Messages

1

High availability / Re: CARP connections to switches in MLAG

« on: January 08, 2024, 10:06:15 am »

Thanks Patrick and mimugmail. I think there may be a misunderstanding about my question. I am asking about the configuration on the switch. I had thought that the switch (or in my case switches in MLAG) should have no bonding between the ports that connect from the switch to the firewalls because I was under the impression that when a new CARP group master takes over it issues a Gratuitous ARP (GARP). This would mean that, in principle, the switch should see the GARP and update its MAC address table. However, this does not seem to be working - hence my question. For me, when the CARP master changes traffic gets dropped.

2

High availability / Re: CARP connections to switches in MLAG

« on: January 07, 2024, 10:25:00 am »

Hi mimugmail, I am not sure what you mean by "bond over both members". I don't understand how to get the switch LAGG to play with CARP. Here are the issues as I see them:

Active-backup
The challenge here is ensuring that the switch's active link aligns with the CARP master firewall. Without an automatic mechanism to align the active switch port with the CARP master, this setup could lead to misalignment where the active switch port is connected to the standby firewall.

Broadcast
This guarantees that the active CARP firewall always receives the traffic, regardless of which one is master, but if a firewall leaves the CARP group (say because CARP is disabled for maintenance) it will start handling duplicate traffic.

3

High availability / CARP connections to switches in MLAG

« on: January 06, 2024, 06:21:53 am »

Here is my setup:

                       VIP (WAN)
                            |
         ------------------------------
         |                                     |
         |                                     |
  -------------     pfSync     -------------
 | Firewall 1 | <---------> | Firewall 2 |
  -------------                    -------------
         |                                     |
         |                                     |
         |                                     |
  ------------       MLAG       ------------
 | Switch 1 | <-----------> | Switch 2 |
  ------------                      ------------
         |                                     |
         ------------------------------
                            |
                      LACP (LAN)

I have 2 firewalls in a CARP group. Each firewall connects to a Mikrotik switch and these switches are in an MLAG configuration with their onward ports bonded in LACP.

Question: How should the switch ports to the firewalls be configured?

MLAG allows the switches to appear to external hardware as though they are connected to a single switch. Bonds are created across the physical switches (i.e. an LACP bond will have 1 port of the bond on each switch so that an entire switch can go down and the link survive). How should the ports connected to the firewalls be bonded? Clearly LACP is not correct because the firewalls will not negotiate this correctly on their end as the firewalls act independently of each other. My other options are:
- active-backup
- broadcast

Am I correct in assuming that if Switch 1 were to go down that Firewall 1 would detect a dead connection and demote itself and so Firewall 2 take over?