Transparent Bridge + CARP, possible ?


  • Hi all,

    I'm totally new here, like the software very much, but don't know if I'm asking in the right forum.

    I want to make 2 firewalls in failover-mode using CARP.

    Something I can't figure out is the following:

    I want to use my firewalls as Transparent bridge, will this give any problems for this setup ?

    Because I will only use public IPs, I thought about giving the CARP IPs for communication between the systems a normal 192.x.x.x range, because these 2 nodes will only communicate over a crossover cable on a specific interface.

    Some other, not CARP-related question that I can't figure out is the following:

    For transparent bridging, do I need to set every public IP of every server also at the WAN side of the firewall?

    I hope someone can make this clear to me.

    Thanks !

    Matt


  • I was just about to post a topic about this as well, as I am confused about how one would go about creating a transparent firewall and using CARP at the same time (two interfaces bridged, one for CARP syncing). Has anyone ever done this?

    Thanks!
    – james


  • Search the forum.


  • My apologies, I don't mean to hijack a thread here, but I think my issue is the same as Matt's.

    Searching for transparent + CARP didn't come up with too much. The document http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense seems to be similar to what I am thinking. However, I have a question about the setup diagrammed there: what exactly happens when one of the links goes down?

    For example, if the primary WAN link went down (someone trips on a wire :-P), the backup would take over the virtual WAN IP via CARP. What happens to the LAN virtual IPs? I don't see how the setup works if the LAN side of things doesn't switch over as well. I feel like I am missing something about CARP :-(

    Second question would be similar to the above but what if the links were bridged instead?

    Thanks for any and all help!


  • I can't confess to understanding exactly how it does it, but when one of the links to the master fails (either LAN or WAN) it fails over almost instantly on both interfaces to the slave.

    I have tested this by yanking the LAN or WAN interface out of the master, and by the time I get back to my desk to check, it has all failed over.

    I think there are some issues with CARP and bridges, but I seem to remember someone posting a sort of solution that was better than STP.



  • Hi,

    Thanks for the kind link. I was searching the forum, but in some strange way I got 0 results for some time.

    I have read about the spanning tree option; this might be a good idea, but this solution is also what I really like. Thanks a lot!!