HA/CARP/VIPs

• M

  CARP/HA, SYNC and XMLRPC SYNC explained
  • mk6032  

  3
  0
  Votes
  3
  Posts
  3195
  Views

  M

  Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (perst maint, reboot, leave persist maint). I am still having a small problem with freeradius xmlrpc sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0). Regards, Matt
• N

  XMLRPC doesn't sync, CARP works
  • nanas3  

  3
  0
  Votes
  3
  Posts
  11
  Views

  N

  Thanks @Derelict for the fast reply! I don't think my configuration is "violating" any of those requirements. I even have everything set to "allow any". Rules on sync interface on secondary: Rules on sync interface on primary: I have same username (admin) and port on both nodes WebUI, I'm using the same username to setup the XMLRPC sync section.
• C

  OpenVPN HA Sync failover
  • cmhddti  

  8
  0
  Votes
  8
  Posts
  61
  Views

  

  @JeGr said in OpenVPN HA Sync failover: Wouldn't that only happen if you manually shutdown the primary node? Just curious, as in a failure (e.g. uplink down) case, no one would get the exit notify as the line is down? But yeah in an update scenario where you shut down the primary for updating, it would definetly cut links quicker than a timeout. Of course a hard failure will probably not send anything from the OpenVPN process. Those are actually pretty rare compared to setting maintenance mode. An interface down event would (unless the down interface was necessary to send the disconnect advisories)
• E

  I'm told only Cisco can do this.....
  • edlentz  

  5
  0
  Votes
  5
  Posts
  72
  Views

  

  You don't need much hardware, for some lab experience a virtualized pfSense environment should do fine. -Rico
• R

  Pfsense HA and openvpn client
  • rafel.amer  

  4
  0
  Votes
  4
  Posts
  534
  Views

  N

  Expanding on the scenario above, which works fine, suppose a situation that we need the openvpnclient to be able to use multiple links in case one fails. (not concurrently). So I have created a vpnclient_gateway_group, and put 2 carp vips in the group, with priority 1 and 2 respectively. Vpn client works as expected, however whenever I do a simple change on master pf instance, (my favorite is changing the graphs display from inverse to simple and back) secondary vpn client kicks in, primary is also up leading to vpn havoc.. I need to go to secondary and stop openvpn service to recover. Switching this config to use the same carp vip directly (without gw redanduncy) eliminates the issue. Is thus supported? Or is it a bug? on pfsense 2.4.4_p2
• P

  Dual WAN CARP/HA Config with ARP traffic issues
  • ProgressCity  

  2
  0
  Votes
  2
  Posts
  23
  Views

  

  The only interface that should respond to ARP is the interface that holds that MAC address. If the Comcast device is also responding, it is broken. This should NOT be the end of the world if everything it does is perfect from a CARP perspective but I suspect it is not. The ONLY frames that should ever be sourced from a CARP MAC address (like 00:00:5E:00:01:0xVHID) Is the CARP advertisement itself from the current MASTER node. No other traffic should ever be sourced from that MAC address. ARP responses for the WHO HAS the CARP VIP will be sourced from the interface MAC address and contain 00:00:5E:00:01:0xVHID in the ARP protocol payload in IS AT. What you are posting does not provide enough information because both the ARP payload and the source/dest MAC addresses of the frames themselves all matter here. All of this pretty much has to work perfectly. This would not be the first time an ISP device was not compatible with CARP/HA because of games it wants to play.
• M

  Slow connection using CARP interface
  • maguiar  

  2
  0
  Votes
  2
  Posts
  26
  Views

  

  There is nothing special about CARP/HA here. It's all just MAC addresses, IP addresses, and ARP. If there is something being treated differently about it it must be upstream in your environment.
• 

  Admin user not fully synced?
  • JeGr  

  3
  0
  Votes
  3
  Posts
  37
  Views

  

  I'll create a ticket then, thanks for the second brain ;) Edit: Opened it as #9539 in Redmine
• A

  How to do use this NAT?
  • akong77  

  36
  0
  Votes
  36
  Posts
  332
  Views

  

  What, specifically, is not working?
• F

  I think VIP and internal servers
  • froussy  

  9
  0
  Votes
  9
  Posts
  42
  Views

  F

  Thanks a lot! you cant imagine the help you just gave me! :) Frank
• N

  WAN "disabled" after adding a VIP
  • Nicola  

  5
  0
  Votes
  5
  Posts
  65
  Views

  

  Just as I'm curious: I thought 2.4.4(-p1+) was already config rev 19.1? At last that's what my cluster systems tell me in system log?
• 

  A communications error occurred while attempting to call XMLRPC method restore_config_section
  • Mr_JinX  

  2
  0
  Votes
  2
  Posts
  23
  Views

  No one has replied

• D

  Pfsense with HA closing sessions when apply any rule.
  • diogo_falcomer  

  9
  0
  Votes
  9
  Posts
  423
  Views

  

