CARP and Redundancy



  • I have two pfSense systems running CARP. I tested them by creating some NAT rules, and saw them being replicated from the master to the slave. I created a virtual IP of 192.168.9.253. I can ping the IP from either machine and from any system on my LAN. So far, so good.

    If I type that address into my web browser my pfSense GUI comes up. I wanted to see what would happen if the master pfSense server went down. I setup a ping to the virtual IP address. As soon as I rebooted the master server I stopped getting a ping response. I also couldn't get the web GUI to come up anymore.

    I thought that one of the features of CARP was to have the server available if one was down. So that if the master was down the shared IP was still up and accessible, and I could access the web GUI. Am I incorrect in this, or did I miss a configuration step?


  • Rebel Alliance Developer Netgate

    Was that virtual IP you created a CARP Virtual IP and present on both the master and slave systems? You might double check to make sure its VHID, password, advskew, etc are all correct.

    A properly configured CARP VIP should work regardless of which system is up – as you said, that is the point of CARP.



  • As far as I can tell everything was setup correctly. It does have "Carp" selected. I'll go through the setup again just to make sure, but I was fairly confident it was good. On both machines I can "see" the virtual IP. But it's almost as if the master server is where the virtual IP resides. Once that is down then no more virtual IP.



  • Check Status->CARP on Stand-by box when Active is up and down.



  • When I reboot the main box the backup promotes itself to master. Then it correctly "unpromotes" itself back to backup. But during that time the shared IP is still unavailable. I assume that if the firewall was in production right now, and I had rebooted the master, that services would also be unavailable. Would that be safe to assume?



  • Can you give us screenshots of:

    • rules
    • interfaces (from both boxes)
    • VIPs (from both boxes)


  • Here are some screen shots. I hope they help…










  • You use subnet /32 in CARP IP config. This is wrong, you should use the same subnet you are using for the interface, that is why I asked you to show us interfaces configs.



  • Oh shoot! You're right! What a stupid mistake to make. :( On the interfaces I had /24. On the virtual IP /32. Let me correct this and see what I get….



  • Here's an update…

    I changed the subnet to 24 for the LAN interface, and the virtual IP. I was able to reboot the master, and still have access to the firewall.

    -Thanks! :)


Log in to reply