OPNsense
Author Topic: VHID Group / CARP: Just to make sure  (Read 3028 times)

chanijean

VHID Group / CARP: Just to make sure
« on: February 07, 2019, 04:22:18 pm »
Hi there,

I've just got a couple of questions in regard to VHID groups; as the topic states, just to make sure. I've already read https://wiki.opnsense.org/manual/how-tos/carp.html as well as https://www.freebsd.org/doc/handbook/carp.html, though I'm still a little bit confused.

Let's assume the following scenario:

We've got three physical NICs. nic1 is WAN, nic2 is LAN, nic3 is directly connected to another OPNsense (HA configuration). On the LAN interface we have 30 VLANs, and for every VLAN we have one public IP on the WAN interface and two private IPs on the VLAN interface (we're using HAProxy to forward requests from the public IP to the specific private IP in its specific VLAN).

While this works perfectly fine, we're currently unsure about the correct use of the VHID group:

1. to make sure that HA failover will happen if LAN or WAN break apart (which is not the deal; the deal is that all IPs of the VLAN interfaces as well as the public IPs will be available on the second OPNsense, and not just the IP of the WAN interface).

2. we believe we will reach the VHID limit of 255 in the OPNsense mask one day (currently the next usable VHID is 65), and hence we're wondering if the VHID should be unique: unique across physical interfaces, unique across virtual interfaces, unique across different IP networks, or...

Currently our scheme looks like this:

  • wan public ip1 = vhid 1
  • wan public ip2 = vhid 2
  • wan public ip3 = vhid 3
  • vlan1 private ip1 = vhid 1
  • vlan1 private ip2 = vhid 2
  • vlan2 private ip1 = vhid 1
  • vlan2 private ip2 = vhid 2
  • vlan3 private ip1 = vhid 1
  • vlan3 private ip2 = vhid 2

We've also found the following:
Quote:
If your provider offers you a subnet of public IP addresses and you want to expose them for NAT or different services running on your Firewall, you will also have to add them to your HA setup. Since adding a VHID for every IP would make the CARP traffic very noisy, you can also add a new IP Alias and choose the correct VHID where the first CARP IP is configured. --https://wiki.opnsense.org/manual/how-tos/carp.html

Which sounds (if I do understand it correctly) quite like what we want and would be easier to set up. However, since IP Aliases aren't synchronized in HA, this would be quite some work doing everything two times.

Thanks in advance
Jean
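Added example (not code from the thread or from the OPNsense project): a small Python checker for a VIP plan like the one above. It assumes the plan is given as (interface, address, mode, vhid) tuples and uses constructed addresses; it flags VHIDs reused on the same broadcast domain, reports how many VHIDs each segment consumes, and rewrites the plan into the one-CARP-VIP-plus-aliases shape the quoted wiki passage describes.

```python
"""Check a CARP VIP plan for VHID collisions and per-segment VHID budget.

CARP carries the VHID in an 8-bit field (1-255), and a VHID only has to be
unique among the hosts on one broadcast domain (one untagged interface or
one VLAN). Reusing VHID 1 on vlan1 and vlan2 is valid; twice on vlan2 is not.
"""
from collections import defaultdict

VHID_MIN, VHID_MAX = 1, 255

# Constructed sample mirroring the post's scheme, plus one deliberate duplicate.
VIPS = [
    # (interface = broadcast domain, address, mode, vhid)
    ("wan",   "203.0.113.10/24", "carp", 1),
    ("wan",   "203.0.113.11/24", "carp", 2),
    ("wan",   "203.0.113.12/24", "carp", 3),
    ("vlan1", "10.1.1.10/24",    "carp", 1),
    ("vlan1", "10.1.1.11/24",    "carp", 2),
    ("vlan2", "10.1.2.10/24",    "carp", 1),
    ("vlan2", "10.1.2.11/24",    "carp", 2),
    ("vlan2", "10.1.2.12/24",    "carp", 2),   # collides with the line above
]


def check_vhids(vips):
    """Return (collisions, usage): addresses sharing a VHID on one segment, and
    the number of distinct VHIDs each segment consumes out of the 255 available."""
    per_segment = defaultdict(list)
    usage = defaultdict(set)
    for iface, addr, mode, vhid in vips:
        if not VHID_MIN <= vhid <= VHID_MAX:
            raise ValueError(f"{iface} {addr}: vhid {vhid} not in {VHID_MIN}-{VHID_MAX}")
        if mode == "carp":                       # aliases ride on an existing VHID
            per_segment[(iface, vhid)].append(addr)
        usage[iface].add(vhid)
    collisions = {k: v for k, v in per_segment.items() if len(v) > 1}
    return collisions, {i: len(v) for i, v in usage.items()}


def alias_plan(vips):
    """Rewrite the plan the way the wiki quote suggests: one CARP VIP per
    segment, every further address on that segment an IP alias of its VHID."""
    anchor, plan = {}, []
    for iface, addr, _mode, vhid in vips:
        if iface not in anchor:
            anchor[iface] = vhid
            plan.append((iface, addr, "carp", vhid))
        else:
            plan.append((iface, addr, "ipalias", anchor[iface]))
    return plan
```

Run check_vhids on the rewritten plan as well: after alias_plan each segment consumes a single VHID, so the duplicate disappears and the budget no longer depends on how many addresses you front.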

spark5

Re: VHID Group / CARP: Just to make sure
« Reply #1 on: November 09, 2022, 11:34:32 am »
Hi, we are running into the same problem.

Is it possible to have more than 255 virtual CARP interfaces?

Thanks a lot for help...

kind regards,
ronny

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved