
Author Topic: possible to CARP between SG-4860 and a VM ?  (Read 146 times)


warmadmax
possible to CARP between SG-4860 and a VM ?
« on: August 11, 2017, 05:56:55 am »
Hi everyone,

Is it possible to use CARP between a pfSense appliance and a Community Edition VM install?

Or do the installs have to be identical to work correctly?

Any big gotchas I'd run into if it is possible?


Cheers

jimp
Re: possible to CARP between SG-4860 and a VM ?
« Reply #1 on: August 11, 2017, 08:17:34 am »
While it is possible, it isn't ideal.

In order for pfsync to synchronize states correctly, the physical interface names have to match. You can use HA/CARP without pfsync; in most cases people wouldn't notice it much, since things will normally reconnect without much fuss. Ongoing connections would be interrupted, web browsers might take a few moments to recover as they discover they have to make new connections, etc. Depending on what your environment is, those could be either minor irritations or major concerns.

You can sort of work around that by using LAGG and VLANs to abstract the interface names and fool pfSense. It's kind of ugly, but it works around that.

Otherwise, so long as you have the same number of interfaces configured and they are assigned in the same order, other parts would be fine. You will need to make sure your hypervisor and vswitch are configured appropriately to allow CARP to function. Check the wiki for that info.
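Added example, not part of jimp's reply and not pfSense tooling: a pre-deployment check that compares the interface assignments of two HA nodes for the conditions named in the reply above (same interface count, same assignment order, matching physical names). It assumes the `<interfaces>` section of a pfSense `config.xml` holds one child per assignment with the physical name in `<if>`; the `sample()` helper and all interface names are constructed.

```python
import xml.etree.ElementTree as ET

SLOTS = ["wan", "lan", "opt1", "opt2"]  # assignment names used by the samples


def sample(*ifs):
    """Build a constructed, minimal config.xml with the given physical names."""
    body = "".join(f"<{n}><if>{i}</if></{n}>" for n, i in zip(SLOTS, ifs))
    return f"<pfsense><interfaces>{body}</interfaces></pfsense>"


def assignments(config_xml):
    """Return [(assignment name, physical interface)] in config order."""
    section = ET.fromstring(config_xml).find("interfaces")
    if section is None:
        raise ValueError("no <interfaces> section found")
    return [(n.tag, (n.findtext("if") or "").strip()) for n in section]


def compare_nodes(primary_xml, secondary_xml):
    """List the differences between two nodes that matter for HA with pfsync."""
    a, b = assignments(primary_xml), assignments(secondary_xml)
    findings = []
    if len(a) != len(b):
        findings.append(f"interface count differs: {len(a)} vs {len(b)}")
    for slot, ((name_a, if_a), (name_b, if_b)) in enumerate(zip(a, b)):
        if name_a != name_b:
            findings.append(f"slot {slot}: order differs: {name_a} vs {name_b}")
        elif if_a != if_b:
            findings.append(
                f"{name_a}: physical name differs: {if_a} vs {if_b} "
                "(pfsync state sync affected)"
            )
    return findings


if __name__ == "__main__":
    # Constructed case 1: hardware NIC names vs. virtual NIC names.
    for line in compare_nodes(sample("igb0", "igb1", "igb2"),
                              sample("vmx0", "vmx1", "vmx2")):
        print("MISMATCH", line)
    # Constructed case 2: both nodes assigned to VLANs on a LAGG.
    lagg = sample("lagg0.10", "lagg0.20", "lagg0.30")
    print("LAGG/VLAN findings:", compare_nodes(lagg, lagg))
```
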

warmadmax
Re: possible to CARP between SG-4860 and a VM ?
« Reply #2 on: August 11, 2017, 08:59:32 am »
Sounds like a can of worms I don't really want to be opening on myself!

It's a single site with remote VPN users; long as the SG-4860's rock solid, we should be fine.



Cheers JimP