    CARP: adding additional Interface/VLAN

    HA/CARP/VIPs
    • H
      hphan082 last edited by

      Hi everyone,
      I'm looking into deploying CARP for my company. Due to the nature of our business, I frequently add and remove VLAN interfaces on the firewall, almost weekly.
      How would I handle that with a pair of pfSense firewalls in HA? During initial setup, I know I have to assign a real IP to the VLAN interface on each firewall and create a CARP VIP.
      After the firewalls are running in HA, do I still have to add a new VLAN interface directly to each firewall and create the VIP? Or should I be OK with just adding the VLAN and VIP on the primary firewall, with the configuration replicating over to the second one?

      I'm guessing I have to manually add it to each firewall, but I just want to confirm before messing around with it.

      • Derelict
        Derelict LAYER 8 Netgate last edited by

        When you add VLANs and interfaces to a node in a high availability pair, the changes are not synced. When you finally add the CARP VIP to the master, that is synced.

        I'm sort of new to pfSense HA, but I've been spending a bit of time with it lately and this is what I have learned:

        pfSense (pfsync) syncs based on the internal interface designator. These are wan, lan, and optX. It doesn't care what your pretty interface name is.

        It doesn't matter if you don't use the physical, untagged interfaces. Assign them to pfSense interfaces first thing. Make each HA node match exactly.

        This was tricky for me because the master node I was trying to sync had VLAN 81 on re2 as OPT1 due to the way I built it without HA in mind. So I had to do the same on the new, backup node before I could sync effectively.

        Then you want to sync. I used the procedure in the 2.2 book.

        If you do not do this and you have GUESTLAN on an internal designator of opt2 on one node and opt1 on another, it will not work.

        A High Availability pair of nodes must be treated very carefully. It works fine, but you can shoot yourself in the foot very easily.

        I just brought a new VLAN interface up on my HA pair. This is what I did:

        MASTER
        Interfaces > (assign) Create VLAN 82 on re2
        Interfaces > (assign) New interface OPT6 assigned to VLAN 82 on re2
        Interfaces > OPT6 Enable and set IPv4 address to 172.22.82.2/24

        None of that was synced to the backup node.

        BACKUP
        Interfaces > (assign) Create VLAN 82 on re2
        Interfaces > (assign) New interface OPT6 assigned to VLAN 82 on re2
        Interfaces > OPT6 Enable and set IPv4 address to 172.22.82.3/24

        Again, none of that was synced.

        I then verified that .2 could ping .3 and .3 could ping .2.

        MASTER
        Firewall > Virtual IPs Create CARP VIP on OPT6 on 172.22.82.1/24

        THIS was synced, with reasonable defaults on Backup to ensure it was Backup (Base 1 Skew 0 on Master and Base 1 Skew 100 on Backup). Master node was master on the new VIP and backup was backup.

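A pre-sync consistency check for the rule Derelict describes (pfsync keys on the optX designator, so both nodes must map each designator to the same VLAN), added here as an example and not code from the thread or from pfSense. It parses two constructed config.xml excerpts whose layout approximates pfSense's (an assumption) and reports designators whose underlying interface differs between nodes, plus any CARP VIP on the master bound to a designator the backup does not have.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml excerpts approximating the pfSense layout (assumption,
# not copied from a real firewall). On the master, opt6 carries VLAN 82 on re2;
# the backup was built with that VLAN under opt2 instead, so a synced VIP on
# opt6 would point at a designator the backup does not have.
MASTER_XML = """<pfsense>
  <interfaces>
    <lan><if>re1</if><ipaddr>172.22.1.2</ipaddr><subnet>24</subnet></lan>
    <opt1><if>re2.81</if><descr>GUESTLAN</descr><ipaddr>172.22.81.2</ipaddr><subnet>24</subnet></opt1>
    <opt6><if>re2.82</if><descr>NEWVLAN</descr><ipaddr>172.22.82.2</ipaddr><subnet>24</subnet></opt6>
  </interfaces>
  <virtualip><vip><mode>carp</mode><interface>opt6</interface>
    <subnet>172.22.82.1</subnet><subnet_bits>24</subnet_bits><advbase>1</advbase><advskew>0</advskew></vip></virtualip>
</pfsense>"""
BACKUP_XML = """<pfsense>
  <interfaces>
    <lan><if>re1</if><ipaddr>172.22.1.3</ipaddr><subnet>24</subnet></lan>
    <opt1><if>re2.81</if><descr>GUESTLAN</descr><ipaddr>172.22.81.3</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>re2.82</if><descr>NEWVLAN</descr><ipaddr>172.22.82.3</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <virtualip/>
</pfsense>"""

def interface_map(xml_text):
    """Map internal designator to its physical/VLAN interface, e.g. {'opt6': 're2.82'}."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.findtext("if") for child in root.find("interfaces")}

def ha_mismatches(master_xml, backup_xml):
    """List designators whose underlying interface differs between the nodes,
    plus CARP VIPs on the master bound to a designator the backup lacks."""
    master, backup = interface_map(master_xml), interface_map(backup_xml)
    problems = []
    for designator in sorted(set(master) | set(backup)):
        m, b = master.get(designator), backup.get(designator)
        if m != b:
            problems.append(f"{designator}: master={m} backup={b}")
    for vip in ET.fromstring(master_xml).iter("vip"):
        if vip.findtext("mode") == "carp":
            dsg = vip.findtext("interface")
            if dsg not in backup:
                problems.append(f"vip {vip.findtext('subnet')} on {dsg}: missing on backup")
    return problems

if __name__ == "__main__":
    for line in ha_mismatches(MASTER_XML, BACKUP_XML):
        print(line)
```

An empty result means the designator layout matches and a VIP created on the master will land on the same VLAN on the backup.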
        • H
          hphan082 last edited by

          Thank you, Derelict. This makes total sense.
