Clarification on a few HA/CARP settings

Started by bx2, July 14, 2025, 07:30:10 PM

Hello everyone,

I was looking to get some clarification on OPNsense HA/CARP settings as I've got two units I'm building for a remote office.

Connectivity from this remote office will be via IPsec VPN back to HQ. No local DHCP will be used. DHCP will be provided by my AD DHCP servers for the time being.

1) "Always create Carp VIPs with the same subnet mask as its parent interface. If the parent interface is /24, your Carp VIP should also be /24. Even though some sources claim that /32 will work, services like DHCP Failover will fail with peer holds all free leases."
https://docs.opnsense.org/manual/how-tos/carp.html#adding-multiple-carp-ips

My Core VLAN is a /28 and I assign .1 and .2 to be my OPNsense devices. .3 will be my Core VLAN Virtual IP.

The rest of my VLANs at this location are /24. So with the above documentation stating to use the same CARP Subnet Mask as the parent interface (Core VLAN = /28), is this a real issue if I have CARP IPs set for the rest of my VLANs as /24?


2) "When designing a high-availability CARP setup, the underlying switch infrastructure plays a critical role in ensuring proper failover and performance. Both firewall nodes should ideally reside in the same Layer 2 broadcast domain and preferably within a unified switching fabric."

I just wanted to confirm this. My two OPNsense firewalls will reside on VLAN 1100 (CORE VLAN) while my switch IP is part of my VLAN 32 (MGMT VLAN). The Default Gateway for VLAN 32 is the CARP IP of VLAN 32 (10.103.32.3) and the ports from the switch to each OPNsense FW are tagged with the required VLANs.

This should be fine, just want to clarify this as my broadcast domain for VLAN 1100 (Core VLAN) will have both OPNsense firewalls part of it.



3) I'm not clear on the impact on both firewalls and connectivity if one VLAN/interface doesn't have a rule to allow CARP packets.
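As an added example (not part of bx2's post and not OPNsense code), the following Python script applies the rule quoted in point 1 per interface: each CARP VIP is compared against the address of its own parent interface, so a /28 Core VLAN and /24 VLANs are each checked on their own terms. It also flags any interface carrying a VIP that has no pass rule for CARP traffic, which on the wire is IP protocol 112 sent to the multicast group 224.0.0.18 (the situation asked about in point 3). The interface names, all addresses other than 10.103.32.3/24, and the tuple representation of firewall rules are constructed assumptions for illustration; on a real box the values would come from config.xml rather than from literals.

```python
"""Audit CARP VIPs against their parent interfaces and the CARP pass rules.

Added example, not from the forum post or from OPNsense. The sample data
below is constructed; only 10.103.32.3/24 appears in the original post.
"""
from __future__ import annotations

import ipaddress

# CARP advertisements are IP protocol 112 addressed to the VRRP/CARP
# multicast group 224.0.0.18.
CARP_PROTO = 112
CARP_MCAST = ipaddress.ip_address("224.0.0.18")

# Constructed per-interface config for one node: real interface address
# and the CARP VIP configured on it. USERS_40 deliberately uses a /32 VIP
# to show what the check reports.
NODE = {
    "CORE_1100": {"addr": "10.103.100.1/28", "vip": "10.103.100.3/28"},
    "MGMT_32":   {"addr": "10.103.32.1/24",  "vip": "10.103.32.3/24"},
    "USERS_40":  {"addr": "10.103.40.1/24",  "vip": "10.103.40.3/32"},
}

# Constructed, simplified stand-in for pass rules: (interface, protocol, dst).
# USERS_40 intentionally has no CARP rule.
RULES = [
    ("CORE_1100", 112, "224.0.0.18"),
    ("MGMT_32",   112, "224.0.0.18"),
]


def check_vip(addr: str, vip: str) -> list[str]:
    """Compare one CARP VIP with its parent interface; return a list of problems."""
    parent = ipaddress.ip_interface(addr)
    carp = ipaddress.ip_interface(vip)
    problems: list[str] = []
    if carp.network.prefixlen != parent.network.prefixlen:
        problems.append(
            f"mask mismatch: VIP /{carp.network.prefixlen} "
            f"vs parent /{parent.network.prefixlen}"
        )
    if carp.ip not in parent.network:
        problems.append(f"VIP {carp.ip} is outside parent subnet {parent.network}")
    if carp.ip == parent.ip:
        problems.append("VIP equals the parent interface address")
    return problems


def has_carp_rule(rules: list[tuple[str, int, str]], ifname: str) -> bool:
    """True if a pass rule for proto 112 to 224.0.0.18 exists on this interface."""
    return any(
        i == ifname and proto == CARP_PROTO and ipaddress.ip_address(dst) == CARP_MCAST
        for i, proto, dst in rules
    )


def audit(node: dict, rules: list[tuple[str, int, str]]) -> dict[str, list[str]]:
    """Return {interface: [problems]} for every interface with at least one finding."""
    report: dict[str, list[str]] = {}
    for ifname, cfg in node.items():
        problems = check_vip(cfg["addr"], cfg["vip"])
        if not has_carp_rule(rules, ifname):
            problems.append("no pass rule for CARP (proto 112 to 224.0.0.18)")
        if problems:
            report[ifname] = problems
    return report


if __name__ == "__main__":
    findings = audit(NODE, RULES)
    if not findings:
        print("all CARP VIPs match their parent interfaces and have CARP rules")
    for ifname, problems in findings.items():
        for p in problems:
            print(f"{ifname}: {p}")
```

Run against the constructed data, only USERS_40 is reported: its VIP is a /32 on a /24 parent, and it has no CARP pass rule. CORE_1100 (/28) and MGMT_32 (/24) are both clean, because the comparison is always between a VIP and its own parent interface, never across VLANs.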