Hi all
I was working on a redundant firewall for the LAN (the VMware server it was running on crashed at 1am, and it took nearly 15 hours to get it back online), and one of the prerequisites was that it had to get its address from DHCP. The LAN gets a link back to the local university by means of a pair of Ubiquiti AirGrid antennas, and the computer the stuff runs on has the IP address that DHCP gives out, NATting that address to the firewall VM (which runs pfSense). All well and good... until the hard drive fails.
I felt this would be an excellent application for CARP and set out to create a couple of VMs to test my theories. pfSense, being based on FreeBSD, has CARP support, so theoretically you could enable it on both nodes and set it to get its address from DHCP. Unfortunately, it seems that you can't simply throw "dhcp" into the hostname.carp0 file and hope for the best; life, it seems, is not that kind, and you wind up with a CARP interface stuck in the INIT state.
So what you need to do is give the CARP interface a temporary static IP, then run dhclient on it from rc.local to pick up the real address. Whatever you do, DO NOT USE 0.0.0.0: it results in a default route to 0.0.0.0 that blocks any and all traffic. I'm not kidding. The placeholder doesn't even need to be on the same network (I use 1.0.0.1), as long as DHCP comes in after the fact and overrides it. One caveat for anyone copying this today: 1.0.0.1 is now a publicly routed address (Cloudflare's 1.0.0.1 resolver), so a placeholder from a reserved range such as RFC 5737's 192.0.2.0/24 is the safer pick.
I now have a DHCP-enabled CARP interface that stays up when one router bites the dust. Nice.
Here are the config files I used:
/etc/hostname.carp0:
inet 1.0.0.1 255.255.255.255 NONE vhid 1 pass floppagoppagoo carpdev em0 description "Uplink cluster"
/etc/hostname.carp1:
inet 10.10.10.1 255.255.255.0 10.10.10.255 vhid 2 pass floppagoppagay carpdev em1 description "LAN cluster"
/etc/hostname.em0:
up description "Uplink interface"
/etc/hostname.em1:
up description "LAN interface"
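The rc.local half of the trick is not shown above, so here is an added example (not the original post's script) that waits for the CARP interface to leave INIT and become MASTER before asking dhclient for the real uplink address. It assumes the interface is carp0 and that ifconfig(8) prints a "carp: MASTER ..." line the way OpenBSD's does (the hostname.if(5) files above are OpenBSD's format; FreeBSD and pfSense keep the same vhid/pass settings in rc.conf or the GUI instead); the sample ifconfig output used by the self-test is constructed, not captured from the author's box.

```sh
#!/bin/sh
# Added example, not from the original post: an rc.local fragment that waits
# for the CARP uplink interface to become MASTER, then runs dhclient on it so
# the DHCP lease replaces the placeholder address from /etc/hostname.carp0.

CARP_IF="${CARP_IF:-carp0}"   # assumption: the uplink CARP interface is carp0
TRIES="${TRIES:-60}"          # 1-second polls before giving up

# Constructed ifconfig output (not real capture) used by selftest below.
SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 1.0.0.1 netmask 0xffffffff'
SAMPLE_INIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: INIT carpdev em0 vhid 1 advbase 1 advskew 0
        inet 1.0.0.1 netmask 0xffffffff'

# Print the CARP state (INIT, BACKUP or MASTER) found in ifconfig output on stdin.
# "carp0:" on the first line does not match because the pattern needs "carp: ".
carp_state() {
    sed -n 's/.*carp: \([A-Z]*\).*/\1/p' | head -n 1
}

# Succeed only when the ifconfig output on stdin reports MASTER.
is_master() {
    [ "$(carp_state)" = "MASTER" ]
}

# Poll ifconfig until MASTER, or fail after TRIES polls.
wait_for_master() {
    n=0
    while [ "$n" -lt "$TRIES" ]; do
        if ifconfig "$CARP_IF" | is_master; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# What rc.local actually does: get the lease only once we own the virtual IP.
main() {
    if wait_for_master; then
        dhclient "$CARP_IF"
    else
        logger -t carp-dhcp "$CARP_IF never became MASTER; not running dhclient"
        return 1
    fi
}

# Exercise the parser on the constructed samples; returns 0 when both agree.
selftest() {
    [ "$(printf '%s\n' "$SAMPLE_MASTER" | carp_state)" = "MASTER" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_INIT" | carp_state)" = "INIT" ] || return 1
    printf '%s\n' "$SAMPLE_INIT" | is_master && return 1
    return 0
}

# Only touch the system when invoked as "sh carp-dhcp.sh run" (e.g. from rc.local).
if [ "${1:-}" = "run" ]; then
    main
fi
```

Put the file somewhere like /etc/carp-dhcp.sh and call it from rc.local with `run` as the argument; because the two nodes share the vhid's virtual MAC, whichever node is MASTER presents the same client hardware address to the DHCP server, which is what lets the lease follow the virtual IP across a failover.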
That easy. Oh, and if you want to run a DHCP server for the LAN, I recommend using another system. DHCP tends to fail terribly when a failover occurs: the lease database lives on the node that just died, so the survivor has no record of which addresses are already handed out. You could do a periodic refresh of the DHCP leases between the two nodes, but it's better to just have a separate system for the purpose, especially if you intend to run a captive portal.