Multiple link to the same ISP Gateway and failover



  • Hi,
    I have 2 pfSense with HA and CARP configured.
    The WAN interfaces are both linked to the default gateway (172.16.0.177), something like this:

    [pfSense1]172.16.0.181 –------------------------------ [ISP Switch 1] –--- [ISP Router 1]
                  [CARP WAN]172.16.0.180                          ||            [GW IP 172.16.31.177]
    [pfSense2]172.16.0.182 –------------------------------ [ISP Switch 2] –--- [ISP Router 2]

    The master was pfSense1, but a few days ago we experienced a failure in the link between pfSense1 and ISP Switch 1.
    I thought that the failover capabilities would have switched CARP and services from pfSense1 to pfSense2, but I was wrong: I had to power off pfSense1 in order to let pfSense2 to take over CARP and services.

    Is there a way to instruct pfSense to demote itself when it can't reach the default GW, or, if this is already the expected behaviour, in there anybody who has an idea of what is wrong in my configuration.

    Thank you!



  • A 'link' failure between FW1 and SW1 should cause a failover.  If the link didn't actually go down (let's speculate that they screwed up your vlan) then to the best of my knowledge, failover will not occur.


  • LAYER 8 Netgate

    I don't think CARP is dependent on link state.  It's dependent on hellos, so a misconfigured VLAN would result in a failover.

    It should have failed over, with pfSense 2 becoming master on 172.16.0.180

    A failure between one of the ISP routers and that switch should trigger their gear to fail over.

    I suppose it's possible if receive traffic at pfSense 2 was impeded but transmit traffic was reaching the switch, that pfSense 2 would think pfSense 1 was alive (hellos received) and not fail over.  I'm not sure if CARP does checking for bi-directional traffic.



  • Thank you.
    Actually failover didn't occur at all.
    pfSense1 was unable to reach the gatway (the link started to flap, but without IP connection, and after e few minutes it stayed down), while pfSense2 was ok but it remained in slave state. The only thing I could do was to power off pfSense1 from ILO because I wasn't  even able to reach the GUI from LAN. As soon as I powered off pfSense1, the slave became master.

    So there's no way to instruct pfSense to "demote" itself when it can't reach the default gw?

    Thank you.


  • LAYER 8 Netgate

    Well, you can disable CARP on the master in Status > CARP (failover)

    I think there are a couple new widgets in 2.2.1 that deal with resetting the demotion score or something.  I haven't looked at it yet.

    Yeah: https://doc.pfsense.org/index.php?title=2.2.1_New_Features_and_Changes#VIP.2FCARP


Log in to reply