    Can / Should i use a CARP address as default GW (LAN)

    HA/CARP/VIPs
    • P
      planetinse last edited by

      Is it correct/best practice, in a scenario with two pfsense, to use an internal CARP for failover default gw (LAN gw) that is assigned from DHCP (from the same pfsense boxes)?

      ie.
      pfsense 1 - 192.168.0.1
      pfsense 2 - 192.168.0.2
      CARP 192.168.0.3

      Then in the DHCP server I set the default gw to be assigned to LAN clients to 192.168.0.3.

      I have some funny shit happening with haproxy (on internal https offloading) - and I suspect this is involved somehow...

      If not best practice - how should it be accomplished?

      • V
        viragomann @planetinse last edited by

        @planetinse
        Yes, you should set the CARP VIP to be your LAN gateway in the DHCP settings.

        > I have some funny shit happening with haproxy (on internal https offloading)

        What?

        HAproxy in real proxy mode should have nothing to do with high availability.
        The proxy forwards the packets with the interface IP as source, even if you have CARP configured. So it should not have any impact.

        • P
          planetinse @viragomann last edited by planetinse

          @viragomann

          I know that, and the problem is that it is working intermittently.

          ...so I am looking at different scenarios, and suspect my way of doing this DHCP/LAN/FAILOVER "setup" is not the correct way of doing it....

          It does work if each pfsense box assigns itself as default GW. (aka, pfsense1 is always default gw as long as it's online)

          But then I lose failover on outgoing.

          • V
            viragomann @planetinse last edited by

            @planetinse
            Have you configured the states sync in System > High Availability Sync?

            • P
              planetinse @viragomann last edited by planetinse

              @viragomann

              Yes, to get back to my question...

              Is this the "normal" way I would setup a "LB pair" when it comes
              to Default LAN GW & DHCP failover ..

              example of a .24 net
              pfsense 1 - 192.168.0.1
              pfsense 2 - 192.168.0.2
              CARP 192.168.0.3

              then I configure DHCP server to assign clients default gw to the CARP address.

              ... or am I barking up the wrong tree here? No reason to try to get something to work if it was not supposed to be done like that :)

              (This is a running environment with 400+ LAN clients)

              • V
                viragomann @planetinse last edited by

                @planetinse said in Can / Should i use a CARP address as default GW (LAN):

                > Is this the "normal" way I would setup a "LB pair" when it comes
                > to Default LAN GW & DHCP failover ..
                > example of a .24 net
                > pfsense 1 - 192.168.0.1
                > pfsense 2 - 192.168.0.2
                > CARP 192.168.0.3

                On the primary node in the interface DHCP settings you have to state 192.168.0.3 as gateway and at "Failover peer IP" you have to enter 192.168.0.2.
                The secondary's config should be adopted automatically.

                In the DHCP settings there is nothing more to do so far for enabling HA failover.

                In the HAproxy general settings you have to select a CARP VIP at "Carp monitor", which instructs pfSense to stop the service if the other node owns the master role.

                • P
                  planetinse @viragomann last edited by

                  @viragomann

                  Good, so this is the way it should work then. Then I can stop suspecting this was related to the issues at hand, thx!
