High availability system

  • Hi,
    I'm planning a highly available system with redundant firewalls, switches and servers. See attached image. Currently I have Fig. 1 configured, and it's working perfectly.
    But the switch is the single point of failure, and the goal is to set up a system like Fig. 2.

    Is it possible to have two NICs from each pfSense connected to the LAN using CARP? How do I set up the two interfaces in addition to CARP?

    ![High availabillity.png](/public/imported_attachments/1/High availabillity.png)

  • It should work without the cross-connection of the pfSenses to both switches (without additional OPTs). However, there is one condition uncovered: when the pfSense at the lower switch dies and the upper switch at the same time, or vice versa.
    The problem with this setup is that CARP doesn't work with bridged interfaces, and you would have to add a new subnet to the OPTs with a CARP VIP from this subnet.

  • You only need one connection to each switch.  If the switch your primary firewall is on goes down, CARP will fail over all interfaces to the secondary machine.  While not having to fail over the firewall would be nice, it's really not the end of the world.


  • Thanks for your quick responses.
    I guess I will go for the attached solution, which will fail over a FW in case the switch connected to the active FW goes down. You're right, Bill, it's not the end of the world, though it would have been nice to implement the solution in Fig. 2.

    Does anybody know if Linux has support for the functionality that CARP offers, like HSRP, VRRP or IPMP? The connected servers need this functionality in the attached solution.

    ![High availabillity solution.png](/public/imported_attachments/1/High availabillity solution.png)

  • There are userland VRRP daemons.  There's also a userland CARP daemon (I can't speak to how good it is, though) at http://www.ucarp.org/project/ucarp.

    FWIW, there's a small chance in the future we might be able to make use of FreeBSD's netgraph NIC bonding module, which would allow us to handle your request (I'm assuming you're running managed switches which support this).  I'm one Cisco switch short of being able to test something like this out, so it's likely to be some time before we'll put this in.  OTOH, I'm not sure Cisco supports "Split Multi-Link Trunking"; that may be a Nortel thing… and for that matter, I'm not 100% sure that the FreeBSD netgraph module for this supports it either (although it will support multi-link trunking to a SINGLE switch for sure).
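As a worked illustration of the "userland VRRP daemon" route mentioned above (an added example, not part of the thread and not pfSense or ucarp code): a keepalived VRRP pair that gives two Linux servers in the proposed design a floating LAN address that moves to the surviving host, which is the same role CARP plays on the pfSense pair. Everything concrete here is an assumption chosen for the example: interface `eth0`, 192.0.2.10 and 192.0.2.11 as the two servers' real addresses, 192.0.2.20 as the shared virtual IP, and virtual router ID 51.

```conf
# /etc/keepalived/keepalived.conf on server A (preferred MASTER)
# Added example; all addresses, the interface name and the VRID are assumed.
vrrp_instance LAN_VIP {
    state MASTER
    interface eth0
    virtual_router_id 51        # must match on both hosts, unique per LAN
    priority 150                # higher wins; server B uses 100
    advert_int 1                # seconds between advertisements

    # Send advertisements unicast to the known peer instead of multicast
    # 224.0.0.18, so only the real peer sees them and a stray host cannot
    # join the election just by being on the segment.
    unicast_src_ip 192.0.2.10
    unicast_peer {
        192.0.2.11
    }

    # Deliberately no "authentication" block: VRRPv2's auth_type PASS is a
    # cleartext password that only guards against accidental VRID clashes,
    # and RFC 5798 removed it. Filter IP protocol 112 on each host so it is
    # accepted only from the peer's address instead.

    virtual_ipaddress {
        192.0.2.20/24 dev eth0  # the address the LAN clients point at
    }

    track_interface {
        eth0                    # lose the link, drop out of MASTER
    }
}

# /etc/keepalived/keepalived.conf on server B (BACKUP): identical except
#   state BACKUP
#   priority 100
#   unicast_src_ip 192.0.2.11
#   unicast_peer { 192.0.2.10 }
```

On a MASTER-to-BACKUP transition keepalived adds 192.0.2.20 on the new master and sends gratuitous ARP, which is what makes the switches in the attached drawing relearn which port the VIP's MAC now sits behind; this is the same mechanism CARP relies on, so it works across the two-switch layout without any bonding. ucarp gives the same behaviour with its `--upscript` and `--downscript` hooks doing the address add/remove, so the choice between the two is mostly a matter of which one the distribution packages.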


  • Thanks for all your support, guys. I'll stick to my proposed solution, which I'm happy to use. I am very impressed by pfSense; it's my absolute preferred firewall, and I have tested a few. Thank you very much.

