HA CARP with FRR OSPF on PFSense LAN Interface
-
Greetings All. Full disclosure, I am completely new to PFSense and how it does what it does. Setting up a new pair of PFSense Firewalls to replace some Cisco FTD devices that are simply too pricey for what they deliver these days. I have the PF devices set up in an HA pair using CARP/Sync etc. Working great so far in my test lab.
On my FTD, I run an OSPF process between it and the L3 switch it's connected to. This allows me to dynamically exchange network routes on the L3 switch with the PFSense devices as well as have the PFSense boxes announce the OpenVPN subnet I am using for VPN sessions to the L3 switch. I have done this for years with my FTD devices and it's worked great.
I have done the same with the PFSense devices I am setting up testing the OSPF FRR with a test L3 switch I have in my lab. I can get it to work fine and exchange routes between the two devices, and even have FRR doing interface CARP status checking to selectively bring up the FRR OSPF process on the backup device in the event of a CARP status change. Seems to work fine.
One of the things I am doing in the OSPF FRR configuration is redistributing the PFSense devices' default route via OSPF. This is working, but slightly differently from the way the FTD does things. With FTD you assign the IP you want to always be available to an interface on the primary, assign another IP in the same subnet to the secondary, and in an HA failover the two devices 'swap' IP addresses such that that IP is always actually assigned to an interface. In the default route scenario, the route that gets distributed to the switch shows a next hop of the interface IP address of the LAN interface on the primary PFSense device, rather than the CARP VIP IP address. So, if the interface IP of the primary PFSense device in the HA pair is 10.10.10.2 and the CARP VIP is 10.10.10.1, the OSPF default route on the switch gets installed as having the next hop be 10.10.10.2 rather than 10.10.10.1.
Not sure this is an issue here, as the routing would work technically. Is there some way to get the PFSense box to announce the route with the VIP being the next hop rather than the IP assigned to the node FRR is running on? Some kind of route map or something. I didn't see or understand some of the next hop settings available in a route map in OSPF FRR on PFSense to see where I could set the next hop as the LAN VIP, but maybe someone more experienced with PFSense can help me here. And since I am running dynamic routing between the switch and the PFSense device, it begs the question: do I even need a CARP VIP for the LAN interface if OSPF can direct traffic to the correct active FW? Are there some issues that might be a problem doing that with PFSense? I still need the VIP for the WAN side, and there is no OSPF routing on the WAN. Thanks in advance for replies.
-
So I thought about this a bit and realized I'd need to have the CARP VIP on the LAN, if for nothing more than to facilitate the failover state on the WAN in the case of a LAN failure. CARP on here fails together, so I would still want the CARP VIP IP on the LAN even if I don't technically need it for routing traffic.
Still could use some help on getting the next hop for the default route learned by my switches to be the VIP address and not the LAN interface IP.
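For readers following the default-route redistribution described in the two posts above, here is an added FRR OSPF configuration example. It is not the poster's configuration and not pfSense's generated config; the interface name `em1`, the router-id, the 10.10.10.0/24 LAN prefix and the 10.8.0.0/24 OpenVPN prefix are assumptions (only the 10.10.10.1 VIP and 10.10.10.2 interface address come from the post). The point it demonstrates is that redistribution into OSPF should be fenced by prefix-lists and route-maps so that only the routes you intend (the default route and the VPN subnet) reach the L3 switch, rather than every kernel or connected route on the firewall.

```frr
! Added example configuration, not from the original post.
! Assumed values: em1 = LAN interface facing the L3 switch,
! 10.8.0.0/24 = OpenVPN tunnel network, router-id 10.10.10.2.
!
! Only the default route may leave the kernel table via OSPF.
ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0
! Only the OpenVPN tunnel network may leave the connected table via OSPF.
ip prefix-list OPENVPN-NET seq 10 permit 10.8.0.0/24
!
route-map KERNEL-TO-OSPF permit 10
 match ip address prefix-list DEFAULT-ONLY
 set metric 10
 set metric-type type-1
!
! Explicit deny: any other kernel route (static routes, etc.) is never advertised.
route-map KERNEL-TO-OSPF deny 20
!
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list OPENVPN-NET
!
! Explicit deny: WAN and other directly connected subnets stay off the switch.
route-map CONNECTED-TO-OSPF deny 20
!
router ospf
 ospf router-id 10.10.10.2
 ! Only the LAN toward the switch speaks OSPF; the WAN is never enabled.
 network 10.10.10.0/24 area 0.0.0.0
 passive-interface default
 no passive-interface em1
 redistribute kernel route-map KERNEL-TO-OSPF
 redistribute connected route-map CONNECTED-TO-OSPF
```

On the next-hop question itself: with this or any route-map, the switch will still install 10.10.10.2 as the next hop. An OSPF AS-external LSA only carries a forwarding address when the ASBR's own next hop for that route lies on an OSPF-enabled network; for a default route pointing out the WAN the forwarding address is 0.0.0.0, so neighbors route to the advertising router's interface address, and the route-map `set` clauses for OSPF (metric, metric-type, tag) do not change that. Verifying what is actually being advertised is done with `show ip ospf database external` on the firewall and the OSPF route table on the switch after a CARP failover.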