Can / Should i use a CARP address as default GW (LAN)

planetinse · Feb 7, 2023, 2:05 PM

Is it correct/best practise to in a scenario with two pfsense use a internal CARP for failover default gw (LAN gw) that is assigned from DHCP (from same pfsense boxes)

ie.
pfsense 1 - 192.168.0.1
pfsense 2 - 192.168.0.2
CARP 192.168.0.3

then i DHCP server I set default gw to be assigned to LAN clients to 192.168.0.3

I have some funny shit happening with haproxy (on internal https offloading) - and i suspect this is involved somehow...

If not best practice - how should it be accomplished?

viragomann · Feb 7, 2023, 2:34 PM

@planetinse
Yes, you should set the CARP VIP to be your LAN gateway in the DHCP settings.

I have some funny shit happening with haproxy (on internal https offloading)

What?

HAproxy in real proxy mode should have nothing to do with high availability.
The proxy forward the packets with the interface IP as source, even if you have CARP configured. So it should not have any impact.

planetinse · Feb 7, 2023, 2:40 PM

@viragomann

I know that, and the problem is that it is working intermittent

...so iam looking at different scenarios, and suspect my way of doing this DHCP/LAN/FAILOVER "setup" is not correct way of doing it....

It does work if each pfsense box assigns itself as default GW. (aka, pfsense1 is always default gw as long as its online)

but then i loose failover on outgoing.

viragomann · Feb 7, 2023, 2:50 PM

@planetinse
Have you configured the states sync in System > High Availability Sync?

planetinse · Feb 7, 2023, 3:09 PM

@viragomann

Yes, to get back to my question...

Is this the "normal" way I would setup a "LB pair" when it comes
to Default LAN GW & DHCP failover ..

example of a .24 net
pfsense 1 - 192.168.0.1
pfsense 2 - 192.168.0.2
CARP 192.168.0.3

then I configure DHCP server to assign clients default gw to the CARP address.

.. or iam i barking up the wrong tree here, no reason to try get something to work, if it was not supposed to be done like that :)

(This is a running environment with 400+ LAN clients)

viragomann · Feb 7, 2023, 3:28 PM

@planetinse said in Can / Should i use a CARP address as default GW (LAN):

Is this the "normal" way I would setup a "LB pair" when it comes
to Default LAN GW & DHCP failover ..
example of a .24 net
pfsense 1 - 192.168.0.1
pfsense 2 - 192.168.0.2
CARP 192.168.0.3

On the primary node in the interface DHCP settings you have to state 192.168.0.3 as gateway and at "Failover peer IP" you have to enter 192.168.0.2.
The secondary's config should be adopted automatically.

In the DHCP settings there is nothing more to do so far for enabling HA failover.

In the HAproxy general settings you have to select a CARP VIP at "Carp monitor", which instructs pfSense to stop the service if the other node owns the master role.

planetinse · Feb 7, 2023, 3:33 PM

@viragomann

Good, so this is the way it should work then, then i can stop suspecting this was related to the issues at hand, thx !