@wesleywillis said in VIP setup for web hosting:

Let's say my ISP provides a public CIDR block: 1.1.1.0/26

Did you only get this block, or do you have a primary IP, which the block is routed to?

WAN IPv4: 1.1.1.2 (Should this be /26 as well?)

Yes.
Otherwise pfSense would complain that the gateway IP is outside of the WAN subnet.

You have to state the gateway in the WAN interface settings.

If you only have one block you need to assign each additional IP as type IP alias to WAN.
If the block is routed to the primary IP you can use the IPs in NAT rules without assigning them before.

NAT 1:1
Is it best to configure this per public IP, or the entire range?

Both is possible. You can also split the subnet into e.g. a /27 and some single IPs in the NAT rules.
If you use a subnet, the target IPs need to be sequentially, of course.

@crl said in Single WAN PPPOE Carp HA OpenVPN - remote LAN issue:

Issue symtom: since I transited to this HA setup, openVPN remote clients can only ping 192.168.1.1 but nothing else on the LAN network 192.168.1.0.
I am stuck despite googling a lot of posts relating to openVPN and CARP.

I don't think on any relation with the CARP setup.
Rather I guess, your LAN devices might block access from the remote site. You may have to configure the devices firewall properly to allow it.

How you get access to the secondary node from remote network over VPN is described in the docs: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

It works for me but breaks openVPN, see Link.

@viragomann

Your suggested settings worked perfectly for my setup thankyou👍 👍 👍

I would like to have more than one XMLRPC destination as well to sync firewall rules and aliases to all my nodes.
A daisy chain as expected here is not a reliable solution.
Many Packages (e.g. pfblocker) already allow to sync to multiple hosts so I guess the limitation is only the GUI.

@viragomann That's what I did, or at least thought I did. Never could get it to work -- not even a ping.

I'll try again when I get some more round tuits :)

@lionelmarais said in SyncNic Failing with Error 32602:

I was able to sync the image with the same version

That is good to hear..

what gets done and reported is two totally different scenarios lol

To be honest, sadly I don't think that is something limited to any specific part of the world or agency hehahehe

@im-thatoneguy https://youtu.be/VnBnnh81G7w?t=3915

Not supported. Use SLAAC or two separate pools

@viragomann Wow, that works instantly (after also adding a CARP VIP as DNS server, letting it override by PPP).

Thanks a ton !

Serge

@viragomann
Thank you very much, that did the trick!

@erode Can you put Suricata on LAN instead? That will 1) avoid scanning any packets that would normally be blocked by the firewall anyway, and 2) show the LAN IP of devices for the alerts.

@netblues said in Secondary router in HA setup web GUI unresponsive:

@bp81 said in [Secondary router in HA setup web GUI unresponsive]
, or I will devise a way to harden web gui access from within the authenticated user vlan to only authorized machines. I am also considering setting up the Azure MFA extensions for NPS and just protect the web gui login with RADIUS that is itself backed by AD authentication and multifactor authentication via Authenticator app. That's not my first choice because an internet outage could lock me out of my web gui. (/post/1014732):

You can always disable the antilockout rule for authenticated users lan and just allow authorised ip's
A good password on top is probably all you need.
AD authentication opens up another attack surface too.
as for 2fa, its a very bad idea for the exact reasons you just mentioned.

Now, since ip's can be changed, mac's can be spoofed how much security is enough security for you.?
You could also utilise a jump-host
where you could ssh and portforward remote ports when needed, or use windows and rdp to the device first, and then login to pf.

This is probably a topic for another thread. We have good wifi security (RADIUS backed authentication) and pretty good physical security (ie, no one is walking in and plugging in a laptop to an open network port). We have the guest VLANs blocked for any traffic to the web gui as well. So is this good enough? Probably, for the moment.

Over the years our security efforts have been focused towards external threats, but the company is getting large enough now I have to start thinking about internal actors as well. This is a conversation I'd like to have on this particular issue, because I have to start somewhere, but it's probably best to go into its own topic.

