CARP with two NICs?



  • Hi, I'm new to pfSense and BSD for that matter. I need to have failover for my firewalls and CARP seems the way to go. However, I only have two NIC cards in the boxes I am using, and no way to add more (1U servers and no riser cards). Any suggestions would be appreciated. I was wondering if I could use the serial interface for pfSync?

    Thanks in advance
    Nate



  • You can run pfsync on LAN too. However, this would add some broadcast traffic to your LAN segment. The other option is to use VLANs.



  • I am using the LAN for pfSync right now and it seems somewhat buggy. I think the extra broadcast traffic is what is causing the issues. I have six servers behind pfSense using 1:1 NAT, and NAT reflection (Port Forwarding and Virtual IPs) exposed through public IPs. I have two VIPs (CARP) set up, one for the LAN and one for the WAN, as well as DNS Forwarding. Three of the servers are web servers, two are database, and one is web and database. Any issues with this config? I will try the VLAN and report back. However, if you think there may be an issue with my setup, please let me know.

    Thanks again,
    Nate



  • How do you use 1:1 NAT for 6 servers with only one VIP at WAN? This somehow sounds like an invalid setup. Please tell us a bit more about how you set things up.



  • I have Proxy ARP VIPs for the servers and one CARP VIP for each of the interfaces (WAN & LAN). Sorry about the confusion.



  • Why not move the ProxyARP VIPs to CARP too? This way they would become redundant as well. Btw, 1:1 NAT won't work with NAT reflection. NAT reflection only works for port forwards. Are you testing this from outside your network coming from WAN or are you testing from inside?



  • I do have port forwarding set up for the servers. I had the 1:1 NAT set up before I realized I needed the port forwarding for reflection and just left the 1:1 NAT intact. I know that is redundant, but it isn't hurting anything, or is it? I have extensively tested this setup both internally and externally. It seemed to work for a little while and then something got screwed up and I can't figure it out. It seemed that periodically some of the web sites behind the pfSense boxes would be very snappy and then a short time would pass and then they would be very slow to respond, if they responded at all. The web traffic wasn't any greater at any given time; it was very little traffic, if any at all, at any given time. That is what brought me to the conclusion that it might be the fact that I am running CARP/pfSync on the LAN interface. I hope this sheds more light on my situation. Thanks for all your patience.





  • Somehow sounds like master status is swapping back and forth. Can you verify that this is not happening?



  • Actually this is exactly what is happening. For some reason the backup will become the master node for the LAN while the primary will remain the master for the WAN. When I pull out the cables for the WAN and LAN on the backup, the primary seems to grab the WAN and LAN and all is well. I have no clue why this is happening. It seems to happen at random. I will try to set up a VLAN for pfSync and do some abuse testing. I will be able to report back on this sometime late tomorrow. I wish I had a better understanding of what was going on so I could give you more info. Thanks for all the help so far.



  • pfsync and carp shouldn't interfere with each other. Swapping Master/Backup status can only be related to CARP, not to pfSync.

