Netgate Discussion Forum
    Don't access GUI, SSH etc using CARP VIP?

    HA/CARP/VIPs | 3 Posts, 2 Posters, 78 Views
    • luckman212 (LAYER 8), last edited by luckman212

      https://docs.netgate.com/pfsense/en/latest/highavailability/index.html

      ^^ this page says:

      Never access the firewall GUI, SSH, or other management mechanism using a CARP VIP directly. For management purposes, only use the actual IP address on the interface of each separate node and not the VIP. Otherwise, the client cannot determine beforehand which node it is accessing.

      I've set up a handful of HA clusters and to be honest, never had any problems using the VIP to administer the firewall. With the exception of upgrades/reboots where you obviously need to be explicit with which node you're putting in standby, rebooting etc, are there other reasons why using the VIP is a bad idea?

      I prefer the convenience of using a single IP/hostname (simpler ssh config, easier bookmark management etc).

      • patient0 @luckman212

        @luckman212 if accessed by the VIP you will have to know which node is the master to know on which node you are going to land. And you have to hope that the cluster won't fail over while you are connected to it.

        If the cluster is in failover mode then you'll land on the backup node and many settings will not persist. So what is the point :).

        After all it's just an IP, you either use one or another IP, so why not use the node's IP directly?

        But at the end of the day: whatever rocks your boat :)

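A defender-side check for the situation patient0 describes, added here as an example and not code from this thread or from pfSense: before making changes in a session that may have arrived via the VIP, read the CARP state for the management VIP's vhid out of `ifconfig` and refuse to proceed unless this node is MASTER. The `ifconfig` text, interface names, addresses and vhid numbers below are constructed; the `carp: STATE vhid N ...` line format is assumed to match FreeBSD's `ifconfig`, so confirm it on your own node.

```shell
# Constructed sample of FreeBSD/pfSense `ifconfig` output with two CARP VIPs.
# On a real node you would feed it with: ifconfig
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 2
        carp: BACKUP vhid 2 advbase 1 advskew 100'

# carp_state <ifconfig-text> <vhid>
# Prints the CARP state (MASTER, BACKUP, INIT) for the given vhid, or NONE if
# this node carries no VIP with that vhid. Exit status is 0 only for MASTER.
carp_state() {
    state=$(printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == want { print $2; found = 1; exit }
        END { if (!found) print "NONE" }')
    printf '%s\n' "$state"
    [ "$state" = "MASTER" ]
}

# guard_changes <ifconfig-text> <vhid>
# Put this in front of any config-changing script: it refuses to continue unless
# this node is MASTER for the management VIP's vhid, so edits made on a node that
# just lost (or never had) the VIP are caught before they are silently lost.
guard_changes() {
    if carp_state "$1" "$2" >/dev/null; then
        echo "node is MASTER for vhid $2; safe to make changes"
        return 0
    fi
    echo "node is NOT MASTER for vhid $2 (state: $(carp_state "$1" "$2")); refusing" >&2
    return 1
}

guard_changes "$SAMPLE_IFCONFIG" 1
guard_changes "$SAMPLE_IFCONFIG" 2 || true
```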
        • luckman212 (LAYER 8) @patient0

          Guess I never really thought about the possibility of a failover event occurring in the middle of making configuration changes. But I guess that's as likely to happen as anything else. I'll now consider myself lucky that it never did.

          I've gone and updated all of my bookmarks and tooling to use the explicit primary and secondary IPs. Thanks again.

          Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.