Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP VIP & fail-over

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    2
    2
    2.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Falko
      last edited by

      i hope you can give me some pointers while moving from iptables to pfsense
      since pfsense seems to have the better failover solution than iptable (ipcluster)
      i want to set up 2 pfsense firewalls and have some questions
      first my structure/idea after that are my questions

      NET
      ___________________________
                |               
        .|~.  .~~~~~~~~~~.
        |  FW1      |  |  FW2      |
        |  HW: atom  |  | HW: "VBox" |
        ```|||||  ``````````````       |||||                ====+=+++++=+==========+=========+========   __|_    _|__      __|_      __|__ |WS01|  |WS02| .. |WSXY| .. |OTHER| ..           ```````

      That is the current Configuration
      at the moment i only use firewall 1 (FW1)
      it is a debian box with iptables that has an atom cpu as hardware
      and i think about switching to pfsense to get some fail-over and (best case) load balancing

      the rules for in/outbound traffic and traffic between the vlans are simple and i dont see a problem converting them
      if i read the manual/websites correctly i can replace netmap with Proxy ARP
      therefore i could get the same configuration i have now

      now to the "new" stuff
      i have an intel server that has some (2-3) unused NICs and virtualbox installed
      my idea is to use carp to get some fail-over and perhaps load balancing
      (

      most workstations get a public ip to avoid logging their connections
      a shared public ip would be great for 2 public services

      now to the questions:

      • can i use multiple CARP VIP as a base for a 1:1 NAT? (i need 10-20 1:1 NAT ip addresses)
      • is it more useful to use multiple default gateways (iproute2) in the linux machines or a set of shared LAN CARP VIP? (one for each VLAN)
      • do i need a specific switch support/configuration to enable the in/outbound CARP VIPs? (i have a cisco switch)
      • i using LACP ports with CARP a problem?

      would be great to get some insight :)

      1 Reply Last reply Reply Quote 0
      • C
        cmb
        last edited by

        @Falko:

        now to the questions:

        • can i use multiple CARP VIP as a base for a 1:1 NAT? (i need 10-20 1:1 NAT ip addresses)

        Yes.

        @Falko:

        • is it more useful to use multiple default gateways (iproute2) in the linux machines or a set of shared LAN CARP VIP? (one for each VLAN)

        Having multiple default gateways on the Linux machines will introduce complications unless you're doing policy routing within Linux. Without policy routing, you'll have issues because only one default gateway will be used, and that will route return traffic out the wrong way in some cases. Single homing everything is easiest for that reason.

        @Falko:

        • do i need a specific switch support/configuration to enable the in/outbound CARP VIPs? (i have a cisco switch)

        If it's a real Cisco switch and not a Linksys Cisco, should be fine. The Linksys Cisco switches at times have security-related settings enabled that break multicast. It's also possible to break multicast on a real Cisco switch but such configs are very uncommon.

        @Falko:

        • i using LACP ports with CARP a problem?

        no, lots of people do that.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post