@netblues Hey netblues, thank you very much, after carefully scrolling through the VLAN config on the swtich, it appears that I did not commit my settings, after rebooting both the switch and netgates, the issue disappeared.

kind regards
kkit

@joezyz said in CARP/HA Multi WAN redirect each IP to LAN IP:

That is exactly how I have it set up right now, and it is not forwarding.

What? Port forwarding or 1:1?

Should the Virtual IP be a CARP, IP Alias, Proxy ARP, or Other? I currently have it as CARP.

Both CARP and IP Alias can be used.
It's not necessary to add all your public IPs as CARP, since this type generates some overhead network traffic.
You need at least one CARP IP, the others can be added as IP Alias and hook up on the CARP IP.

Did you also add a firewall rule to allow the access?
In port forwarding rules you can set associated filter rules or simply "pass" to allow the access. When using 1:1 you have to configure rules by yourself.

Is pfSense the default gateway on the device you've forwarded traffic?

Maybe you can post screenshots so we can verify the settings.

@hpa_support Better to use two managed L2 switches with VLANs. Then you only need 2 switches for as many VLANs as you need.

A basic setup is something like:

2 x pfsense devices (i.e. CARP MASTER and BACKUP) 2 x Managed L2 switches

Plan VLANs and configure on pfSense, i.e.

VLAN 10 - WAN1 (provider 1) VLAN 11 - WAN2 (provider 2) VLAN 20 - LAN VLAN 30 - Phones etc

Run 1 cable from each of the pfsense device to each switch (2 cables leaving each pfsense device, 4 cables in total). Configure as trunk ports on the switch so pfSense can pass traffic for any VLAN. Cross connect the two pfsense devices on another network port to handle pfsync.

Now configure VLANs on pfSense on those interfaces, pfsync on the cross-connected port, you can have as many VLANs as you need (WAN, LAN, DMZ, phone, etc) without extra switches or cables now.

You will want to cross-connect (or stack) the L2 switches between each other (configure as trunk ports) so they can pass the CARP heartbeat as well as any other VLAN traffic across switches. Consider enabling spanning tree on the switches to save yourself some frustration if you accidentally create a loop.

@cjbujold providing the details of what exactly was the problem and how you solved it could help someone in the same boat in the future.

@pfsense2090
Basically you need at least 3 IPs for CARP in each network. One for each box and one CARP VIP. So you should have 3 public IPs on each WAN for proper functionality.
Though it is possible to set it up with a single public IP and use private IPs on the boxes, it might be tricky and have disadvantages.

What is your DSL WAN, a PPP or DHCP? Both are not compatible with CARP. So you probably have to use another router on this line.

I managed to get redirects working but it redirects to private service address which is obviously not accessible from outside

mbamtray_2021-12-01_21-50-12.png

Ok i found bug A) i have choose TYP = ssl / https(TCP mode) .... thats the reason i got only the TLS options etc. But if i create this ACL - save - confirm - go back - try to change the option again there are all the other options availible which shouldn´t be chooseable. Thats why this Rule will be delete after - save - confirm - but without any error.

How ever this way is to buggy and cost to much time. I got an other way to get my wildcard domain certs now on a much easier way then befor using my hosting provider and their api (Hetzner).

Thx for read anyway.

bye Maik

Just a bit of help for anyone still dealing with this issue. Here in Chattanooga, TN we have EPB Internet that times out vip's after 4 hours of no arp. This thread has been extremely helpful. It is a bit easier to implement now. If you install the Filer and Cron package from package manager, you can drop this script right into a file and edit if needed. Schedule right from the GUI. No more ssh needed.

The only hiccup I ran into was when I copied the above script, I didn't notice that the <? was missing at the beginning and it kept failing until I hit the shell to see what was happening.

BTW, @rightnow version works perfectly on 2.5.1-RELEASE

No, we have not attempted to utilize that.

@steveits Yes I need Snort on both interfaces, I like to know for example who from my family wants to download torrents.
I have Zabbix and FreeRADIUS package install along with Snort.

@joezyz
think about A Records later, first make the network work
configure it step by step
the gateway to the network will be the shared IP
it's easy only after you understand it