  Again, the proper forum for documentation feedback is the give feedback link on the page.
• L

  CPU load/loss of Packets after 2-3 days with HA-setup
  • lutzministrator  

  1
  0
  Votes
  1
  Posts
  25
  Views

  No one has replied

• A

  Problem of CARP with IPSEC
  • anass131  

  13
  0
  Votes
  13
  Posts
  103
  Views

  A

  @JeGr thank you for your reply finally i found the problem it was related with GNS3 because my 2 sites are connected with it. the cloud's i used to represent my LAN block the VIP of the LAN when i shutdown the Master.
• S

  How can make Dependency between 2 Vhid Group
  • sina  

  1
  0
  Votes
  1
  Posts
  24
  Views

  No one has replied

• R

  Multiple Public IPs Assigned directly to machines
  • rby  

  8
  0
  Votes
  8
  Posts
  44
  Views

  

  Huh? No a router can not have the same networks or overlapping networks on multiple interfaces, ie its wan and lan.. But if the /29 is routed to you this would never be the case since your wan would be the transit network and wouldn't overlap with your routed /29 This has zero to do specific with pfsense - and is just basic 101 routing. Here lets do an example... isp .1 --- 1.2.3.0/30 --- .2 wan pfsense opt .1 --- 4.5.6.0/29 --- devices .2, .3, .4 etc.. And sure pfsense could also have lan network in 192.168.1.0/24 Now your isp routes 4.5.6.0/29 to your 1.2.3.2 address.
• N

  XMLRPC sync operation timed out
  • noel.alanguilan  

  6
  0
  Votes
  6
  Posts
  39
  Views

  N

  Okay. Noted. Thank you.
• N

  HA with Netgate + esxi
  • nikkopegmail.com  

  1
  0
  Votes
  1
  Posts
  35
  Views

  No one has replied

• I

  This topic is deleted!
  • instatakipler  

  1
  0
  Votes
  1
  Posts
  11
  Views

  No one has replied

• R

  messed up dhcpd.conf (and probably other settings)
  • rolandk  

  1
  0
  Votes
  1
  Posts
  14
  Views

  No one has replied

• H

  OpenVPN with Radius not working correctly with HA
  • Hans70  

  3
  0
  Votes
  3
  Posts
  26
  Views

  H

  I spoke too soon, it's still not working 100% of the time. When the backup-pfsense is entering MASTER-status, not all of the time Radius gets started correctly, sometimes I see the following in the Radius-logfile, right afster started it gets stopped again: Mon Apr 15 14:16:21 2019 : Info: Ready to process requests Mon Apr 15 14:16:21 2019 : Info: Signalled to terminate Mon Apr 15 14:16:21 2019 : Info: Exiting normally
• J

  VM In promiscuous mode cause phisical Pfsense in ha mode using carp unable to route between internal networks
  routing carp vmware • • jgngnj  

  2
  0
  Votes
  2
  Posts
  57
  Views

  

  Sorry. I have no idea what you are even asking. The basic things that need to be changed to run pfSense HA in VMware ESXi are described here: https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-high-availability-clusters.html?highlight=esxi#hypervisor-users-especially-vmware-esx-esxi
• P

  NTP not running on backup FW?
  • pete.s.  

  11
  0
  Votes
  11
  Posts
  47
  Views

  P

  So now everything worked fine for a little while. But then I saw this: Using a shell on pfsense I can ping each NTP server and I can also use ntpdate to set the clock. So basically it's not a firewall or routing problem I think. NTP log doesn't show anything unusual or different compared to the master firewall. I'll keep looking.
• 

  Multiple WAN HA setup (No Multi-WAN LB or FO)
  • _neok  

  3
  0
  Votes
  3
  Posts
  48
  Views

  

  You can probably get away with having only one proper WAN with two single-address WANs as long as: All addresses are static (not DHCP, PPPoE, etc) You ensure that the default gateway in the routing table is always the interface where the secondary can get out (has its own routeable interface address) The main issue is that the secondary can access the internet (get updates, resolve DNS, etc) when it is CARP BACKUP.
• G

  Recovering HA device
  • groupie02  

  3
  0
  Votes
  3
  Posts
  59
  Views

  J

  Is there a quick way to copy the config from the secondary over to the replaced device? We had a similar failure here.
• V

  CARP both becoming master on a subnet
  • ViniciusBr  

  5
  0
  Votes
  5
  Posts
  67
  Views

  V

  Thanks, I will continue my investigation, if I have any further information or questions I will get back to this topic. Thanks
• P

  Maybe a bug with sync of descriptions of firewall rules
  • pete.s.  

