OPNsense Forum
English Forums => High availability => Topic started by: c-mu on September 07, 2022, 10:52:38 am
-
Hello,
I've been wondering for a while if I've been using CARP incorrectly for years and if I can't do better.
I have a lot of VLANs, currently around 80-100 I guess, mostly /29 networks for customer environments for security purposes.
Now I have also configured a CARP address for each VLAN, but is that really necessary?
Isn't it enough if I set up CARP only in the main network, for example, and set up a Virtual IP for all other interfaces/VLANs? As soon as a problem is detected in the main network, the master moves to the slave and with it all virtual IPs.
How would you do it?
Thank you!
-
I hope so! I'm looking to do something similar (with less VLANs) but I don't see how else you do it unless you can change state of all VLANs/networks on change of CARP state (after all, OPNSense is aware of the state of all networks)?
-
That is indeed the right way - CARP works, much like VRRP and HSRP, at layer 3.
-
Does it harm to use only carp addresses instead of virtual IPs for the other VLANs? That's what I use currently and it works...
-
The expected setup is to use CARP on all interfaces. Why wouldn't you?
If it was Cisco IOS instead of OPNsense you would have HSRP or VRRP on all interfaces, too.
I honestly did not know that virtual addresses would switch nodes in case of a failover. :) In fact: do they? Did anyone ever try?