Two separate pfsense clusters on same layer 2 and subnet

paulm

Hi

We are currently running a pfsense cluster in one DC using CARP. In another DC, which has an L2 link between them, we need to setup a separate pfsense cluster on the same subnet/L2 to be a secondary gateway. We are basically getting some transit in from another provider into this new DC and migrating some services over to it, however both clusters need to remain online with the L2 in place.

Are there any issues with doing this? Do I just need to ensure that the VHIDs and passwords are different?

Thanks, Paul.

paulm

Can anyone assist please? Thanks

podilarius

I have not personally attempted this, but know a little about CARP, I think you are correct.
As long as the VHIDs are different, you should be able have the pfSense machines with CARP in the same L2 switch (even if linked by distance).

We did do a similar move, but since I was moving the equipment, we just used a single firewall for a few days at the new site until the equipment moved over.
After which, we just restored an updated config on each of the cluster members that contained the new IPs.

awebster

I have 3 clusters of pfSense running on a nework and they all co-exist well.
You absolutely need to ensure that the VHID is different between each cluster set, and also that it does not overlap any other CARP or VRRP instances running on the same L2.
If you are using IPv4 and IPv6, you also need different VHID for each protocol.