On 03/22/2017 02:16 PM, hamid ashraf wrote:
> I have 2 pfSense firewalls, version 2.3.3-p1; one is the master and the second is the backup.
> CARP is configured between both firewalls for IPv4, and all the configurations
> are successfully syncing. When I configured DHCPv6 on the master firewall,
> that configuration didn't replicate to the backup one, and everything works
> perfectly from outside to inside and vice versa on the master. When the firewall
> fails over, IPv6 connectivity is gone. My questions:
> 
> 1. Does pfSense not support IPv6 failover?

No, because the ISC DHCP daemon for IPv6 does not have any concept of
failover baked in at this time. And last I heard, they are holding out
waiting for an IPv6 DHCP failover standard to be written. There are a
couple of drafts floating around but last I saw, none have yet moved beyond
that stage.

> 2. Does pfSense not support DHCPv6 failover, as I observed that nothing
> related to DHCPv6 has been synced to the backup firewall?

It could, but it doesn't, because of the above limitation. You have to
manually configure a different range on both boxes, or use only SLAAC
for automatic assignment. You could configure the same pool on both
units but since the two units cannot share lease information, you end up
relying on IPv6 DAD to prevent conflicts.

Since the potential IPv6 address pool for a subnet is huge (/64), using
a separate range on each unit shouldn't be a problem. But it does mean
you have to configure them manually.

> 3. Please suggest a design to get IPv6 and IPv4 working together in failover with
> DHCPv6 synced between them, and if the firewall fails over it should be seamless.

You have to set up each node manually for DHCPv6 but it works fine this way:

Primary:
* DHCPv6 enabled
** DHCPv6 set for a given range (say...
xxxx:xxxx:xxxx:xxx0::1:0000-xxxx:xxxx:xxxx:xxx0::1:FFFF)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP. Binding to the CARP VIP
interface ensures that radvd only runs on the node which is master.
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Secondary:
* DHCPv6 enabled
** DHCPv6 set for DIFFERENT range (say...
xxxx:xxxx:xxxx:xxx0::2:0000-xxxx:xxxx:xxxx:xxx0::2:FFFF)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Then repeat that for each local interface (e.g. DMZ, guest network, etc.)

It may seem clunkier than its IPv4 sibling but they both transition at
nearly the same rate.

As an alternative, you could bind the RA daemon to the LAN directly and
set the primary to high, secondary to normal or low. That way nodes
would always know about both gateways and they would decide which one to
use automatically.

Jim P
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
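The two-node DHCPv6 layout in the reply above, as an added example that is not part of the original thread and not pfSense's own code: it derives one DHCPv6 pool per node from a LAN /64 (node N gets prefix::N:0 through prefix::N:FFFF, the pattern the reply uses) and then checks that every pool sits inside the prefix and that no two pools overlap. Since the two nodes do not share lease state, an overlap would leave conflict avoidance entirely to IPv6 DAD, so this is the check worth running before typing the ranges into both boxes. The prefix 2001:db8:0:10::/64 is a constructed documentation prefix, and the function names are my own.

```python
import ipaddress
from itertools import combinations

# Size of one node's pool: prefix::N:0 through prefix::N:FFFF is 65536 addresses.
POOL_SIZE = 0x10000


def derive_node_pools(prefix, node_ids=(1, 2)):
    """Return {node_name: (start, end)} with one pool per node inside a /64.

    Node N is given prefix::N:0 - prefix::N:FFFF, i.e. the 7th hextet carries
    the node number and the 8th hextet spans the pool. node_ids=(1, 2) yields
    the primary/secondary pools shown in the reply.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 LAN prefix, got %s" % net)
    pools = {}
    for n in node_ids:
        start = net.network_address + (n * POOL_SIZE)
        end = start + (POOL_SIZE - 1)
        pools["node%d" % n] = (start, end)
    return pools


def check_failover_pools(prefix, pools):
    """Validate hand-configured pools for a non-synced DHCPv6 pair.

    pools maps a node name to a (start, end) pair of addresses (strings or
    IPv6Address objects). Returns a list of human-readable problems; an
    empty list means the ranges are ordered, inside the prefix and disjoint.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    problems = []
    parsed = {}
    for name, (start, end) in pools.items():
        s = ipaddress.IPv6Address(str(start))
        e = ipaddress.IPv6Address(str(end))
        if s > e:
            problems.append("%s: start %s is after end %s" % (name, s, e))
            continue
        if s not in net or e not in net:
            problems.append("%s: range %s-%s is not inside %s" % (name, s, e, net))
        parsed[name] = (s, e)
    # Full pairwise check: with only a handful of nodes this is cheap and,
    # unlike a sorted adjacent-pair scan, it reports every overlapping pair.
    for (n1, (s1, e1)), (n2, (s2, e2)) in combinations(sorted(parsed.items()), 2):
        if s1 <= e2 and s2 <= e1:
            problems.append(
                "%s and %s overlap: leases are not shared between nodes, so "
                "conflicts here would be left to DAD" % (n1, n2)
            )
    return problems


if __name__ == "__main__":
    # Constructed documentation prefix standing in for the real LAN /64.
    lan = "2001:db8:0:10::/64"
    pools = derive_node_pools(lan)
    for node, (start, end) in pools.items():
        print("%s DHCPv6 range: %s - %s" % (node, start, end))
    print("problems:", check_failover_pools(lan, pools) or "none")

    # A mistyped secondary range that reaches back into the primary's pool.
    bad = {
        "primary": ("2001:db8:0:10::1:0", "2001:db8:0:10::1:ffff"),
        "secondary": ("2001:db8:0:10::1:8000", "2001:db8:0:10::2:ffff"),
    }
    for problem in check_failover_pools(lan, bad):
        print("problem:", problem)
```

Run the script once per local interface (LAN, DMZ, guest) with that interface's /64 and the two ranges you intend to enter on the primary and secondary; the derived values are exactly the strings to paste into each node's DHCPv6 range fields.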