CARP: adding additional Interface/VLAN

hphan082 · Mar 26, 2015, 6:13 AM

Hi everyone,
I'm looking into deploying CARP for my company. Due to the nature of our business, I frequently add and remove VLAN interfaces on the firewall, almost weekly.
How would I handle that with a pair of pfsense in HA? During initial setup, I know I have to assign real IP to the VLAN interface on each firewall, and create a CARP VIP.
After the firewall is running in HA, do I still have to add new VLAN interface directly to each firewall, and create the VIP? Or should I be ok with just adding the VLAN and VIP from the Primary firewall, and the configuration will replicate over to the 2nd one?

I'm guessing I have to manually add to each firewall, but I just want to confirm before messing around with it.

Derelict · Mar 26, 2015, 8:25 AM

When you add VLANs and interfaces to a node in a high availability pair, the changes are not synced. When you finally add the CARP VIP to the master, that is synced.

I'm sort of new to pfSense HA, but I've been spending a bit of time with it lately and this is what I have learned:

pfSense (pfsync) syncs based on the internal interface designator. These are wan, lan, and optX. It doesn't care what your pretty interface name is.

It doesn't matter if you don't use the physical, untagged interfaces. Assign them to pfSense interfaces first thing. Make each HA node match exactly.

This was tricky for me because the master node I was trying to sync had VLAN 81 on re2 as OPT1 due to the way I built it without HA in mind. So I had to do the same on the new, backup node before I could sync effectively.

Then you want to sync. I used the procedure in the 2.2 book.

If you do not do this and you have GUESTLAN on an internal designator of opt2 on one node and opt1 on another, it will not work.

A High Availability pair of nodes must be treated very carefully. It works fine, but you can shoot yourself in the foot very easily.

I just brought a new VLAN interface up on my HA pair. This is what I did:

MASTER
Interfaces > (assign) Create VLAN 82 on re2
Interfaces > (assign) New interface OPT6 assigned to VLAN 82 on re2
Interfaces > OPT6 Enable and set IPv4 address to 172.22.82.2/24

None of that was synced to the backup node

BACKUP
Interfaces > (assign) Create VLAN 82 on re2
Interfaces > (assign) New interface OPT6 assigned to VLAN 82 on re2
Interfaces > OPT6 Enable and set IPv4 address to 172.22.82.3/24

Again, none of that was synced.

I then verified that .2 could ping .3 and .3 could ping .2

MASTER
Firewall > Virtual IPs Create CARP VIP on OPT6 on 172.22.82.1/24

THIS was synced, with reasonable defaults on Backup to ensure it was Backup. (Base 1 Skew 0 on Master and Base 1 Skew 100 on Backup) Master node was master on the new VIP and backup was backup.

hphan082 · Mar 26, 2015, 10:10 PM

thank you Derelict. This makes total sense.

wizard-010 · Nov 8, 2024, 5:47 AM

i have the exact set up but not able to sync