Status > Gateways Diagnostics > Routes

Different tiers provide failover

Please see packet capture and diag>>states [image: 4.png] [image: 4.png_thumb] [image: 5.png] [image: 5.png_thumb]

Are you using Google 8.8.8.8 or 8.8.4.4 as your gateway monitoring destination?  If so, change it.  Google will drop packets thereby creating a false positive packet loss.

Manual reset of the states is a good idea when you change your rules in any significant way, Diagnostics > States >Reset States.

A quick update, just in case it can help anyone else trying to accomplish a similar task… @calebh: a single NAT rule got the job done! It almost did! My attention was redirected to another project before I could completely test the theory. Adding the NAT rule did, in fact, allow the Backup firewall to access the resources on the host in subnet A, however, the Master firewall could not access the same resources via the virtual IP. So it appears that a firewall in an HA cluster can not fully route packets to the VIP while it is the Master? If someone knows how to address that issue, please do share! To address the issue, in pfBlockerNG on the firewalls for subnet B, I've added both the real IP of the host in subnet A (this will be used by the Master), as well as the VIP used by the firewalls for subnet B (this will be used by the Backup). Which ever list entry isn't the one intended for the respective firewall will timeout on that firewall, but it will get the same content via the entry intended for it.

It doesn't sound like you actually understand what CARP is so I still have no idea what you are doing. Running CARP VIPs and HA with a pfSense bridge interface is not compatible.

You can definitely put an interface on the inside and 1:1 NAT addresses in the /28 to it but the hosts on the inside will have real addresses in RFC1918 private space and pfSense will have to NAT for them.

Yes, that is what I am trying to do, there was no firewall before, but as I said, this is causing some trouble

Thanks for answering, I'll look into it, because the place where I am installing this, has a server with a fixed 192.168.89.2 IP, and that can't be changed, since it's the domain server, any idea here?

Hello. Yes you are correct. I would want stealth mode. In modem mode i get stealth but in router mode i get closed. I am just concerned that in router mode the LAN , WAN , OPT1 are all in RFC1918 addresses and it seems that it might be routing between them Craig

@viragomann: @TPCoMatt: Do I add a 'static route' in pfSense?  If so, so I need to create a 'Gateway' at 2.2.2.247, so the static route has a gateway to go through? Yes. Basically you need two routes for accessing the internet: the upstream route and the downstream route. For the upstream route you have to set the ISP gateway as default gateway on the external firewall and select it in the WAN interface settings. On the secondary firewall you have to the same with the external FW's LAN address. For the downstream you need a static route on the external firewall. First set 2.2.2.247 as gateway (not default!) and then add a static route for 3.3.3.0/24 and select 2.2.2.247 for the GW to be used. Thanks!  That worked perfectly!!

Were are you running wireshark? I would try a packet capture on the pfsense interfaces and compare what is arriving to what it leaving, also trying looking over the pfsense logs, if it is doing anything to the packets and erroring it should so up here status > system > routing

They will be configuring their router in transparent mode, so your Pfsense WAN port will be facing the internet, you will need to configure Virtual IP's (VIP) for the 2 routed Ip addresses "51.52.103.153 and  51.52.103.154" and the important part, make sure any existing inbound nat rules are created using these Ip addresses VIP's are under firewall > Aliases NAT is under Firewall NAT

Yes, that is what you need. Note that if you are trying to segment those cameras, it is up to the Win7 router to filter what the cameras can and cannot access on the pfSense LAN segment. pfSense is not involved in communications between 10.0.1.0/24 and 10.0.0.0/24. You will have a pretty hosed asymmetric routing problem there that might help keep reply traffic from making it back though. I would, personally, use another interface on the firewall for that. If you need the windows PC on that segment, put it there.

Hi, All I see is a bunch of thing like this, they all look the same. 20:56:08.579383 ARP, Request who-has 192.69.162.161 tell 192.69.162.78, length 28 Sorry but that is up to your ISP to solve. They have to respond to ARP so the firewall knows what MAC address the gateway IP address can be found at on the WAN subnet. You might need to hire someone locally to get you running - especially someone who knows what it is that ISP needs.

That did resolve the connection solution. Thank you.

Have you tried to set pfSense WAN in DHCP mode?