Topic: Transparent Filtering Bridge + CARP/pfsync for HA? (Read 2158 times)
Joker535 (Newbie, Posts: 1, Karma: 0)
Transparent Filtering Bridge + CARP/pfsync for HA?
on: July 10, 2019, 03:26:16 pm
I have been running pfSense 2.3.4 as a Transparent Filtering Bridge with my /24 range of public IPs for a number of years now. The hardware I was using died so now it's time for an upgrade (and move to OPNsense).
I am considering running 2 identical pieces of hardware and I have read about CARP/pfsync for HA setups. All the documentation I find seems to refer to using different subnets in private ranges which I do not have the option to do. All of the servers behind the firewall have static public IP addresses (no DHCP and no NAT) all in the same subnet. I have a separate backend network connected to each server using static private IPs with no internet access (no gateway, no router, no DHCP). I also had a 3rd interface set up in pfSense with a backend IP for management GUI access only.
Is it possible to run 2 Transparent Filtering Bridge setups in an HA (failover) configuration (via CARP/pfsync) in a single subnet?
Each machine would have a dedicated NIC for WAN, NIC for LAN, NIC for the private backend (management), and a NIC for pfsync (4 NICs per machine).
Is this feasible and if so is it a reliable setup? I don't want to spend any more time on it if it isn't.
Thanks
AlfonsoI (Newbie, Posts: 1, Karma: 0)
Re: Transparent Filtering Bridge + CARP/pfsync for HA?
Reply #1 on: July 10, 2023, 10:13:11 am
Hello,
I have the same use case. Have you been able to test it?
I think it is not possible to do HA on a bridge. The reason is that CARP works on the IP protocol, which is above the L2 traffic enabled on both (LAN and WAN) bridge interfaces. I guess you can attach a CARP virtual interface to the bridge interface and do HA on the administration bridge interface. But if you have both firewalls connected to your core routers, you might start to get a routing loop (spanning tree).
I would love to hear from anyone who has been able to make it work.
BR,
Alfonso
goeranh (Newbie, Posts: 1, Karma: 0)
Re: Transparent Filtering Bridge + CARP/pfsync for HA?
Reply #2 on: May 03, 2024, 03:24:26 pm
Hi,
I have the same use case and have been playing around with pfSense and bare FreeBSD for this, and I always end up flooding myself with ARP packets until nothing on my networks responds anymore. I have tried to use CARP, ProxyARP and Other as virtual IPs to mitigate this, but got nowhere.
Currently we use two systems, periodically sync the configs, but mainly keep one as a cold-spare.
If anyone has any pointers on this I'd also love to know.
Kind regards
Göran
Patrick M. Hausen (Hero Member, Posts: 6812, Karma: 572)
Re: Transparent Filtering Bridge + CARP/pfsync for HA?
Reply #3 on: May 03, 2024, 03:30:52 pm
You are building a bridging loop. The main reason being that in FreeBSD STP is off by default.
Edit the bridge interface, click on "Show advanced options", add all bridge member interfaces to "STP interfaces".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
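
Added example, not part of the original thread: a small Python model of the bridging loop described in Reply #3. It assumes a constructed topology in which both bridging firewalls (hypothetical names `fw1` and `fw2`) sit in parallel between the same WAN-side and LAN-side switch, and it counts broadcast frames still in flight when every port forwards versus when one bridge port is held in the blocking state, as STP does to a redundant path.

```python
# Constructed topology: two transparent bridges in parallel between the
# same pair of switches. All names are hypothetical.
LINKS = [("wan_sw", "fw1"), ("fw1", "lan_sw"),
         ("wan_sw", "fw2"), ("fw2", "lan_sw")]


def neighbours(links, blocked=frozenset()):
    """Build the adjacency map, leaving out links with a blocking port."""
    adj = {}
    for a, b in links:
        if (a, b) in blocked or (b, a) in blocked:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def frames_in_flight(links, source, rounds, blocked=frozenset()):
    """Return, per round, how many copies of broadcast frames are in transit.

    Each round a host behind `source` sends one new ARP broadcast. Every
    device floods a broadcast out of all ports except the one it arrived
    on, which is plain L2 behaviour with no loop protection.
    """
    adj = neighbours(links, blocked)
    in_flight, history = [], []
    for _ in range(rounds):
        # New broadcast leaves the source switch on every inter-device link.
        in_flight += [(source, n) for n in sorted(adj.get(source, ()))]
        history.append(len(in_flight))
        # Forward every frame one hop; a frame dies only at a dead end.
        in_flight = [(node, nxt) for sender, node in in_flight
                     for nxt in sorted(adj[node]) if nxt != sender]
    return history


if __name__ == "__main__":
    # No STP: the four devices form a ring, so no frame ever expires.
    print("all ports forwarding:", frames_in_flight(LINKS, "lan_sw", 6))
    # One redundant port blocking: the ring becomes a line, frames drain.
    print("fw2 LAN port blocked:",
          frames_in_flight(LINKS, "lan_sw", 6, blocked={("fw2", "lan_sw")}))
```

With all ports forwarding, the count grows with every new broadcast because nothing removes old frames from the ring; with one port blocked it levels off.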