  3
  0
  Votes
  3
  Posts
  27
  Views

  P

  OK, I found the problem. https://github.com/pfsense/pfsense/blob/master/src/etc/rc.filter_synchronize A bunch of these lines: $config_copy['nat']['outbound']['rule'][$x]['descr'] = remove_special_characters($config_copy['nat']['outbound']['rule'][$x]['descr']); The function remove_special_characters strips out everything but a-z, A-Z, 0-9 _ - + Should have maybe used the function htmlspecialchars instead to get special characters encoded instead of stripping them. Also having the xml in UTF-8 allows you to put a lot of international characters in the xml file. Anyway, it's looks like it's been working like this for years.
• M

  CARP limiters and Traffic Shaping
  • matrox.gr  

  2
  0
  Votes
  2
  Posts
  39
  Views

  

  I was able to reproduce both of those bugs. We've hit similar things in the past. I created new issues for them: Limiters: https://redmine.pfsense.org/issues/9468 ALTQ Shaper: https://redmine.pfsense.org/issues/9469
• T

  Pfsense HA setup Issue
  • ted_ks  

  4
  0
  Votes
  4
  Posts
  55
  Views

  

  All changes that are synced.
• A

  Set failover peer ip on dhcpd the client can't get ip.
  • akong77  

  15
  0
  Votes
  15
  Posts
  112
  Views

  

  check the clocks on both nodes
• M

  Bridge WAN VIP to Interface Guidance
  • mgbolts  

  5
  0
  Votes
  5
  Posts
  53
  Views

  

  A 255.255.255.252 netmask is only a /30. Please send the actual addresses in a chat. That makes zero sense and it's impossible to help you without knowing what they actually are.
• T

  OpenVPN (Public VPN Services (i.e. PIA, NordVPN) - What makes them disable or not
  • talaverde  

  8
  0
  Votes
  8
  Posts
  101
  Views

  T

  As posted in other thread... @Derelict Thanks for the tips. I got it to work. I didn't really understand what you meant, but I agreed it seemed like a NAT issue. I found a separate thread where you said the 'NAT Addresss" should be the VIP address. So, I made sure to change all the WAN1 and WAN2 mappings to the VIP addresses. (I tried this once in the past, but I didn't think it worked. I must have not refreshed it or something) https://forum.netgate.com/topic/119782/solved-setup-manual-outbound-nat-section-in-pfsense-docs-unclear-to-me/4 Anyway, after using the VIP addresses in the NAT mappings, it fixed the WAN1 to be online at all times. Thanks!
• T

  CARP working properly, except WAN1 packetloss on Backup until Master
  • talaverde  

  4
  0
  Votes
  4
  Posts
  91
  Views

  T

  @Derelict Thanks for the tips. I got it to work. I didn't really understand what you meant, but I agreed it seemed like a NAT issue. I found a separate thread where you said the 'NAT Addresss" should be the VIP address. So, I made sure to change all the WAN1 and WAN2 mappings to the VIP addresses. (I tried this once in the past, but I didn't think it worked. I must have not refreshed it or something) https://forum.netgate.com/topic/119782/solved-setup-manual-outbound-nat-section-in-pfsense-docs-unclear-to-me/4 Anyway, after using the VIP addresses in the NAT mappings, it fixed the WAN1 to be online at all times. Thanks!
• G

  HA on AWS
  • gvecchi  

  5
  0
  Votes
  5
  Posts
  48
  Views

  G

  @Derelict thank you so much, have a nice day!
• 

  DNS resolve for internal hosts in HA and peer-to-peer OpenVPN
  • iorx  

  11
  0
  Votes
  11
  Posts
  54
  Views

  

  Success! Tried it out live now. Shutdown machine #1. Branch Office lost its connection to the Main Office for about 10 seconds. This is OpenVPN reconnecting. After OpenVPN peer-to-peer reconnected. Resolving from AD DNS works! TIL: So, multiple domain overrides is the way to go for internal name resolution in this scenario with AD DNSs. Goal achieved with HA, AD DNS and OpenVPN peer-to-peer. Branch Office is not a sitting duck when Main Office is not available. Normal DNS function maintained. Branch Office AD DNSs reach-ability is kept when HA is failed over. Kudos to all! Brgs,
• 

  CARP-Switch to secondary FW if primary can't reach GW
  • plant  

  2
  0
  Votes
  2
  Posts
  32
  Views

  

  No. Each node in an HA cluster needs to have the same set of WANs, you can't fail over for a gateway event.
• M

  Creat virtual ip on Pfsense
  • Mr.Trieu  

  4
  0
  Votes
  4
  Posts
  236
  Views

  M

  @rico Thank you very much
• M

  CARP preempt does't work
  • mylos  

  18
  0
  Votes
  18
  Posts
  148
  Views

  M

  0_1552590318279_dump.pcap
• T

  VIP addresses stop working
  • TitanSystems  

  9
  0
  Votes
  9
  Posts
  237
  Views

  

  They should be routing the packets destined for the new subnet to an address on the existing subnet. That is the proper way to do that. I believe the fix was applied to the correct side there. Good to know EPB came through.