    CARP with two NICS?

    • nlevesque

      Hi, I'm new to pfSense and BSD for that matter. I need to have failover for my firewalls and CARP seems the way to go. However, I only have two NIC cards in the boxes I am using, and no way to add more (1U servers and no riser cards). Any suggestions would be appreciated. I was wondering if I could use the serial interface for pfSync?

      Thanks in advance
      Nate

      • hoba

        You can run pfsync on LAN too. However, this would add some broadcast traffic to your LAN segment. The other option is to use VLANs.

        • nlevesque

          I am using the LAN for pfSync right now and it seems somewhat buggy. I think the extra broadcast traffic is what is causing the issues. I have six servers behind pfSense using 1:1 NAT, and NAT reflection (Port Forwarding and Virtual IPs) exposed through public IPs. I have two VIPs (CARP) set up, one for the LAN and one for the WAN, as well as DNS Forwarding. Three of the servers are web servers, two are database, and one is web and database. Any issues with this config? I will try the VLAN and report back. However, if you think there may be an issue with my setup, please let me know.

          Thanks again,
          Nate

          • hoba

            How do you use 1:1 NAT for 6 servers with only one VIP at WAN? This somehow sounds like an invalid setup. Please tell us a bit more about how you set things up.

            • nlevesque

              I have Proxy ARP VIPs for the servers and one CARP VIP for each of the interfaces (WAN & LAN). Sorry about the confusion.

              • hoba

                Why not move the ProxyARP VIPs to CARP too? This way they would become redundant as well. Btw, 1:1 NAT won't work with NAT reflection. NAT reflection only works for port forwards. Are you testing this from outside your network coming from WAN or are you testing from inside?

                • nlevesque

                  I do have port forwarding set up for the servers. I had the 1:1 NAT set up before I realized I needed the port forwarding for reflection and just left the 1:1 NAT intact. I know that is redundant, but it isn't hurting anything, or is it? I have extensively tested this setup both internally and externally. It seemed to work for a little while and then something got screwed up and I can't figure it out. It seemed that periodically some of the web sites behind the pfSense boxes would be very snappy and then a short time would pass and then they would be very slow to respond, if they responded at all. The web traffic wasn't any greater at any given time; it was very little traffic, if any at all, at any given time. That is what brought me to the conclusion that it might be the fact that I am running CARP/pfSync on the LAN interface. I hope this sheds more light on my situation. Thanks for all your patience.

                  • sullrich

                    http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

                    • hoba

                      Somehow sounds like master status is swapping back and forth. Can you verify that this is not happening?

                      • nlevesque

                        Actually, this is exactly what is happening. For some reason the backup will become the master node for the LAN while the primary will remain the master for the WAN. When I pull out the cables for the WAN and LAN on the backup, the primary seems to grab the WAN and LAN and all is well. I have no clue why this is happening. It seems to happen at random. I will try to set up a VLAN for pfSync and do some abuse testing. I will be able to report back on this sometime late tomorrow. I wish I had a better understanding of what was going on so I could give you more info. Thanks for all the help so far.

                        • hoba

                          pfsync and carp shouldn't interfere with each other. Swapping Master/Backup status can only be related to CARP, not to pfSync.

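One way to check for the split master status described in this thread (one node MASTER on LAN while BACKUP on WAN), as an added example that is not from any poster here: the script parses `ifconfig`-style output and reports whether all CARP VHIDs on a node agree. The function names, interface names and sample addresses are constructed, and the `carp: STATE vhid N ...` line layout is assumed to be the FreeBSD one.

```shell
#!/bin/sh
# Added example: flag a node whose CARP VHIDs disagree on MASTER/BACKUP.
# Assumes FreeBSD-style "carp: STATE vhid N advbase N advskew N" lines.

# Print "interface vhid state" for every carp line read from stdin.
carp_states() {
    awk '
        { c = substr($0, 1, 1) }
        # A line that does not start with whitespace opens a new interface.
        c != " " && c != "\t" && NF > 0 { iface = $1; sub(/:$/, "", iface) }
        $1 == "carp:" {
            vhid = "?"
            for (i = 2; i < NF; i++) if ($i == "vhid") vhid = $(i + 1)
            print iface, vhid, $2
        }
    '
}

# Print "consistent" when every VHID on this node reports the same state,
# "split" when they differ, "none" when no CARP VHIDs are present.
carp_verdict() {
    carp_states | awk '
        { seen[$3] = 1; n++ }
        END {
            if (n == 0) { print "none"; exit }
            k = 0
            for (s in seen) k++
            print (k == 1 ? "consistent" : "split")
        }
    '
}

# Constructed sample: the backup node in the state the thread describes
# (still BACKUP on WAN, but MASTER on LAN).
sample_split() {
    cat <<'EOF'
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
        carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        carp: MASTER vhid 2 advbase 1 advskew 100
EOF
}

# On a live node: ifconfig | carp_verdict
if [ "${1:-}" = "demo" ]; then sample_split | carp_verdict; fi
```

Running the verdict on both nodes at intervals and logging any "split" result shows whether the swap coincides with the slow periods.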