    at work we might be migrating over to pfSense from Fortigate. The current solution implements an Active Passive setup which we also want for pfSense. I've experience with pfSense in a CARP environment but we want to try something new like so.

    upstream Router 1:
    -> Link to pfSense box 1
    -> Link to pfSense box 2
    upstream Router 2:
    -> Link to pfSense box 1
    -> Link to pfsense box 2

    We would like to run CARP only on pfSense's downstream interfaces. On upstream we think about exploiting BGP for failover. That's what's in my mind:

    • Every pfSense has two BGP Neighbors via a dedicated p2p link
    • Only pfSense master shall announce routes
    • The routes are being announced to both upstream routers (which are Nokia 7750). So traffic may flow over any of those

    Is there anybody out there who might have experience with such or similar setup?

    • Does this setup sound reasonable
    • How can I make sure that only the master announces via BGP?
    • Shall I go for FRR or OpenGBGP?

    The other option that came to my mind is to setup VRRP on the Nokia side but we think the BGP is nicer.
    Thank you in advance

  • LAYER 8 Netgate

    BGP doesn't make a very good failover protocol. A CARP failover is much faster.

    Aside from failover, where do you actually need dynamic routing? I would use failover protocols where you need failover and dynamic routing protocols where you need dynamic routing.

    Why do the firewalls have to announce routes at all? Why don't the routers just announce them? Routers don't get blown up by asymmetric routing and changing paths like stateful firewalls do.

    If you do decide to use BGP on pfSense, FRR all the way.

  • Thank you for your response. We are going to use CARP.
    We will also build LAGGs for upstream and downstream links so the probability for failure should be pretty low.
    We thought about using BGP because our upstream devices can handle that and because it would mean less cabling / ports.

Log in to reply