OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: The Sky Heart on December 03, 2017, 03:59:46 am

Title: IP Alias on top of CARP VIP
Post by: The Sky Heart on December 03, 2017, 03:59:46 am
Hi Guys,

I'm trying to configure 2 OPNsense firewalls in HA mode. I did the initial configs and the HA configs and everything works fine, but I have a lot of public IP subnets that are routed. I was testing with 2 /24 subnets, so I made the first subnet the main interface IPs:
fw1: x.x.x.2
fw2: x.x.x.3
carp VIP: x.x.x.1

For the second subnet I added a static route, then added another CARP VIP x.x.2.1. This setup works fine, but as I mentioned I have a lot of public /24 IPs and I don't want to have a VHID for each CARP VIP.

In pfSense there is an option to create an IP Alias on top of the CARP VIP, but I can't see that option in OPNsense. Also, if I add the IP as a normal IP Alias, that IP is not synced to the second firewall, so I guess that to be able to sync all Virtual IPs they should be CARP IPs.

Please, any help or more information on this would be appreciated. I honestly don't want to switch to pfSense because of this.

Thanks 
Title: Re: IP Alias on top of CARP VIP
Post by: mimugmail on December 03, 2017, 06:15:19 am
Hm, normally you should be able to choose the correct VHID at IP Alias.
Title: Re: IP Alias on top of CARP VIP
Post by: franco on December 03, 2017, 08:46:46 am
Hi there,

This was added in 17.7.1:

https://github.com/opnsense/changelog/blob/4c9af494a75da82af104f96c73bd0d68bb7bf4dc/doc/17.7/17.7.1#L35


Cheers,
Franco
Title: Re: IP Alias on top of CARP VIP
Post by: The Sky Heart on December 03, 2017, 10:03:08 pm
Hi Guys,

Thanks a lot for your reply,

but it seems this doesn't work for me.

I created a CARP VIP on a VLAN interface, and as I mentioned this works fine, but if I add an IP Alias on the VLAN interface using the same VHID then both firewalls become master for the CARP VIP, and I can't see that the new IP Alias has been synced to the other firewall. So either I'm adding it the wrong way or there is another issue.

I'm using OPNsense 17.7.8-amd64 on both firewalls.

I checked this issue https://github.com/opnsense/core/issues/1779
which is exactly what I'm facing, but it seems you guys fixed it in 17.7.1, as @franco mentioned.
Title: Re: IP Alias on top of CARP VIP
Post by: The Sky Heart on December 03, 2017, 10:13:54 pm
Here is a little more information with screenshots.

The main CARP VIP is on a VLAN interface, which is VLAN 1050, so this is what happens if I add another CARP VIP using the same VHID:

https://gyazo.com/33c83e8383788254403f5684b8650369

And if I add the IP as an IP Alias like here
https://gyazo.com/5826eea43cf6a9476f353b4ca005d9ef

then both firewalls become master for that CARP interface.
Title: Re: IP Alias on top of CARP VIP
Post by: The Sky Heart on December 04, 2017, 02:57:41 am
Hi again,


OK, it seems that we have to add the IP Aliases on each firewall; pfsync doesn't seem to sync the IP Aliases. After adding the IP Alias to the backup firewall, the IP status changed correctly and now the master is master and the backup is backup. This doesn't happen in pfSense: when you add an IP Alias on top of a CARP VIP, pfsync syncs the IP to the other node.
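
The condition found in the last post (an alias in a VHID on one firewall but not the other, with both nodes reporting master) can be checked by comparing each node's `ifconfig` output per VHID. This Python script is an added example, not part of the thread or of OPNsense; the `ifconfig` samples, addresses and function names are constructed for illustration.

```python
import re

# Constructed FreeBSD-style `ifconfig` output for two HA nodes (documentation addresses).
NODE_A = """\
vlan1050: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
    inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
"""
NODE_B = """\
vlan1050: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 100
"""

IFACE = re.compile(r"^(\S+): flags=")
ADDR = re.compile(r"^\s+inet6? (\S+) .*\bvhid (\d+)")
CARP = re.compile(r"^\s+carp: (\w+) vhid (\d+)")

def parse_carp(text):
    """Return {(iface, vhid): {"addrs": set, "state": str}} from ifconfig output."""
    groups, iface = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif m := ADDR.match(line):
            g = groups.setdefault((iface, int(m.group(2))), {"addrs": set(), "state": None})
            g["addrs"].add(m.group(1).split("%")[0])  # drop any IPv6 scope suffix
        elif m := CARP.match(line):
            g = groups.setdefault((iface, int(m.group(2))), {"addrs": set(), "state": None})
            g["state"] = m.group(1)
    return groups

def compare(a, b):
    """List per-VHID address mismatches and dual-MASTER states between nodes A and B."""
    findings, empty = [], {"addrs": set(), "state": None}
    for key in sorted(set(a) | set(b)):
        ga, gb = a.get(key, empty), b.get(key, empty)
        for addr in sorted(ga["addrs"] ^ gb["addrs"]):
            side = "B" if addr in ga["addrs"] else "A"
            findings.append((key, f"{addr} missing on node {side}"))
        if ga["state"] == gb["state"] == "MASTER":
            findings.append((key, "both nodes MASTER"))
    return findings

if __name__ == "__main__":
    for (iface, vhid), msg in compare(parse_carp(NODE_A), parse_carp(NODE_B)):
        print(f"{iface} vhid {vhid}: {msg}")
```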