CARP failover and VLAN addition



  • We will start using pfSense with CARP failover and 10 VLANs. After I put it into a production environment, what could happen if I add another VLAN on the primary node?

    This is what I am thinking.

    1. Add a new VLAN on the primary node
    2. Create a new virtual IP for the VLAN I created
    3. Configure DHCP server
    4. Configure NAT rule for outbound (WAN IP –> WAN CARP IP)

    At step #3, I think I need to enter the IP of the VLAN gateway on the backup node. Basically, if I want to add a new VLAN, do I have to log on to both devices?

    Or, if this kind of change may be risky, should I just make enough VLANs in advance?

    Thank you.



  • VLANs and other interface configurations are not synchronized to the backup pfSense. The other configurations you need will be synchronized if the CARP setup is made accordingly.

    VIPs must be defined as IP Alias and must hook up on a CARP interface address to function and be synchronized to backup.

    Nevertheless, it is not risky to do this later when you need it.



  • Thank you very much.



  • @viragomann:

    VIPs must be defined as IP Alias and must hook up on a CARP interface address to function and be synchronized to backup.

    Not sure what you mean by this. I add VLAN interfaces to CARP clusters regularly and you don't have to do anything with IP Aliases.

    The procedure is roughly:

    1. Configure your switches with the new VLAN.
    2. Create the VLAN on both primary and secondary.
    3. Assign the new VLAN to a new interface, again on both primary and secondary.
    4. Configure the new interface on both boxes, e.g. primary 10.20.30.2, secondary 10.20.30.3.

    From now on, you just need to configure the primary:

    5. Add a new CARP VIP (e.g. 10.20.30.1), configure the outbound NAT, firewall rules, etc.
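The split the answer above describes (VLAN and interface assignment are per-node, CARP VIP and the rules on top of it are synced from the primary) is easy to get half-done, which is exactly the asker's worry. The following script is an added example, not code from this thread or from the pfSense project: it compares config exports from both nodes and reports anything that would only exist on one side. The element names (`vlans/vlan`, `interfaces/<name>`, `virtualip/vip`) are an assumption modelled on the layout of a pfSense `config.xml` backup, and the sample fragments are constructed, including a "stale secondary" that only ever received the synced VIP.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config fragments (assumed config.xml layout, not taken from the thread).
PRIMARY_XML = """<pfsense>
  <vlans>
    <vlan><if>em1</if><tag>30</tag><vlanif>em1.30</vlanif><descr>new vlan</descr></vlan>
  </vlans>
  <interfaces>
    <lan><if>em1</if><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em1.30</if><ipaddr>10.20.30.2</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>10.20.30.1</subnet><subnet_bits>24</subnet_bits><vhid>30</vhid></vip>
  </virtualip>
</pfsense>"""

# A correctly prepared secondary: same VLAN and interface, its own node address.
SECONDARY_XML = PRIMARY_XML.replace("192.168.1.2", "192.168.1.3").replace("10.20.30.2", "10.20.30.3")

# A secondary where steps 2-4 were skipped; only the VIP arrived via sync.
SECONDARY_STALE_XML = """<pfsense>
  <vlans></vlans>
  <interfaces>
    <lan><if>em1</if><ipaddr>192.168.1.3</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>10.20.30.1</subnet><subnet_bits>24</subnet_bits><vhid>30</vhid></vip>
  </virtualip>
</pfsense>"""


def parse_node(xml_text):
    """Extract VLANs, assigned interfaces and CARP VIPs from one node's config."""
    root = ET.fromstring(xml_text)
    vlans = {(v.findtext("if"), v.findtext("tag")): v.findtext("vlanif") for v in root.iter("vlan")}
    ifaces = {}
    for node in root.find("interfaces"):
        ifaces[node.tag] = {
            "port": node.findtext("if"),
            "addr": ipaddress.ip_interface(f"{node.findtext('ipaddr')}/{node.findtext('subnet')}"),
        }
    vips = [{"iface": v.findtext("interface"), "addr": ipaddress.ip_address(v.findtext("subnet")),
             "vhid": v.findtext("vhid")}
            for v in root.iter("vip") if v.findtext("mode") == "carp"]
    return {"vlans": vlans, "ifaces": ifaces, "vips": vips}


def check_cluster(primary_xml, secondary_xml):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, s = parse_node(primary_xml), parse_node(secondary_xml)
    findings = []
    # 1. VLANs are per-node config: the same (parent port, tag) pairs must exist on both.
    for port, tag in sorted(set(p["vlans"]) ^ set(s["vlans"])):
        missing_on = "secondary" if (port, tag) in p["vlans"] else "primary"
        findings.append(f"VLAN {tag} on {port} is missing on the {missing_on}")
    # 2. Interface assignments are per-node too: same name and port on both,
    #    distinct node addresses inside the same subnet.
    for name in sorted(set(p["ifaces"]) | set(s["ifaces"])):
        pi, si = p["ifaces"].get(name), s["ifaces"].get(name)
        if pi is None or si is None:
            findings.append(f"interface {name} is assigned on only one node")
            continue
        if pi["port"] != si["port"]:
            findings.append(f"interface {name} uses {pi['port']} on primary but {si['port']} on secondary")
        if pi["addr"].network != si["addr"].network:
            findings.append(f"interface {name} subnets differ: {pi['addr']} vs {si['addr']}")
        elif pi["addr"].ip == si["addr"].ip:
            findings.append(f"interface {name} has the same address {pi['addr'].ip} on both nodes")
    # 3. CARP VIPs are synced, so each node must have the interface they reference;
    #    the VIP must sit inside that subnet, not collide with a node address,
    #    and VHIDs must be unique per node.
    for label, node in (("primary", p), ("secondary", s)):
        seen_vhids = set()
        for vip in node["vips"]:
            iface = node["ifaces"].get(vip["iface"])
            if iface is None:
                findings.append(f"{label}: CARP VIP {vip['addr']} references unassigned interface {vip['iface']}")
                continue
            if vip["addr"] not in iface["addr"].network:
                findings.append(f"{label}: CARP VIP {vip['addr']} is outside {iface['addr'].network}")
            if vip["addr"] == iface["addr"].ip:
                findings.append(f"{label}: CARP VIP {vip['addr']} collides with the node address")
            if vip["vhid"] in seen_vhids:
                findings.append(f"{label}: VHID {vip['vhid']} is used by more than one CARP VIP")
            seen_vhids.add(vip["vhid"])
    return findings


if __name__ == "__main__":
    print("prepared secondary:", check_cluster(PRIMARY_XML, SECONDARY_XML) or "consistent")
    for finding in check_cluster(PRIMARY_XML, SECONDARY_STALE_XML):
        print("stale secondary:", finding)
```

Run against real exports, the three findings the stale sample produces (missing VLAN, interface assigned on one node only, VIP pointing at an interface the secondary does not have) are the ones that surface only at failover time, when the backup takes over the VIP for a subnet it has no interface in.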

