Netgate Discussion Forum

    CARP: adding additional Interface/VLAN

    hphan082

      Hi everyone,
      I'm looking into deploying CARP for my company. Due to the nature of our business, I frequently add and remove VLAN interfaces on the firewall, almost weekly.
      How would I handle that with a pair of pfSense in HA? During initial setup, I know I have to assign a real IP to the VLAN interface on each firewall and create a CARP VIP.
      After the firewall is running in HA, do I still have to add the new VLAN interface directly to each firewall and create the VIP? Or should I be OK with just adding the VLAN and VIP on the primary firewall, with the configuration replicating to the second one?

      I'm guessing I have to manually add to each firewall, but I just want to confirm before messing around with it.

      Derelict (Netgate)

        When you add VLANs and interfaces to a node in a high availability pair, the changes are not synced.  When you finally add the CARP VIP to the master, that is synced.

        I'm sort of new to pfSense HA, but I've been spending a bit of time with it lately and this is what I have learned:

        pfSense (pfsync) syncs based on the internal interface designator.  These are wan, lan, and optX.  It doesn't care what your pretty interface name is.

        It doesn't matter if you don't use the physical, untagged interfaces.  Assign them to pfSense interfaces first thing.  Make each HA node match exactly.

        This was tricky for me because the master node I was trying to sync had VLAN 81 on re2 as OPT1 due to the way I built it without HA in mind.  So I had to do the same on the new, backup node before I could sync effectively.

        Then you want to sync.  I used the procedure in the 2.2 book.

        If you do not do this and you have GUESTLAN on an internal designator of opt2 on one node and opt1 on another, it will not work.

        A High Availability pair of nodes must be treated very carefully.  It works fine, but you can shoot yourself in the foot very easily.

        I just brought a new VLAN interface up on my HA pair.  This is what I did:

        MASTER
        Interfaces > (assign) Create VLAN 82 on re2
        Interfaces > (assign) New interface OPT6 assigned to VLAN 82 on re2
        Interfaces > OPT6 Enable and set IPv4 address to 172.22.82.2/24

        None of that was synced to the backup node.

        BACKUP
        Interfaces > (assign) Create VLAN 82 on re2
        Interfaces > (assign) New interface OPT6 assigned to VLAN 82 on re2
        Interfaces > OPT6 Enable and set IPv4 address to 172.22.82.3/24

        Again, none of that was synced.

        I then verified that .2 could ping .3 and .3 could ping .2.

        MASTER
        Firewall > Virtual IPs Create CARP VIP on OPT6 on 172.22.82.1/24

        THIS was synced, with reasonable defaults on Backup to ensure it was Backup. (Base 1 Skew 0 on Master and Base 1 Skew 100 on Backup)  Master node was master on the new VIP and backup was backup.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
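
        The designator-matching rule described above (pfsync keys on wan/lan/optX, not on the description) can be checked before the first sync. The following is an added example, not code from the post or from pfSense: it compares the interface sections of two config.xml backups and flags any designator whose underlying device or VLAN differs. The config.xml layout used here (`<interfaces><optN><if>…</if>…`) and the two sample configs are constructed assumptions based on the interfaces named in the post.

```python
"""Added example (not from the forum post or pfSense): verify that two HA
nodes assign the same device/VLAN to each internal interface designator
(wan, lan, optN) before enabling config sync.  Assumes the config.xml
layout <interfaces><optN><if>device</if>...; the sample documents are
constructed to mirror the GUESTLAN opt1/opt2 mismatch from the post."""
import xml.etree.ElementTree as ET

# Constructed sample: master built without HA in mind, GUESTLAN is opt1.
MASTER_CONFIG = """<pfsense><interfaces>
  <wan><if>re0</if><descr>WAN</descr></wan>
  <lan><if>re1</if><descr>LAN</descr></lan>
  <opt1><if>re2.81</if><descr>GUESTLAN</descr><ipaddr>172.22.81.2</ipaddr></opt1>
  <opt6><if>re2.82</if><descr>OPT6</descr><ipaddr>172.22.82.2</ipaddr></opt6>
</interfaces></pfsense>"""

# Constructed sample: backup added GUESTLAN later, so it landed on opt2.
BACKUP_CONFIG = """<pfsense><interfaces>
  <wan><if>re0</if><descr>WAN</descr></wan>
  <lan><if>re1</if><descr>LAN</descr></lan>
  <opt2><if>re2.81</if><descr>GUESTLAN</descr><ipaddr>172.22.81.3</ipaddr></opt2>
  <opt6><if>re2.82</if><descr>OPT6</descr><ipaddr>172.22.82.3</ipaddr></opt6>
</interfaces></pfsense>"""


def assignments(config_xml: str) -> dict:
    """Map internal designator (wan/lan/optN) -> device or VLAN interface.
    Only the <if> element is read: sync keys on the designator, and the
    friendly <descr> is irrelevant to whether rules land on the right NIC."""
    root = ET.fromstring(config_xml)
    return {node.tag: node.findtext("if") for node in root.find("interfaces")}


def mismatches(master_xml: str, backup_xml: str) -> list:
    """Return (designator, master_if, backup_if) for every designator whose
    device/VLAN differs or exists on only one node.  An empty list means the
    pair is consistent.  IP addresses (.2 vs .3) are expected to differ and
    are deliberately not compared."""
    master, backup = assignments(master_xml), assignments(backup_xml)
    return [
        (name, master.get(name), backup.get(name))
        for name in sorted(set(master) | set(backup))
        if master.get(name) != backup.get(name)
    ]


if __name__ == "__main__":
    for name, on_master, on_backup in mismatches(MASTER_CONFIG, BACKUP_CONFIG):
        print(f"{name}: master={on_master} backup={on_backup}")
```

        In the sample, opt1 and opt2 are reported (GUESTLAN sits on different designators), while opt6 passes because both nodes put VLAN 82 on re2 there.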

        hphan082

          Thank you, Derelict. This makes total sense.

          wizard-010

            I have the exact same setup but am not able to sync.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.