Colocate / constrain CARP VIPs on different interfaces to same machine
We're testing the following setup:
[ gw1 ] [ gw2 ] \ / - - - - GW_VIP - - - - | | | | | | - - - - WAN_VIP - - - - / \ [ pf1 ] [ pf2 ] \ / - - - - LAN_VIP - - - -
LAN machines use LAN_VIP as their default gateway, and the two pfSense machines use GW_VIP as their default gateway.
The gateways use WAN_VIP to send traffic back towards LAN.
My question is - say pf1's WAN interfaces goes down (e.g. cable unplugged), then WAN_VIP will hop over to pf2. But LAN_VIP is still located on pf1.
So LAN machines send their traffic to pf1, which then can't forward the traffic further…
Is there a way to "tie" LAN_VIP and WAN_VIP together? I.e. ensure that they always reside on the same machine?
Or is there a better setup altogether in a situation like this?
If CARP is set up correctly and you unplug the WAN cable from pf1 pf2 becomes master and takes over all VIPs.
However, in virtual environments there are often malfunctions with CARP due to faults or misconfigurations of the virtual switches.
Oh, I didn't know that! So they already are tied together by default? Is there some kind of hierarchy? Or will any one CARP failover someplace else pull over all other CARPs as well?
As far as my experience goes it doesn't matter which interface fails, if any all CARP VIPs of this system become backup and the other box take them over as master.
From my experience, if any interface with a CARP address goes down, the entire system switches over. In case you are running a DMZ as well as LAN and WAN.
From my experience, if any interface with a CARP address goes down, the entire system switches over.
That's CARP pre-empt at work, which is enabled by default in pfSense.