Failover with CARP in PF: Part Two

In the previous article, I briefly discussed the advantages of using CARP with PF, as well as the difference between CARP and other protocols commonly used for redundancy. In this article, I will outline a hypothetical CARP implementation involving two redundant firewalls.

Keep in mind CARP addresses are virtual addresses. Unless you always have console access to all machines in your CARP group, you will almost always want to assign an IP address to the physical interfaces in order to be able to communicate with the host and be absolutely sure with which machine you are interacting. The convention is for the IP addresses assigned to the physical interface to belong to the same subnet as the virtual, shared IP address. In fact, the kernel will by default try to assign the CARP address to a physical interface that is already configured with an address in the same subnet as the CARP address. You can override this by specifying a different interface in the carpdev option in the ifconfig command string you use to set up the CARP interface.

A Hypothetical Two-Firewall CARP Setup

In this example, fw0 and fw1 will be the two firewalls. fw0 will be the master and will be used exclusively as long as it is up and running properly. fw1 is to be used only if fw0 goes down. They update and exchange state information over the CARP interface, if2. Both firewalls have a physical external WAN interface (if0), an internal LAN interface (if1), and two virtual interfaces for CARP: carp0, bound to if0, and carp1, bound to if1. Here is a brief overview of the network interfaces:

  • if0 is the external internet interface, and will only be sending CARPv2 broadcast packets to the other CARP firewalls. It will not be accepting any connections for any services.
  • if1 is the internal LAN interface. This will be used to broadcast CARPv2 packets to the other firewalls on the internal LAN.
  • if2 is the CARP synchronization interface. It is used to transfer state information from the master (fw0) firewall to the backup (fw1) firewall. The link between the two interfaces can be a crossover cable or a secured switch. If you only have two firewalls and they are close to each other, a crossover cable is a good idea. As I noted in the previous article, keeping the CARP sync traffic on its own network is also a good idea, so no one can snoop on it.
  • carp0 is the external virtual CARP interface which will be bound to the physical network interface if0. It will be the public IP that will be moved from the master to the backup when the firewalls fail over. The carp0 IP in this example will be This is the IP that will be answering any public services the network hosts.
  • carp1 is the internal CARP interface which will be bound to the physical network interface if1. It will be the internal IP that is moved from the master to the backup when the firewalls fail over. The carp1 IP address in this example will be
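To make the layout above concrete, here is an added example (my own, not configuration from the article or from any OpenBSD project file) that prints the OpenBSD hostname.if(5) contents for fw0 and fw1, plus the pf.conf rules that let CARP advertisements and state synchronization through. It also encodes the convention from the opening paragraph: before emitting a CARP interface, it checks that the physical interface named in carpdev has an address in the same subnet as the shared CARP address. The interface names if0/if1/if2 follow the article's naming rather than real driver names, the addresses, vhids and password are constructed placeholders, and the assumption that the state sync over if2 is pfsync(4) is mine.

```shell
#!/bin/sh
# Added example (not from the article): builds hostname.if(5) files for the
# hypothetical fw0/fw1 pair and checks that each CARP address shares a subnet
# with the physical interface it is bound to (carpdev).
# All addresses, vhids and the password are constructed placeholders;
# if0/if1/if2 stand in for real driver names (e.g. em0), as in the article.

# ip_to_int ADDR: dotted quad -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet ADDR1 ADDR2 PREFIXLEN: succeeds when both lie in the same /PREFIXLEN
same_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# carp_line CARPADDR NETMASK VHID PASS CARPDEV ADVSKEW
# One line of /etc/hostname.carpN. advskew 0 marks the preferred master; the
# backup uses a higher advskew so it only wins the election when the master
# stops advertising. "carpdev" pins the CARP address to a chosen interface
# instead of letting the kernel pick one by subnet.
carp_line() {
    printf 'inet %s %s NONE vhid %s pass %s carpdev %s advskew %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# pf_rules: pf.conf fragment allowing CARP on the WAN/LAN sides and pfsync on
# the dedicated sync link (assumed to be what the article's if2 carries).
pf_rules() {
    echo "pass on { if0 if1 } proto carp"
    echo "pass quick on if2 proto pfsync"
}

# fw_config HOST ADVSKEW: prints the hostname.* contents for one firewall.
# Physical addresses differ per host; the CARP addresses are shared.
fw_config() {
    host=$1; skew=$2
    case $host in
        fw0) ext_phys=192.0.2.11; int_phys=10.0.0.11; sync_phys=172.16.1.1 ;;
        fw1) ext_phys=192.0.2.12; int_phys=10.0.0.12; sync_phys=172.16.1.2 ;;
        *)   echo "unknown host $host" >&2; return 1 ;;
    esac
    ext_carp=192.0.2.10; int_carp=10.0.0.1   # constructed shared addresses

    # Enforce the same-subnet convention before emitting anything.
    same_subnet "$ext_phys" "$ext_carp" 24 || { echo "if0/carp0 subnet mismatch" >&2; return 1; }
    same_subnet "$int_phys" "$int_carp" 24 || { echo "if1/carp1 subnet mismatch" >&2; return 1; }

    echo "# /etc/hostname.if0";    echo "inet $ext_phys 255.255.255.0 NONE"
    echo "# /etc/hostname.if1";    echo "inet $int_phys 255.255.255.0 NONE"
    echo "# /etc/hostname.if2";    echo "inet $sync_phys 255.255.255.252 NONE"
    echo "# /etc/hostname.carp0";  carp_line "$ext_carp" 255.255.255.0 1 examplepass if0 "$skew"
    echo "# /etc/hostname.carp1";  carp_line "$int_carp" 255.255.255.0 2 examplepass if1 "$skew"
    echo "# /etc/hostname.pfsync0"; echo "up syncdev if2"
    echo "# pf.conf additions";    pf_rules
}

# Usage: fw_config fw0 0 ; fw_config fw1 100
```

Running `fw_config fw0 0` and `fw_config fw1 100` shows the only differences between the two hosts: the physical addresses and the advskew. Everything bound to carp0/carp1 is identical, which is what lets the shared addresses move between machines on failover.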

This covers our outline of the hypothetical network. In the next part, I will cover configuration of our CARP firewall pool.

External Links:

Common Address Redundancy Protocol at Wikipedia

CARP Pf Firewall Failover at


© 2013 David Zientara. All rights reserved.