Failover Bridged Setup using STP



  • Hi All,

We run some pfSense installations using the more normal CARP/VIP failover active/passive setup, which are working nicely.
    However, we now have a requirement for a failover firewall pair that will be in a bridged configuration.  I've been searching the boards
    and FAQs, etc. for a couple of days and see that an STP setup is probably possible; however, I couldn't find any info
    on whether the firewall rules and state table could still be synchronized as with the CARP config.
    I'll try attaching a network diagram of what we're hoping to achieve without buying some incredibly expensive hardware-based solution.
    I'd like to know if anyone is running a similar setup to the one I'm considering, or if anyone can see any potential issues with my
    proposed solution.
    Also... we run MSTP internally on the switches, and it seems that RSTP is what is in pfSense. Is this correct?
    Thank you in advance.
    :-)




  • I guess either no-one has tried this, or no-one is sure that the config would work?? :-(



  • CARP is incompatible with bridging.  It is allegedly possible to work around this using STP, although this has not been tested by anyone and it would be a hack if it works.



  • AFAIK, if the SYNC interface is not one of the bridged interfaces and has an IP address, then it should work!
    But as submicron said, it is not tested by anyone.



  • No, they won't work that way.  If you have bridged interfaces, you can't also have CARP IPs on the interfaces as well.



  • No, they won't work that way.  If you have bridged interfaces, you can't also have CARP IPs on the interfaces as well.

Actually I said the opposite :):
    If you have a bridge running and a spare interface that is not part of the bridge with an IP address, and run CARP on top of it, then syncing shouldn't be a problem (theoretically).



  • Thanks for replying everyone.

    I'll try it out and report back with my findings as this really would be the holy grail for HA firewalls for us. :-)



  • @ermal:

    No, they won't work that way.  If you have bridged interfaces, you can't also have CARP IPs on the interfaces as well.

Actually I said the opposite :):
    If you have a bridge running and a spare interface that is not part of the bridge with an IP address, and run CARP on top of it, then syncing shouldn't be a problem (theoretically).

    I know you said the opposite, but I'm reporting from my findings of actually having tried to do it.  It doesn't work.  At least it didn't use to.  I know you have specifically worked on a lot of this code Ermal, so you may understand it better than I do, but when I tried doing this before, the CARP IP addresses wouldn't come up on the bridge.



  • Oh, sorry, yeah: since carp(4) won't receive notifications of link layer changes from bridge(4), it will not come up as an interface.
    There is a PR open on FreeBSD for this and it will be fixed soon, I think. You will need to force it to come up manually for it to work; I think I tested this curiously in my tests while working on the code and had to force it manually to make it work.

    Sorry for the noise submicron you are right it is not supported and will not work by default.
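
    The following is an added example, not something posted in this thread or shipped by pfSense: a POSIX shell check over ifconfig(8)-style output that reports which spanning-tree protocol the bridge itself runs (the RSTP question from the first post) and which CARP VHIDs are stuck in INIT, i.e. the "CARP IP never comes up on the bridge" symptom described above. The sample output is constructed for illustration; the interface names (bridge0, em0, em1, em2), addresses and VHID numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense). Constructed ifconfig(8)-
# style output: bridge0 runs RSTP over em0/em1 and has VHID 2 that sits in INIT;
# em2 is a non-bridged SYNC interface whose VHID 1 is MASTER. Names, addresses
# and VHIDs are made up for the example.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255 vhid 2
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        carp: INIT vhid 2 advbase 1 advskew 0
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.99.1 netmask 0xffffff00 broadcast 172.16.99.255
        inet 172.16.99.3 netmask 0xffffff00 broadcast 172.16.99.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0'

# Print "<vhid> <state>" for every "carp: <STATE> vhid <N> ..." line.
# awk strips the leading whitespace, so $1 is "carp:", $2 the state, $4 the VHID.
carp_states() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $4, $2 }'
}

# Print the VHIDs that never left INIT (neither MASTER nor BACKUP).
stuck_vhids() {
    carp_states "$1" | awk '$2 == "INIT" { print $1 }'
}

# Print the spanning-tree protocol of the bridge itself (stp or rstp). This is
# read from the bridge-level "maxage ... proto ..." line, not from the per-member
# lines, which also carry a "proto" field.
bridge_stp_proto() {
    printf '%s\n' "$1" | awk '$1 == "maxage" {
        for (i = 1; i <= NF; i++) if ($i == "proto") print $(i + 1)
    }'
}

# Human-readable report; returns 1 if any VHID is stuck in INIT so the check can
# gate a cron job or a monitoring probe.
report() {
    proto=$(bridge_stp_proto "$1")
    echo "bridge STP protocol: ${proto:-none}"
    carp_states "$1" | while read -r vhid state; do
        echo "vhid $vhid: $state"
    done
    stuck=$(stuck_vhids "$1")
    if [ -n "$stuck" ]; then
        echo "WARNING: CARP VHID(s) stuck in INIT: $(echo "$stuck" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Run against the constructed sample; on a real box use: report "$(ifconfig -a)"
if report "$SAMPLE_IFCONFIG"; then
    echo "all CARP VHIDs are up"
fi
```

    On a live firewall, feed it `ifconfig -a` instead of the sample. The parser keys only on the `carp: <STATE> vhid <N>` line and the bridge's `maxage ... proto ...` line, so it does not depend on the interface names used here.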



  • No worries Ermal.  I'm glad you looked at it, and maybe if things get changed with FreeBSD, this can be made possible in the future.

