Netgate Discussion Forum
    CARP in multi-host environment

    HA/CARP/VIPs
    1 Posts 1 Posters 838 Views
    • C
      chriscmc26
      last edited by

      Hi everyone,

      I am fairly new to using pfSense as a firewall, but I recently started working in a new position that deploys these firewalls on their VMWare hosts.  So far, I like it a lot.

      Unfortunately, I would like to make some changes to the setup to make things easier.  Let me share the setup real fast.

      We have 6 ESXi hosts in our environment that host any number of virtual servers ranging over 8 different subnets. Currently, each host has a pfSense firewall loaded on a VM that protects VMs hosted on that specific host. We have 3 virtual networks configured: WAN, LAN, and SERVERS. The firewalls are on the LAN network, and anything that needs to be protected is on the SERVERS network. Firewalls are set up in bridging mode to intercept traffic from the WAN interface and pass it on to the SERVERS interface. If we don't need a server behind a firewall, we just move it up to the WAN interface. (I should also note that we are on a larger corporate network that has other departments and units and more firewalls further up the chain.) We do not have CARP set up, and none of the VMs are highly available. Anytime we need to take a host down, we have to shut down everything on that host, which means downtime on our servers.

      I have been talking with our team about moving to a highly available environment. The question now becomes: how do we set up CARP on VMs that span multiple hosts? I understand the networking side of things if the firewalls were hosted in front of the cluster, but these are hosted on the ESXi hosts themselves. I have seen plenty of guides on setting up CARP that involved a single host, or where the firewalls are in front of the ESXi cluster on separate hardware. But I haven't seen anything that talks about CARP spanning multiple physical ESXi hosts running as VMs.

      Anyone have any suggestions?

      I was thinking about just setting up the LAN network on each of the firewalls' interfaces and enabling the sync, but I wasn't sure if this would work across multiple hardware hosts. Plus, I only really need 2 VMs instead of 1 VM per ESXi host. If the only way to do this is to keep all 6 firewalls and set it up as a sync, then that is fine. I just needed a place to start looking.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.