CARP failover - pfSense 2.2.6

  • I have two pfSense servers running version 2.2.6, and I am trying to set up redundant CARP failover between them.

    I tried to set up the CARP failover and discovered some possible bugs, for example:

    I have six interfaces on the two firewalls, with static IPs on both of them, so when I applied the CARP failover,
    I have to renew the IP of the WAN interface to continue browsing the internet.

    The same behavior occurs on the other interfaces.

  • LAYER 8 Netgate

    You're trying to CARP a DHCP WAN interface? I don't think that's supported at all. Get a static /29.

  • Hi, thank you for the reply,

    I don't use DHCP on the WAN interface. On all my interfaces I use static IPs.

  • LAYER 8 Netgate

    I have to renew the IP of the WAN interface to continue browsing the internet

    Then I guess I don't know what this means.


    .1 CARP
    .2 Primary interface
    .3 Secondary interface

    The HA node that is MASTER responds on .1

    It all works fine.

  • @Derelict:

    I have to renew the IP of the WAN interface to continue browsing the internet

    Then I guess I don't know what this means.

    My guess, has one IP statically configured on WAN and same on both systems, so has an IP conflict. The gratuitous ARP from the save and apply on WAN ("renew") temporarily "fixes" (read: wins the secondary the IP conflict for the time being).

    Can't put the same IP on multiple systems.

  • Hi cmb,

    Thank you for the reply. In my case, I am not using the same IP on the WAN interface. I am trying the following configuration for the WAN interface:

    pfsense one --> x.x.159.247
    pfsense one --> x.x.159.243
    IP CARP interface WAN --> x.x.159.242

    When I try to apply the failover on the interface, I have this type of problem.

    Note: I am an Autonomous System, and the gateway of my WAN interface is an HSRP address that I have between two routers with BGP.

  • LAYER 8 Netgate

    I am not aware of any bugs in CARP.

    About the only thing I can think to suggest you check is for another CARP/VRRP setup on the same subnet with the same VHID? Maybe the other side isn't really HSRP but is VRRP and you're both using 1 or n?

    A look at the ARP cache might tell a story.
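
An added example (not from the thread or from pfSense itself): CARP and IPv4 VRRP both use the virtual MAC 00:00:5e:00:01:<VHID>, so the ARP-cache check suggested above can be scripted. It assumes FreeBSD-style `arp -an` output; the sample addresses, the `own_vips` mapping and the function names are constructed for illustration.

```python
import re

# Constructed sample in FreeBSD `arp -an` format; all addresses are made up.
SAMPLE_ARP = """\
? (203.0.113.242) at 00:00:5e:00:01:01 on em0 permanent [ethernet]
? (203.0.113.247) at 00:1b:21:aa:bb:01 on em0 permanent [ethernet]
? (203.0.113.243) at 00:1b:21:aa:bb:02 on em0 expires in 1187 seconds [ethernet]
? (203.0.113.241) at 00:00:5e:00:01:01 on em0 expires in 1050 seconds [ethernet]
? (203.0.113.250) at 00:00:0c:07:ac:0a on em0 expires in 900 seconds [ethernet]
? (203.0.113.244) at (incomplete) on em0 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return (ip, mac, interface) tuples; incomplete entries are skipped."""
    return [(m["ip"], m["mac"].lower(), m["ifc"]) for m in ARP_LINE.finditer(text)]

def classify(mac):
    """Map a well-known redundancy-protocol virtual MAC to (protocol, group id)."""
    if mac.startswith("00:00:5e:00:01:"):   # shared by CARP and IPv4 VRRP
        return ("CARP/VRRP", int(mac[-2:], 16))
    if mac.startswith("00:00:0c:07:ac:"):   # HSRP version 1
        return ("HSRPv1", int(mac[-2:], 16))
    return None

def vhid_conflicts(entries, own_vips):
    """own_vips (assumed input): {(interface, vhid): {VIPs you configured}}.
    Returns foreign IPs answering from a virtual MAC whose VHID you also use."""
    hits = []
    for ip, mac, ifc in entries:
        kind = classify(mac)
        if kind and kind[0] == "CARP/VRRP":
            mine = own_vips.get((ifc, kind[1]))
            if mine is not None and ip not in mine:
                hits.append((ip, ifc, kind[1]))
    return hits

if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    for ip, mac, ifc in entries:
        print(ip, mac, ifc, classify(mac) or "")
    print("conflicts:", vhid_conflicts(entries, {("em0", 1): {"203.0.113.242"}}))
```

A hit means some other device on that segment is answering with the same virtual MAC, which is the VHID/VRID overlap described above.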

  • Hi Derelict,

    Thanks for the reply,

    I am using HSRP between two BGP routers; I am connected to two different autonomous systems.
    The first time I applied the CARP failover, I was able to apply it, but when I tested it, I turned off the primary firewall so that the secondary firewall
    would become the primary firewall.

    I see many problems with the cache of the IPs on my interfaces. For example, on all my interfaces I am using static IPs,
    and after some time I had to renew the IP of the WAN interface, because I could not get out to the WAN.

    I do not understand this behavior.

    After that I had to renew the IP of my WAN interface to continue getting out to the WAN.

    In addition, I set up CARP on my firewall, which has six interfaces; I set it up on all the interfaces.

    Best regards.

  • You have to NAT your outbound traffic to a CARP IP. Not clear whether or not that's the case. Otherwise all your existing connections will be dead because they're trying to use the primary's WAN IP which doesn't exist on the secondary.

  • LAYER 8 Netgate

    Yeah it's probably time to post your Firewall > Virtual IPs, Firewall > NAT, Outbound screens.

    And you don't have to power down the primary to test. Just temporarily disable CARP on Status > CARP for basic functionality testing.
