Bridge failover with CARP on OPNSense
werner
Bridge failover with CARP on OPNSense
« on: July 23, 2017, 08:14:29 pm »
Hi,
I'm in the middle of building a redundant firewall / ids solution where using NAT isn't really an option. So I was reading and experimenting a bit with bridging and CARP and how to use it for my situation.
I found some information on the pfsense forum that seems useful, but it is based on somewhat older versions and I'd like to be sure it won't be overwritten by updates of course.
I've seen two different solutions, one is based on a bridge for each firewall + an extra interface for management. By implementing a vip on the management interfaces there's a CARP interface that can be checked with devd. Once the state changes of the CARP interface a script is called and transfers the bridge into the right state.
https://forum.pfsense.org/index.php?topic=45971.0
The other solution uses ifstated to detect the state of the CARP interface and configures what to do with the bridge accordingly.
https://forum.pfsense.org/index.php?topic=6516.0
I also thought about STP but I think it won't work because both OPNSense firewalls will be virtual machines on VMWare. vSwitches themselves don't support STP and the physical switchports are, due to the vSwitches, shared between multiple VMs. So I don't think that's gonna work.
Both solutions, devd and ifstated seem to do what I want, just simply enable/disable a bridge together with a CARP interface when the router is primary or backup.
Are there any advantages / disadvantages for both methods? Are they complete or am I (or the writer) missing something? And can I configure them manually without the risk of being overwritten in a future update of OPNSense?
Any help pointing me in the right direction is appreciated, plan is to make a howto out of this so other people might benefit from it as well.
Best regards,
Werner Reuser
« Last Edit: July 23, 2017, 08:16:15 pm by werner »
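The devd approach described in the post above (a CARP state change on the management VIP triggers a script that puts the bridge into the matching state) can be written out as a small handler. The following is an added example, not code from the thread or from OPNsense; the bridge name `bridge0`, the CARP subsystem value `1@em2` (vhid 1 on `em2`), the script path `/usr/local/sbin/carp-bridge.sh` and the drop-in path `/usr/local/etc/devd/carp-bridge.conf` are assumptions for illustration. The devd rule in the header comment uses the `system`/`subsystem`/`type` fields that FreeBSD's CARP notifications carry (`MASTER`, `BACKUP`, `INIT`).

```shell
#!/bin/sh
# carp-bridge.sh: devd handler that follows the CARP state with a bridge.
# Added example, not from the original thread or from OPNsense.
# Assumed names: bridge0 (the transparent bridge), 1@em2 (vhid@interface
# as devd reports it). devd invokes this as: carp-bridge.sh <subsystem> <type>
#
# Matching devd rule (assumed file /usr/local/etc/devd/carp-bridge.conf):
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "1@em2";
#       match "type"      "(MASTER|BACKUP|INIT)";
#       action "/usr/local/sbin/carp-bridge.sh $subsystem $type";
#   };

BRIDGE="${BRIDGE:-bridge0}"
LOGTAG="carp-bridge"

# Map a CARP state to a bridge action. Kept free of side effects so the
# mapping can be checked without touching any interface. Only MASTER brings
# the bridge up; BACKUP and INIT take it down so two boxes never forward at
# once; anything else is ignored rather than guessed at.
bridge_action_for_state() {
    case "$1" in
        MASTER)       echo up ;;
        BACKUP|INIT)  echo down ;;
        *)            echo ignore ;;
    esac
}

# Apply an action to the bridge. IFCONFIG can be pointed at "echo" for a
# dry run, which is also how the mapping is exercised below.
apply_bridge_action() {
    action="$1"
    ifc="${IFCONFIG:-/sbin/ifconfig}"
    case "$action" in
        up)   "$ifc" "$BRIDGE" up ;;
        down) "$ifc" "$BRIDGE" down ;;
        *)    return 0 ;;
    esac
}

main() {
    subsystem="$1"   # e.g. 1@em2
    state="$2"       # MASTER, BACKUP or INIT
    action=$(bridge_action_for_state "$state")
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOGTAG" "CARP $subsystem is $state, bridge $BRIDGE -> $action"
    fi
    apply_bridge_action "$action"
}

# Only act when devd calls us with both arguments; sourcing the file for
# inspection or testing does nothing.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Taking the whole bridge down on BACKUP (rather than just one member) is the simplest way to make sure the standby box cannot forward frames while the master is alive; whether OPNsense leaves a file under `/usr/local/etc/devd/` alone across upgrades is exactly the question the post raises and should be verified on the target release before relying on it.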
werner
Re: Bridge failover with CARP on OPNSense
« Reply #1 on: July 26, 2017, 02:27:16 pm »
No replies?
No one has experience with a transparent firewall with HA?
mimugmail
Re: Bridge failover with CARP on OPNSense
« Reply #2 on: July 26, 2017, 03:07:17 pm »
I think this setup is too specific. Normally the failover mode for bridges is bundled ports on the hardware which switch the network regardless of whether the system is powered on.
http://www.nexcom.com/Products/network-and-communication-solutions/entry-level-appliance/entry-level-appliance/network-communication-nsa-1150/Specifications
Dual pair bypass ...
So when your system fails, traffic will just be switched.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/