pfSense English Support > CARP/VIPs

Getting pfSense to fail over with a bridge using the CD-ROM platform


eblevins:
This is how I set up a failover bridge.
I've read you can set up spanning tree to do this too, but I wanted something I know would always work since I have had issues with STP in the past.
I hope this helps someone else who really wants a failover bridge.
For the record I am using 1.2BETA1 live CD, 1.0.1 did not seem to work correctly with the necessary cron entries.

I configured a standard bridge.
Then I configured a third interface (OPT1) to manage the firewall.
I set up CARP with the following settings:
Synchronize Enabled
sync interface = management interface
Synchronize rules
Synchronize Firewall Schedules
Synchronize aliases
Synchronize Virtual IPs
And obviously set up the Sync to IP and password.

Next I created a virtual IP address on the management interface so CARP has something to work with.
This IP is not used for anything except to create a carp0 interface.

Then I created a scripts folder on the floppy disk
In the scripts folder I created a file named brstat.sh

brstat.sh:
#!/bin/sh
# Ask CARP whether this box is BACKUP for carp0: the BACKUP node takes its
# bridge down, any other node (i.e. the MASTER) brings it up.
if ifconfig carp0 | grep BACKUP >/dev/null 2>&1 ; then
        /sbin/ifconfig bridge0 down
else
        /sbin/ifconfig bridge0 up
fi

Then I manually edited the config.xml file.

In <system> I added:
<shellcmd>cp -R /tmp/mnt/cf/scripts /tmp;chmod +x /tmp/scripts/*;/sbin/ifconfig bridge0 down</shellcmd>

This copies the script(s) from the floppy to the /tmp disk and makes them executable.
It also shuts down the bridge on bootup.

In the <cron> section I added:
<item>
    <minute>*/1</minute>
    <hour>*</hour>
    <mday>*</mday>
    <month>*</month>
    <wday>*</wday>
    <who>root</who>
    <command>/tmp/scripts/brstat.sh</command>
</item>

How it works:
The server that is the MASTER according to CARP will have its bridge0 interface brought up via the brstat.sh script run from cron.
The server(s) that are not the MASTER will have the bridge interface taken down via the brstat.sh script.
Failover usually takes 30-120 seconds.


It seems to work really well for me using managed and unmanaged switches on both sides of the bridge.


Enjoy!
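A fail-closed variant of the same idea, added here as an example (this is not eblevins's script or anything shipped with pfSense). It keeps the decision logic in functions that read ifconfig output from stdin, so the logic can be checked against constructed output without touching interfaces. Two things differ from the posted script: only an explicit MASTER state brings bridge0 up, so INIT, a missing carp0 interface or unparseable output all keep the bridge down rather than risking two live bridges; and state transitions are written to the system log with logger(1) so a failover or a flapping CARP state is visible afterwards. The assumed `carp: MASTER vhid 1 ...` line format and the `/tmp/brstat.last` state file are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not the brstat.sh posted in this thread.
# Assumptions: FreeBSD ifconfig prints a "carp: MASTER ..." / "carp: BACKUP ..."
# / "carp: INIT ..." line for carp0, and /tmp/brstat.last is free to use as a
# state file (hypothetical path).

# carp_state: read ifconfig output on stdin and print MASTER, BACKUP, INIT or
# UNKNOWN.  Empty output (carp0 missing, ifconfig failed) yields UNKNOWN.
carp_state() {
    out=$(cat)
    case "$out" in
        *MASTER*) echo MASTER ;;
        *BACKUP*) echo BACKUP ;;
        *INIT*)   echo INIT ;;
        *)        echo UNKNOWN ;;
    esac
}

# bridge_action: map a CARP state to the bridge0 action.  Only MASTER gets "up";
# every other state fails closed to "down" so a misread never produces a loop
# from two active bridges.
bridge_action() {
    case "$1" in
        MASTER) echo up ;;
        *)      echo down ;;
    esac
}

# apply: query carp0, enforce the matching bridge0 state, log only on change.
apply() {
    state=$(/sbin/ifconfig carp0 2>/dev/null | carp_state)
    action=$(bridge_action "$state")
    statefile=/tmp/brstat.last
    last=$(cat "$statefile" 2>/dev/null || echo none)
    if [ "$action" != "$last" ]; then
        logger -t brstat "carp0 state $state: bringing bridge0 $action"
        echo "$action" > "$statefile"
    fi
    # Enforce on every run, like the original script, so a manual change is
    # corrected within one cron interval.
    /sbin/ifconfig bridge0 "$action"
}

# Interfaces are only touched when invoked as "brstat.sh apply"; sourcing the
# file merely defines the functions.
case "${1:-}" in
    apply) apply ;;
esac
```

With this layout the cron entry becomes `/tmp/scripts/brstat.sh apply`, and `grep brstat /var/log/system.log` shows when and why the bridge last changed state, which is the first thing to look at if both nodes ever claim MASTER.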

cmb:
Very interesting! 

I'd be very leery of running this though if you don't have STP on your switches (if they're unmanaged, or it's disabled). This will likely create a temporary L2 loop upon failover, unless the entire system or one of the bridged interfaces fails. It also has the potential, if for some reason the bridges wouldn't be brought up/down properly, of creating a permanent L2 loop. For those that have never experienced an L2 loop, it means your network is going to completely stop working.

STP (on switches) would be much better than something of this nature, assuming the switch you're using isn't buggy. But it can be a real pain to properly configure STP if you're not very familiar with its intricacies and best practices, which can vary from one switch vendor to another. If not done right, it can cause all kinds of problems.

eblevins:
I agree that STP would be best if you have a managed switch.
Configured properly, having both bridges active at the same time should not be an issue.
However, I have also seen STP not work so well on some switches, so I feel more comfortable having this solution to ensure that only one bridge is active at a time.

It should be noted that this solution is not perfect.
If something goes wrong with CARP and both systems think they are the master you will end up with a loop and the bridge will quit working.

Matts:

--- Quote from: eblevins on May 26, 2007, 01:49:40 am ---It should be noted that this solution is not perfect.
If something goes wrong with CARP and both systems think they are the master you will end up with a loop and the bridge will quit working.

--- End quote ---

But don't you have this problem too when you use normal failover on pfSense non-bridge firewalls?

It should be equally buggy in that case.

Maybe we can work on a second check or something like it?

When you have a disk installation, is it just a matter of changing that shellcmd line?

Other question: why do you use the management interface as the sync interface and not a separate one? Just ran out of NICs?

Can you please describe what you have done on what system? OK, the CARP settings are known I think for everyone when reading the docs, but more about the scripts and the changes to the files.

For the rest, the solution seems to be very nice, thanks!

Matts:
Does really no one use this solution?
