Netgate Discussion Forum

    CARP and Redundancy

    • cipher7836

      I have two pfSense systems running CARP. I tested them by creating some NAT rules, and saw them being replicated from the master to the slave. I created a virtual IP of 192.168.9.253. I can ping the IP from either machine and from any system on my LAN. So far, so good.

      If I type that address into my web browser, my pfSense GUI comes up. I wanted to see what would happen if the master pfSense server went down. I set up a ping to the virtual IP address. As soon as I rebooted the master server, I stopped getting a ping response. I also couldn't get the web GUI to come up anymore.

      I thought that one of the features of CARP was to have the server available if one was down. So that if the master was down the shared IP was still up and accessible, and I could access the web GUI. Am I incorrect in this, or did I miss a configuration step?

      • jimp Rebel Alliance Developer Netgate

        Was that virtual IP you created a CARP Virtual IP and present on both the master and slave systems? You might double-check to make sure its VHID, password, advskew, etc. are all correct.

        A properly configured CARP VIP should work regardless of which system is up – as you said, that is the point of CARP.

        • cipher7836

          As far as I can tell everything was set up correctly. It does have "Carp" selected. I'll go through the setup again just to make sure, but I was fairly confident it was good. On both machines I can "see" the virtual IP. But it's almost as if the master server is where the virtual IP resides. Once that is down then no more virtual IP.

          • Eugene

            Check Status->CARP on Stand-by box when Active is up and down.

            http://ru.doc.pfsense.org

            • cipher7836

              When I reboot the main box the backup promotes itself to master. Then it correctly "unpromotes" itself back to backup. But during that time the shared IP is still unavailable. I assume that if the firewall was in production right now, and I had rebooted the master, that services would also be unavailable. Would that be safe to assume?

              • Eugene

                Can you give us screenshots of:

                • rules
                • interfaces (from both boxes)
                • VIPs (from both boxes)

                • cipher7836

                  Here are some screenshots. I hope they help…

                  • Eugene

                    You use subnet /32 in the CARP IP config. This is wrong; you should use the same subnet you are using for the interface. That is why I asked you to show us the interface configs.

                    • cipher7836

                      Oh shoot! You're right! What a stupid mistake to make. :( On the interfaces I had /24. On the virtual IP /32. Let me correct this and see what I get….

                      • cipher7836

                        Here's an update…

                        I changed the subnet to 24 for the LAN interface, and the virtual IP. I was able to reboot the master, and still have access to the firewall.

                        -Thanks! :)
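
The checks discussed in this thread (CARP VIP mask matching the interface mask, plus matching VHID and password on both nodes), as an added example that is not part of the original thread or of pfSense itself. `CarpNode`, `audit_carp_pair` and `make_pair` are hypothetical helpers; the interface addresses, VHID, password and advskew values are constructed, and only the VIP address and the /24 and /32 masks come from the posts above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class CarpNode:
    name: str
    iface: str     # interface address/mask, e.g. "192.168.9.1/24"
    vip: str       # CARP VIP address/mask as entered on this node
    vhid: int
    password: str
    advskew: int

def audit_carp_pair(primary, secondary):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for node in (primary, secondary):
        iface = ipaddress.ip_interface(node.iface)
        vip = ipaddress.ip_interface(node.vip)
        if vip.ip not in iface.network:
            findings.append(f"{node.name}: VIP {vip.ip} is outside {iface.network}")
        elif vip.network.prefixlen != iface.network.prefixlen:
            # The mistake found in the thread: /32 VIP on a /24 interface.
            findings.append(
                f"{node.name}: VIP mask /{vip.network.prefixlen} does not match "
                f"interface mask /{iface.network.prefixlen}")
    if ipaddress.ip_interface(primary.vip).ip != ipaddress.ip_interface(secondary.vip).ip:
        findings.append("VIP address differs between nodes")
    if primary.vhid != secondary.vhid:
        findings.append("VHID differs between nodes")
    if primary.password != secondary.password:
        findings.append("CARP password differs between nodes")
    if primary.advskew >= secondary.advskew:
        findings.append("secondary advskew must be higher than primary advskew")
    return findings

def make_pair(vip_bits):
    # Constructed sample pair; interface IPs, VHID and password are assumptions.
    common = dict(vip=f"192.168.9.253/{vip_bits}", vhid=1, password="example-secret")
    return (CarpNode("primary", "192.168.9.1/24", advskew=0, **common),
            CarpNode("secondary", "192.168.9.2/24", advskew=100, **common))

if __name__ == "__main__":
    for bits in (32, 24):
        print(f"VIP /{bits}:", audit_carp_pair(*make_pair(bits)) or "no findings")
```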
