Carp interface



  • Hi,

    I just read the CARP setup doc at: http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

    I am not sure I understand as it seems impossible to set the same vhid to vip as stated; when I assign a different one it seems to work BUT both nodes are labeled as masters, which does not really make sense, one should be labeled as backup.

    When I look at the network interface I get this:

    Master:

    ifconfig

    xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            options=9<RXCSUM,VLAN_MTU>
            inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
            inet6 fe80::250:daff:fe0b:33e3%xl0 prefixlen 64 scopeid 0x1
            ether 00:50:da:0b:33:e3
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet 192.168.15.120 netmask 0xffffff00 broadcast 192.168.15.255
            inet6 fe80::2a0:c9ff:fef1:8e4e%fxp0 prefixlen 64 scopeid 0x2
            ether 00:a0:c9:f1:8e:4e
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::2d0:b7ff:fe4e:683e%fxp1 prefixlen 64 scopeid 0x3
            ether 00:d0:b7:4e:68:3e
            media: Ethernet autoselect (10baseT/UTP)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    pfsync0: flags=41<UP,RUNNING> mtu 1348
            pfsync: syncdev: xl0 maxupd: 128
    pflog0: flags=100<PROMISC> mtu 33208
    carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
            inet 172.16.2.20 netmask 0xffffff00
            carp: MASTER vhid 1 advbase 1 advskew 0

    Backup:

    ifconfig

    fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet6 fe80::2d0:b7ff:fe68:dd1%fxp0 prefixlen 64 scopeid 0x1
            inet 172.16.2.2 netmask 0xffffff00 broadcast 172.16.2.255
            ether 00:d0:b7:68:0d:d1
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 192.168.15.121 netmask 0xffffff00 broadcast 192.168.15.255
            inet6 fe80::250:baff:fe20:5353%vr0 prefixlen 64 scopeid 0x2
            ether 00:50:ba:20:53:53
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::210:4bff:fe2a:5927%xl0 prefixlen 64 scopeid 0x3
            ether 00:10:4b:2a:59:27
            media: Ethernet autoselect (10baseT/UTP)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    pfsync0: flags=41<UP,RUNNING> mtu 1348
            pfsync: syncdev: fxp0 maxupd: 128
    pflog0: flags=100<PROMISC> mtu 33208
    carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
            inet 172.16.2.21 netmask 0xffffff00
            carp: MASTER vhid 2 advbase 1 advskew 10

    My question is: shouldn't I get the slave node labeled as backup instead of master?
    I only enable the master to copy its config over to the backup.

    Regards,
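
An added example, not part of the original posts or of pfSense: CARP nodes only elect a master among peers advertising the same vhid, so the two `carp0` stanzas in the first post (vhid 1 on 172.16.2.20, vhid 2 on 172.16.2.21) describe two one-member groups. This Python check parses both outputs and reports that; `parse_carp` and `check_pair` are hypothetical helper names.

```python
import re

# carp0 stanzas as quoted in the first post, one per node.
NODE_A = """carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 172.16.2.20 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0
"""
NODE_B = """carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 172.16.2.21 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 10
"""

def parse_carp(ifconfig_text):
    """Map vhid -> {ifname, vip, state, advskew} for every carp stanza."""
    groups, ifname, vip = {}, None, None
    for line in ifconfig_text.splitlines():
        if m := re.match(r"(\S+): flags=", line):
            ifname, vip = m.group(1), None          # new interface stanza
        elif m := re.match(r"\s+inet (\S+)", line):
            vip = vip or m.group(1)                  # first IPv4 address
        elif m := re.match(r"\s+carp: (\w+) vhid (\d+) advbase \d+ advskew (\d+)", line):
            groups[int(m.group(2))] = {"ifname": ifname, "vip": vip,
                                       "state": m.group(1), "advskew": int(m.group(3))}
    return groups

def check_pair(a_text, b_text):
    """Return findings for a two-node cluster; an empty list means consistent."""
    a, b = parse_carp(a_text), parse_carp(b_text)
    findings = []
    for vhid in sorted(set(a) | set(b)):
        if vhid not in a or vhid not in b:
            # No peer advertises this vhid, so its only member stays MASTER.
            findings.append(f"vhid {vhid}: configured on one node only")
            continue
        if a[vhid]["vip"] != b[vhid]["vip"]:
            findings.append(f"vhid {vhid}: VIP mismatch {a[vhid]['vip']} / {b[vhid]['vip']}")
        masters = sum(n["state"] == "MASTER" for n in (a[vhid], b[vhid]))
        if masters != 1:
            findings.append(f"vhid {vhid}: {masters} MASTER nodes, expected 1")
    return findings

if __name__ == "__main__":
    for finding in check_pair(NODE_A, NODE_B):
        print(finding)
```

A pair that shares the vhid and VIP but still shows two MASTER nodes points at CARP advertisements not reaching the peer rather than at a configuration mismatch.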



  • Ok, never mind,

    I figured it out, I had to enable Synchronize Virtual IPs on the master and voila.

    Great software guys, thank you very much!!

    ++



  • Hi,

    Ok, it seems to work ok BUT its main function (failover) is NOT working.
    All rules are copied ok BUT when I turn off the master, the slave remains exactly as is, I mean it keeps its own IP address etc., therefore the firewall is seen as down; in other words, the backup is not taking over.

    I must have forgotten some obvious settings BUT I RTFM at least 10 times to look for what was missing, any hints?

    I did set the VIP on the SYNC interface; should it be on the WAN interface instead? I am not sure I understand fully how it is supposed to work. Can anyone shed some light?

    Regards,



  • Try following http://pfsense.com/mirror.php?section=tutorials/carp/carp-cluster-new.htm , maybe you'll find the missing checkbox by watching the tutorial  ;)



  • Ok, I've made it work!

    There is more info now on the tutorial, and it helped.

    Regards,



  • Which information was missing? I'll add it to the doc wiki if you let me know.



  • @hoba:

    Which information was missing? I'll add it to the doc wiki if you let me know.

    Well, in the animated doc it mentions to check the box "preemption", which does not exist in the latest version of pfSense, so I had to figure it out logically. My problem was my comprehension of the VIP. Once understood that the VIP becomes the real IP used by the subnet, then it becomes easy.

    The VIP concept is not clear in the written doc.

    Regards,



  • We enable preemption by default now, that's why the box is missing (the tutorial was not updated regarding this). I'll have a look at the doc to see if it can be made clearer or easier to understand.

