I am pretty sure I had a similar conversation about these CARP limitations on 1.2.3 in '09. At the time FreeBSD 8 was coming with pfSense 2, so Chris B. said this would have to be reviewed for the new release. I have not dug into the CARP change logs for FreeBSD 8 yet to verify it somehow didn't get the updates. Is it possible this got overlooked for the pfSense 2.x code base? As far as I know this was functional around 2006/2007 in OpenBSD, as we had this same configuration implemented on 4.2 (and I think back to 3.9/4.0); I just don't have retention back that far to confirm the configurations.
Thanks,
Trevor Benson, Network Engineer
A1 Networks
Voice: 707-703-1041
For support issues please email [email protected] or call 707-703-1050

On Nov 14, 2012, at 4:09 AM, Oliver Schad <[email protected]> wrote:

> Hi,
>
> pfsense enforces carp constraints which restrict usage of carp to a use
> case where the host IP must be in the same network as the virtual IP.
>
> If I look into the BSD documentation I don't find this restriction. I
> read in the OpenBSD documentation (sorry for that, but I don't find it
> in the FreeBSD docs):
>
> "This is the shared IP address assigned to the redundancy group. This
> address does not have to be in the same subnet as the IP address on the
> physical interface (if present). This address needs to be the same on
> all hosts in the group, however."
>
> Do you agree with this documentation on FreeBSD? If so I wish strongly
> to remove the restriction in the pfSense software.
>
> We have a use case here, where we want to build up an HA solution with
> some /29 IPv4 networks. If you assume that you get many public /29
> networks you don't want to assign for each pfSense an address from all
> networks.
>
> Assume all addresses are in use with 1:1 NAT - you see the problem here?
> I have to change many, many things here to make it work with a
> pfsense HA cluster. Not everywhere is DNS used, find all clients which
> use this IP and port, make change requests to other companies ...
>
> The easiest way to migrate would be to make the "old" public IP the
> virtual IP and give the devices one public IP from only one subnet or
> give them no public host IP at all. In the second case the backup
> device wouldn't have a working default route but that would be okay in
> this case.
>
> Changing the setup is much more expensive, so no default route is the
> better case.
>
> Regards
> Oli
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
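The constraint the thread argues about is easy to state precisely: for each CARP virtual IP, pfSense requires that the physical interface already carry an address inside the VIP's subnet. The script below is an added example, not code from pfSense or from either poster; it models that rule with Python's standard ipaddress module and counts how many extra per-firewall host addresses the rule forces when several /29 networks are served only through VIPs. All addresses are constructed sample values from the RFC 5737 documentation ranges, not the addresses from the thread.

```python
import ipaddress

# Constructed sample topology (not the thread's real addresses): two
# firewalls share a /30 transit subnet, and two customer /29 networks are
# supposed to live only on CARP virtual IPs (for 1:1 NAT), exactly the
# migration case Oliver describes.
HOST_ADDRESSES = {
    "fw1": ["198.51.100.2/30"],
    "fw2": ["198.51.100.3/30"],
}
CARP_VIPS = ["198.51.100.1/30", "203.0.113.1/29", "203.0.113.9/29"]


def host_address_in_vip_subnet(vip: str, host_addrs) -> bool:
    """The pfSense-style rule under discussion: some address on the physical
    interface must fall inside the VIP's subnet."""
    vip_net = ipaddress.ip_interface(vip).network
    return any(ipaddress.ip_interface(a).ip in vip_net for a in host_addrs)


def check_constraint(host_addresses, vips):
    """Return {firewall: {vip: allowed}} under the same-subnet rule."""
    return {
        host: {vip: host_address_in_vip_subnet(vip, addrs) for vip in vips}
        for host, addrs in host_addresses.items()
    }


def extra_addresses_needed(host_addresses, vips):
    """Per firewall, the VIP subnets that would each need a dedicated host
    address purely to satisfy the rule. This is the cost the thread
    complains about: one burned address per firewall per /29."""
    needed = {}
    for host, addrs in host_addresses.items():
        needed[host] = sorted(
            {str(ipaddress.ip_interface(v).network) for v in vips
             if not host_address_in_vip_subnet(v, addrs)}
        )
    return needed


if __name__ == "__main__":
    for host, results in check_constraint(HOST_ADDRESSES, CARP_VIPS).items():
        for vip, ok in results.items():
            print(f"{host}: VIP {vip} {'allowed' if ok else 'REJECTED by same-subnet rule'}")
    for host, subnets in extra_addresses_needed(HOST_ADDRESSES, CARP_VIPS).items():
        print(f"{host} would need {len(subnets)} extra host address(es): {subnets}")
```

With the sample data only the transit-subnet VIP passes; each /29 VIP is rejected on both firewalls, so the rule costs two addresses per /29 (a quarter of each block's usable space) before a single customer host is served.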
