CARP and load balancing



  • Hi,

    I've set up CARP on two machines - just like in the tutorial. This works fine. One DSL connection, two machines in a cluster eating 3 IPs on the WAN side and 3 IPs on the LAN side - so far so good.

    Now I'm planning another DSL connection. It will be physically in another building but still within the same LAN subnet. I intend to set up one pfSense system in that location for load balancing (outgoing only). I'm considering two options:

    1. Adding a third machine, configuring CARP only on the LAN interface, and adding this machine to a pool for load balancing.
    2. Splitting the two already set up machines - deleting CARP on WAN and configuring load balancing using two separate machines.

    Is this possible and which approach would be less painful? Or maybe this is unreachable (CARP and load balancing over different machines)?

    With the first option I'll have three machines allocating 4 WAN IPs and possibly greater reliability. With the second option I'll free 2 WAN IPs (one from the physical interface, one from CARP) and simplify the configuration (two machines instead of three).

    Any suggestions on my approach?

    And yes, I can separate SYNC traffic from the rest with VLANs.



  • I would set up 2 machines with load balancing as a CARP cluster. Basically that means adding 1 NIC to each of your machines for the additional WAN, configuring a gateway pool and adding firewall rules that utilize the pool as gateway.



  • @hoba:

    I would set up 2 machines with load balancing as a CARP cluster. Basically that means adding 1 NIC to each of your machines for the additional WAN, configuring a gateway pool and adding firewall rules that utilize the pool as gateway.

    Hmm, if I'm getting it right, it means I'll end up with two machines, each one with 4 NICs (WAN1, WAN2, LAN, OPT/SYNC), both of them allocating 6 WAN IPs in total (CARP for WAN1 and CARP for WAN2). And of course I would have to provide the WAN2 subnet to Location1 and the WAN1 subnet to Location2 - this involves setting up two more VLANs to separate that WAN traffic from each other and from other traffic over those 200 metres between the two buildings…

    This looks sophisticated... But if it worked it would be VERY failover capable ;)

    Thanks for the suggestions.



  • In the proposed scenario,

    when you talk about adding firewall rules that utilize the pool as gateway, these rules must be added on the LAN interface, isn't it?

    and the gateway IPs in the load balancer configuration must be the WAN and WAN2 CARP addresses, isn't it?

    If so, I'm trying to make this setup work in a VMware test environment; no luck for now, I'll keep trying.

    I suppose it will work, so, do you think that if I have 2 offices with this configuration, it will be possible to do IPsec between the WANs' CARP addresses?

    Do you know if it is possible, with this setup, to substitute the load balancer with OLSR to have more "intelligent" traffic routing?

    Thanks!!



  • @jmhoms:

    when you talk about adding firewall rules that utilize the pool as gateway, these rules must be added on the LAN interface, isn't it?

    That is right, you have to make the rule on the interface the traffic comes in from.

    @jmhoms:

    and the gateway IPs in the load balancer configuration must be the WAN and WAN2 CARP addresses, isn't it?

    No, you use their gateways (it's a gateway pool). If you use the latest snapshot you'll have these as pulldown options, so there is no footshooting with this setting anymore.
    Don't forget to set your Firewall > NAT, Outbound to Advanced Outbound NAT to utilize your CARP VIPs.

    @jmhoms:

    If so, I'm trying to make this setup work in a VMware test environment; no luck for now, I'll keep trying.

    I have heard that CARP is not happy inside VMware. Haven't tried it myself though.

    @jmhoms:

    I suppose it will work, so, do you think that if I have 2 offices with this configuration, it will be possible to do IPsec between the WANs' CARP addresses?

    Yes, just have a look at the failover tab at VPN > IPsec. I have a setup running in this configuration.
