Netgate Discussion Forum
    Unbound iface bind settings in CARP/VIP scenario

    Category: HA/CARP/VIPs (1 post, 1 poster, 373 views)
    IT_Luke:

      Hi all, I have looked around but can't seem to find a definitive answer to this issue or possibly missed something: in an HA setup with a CARP VIP for the outgoing GW iface, to have an automatic failover it would make sense to assign this VIP also among the ones the unbound / DNS resolver service listens to in order to have a seamless failover. However this config is replicated to the secondary pfSense and the DNS resolver tries to bind to this CARP VIP also and fails to start (duh). My solution was to simply set the 2 physical pfSense IPs as DNSs and not specify any CARP VIP in the DNS resolver settings (so listen on LAN and Localhost) and this naturally works - but in the case of a failure of one box, clients would need to time out (yes we're talking only about 3 seconds here) before they would switch to the 2nd DNS / pfSense which is not "seamless".
      Is there any way to tell the failover pfSense box to restart the unbound / DNS resolver so that it will successfully bind to the newly available CARP VIP once the failed box has released it? This also impacts pfBlocker as it relies on unbound to work.

      Thanks!

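As an added example (not from the post, and not pfSense or Netgate code), one way to act on the failover the poster asks about: a POSIX sh script that restarts the resolver only when the CARP VIP it is configured to listen on is MASTER on this node, because binding to a VIP that is BACKUP is exactly what fails on the secondary. The interface, VHID, VIP, config path and restart command are placeholders, and the ifconfig and unbound.conf formats are assumed as in the constructed sample.

```shell
#!/bin/sh
# Added example, not from the forum post or from pfSense/Netgate.
# Restart the resolver only when the CARP VIP it is configured to listen on is
# MASTER on this node; on the BACKUP node the bind fails, as the post describes.
# Assumed formats: FreeBSD "ifconfig <if>" output, unbound.conf "interface:" lines.

# carp_state "<ifconfig output>" <vhid> -> MASTER | BACKUP | INIT | none
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $4 == vhid { print $2; found = 1 }
        END { if (!found) print "none" }'
}

# listens_on "<unbound.conf text>" <ip> -> exit 0 if an "interface:" line names <ip>
listens_on() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "interface:" && $2 == ip { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# decide <carp state> "<unbound.conf text>" <vip> -> restart | skip
decide() {
    if [ "$1" = "MASTER" ] && listens_on "$2" "$3"; then
        echo restart    # VIP is ours now: a restart will bind successfully
    else
        echo skip       # BACKUP/INIT, or VIP not in config: restart is pointless or fails
    fi
}

# Constructed sample data (not captured from a real box) for an offline dry run.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffffff broadcast 192.0.2.1 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_CONF='server:
interface: 127.0.0.1
interface: 192.0.2.1'

if [ "${1:-}" = "--live" ]; then
    # Placeholders: set for your VIP; run this from your CARP event handling.
    VIP_IF="em0"; VHID="1"; VIP="192.0.2.1"
    UNBOUND_CONF="${UNBOUND_CONF:-/path/to/unbound.conf}"
    RESTART_CMD="${RESTART_CMD:-echo 'would restart unbound'}"
    state=$(carp_state "$(ifconfig "$VIP_IF")" "$VHID")
    [ "$(decide "$state" "$(cat "$UNBOUND_CONF")" "$VIP")" = restart ] && eval "$RESTART_CMD"
else
    echo "dry run: $(decide "$(carp_state "$SAMPLE_IFCONFIG" 1)" "$SAMPLE_CONF" 192.0.2.1)"
fi
```

Without `--live` the script only exercises the decision logic on the constructed sample; with `--live` it reads the real interface and config and runs the restart command you supply.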
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.