HA - VRRP



  • Hi pfSense staff,
        I have used pfSense for 2 years and am a big fan of it. When I set up pfSense as a router, it was still great, but it cannot use HA with other routers (like Cisco, Juniper, …). After searching, I learned that FreeBSD can use FreeVRRP, but when I try to install FreeVRRP with pfSense 2.01, errors say "Can not Create ng_eth, ng_bridge,..." which are part of the netgraph module. Please help me enable the netgraph interface which FreeVRRP needs. With this, pfSense will become a complete router (like Vyatta, ...). Thanks for your help!



  • How would you deal with the issue of state synchronization between master/slave? (i.e. stateful failover)



  • @dhatz:

    How would you deal with the issue of state synchronization between master/slave? (i.e. stateful failover)

    Hi dhatz,
    I want to set up a standalone pfSense router (backup) that uses VRRP with another vendor's router (master) for a redundant LAN gateway; the master/backup role can be modified with the priority for each.



  • It's better if you use 2x pfSense :D CARP with state sync, much better than just VRRP



  • No reason to use VRRP when CARP is built in and does exactly the same thing.



  • @cmb:

    No reason to use VRRP when CARP is built in and does exactly the same thing.

    Because most Cisco and other vendors do not support CARP, and most have VRRP.


  • Rebel Alliance Developer Netgate

    I can only imagine lots of heartache and pain trying to failover between two different brands/architectures of routing equipment.

    In theory it may sound nice, but I find it hard to believe it would do what you want to do in reality.



  • @acc4all:

    Because most Cisco and other vendors do not support CARP, and most have VRRP.

    Which is completely irrelevant. You would never have one firewall failing over to another vendor's router or firewall. It's an incredibly bad idea, something no commercial firewall vendor supports for good reason.



  • @cmb:

    @acc4all:

    Because most Cisco and other vendors do not support CARP, and most have VRRP.

    Which is completely irrelevant. You would never have one firewall failing over to another vendor's router or firewall. It's an incredibly bad idea, something no commercial firewall vendor supports for good reason.

    Here, I am discussing pfSense as a router (not a firewall).
    @jimp:

    I can only imagine lots of heartache and pain trying to failover between two different brands/architectures of routing equipment.

    In theory it may sound nice, but I find it hard to believe it would do what you want to do in reality.

    That is a reason the world needs standards. Why can pfSense use OSPF with Quagga? Because OSPF is a standard, and VRRP is a standard too. Thanks Mr. Cmd and jimp, I will try by myself.



  • Issues with HA are very different from protocols like OSPF or BGP.

    I repeat my previous question: how would you do state synchronization?

    Unless you're only trying to do HA for a pair of pure IP routers (very rare scenario), in every other case you'd need to do state synchronization, which allows a firewall to copy its connection table to other backup firewall(s), so that connections will not be lost if a failover occurs.


Locked