HA - Does every VLAN need a VIP?

Started by pepper_sprout, May 03, 2025, 02:49:02 PM

Hi,

I have recently set up 2 OPNsense instances in HA.
It seems to work fairly well. When I shut down the primary, the standby takes over.

So I have
WAN on igb0
LAN on igb1

I also have about 8 VLANs with the parent being igb1.
I have set up a VIP for the WAN and also for the LAN.

But I didn't set any VIP for the VLANs.

Is this correct? I'm seeing these warnings in the log
arp: <mac addr> is using my IP address 10.x.x.1 on vlan05!

But the HA seems to work; I was just wondering if this could be a problem when a device connects to the VLAN.

thanks,

If you want failover you must use a VIP. Both firewalls need a different fixed IP address on the VLAN and the CARP VIP switches from master to backup if necessary.

Also you should not use an interface with untagged IP configuration as the parent for VLANs. Tagged only or untagged only.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
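
The layout rules from the reply above (a distinct fixed IP per firewall on every interface, a CARP VIP wherever failover is wanted, and parent NICs that are tagged-only or untagged-only) can be checked mechanically. This is an added example, not part of the original thread and not OPNsense code; the inventory layout, the `audit` function and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory (hypothetical layout, not OPNsense's config format):
# interface name -> (parent NIC, VLAN tag or None if untagged, fixed address).
PRIMARY = {
    "lan":    ("igb1", None, "192.0.2.2/24"),
    "vlan05": ("igb1", 5,    "198.51.100.1/24"),
    "vlan06": ("igb1", 6,    "203.0.113.2/24"),
}
BACKUP = {
    "lan":    ("igb1", None, "192.0.2.3/24"),
    "vlan05": ("igb1", 5,    "198.51.100.1/24"),  # same address as the primary
    "vlan06": ("igb1", 6,    "203.0.113.3/24"),
}
CARP_VIPS = {"lan": "192.0.2.1", "vlan06": "203.0.113.1"}  # interface -> VIP


def audit(primary, backup, vips):
    """Return (name, problem) tuples for the HA layout rules from the reply."""
    findings = []
    for name, (_parent, _tag, cidr) in sorted(primary.items()):
        if name not in backup:
            findings.append((name, "interface missing on backup"))
            continue
        p_if = ipaddress.ip_interface(cidr)
        b_if = ipaddress.ip_interface(backup[name][2])
        if p_if.ip == b_if.ip:
            findings.append((name, "same fixed IP on both nodes"))
        if name not in vips:
            findings.append((name, "no CARP VIP, so no failover"))
            continue
        vip = ipaddress.ip_address(vips[name])
        if vip not in p_if.network:
            findings.append((name, "VIP outside interface subnet"))
        elif vip in (p_if.ip, b_if.ip):
            findings.append((name, "VIP collides with a node's fixed IP"))
    # A parent NIC should be tagged-only or untagged-only, never both.
    for node in (primary, backup):
        tagged = {p for p, tag, _ in node.values() if tag is not None}
        untagged = {p for p, tag, _ in node.values() if tag is None}
        for parent in sorted(tagged & untagged):
            item = (parent, "parent has untagged IP and tagged VLANs")
            if item not in findings:
                findings.append(item)
    return findings


if __name__ == "__main__":
    for name, problem in audit(PRIMARY, BACKUP, CARP_VIPS):
        print(f"{name}: {problem}")
```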

Thanks for the great info Patrick, I will configure my VIPs for my VLANs accordingly and do some testing.

As for having an interface with untagged IP as the parent, would it create problems on the network?
So that means I should be using an extra interface, like igb2, as the parent for all my VLANs, and this one would only be tagged?

thanks,

I'd recommend doing that. Or get rid of that untagged interface entirely and run all interfaces tagged.

If your switch insists on having a "native VLAN" or "PVID" on the trunk port, set it to something unused like 99 or 999.