CARP/HA not working
-
You have to add ports 9 and 10 as tagged members of VLAN 8 in the switch config as I said.
Currently you have VLAN 8 only using port 8 so nothing is ever passed to the internal LAGG.
Make sure you can ping between the nodes on the SYNC interface IPs. It's not required for sync but adding rules to allow it makes troubleshooting much easier.
Steve
-
@stephenw10 said in CARP/HA not working:
You have to add ports 9 and 10 as tagged members of VLAN 8 in the switch config as I said.
Currently you have VLAN 8 only using port 8 so nothing is ever passed to the internal LAGG.
Make sure you can ping between the nodes on the SYNC interface IPs. It's not required for sync but adding rules to allow it makes troubleshooting much easier.
Steve
So like:
So, if I add 9 and 10 as tagged to vlan 8, even though 9 and 10 are not physical ports, it might start syncing to the other firewall??
(I have no access to the other FW at the moment as I fucked it up a little bit and I need to go to the datacenter ...)
-
Yes, that is the correct switch setup. You should be able to use port 8 for sync with that on both firewalls.
Steve
-
@stephenw10 Hi, I changed the VLANs on both and also added a rule:
but I still cannot ping the other SYNC IP address.
-
@nick-loenders I have found it.... The DHCP on the 2nd FW was still enabled and that was a mistake...
Reset both devices and began from scratch, now with DHCP disabled on the 2nd LAN
And now it seems to sync well.
OK Stage 1 complete :)
-
You should have DHCP enabled on both nodes for subnets that need it. You just need to set up the DHCP servers for failover operation.
See: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html#modifying-the-dhcp-server
Steve
-
@stephenw10 Thanks, it all seems to work fine now.
Is it normal that I lose +-5 seconds when one device is lost?
And +-10 seconds when the device is back online?
-
Lose that how?
If CARP is functioning correctly you might lose, for example, a single ping during the failover. For pings with a 1s period that is.
Steve