4. CARP failover when GW fails

CARP failover when GW fails

  • K

    Hi,

    currently my setup is as follows. I have two firewalls with carp enabled. The WAN Interface is a physically one. The LAN interface is devided into multiple vlan's. I use on all Interfaces carp for failover. This is working flawless.

    So now i have the posibility to split both boxes to two diffrent housings. Between both housings i run a WLAN-bridge with VLAN's enabled. So i can bring the VLAN's for LAN and also for WAN to both housings. We would also have two independent ISP-Uplinks. One with 30M/4M and the second one with 4M/512k (which will be only used when the main uplink fails).

    CARP won't be the problem, because of the same VLAN's on both sides.

    My problem is the WLAN-bridge. When let's say the mainlink fails, pfsense will be active on main side and won't automatically change. All internet traffic from backup side, went through the WLAN-bridge to main side (LAN default GW - primary pfsense) and went back via the WLAN-bridge to backup WAN-GW, because the main WAN-GW fails.

    Is there a possibility to switchover carp if the GW on the main side fails to the backup pfsense on backup side?

    There is also a second topic in routing forum, but now i will only check the possibility to enable the automatic failover. ifstated can't help, because i can't bring down the physical interfaces, because then i don't have the possibility to receive carp messages on sync Interface, because sync Interfaces is only a vlan-interface.

    Thanks in advance,
    regards
    Herbert

    0
  • K

    Hi,

    can two CARP-groups per interface/vlan help?

    One carp for backupside with active on backup (carp-ip is the default-gw for backupside), and the second carp for mainside with active on main (carp-ip is the default-gw for mainside).
    This should solve the problem with double data traffic on WLAN-bridge, and also the load-balance the firewall,…

    What do you think?

    regards
    Herbert

    0
  • C

    CARP and multi-WAN are two separate, unrelated things. Though you could hack apinger's config to run a custom script that disables CARP when a WAN goes down and triggers a filter reload, and another one that re-enables it + a filter reload when a WAN comes back up.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy