General Discussion / VHID Group / CARP: Just to make sure
« on: February 07, 2019, 04:22:18 pm »
Hi there,
I've just got a couple of questions regarding VHID groups; as the topic states, just to make sure. I've already read https://wiki.opnsense.org/manual/how-tos/carp.html as well as https://www.freebsd.org/doc/handbook/carp.html, though I'm still a little bit confused.
Let's assume the following scenario:
We've got three physical NICs: nic1 is WAN, nic2 is LAN, nic3 is directly connected to another OPNsense (HA configuration). On the LAN interface we have 30 VLANs, and for every VLAN we have one public IP on the WAN interface and two private IPs on the VLAN interface (we're using HAProxy to forward requests from the public IP to the specific private IP in its specific VLAN).
While this works perfectly fine, we're currently unsure about the correct use of the VHID group:
1. to make sure that HA failover will happen if LAN or WAN breaks apart (which is not the deal; the deal is that all IPs of the VLAN interfaces as well as the public IPs will be available on the second OPNsense and not just the IP of the WAN interface).
2. we believe we will reach the VHID limit of 255 in the OPNsense mask one day (currently the next usable VHID is 65), and hence we're wondering whether the VHID should be unique overall, unique across physical interfaces, unique across virtual interfaces, unique across different IP networks, or...
Currently our scheme looks like this:
- wan public ip1 = vhid 1
- wan public ip2 = vhid 2
- wan public ip3 = vhid 3
- vlan1 private ip1 = vhid 1
- vlan1 private ip2 = vhid 2
- vlan2 private ip1 = vhid 1
- vlan2 private ip2 = vhid 2
- vlan3 private ip1 = vhid 1
- vlan3 private ip2 = vhid 2
We've also found the following:
Quote
If your provider offers you a subnet of public IP addresses and you want to expose them for NAT or different services running on your Firewall, you will also have to add them to your HA setup. Since adding a VHID for every IP would make the CARP traffic very noisy, you can also add a new IP Alias and choose the correct VHID where the first CARP IP is configured. --https://wiki.opnsense.org/manual/how-tos/carp.html
This sounds (if I understand it correctly) quite like what we want and would be easier to set up. However, since IP aliases aren't synchronized in HA, this would be quite some work, doing everything twice.
Thanks in advance
Jean
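An added example, not part of Jean's post and not OPNsense's or FreeBSD's own code: a small Python planner that encodes how carp(4) scopes a VHID, so a plan like the one above can be sanity-checked before it is typed into the GUI. It assumes (from carp(4) and the FreeBSD handbook, not from anything stated on this page) that a VHID is a 1..255 number identifying one redundancy group on one link, that the group answers for the virtual MAC 00:00:5e:00:01:<vhid>, and that several addresses attached to the same vhid on the same interface form one group sharing its advskew and password, which is the "IP alias on an existing VHID" approach the wiki quote describes. Interface names, addresses and the password are constructed sample data; the emitted ifconfig lines are illustrative strings in handbook syntax and are not executed.

```python
"""Model a CARP VHID plan the way carp(4) scopes it (assumptions in the
lead-in; all sample data constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vip:
    iface: str                 # link the VIP lives on, e.g. "wan" or "vlan1"
    vhid: int                  # CARP virtual host id, 1..255
    addr: str                  # VIP with prefix length (/32 as in the handbook)
    advskew: int = 0           # 0 on the preferred master, higher on the backup
    password: str = "s3cret"   # shared CARP password (sample value)


def carp_mac(vhid: int) -> str:
    """Virtual MAC the group answers for on its link: 00:00:5e:00:01:<vhid>."""
    return f"00:00:5e:00:01:{vhid:02x}"


def check_plan(vips):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    groups = defaultdict(list)  # (iface, vhid) -> members of that group
    for v in vips:
        if not 1 <= v.vhid <= 255:
            problems.append(f"{v.iface}: vhid {v.vhid} outside 1..255")
        groups[(v.iface, v.vhid)].append(v)
    # Addresses sharing (iface, vhid) are ONE group: skew and password must agree.
    for (iface, vhid), members in groups.items():
        if len({(m.advskew, m.password) for m in members}) > 1:
            problems.append(
                f"{iface}: vhid {vhid} configured with differing advskew/password")
    return problems


def vhids_per_link(vips):
    """Which vhids each link uses; under the per-link model the 255 limit
    applies to this per-interface set, not to the whole box."""
    used = defaultdict(set)
    for v in vips:
        used[v.iface].add(v.vhid)
    return {iface: sorted(s) for iface, s in used.items()}


def ifconfig_lines(vips):
    """FreeBSD ifconfig commands (handbook syntax) for the master: the first
    address of an (iface, vhid) creates the group, later ones join it."""
    lines, created = [], set()
    for v in vips:
        key = (v.iface, v.vhid)
        if key not in created:
            created.add(key)
            lines.append(f"ifconfig {v.iface} vhid {v.vhid} advskew {v.advskew} "
                         f"pass {v.password} alias {v.addr}")
        else:
            lines.append(f"ifconfig {v.iface} alias {v.addr} vhid {v.vhid}")
    return lines


# Constructed sample: the post's scheme (one vhid per address) versus the
# wiki's alias scheme (one vhid per link) for WAN and two VLANs.
PER_ADDRESS_PLAN = [
    Vip("wan", 1, "203.0.113.1/32"), Vip("wan", 2, "203.0.113.2/32"),
    Vip("wan", 3, "203.0.113.3/32"),
    Vip("vlan1", 1, "10.1.0.1/32"), Vip("vlan1", 2, "10.1.0.2/32"),
    Vip("vlan2", 1, "10.2.0.1/32"), Vip("vlan2", 2, "10.2.0.2/32"),
]
ALIAS_PLAN = [
    Vip("wan", 1, "203.0.113.1/32"), Vip("wan", 1, "203.0.113.2/32"),
    Vip("wan", 1, "203.0.113.3/32"),
    Vip("vlan1", 1, "10.1.0.1/32"), Vip("vlan1", 1, "10.1.0.2/32"),
    Vip("vlan2", 1, "10.2.0.1/32"), Vip("vlan2", 1, "10.2.0.2/32"),
]

if __name__ == "__main__":
    for name, plan in (("per-address", PER_ADDRESS_PLAN), ("alias", ALIAS_PLAN)):
        print(name, "problems:", check_plan(plan) or "none")
        print(name, "vhids per link:", vhids_per_link(plan))
    print("\n".join(ifconfig_lines(ALIAS_PLAN)))
```

Running it shows the per-address scheme reusing vhid 1 and 2 on every VLAN without any per-link conflict, and the alias scheme needing a single vhid per link; the check only flags a vhid outside 1..255 or two VIPs on the same interface and vhid that disagree on advskew or password, since under carp(4) those are one group.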