• DHCPv6 does not sync (3 posts, 1 vote, 1k views)

    @im-thatoneguy https://youtu.be/VnBnnh81G7w?t=3915

    Not supported. Use SLAAC or two separate pools.

  • Hardware Upgrade Advice (moved; 1 post, 0 votes, 587 views; no one has replied)

  • Setup for OpenVPN on High Availability (3 posts, 0 votes, 904 views)

    @viragomann
    Thank you very much, that did the trick!

  • I have two WAN IPs in CARP and one stops working for me (3 posts, 0 votes, 911 views)

    @erode Can you put Suricata on LAN instead? That will 1) avoid scanning any packets that would normally be blocked by the firewall anyway, and 2) show the LAN IP of devices for the alerts.

  • Secondary router in HA setup web GUI unresponsive (9 posts, 0 votes, 1k views)

    @netblues said in Secondary router in HA setup web GUI unresponsive:

    @bp81 said in Secondary router in HA setup web GUI unresponsive (/post/1014732):
    , or I will devise a way to harden web GUI access from within the authenticated user VLAN to only authorized machines. I am also considering setting up the Azure MFA extensions for NPS and just protecting the web GUI login with RADIUS that is itself backed by AD authentication and multifactor authentication via the Authenticator app. That's not my first choice because an internet outage could lock me out of my web GUI.

    You can always disable the anti-lockout rule for the authenticated users LAN and just allow authorised IPs.
    A good password on top is probably all you need.
    AD authentication opens up another attack surface too.
    As for 2FA, it's a very bad idea for the exact reasons you just mentioned.

    Now, since IPs can be changed and MACs can be spoofed, how much security is enough security for you?
    You could also utilise a jump host
    where you could SSH and port-forward remote ports when needed, or use Windows and RDP to the device first, and then log in to pf.

    This is probably a topic for another thread. We have good wifi security (RADIUS-backed authentication) and pretty good physical security (i.e., no one is walking in and plugging a laptop into an open network port). We have the guest VLANs blocked for any traffic to the web GUI as well. So is this good enough? Probably, for the moment.

    Over the years our security efforts have been focused towards external threats, but the company is getting large enough now I have to start thinking about internal actors as well. This is a conversation I'd like to have on this particular issue, because I have to start somewhere, but it's probably best to go into its own topic.

  • CARP IP - Both nodes show as Master (4 posts, 0 votes, 1k views)

    @netblues Hey netblues, thank you very much. After carefully scrolling through the VLAN config on the switch, it appears that I did not commit my settings; after rebooting both the switch and the Netgates, the issue disappeared.

    kind regards
    kkit

  • CARP/HA Multi WAN redirect each IP to LAN IP (5 posts, 0 votes, 998 views)

    @joezyz said in CARP/HA Multi WAN redirect each IP to LAN IP:

    That is exactly how I have it set up right now, and it is not forwarding.

    What? Port forwarding or 1:1?

    Should the Virtual IP be a CARP, IP Alias, Proxy ARP, or Other? I currently have it as CARP.

    Both CARP and IP Alias can be used.
    It's not necessary to add all your public IPs as CARP, since this type generates some overhead network traffic.
    You need at least one CARP IP, the others can be added as IP Alias and hook up on the CARP IP.

    Did you also add a firewall rule to allow the access?
    In port forwarding rules you can set associated filter rules or simply "pass" to allow the access. When using 1:1 you have to configure rules by yourself.

    Is pfSense the default gateway on the device you've forwarded traffic to?

    Maybe you can post screenshots so we can verify the settings.

  • creating a vlan causes pfsense to go down (1 post, 0 votes, 640 views; no one has replied)

  • Outbound NAT or Gateway Group/Virtual IP setting? (1 post, 0 votes, 609 views; no one has replied)

  • Setup HA (CARP) with Multiple LANs. Multiple L2 Switches? (3 posts, 0 votes, 1k views)

    @hpa_support Better to use two managed L2 switches with VLANs. Then you only need 2 switches for as many VLANs as you need.

    A basic setup is something like:

    2 x pfSense devices (i.e. CARP MASTER and BACKUP)
    2 x managed L2 switches

    Plan VLANs and configure on pfSense, i.e.

    VLAN 10 - WAN1 (provider 1)
    VLAN 11 - WAN2 (provider 2)
    VLAN 20 - LAN
    VLAN 30 - Phones
    etc.

    Run 1 cable from each of the pfSense devices to each switch (2 cables leaving each pfSense device, 4 cables in total). Configure these as trunk ports on the switch so pfSense can pass traffic for any VLAN. Cross-connect the two pfSense devices on another network port to handle pfsync.

    Now configure VLANs on pfSense on those interfaces, pfsync on the cross-connected port, you can have as many VLANs as you need (WAN, LAN, DMZ, phone, etc) without extra switches or cables now.

    You will want to cross-connect (or stack) the L2 switches between each other (configure as trunk ports) so they can pass the CARP heartbeat as well as any other VLAN traffic across switches. Consider enabling spanning tree on the switches to save yourself some frustration if you accidentally create a loop.

  • Haproxy down after updating SSL (3 posts, 0 votes, 996 views)

    @cjbujold providing the details of what exactly was the problem and how you solved it could help someone in the same boat in the future.

  • Urgent help - HA with multi wan on SG-2100 (5 posts, 0 votes, 1k views)

    @pfsense2090
    Basically you need at least 3 IPs for CARP in each network: one for each box and one CARP VIP. So you should have 3 public IPs on each WAN for proper functionality.
    Though it is possible to set it up with a single public IP and use private IPs on the boxes, it might be tricky and have disadvantages.

    What is your DSL WAN, PPP or DHCP? Neither is compatible with CARP. So you probably have to use another router on this line.
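
An added example, not taken from either post and not pfSense code: a small Python checker for the addressing rules stated in the two viragomann replies above (CARP/HA Multi WAN redirect each IP to LAN IP, and this one), namely that each WAN needs a real address per node plus at least one CARP VIP, and that further public addresses can be IP Alias VIPs hung off a CARP VHID. The dataclasses, field names and documentation-range addresses are constructed for illustration; treating the provider gateway as living inside the same prefix, and the "usable hosts" arithmetic, are my assumptions about a typical provider /29.

```python
"""Sanity-check the addressing plan for one WAN of a pfSense CARP/HA pair.

Added example (not pfSense code). Assumed model: each WAN needs its own
address on the primary node, its own address on the secondary node, the
provider gateway, and at least one CARP VIP; further public addresses can
be IP Alias VIPs that hang off a CARP VHID. All sample addresses below are
constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vip:
    address: str
    kind: str                   # "carp" or "alias"
    vhid: Optional[int] = None  # own VHID for carp; parent CARP VHID for alias


@dataclass
class WanPlan:
    name: str
    subnet: str      # provider-assigned prefix, e.g. "203.0.113.0/29"
    primary: str     # real address of the primary node's interface
    secondary: str   # real address of the secondary node's interface
    gateway: str     # provider gateway (assumed to sit inside the same prefix)
    vips: List[Vip]


def check_wan_plan(plan: WanPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is usable."""
    problems: List[str] = []
    net = ipaddress.ip_network(plan.subnet, strict=False)

    roles = {"primary": plan.primary, "secondary": plan.secondary, "gateway": plan.gateway}
    for i, v in enumerate(plan.vips):
        roles[f"VIP#{i} ({v.kind})"] = v.address

    seen = {}
    for role, text in roles.items():
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{plan.name}: {role} address {text!r} is not a valid IP")
            continue
        if ip not in net:
            problems.append(f"{plan.name}: {role} {ip} is outside {net}")
            continue
        # network and broadcast addresses are unusable on ordinary IPv4 prefixes
        if net.version == 4 and net.prefixlen <= 30 and ip in (net.network_address, net.broadcast_address):
            problems.append(f"{plan.name}: {role} {ip} is the network or broadcast address")
        if ip in seen:
            problems.append(f"{plan.name}: {role} reuses {ip}, already assigned to {seen[ip]}")
        seen[ip] = role

    carp = [v for v in plan.vips if v.kind == "carp"]
    if not carp:
        problems.append(f"{plan.name}: no CARP VIP; at least one is required")
    vhids = [v.vhid for v in carp]
    if None in vhids or len(set(vhids)) != len(vhids):
        problems.append(f"{plan.name}: every CARP VIP needs a unique VHID")
    for v in plan.vips:
        if v.kind == "alias" and v.vhid not in vhids:
            problems.append(f"{plan.name}: alias VIP {v.address} is not attached to a CARP VHID")
        elif v.kind not in ("carp", "alias"):
            problems.append(f"{plan.name}: VIP {v.address} has unknown kind {v.kind!r}")

    # Two node addresses + gateway + one CARP VIP already need four usable
    # hosts, so a /30 (two usable) can never carry a proper CARP pair.
    usable = net.num_addresses - 2 if net.version == 4 and net.prefixlen <= 30 else net.num_addresses
    if usable < len(roles):
        problems.append(f"{plan.name}: {net} has {usable} usable addresses but the plan needs {len(roles)}")
    return problems


if __name__ == "__main__":
    sample = WanPlan("WAN1", "203.0.113.0/29", "203.0.113.2", "203.0.113.3", "203.0.113.1",
                     [Vip("203.0.113.4", "carp", vhid=1), Vip("203.0.113.5", "alias", vhid=1)])
    for line in check_wan_plan(sample) or ["WAN1: plan OK"]:
        print(line)
```

Running it against a /30 with the VIP reusing a node address reports the broadcast collision, the duplicate, and the shortage of usable hosts in one pass, which is the situation the "single public IP" case in the reply above runs into.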

  • HAproxy: how to use backend with specific path+port? (2 posts, 0 votes, 922 views)

    I managed to get redirects working, but it redirects to the private service address, which is obviously not accessible from outside.

    [attached screenshot: mbamtray_2021-12-01_21-50-12.png]

  • HA fails over on LAN failure, not on WAN failure (1 post, 0 votes, 631 views; no one has replied)

  • HA Sync Errors and Documentation Unclear (1 post, 0 votes, 803 views; no one has replied)

  • Reset CARP Demotion status (1 post, 0 votes, 822 views; no one has replied)

  • HAProxy ACL impossible to confirm config (2 posts, 0 votes, 1k views)

    OK, I found bug A): I had chosen TYP = ssl / https (TCP mode), and that's the reason I got only the TLS options etc. But if I create this ACL, save, confirm, go back and try to change the option again, all the other options that shouldn't be choosable are available. That's why this rule gets deleted after save and confirm, but without any error.

    However, this way is too buggy and costs too much time. I have another way to get my wildcard domain certs now, much easier than before, using my hosting provider and their API (Hetzner).

    Thanks for reading anyway.

    Bye, Maik

  • WAN Side Switch Suitability.... (1 post, 0 votes, 739 views; no one has replied)

  • Gratuitous arp from virtual IPs? (18 posts, 0 votes, 13k views)

    Just a bit of help for anyone still dealing with this issue. Here in Chattanooga, TN we have EPB Internet, which times out VIPs after 4 hours of no ARP. This thread has been extremely helpful. It is a bit easier to implement now: if you install the Filer and Cron packages from the package manager, you can drop this script right into a file and edit it if needed, and schedule it right from the GUI. No more SSH needed.

    The only hiccup I ran into was that when I copied the above script, I didn't notice that the <? was missing at the beginning, and it kept failing until I hit the shell to see what was happening.

    BTW, @rightnow's version works perfectly on 2.5.1-RELEASE.
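
An added example, not the thread's PHP script (which does not appear on this page) and not pfSense code: a Python builder and decoder for the gratuitous ARP frame that such a keepalive puts on the wire for a CARP VIP. It assumes the VIP is announced from the CARP virtual MAC 00:00:5e:00:01:<VHID>, uses a constructed documentation-range VIP, and includes a Linux-only raw-socket sender for testing on a lab host; on pfSense (FreeBSD) transmission would need BPF instead, which is left out.

```python
"""Build and decode a gratuitous ARP frame for a CARP VIP.

Added example (not pfSense code and not the thread's script). A gratuitous
ARP is an Ethernet broadcast carrying an ARP whose sender and target
protocol addresses are both the VIP; refreshing the upstream router's ARP
entry periodically is what keeps a provider from ageing the VIP out.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
CARP_MAC_PREFIX = b"\x00\x00\x5e\x00\x01"
ARP_REQUEST, ARP_REPLY = 1, 2


def carp_mac(vhid: int) -> bytes:
    """CARP (like VRRP) answers for a VIP from 00:00:5e:00:01:<VHID>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1..255")
    return CARP_MAC_PREFIX + bytes([vhid])


def build_gratuitous_arp(sender_mac: bytes, vip: str, reply: bool = False) -> bytes:
    """Return a 42-byte Ethernet+ARP frame announcing `vip` at `sender_mac`.

    The request form carries an all-zero target MAC; the reply form repeats
    the sender MAC. Both carry the VIP as sender *and* target IP.
    """
    if len(sender_mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    spa = socket.inet_aton(vip)
    opcode = ARP_REPLY if reply else ARP_REQUEST
    target_mac = sender_mac if reply else b"\x00" * 6
    ethernet = BROADCAST_MAC + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sender_mac + spa + target_mac + spa
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame and flag whether it is gratuitous."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa = frame[22:28], socket.inet_ntoa(frame[28:32])
    tha, tpa = frame[32:38], socket.inet_ntoa(frame[38:42])
    return {
        "opcode": opcode,
        "sender_mac": sha.hex(":"),
        "sender_ip": spa,
        "target_mac": tha.hex(":"),
        "target_ip": tpa,
        "broadcast": dst == BROADCAST_MAC,
        "gratuitous": spa == tpa,
        "from_carp_mac": sha[:5] == CARP_MAC_PREFIX,
    }


def send_on_linux(frame: bytes, ifname: str) -> int:
    """Transmit a raw frame (Linux AF_PACKET, needs CAP_NET_RAW). Not for pfSense/FreeBSD."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP)) as s:
        s.bind((ifname, 0))
        return s.send(frame)


if __name__ == "__main__":
    frame = build_gratuitous_arp(carp_mac(1), "203.0.113.4")  # constructed sample VIP
    print(frame.hex())
    print(parse_arp(frame))
```

The decoder's `gratuitous` and `from_carp_mac` flags are the two things worth checking in a packet capture on the WAN when a provider claims it never saw the refresh: the announcement has to come from the CARP virtual MAC, not the node's physical MAC, or the upstream ARP entry ends up pointing at whichever box happened to send it.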

  • How to achieve a proper HA on LAN side (switch prof) for single subnet? (1 post, 0 votes, 647 views; no one has replied)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.