and the gateway IPs in the load balancer configuration must be the WAN and WAN2 CARP addresses, isn't it?
No, you use their gateways (it's a gateway pool). If you use the latest snapshot you'll have these as pulldown options so there is no footshooting with this setting anymore.
Don't forget to set your Firewall > NAT, Outbound to advanced outbound NAT to utilize your CARP VIPs.
I'm trying the same as jpinder70, but with 2 ADSL connections (and later will try to set up a redundant balanced IPsec meshed network).
It seems obvious that each pfSense system must have a WAN IP on each of the ADSL/T1 connections in order to have a CARP address for each connection. I only have 1 public static IP per ADSL, and it will belong to the CARP interface, because the traffic must go out with this IP, since it is the only one routed to my connection by my ISP. That way, as the WAN addresses must be in the same subnet as the CARP address, I will take 2+2 IPs that don't really belong to me, and I assume that my NATed networks will never reach the real IPs (anyway these probably don't have any public service that must be directly accessed by my users).
Actually I only have 3 NICs in each pfSense. So I'm trying some setups to see if they work without the need of a 4th NIC; hope to hear your feedback.
I connected both ADSL routers, and both WANs of the pfSenses, to the same ethernet segment.
My pfsense1 syncs to pfsense2. I also tried to activate that pfsense2 syncs to pfsense1. It seems to work, but there is some delay when applying changes; maybe there is some kind of cyclic action :? I don't know if that setup is OK.
Actually my WAN of pfsense1 has the adsl1 public IP, and the WAN of pfsense2 has the adsl2 public IP. I set up a CARP address for the adsl1 subnet in pfsense1, and a CARP address for the adsl2 subnet in pfsense2. I was expecting an error in sync, because pfsense1 doesn't know about the adsl2 subnet, and pfsense2 doesn't know about the adsl1 net either. The pfSense systems have synced and now I have the CARP addresses in both pfSenses. Maybe it's not necessary that both pfSenses be in both WAN subnets? I think it is mandatory, because it doesn't seem to work (no error in the frontend anyway).
Assuming that both subnets are mandatory, I would like to know if it's possible to set up a WAN interface with the two WAN IPs (1 per ADSL connection). Maybe with a proxy ARP virtual IP? I don't see any aliasing option to assign multiple IPs to an interface in the frontend (like the rc.conf _alias method in FreeBSD). I read somewhere that it is not recommended; does anyone have any hint on this? Maybe this will be an issue in the way the traffic will go out? Maybe the balancer will not work properly?
I keep monitoring this thread to see if the jpinder70 setup works.
Okay, this is what I found: if you have an address of x.x.x.25 and you also have an address of x.x.x.2 you will end up with the same CARP numbers. I have fixed it but it still does not solve my problem of not being able to download files or email attachments. I have tried every suggestion mentioned on the forum. So I am open to new ideas.
Here's how I solved this problem for our office (migrating a legacy 4.9 firewall with ipfw to pfSense).
The first thing I noticed is the lack of support for alias IPs (in the traditional definition of the concept, i.e. "ifconfig xxx0 188.8.131.52/27 alias").
So I went around the forums, and didn't find a good solution that wouldn't confuse CARP or require sticking a custom startup script in /usr/local/etc/rc.d/
One solution I did come up with, and that I have used before with success in NAT-before-tunnel IPSEC encapsulations, is as follows:
create a Virtual IP of type "proxy arp" on the inside interface (Firewall -> Virtual IPs), for example "172.31.31.1/32" (what we use)
create an advanced outbound NAT rule of the type: nat on EXT_IF inet from 172.31.31.0/24 to any -> (EXT_IF) round-robin
the tricky bit: route add 172.31.31.0/24 -iface INT_IF
Now the last part is tricky because the forms don't support -iface sis0 (the inside IF). Looking in the CVS code:
"Remove interface gateway option. It doesn't do what I wanted, and the same can be achieved by plugging in the next hop gateway."
Well, it would have done what I wanted :) Additionally, I am missing an example for the scenario described in the above commit message -- I am unsure about the correct way to go about doing this kind of forwarding with PF, through the pfSense interface...
So in the meantime I have an rc.d script doing "route add 172.31.31.0/24 -iface sis0" and everybody's happy. Hope the input helps, and hope real IP aliases will be introduced sometime in the future.
Not sure there was anything wrong with the package except it wasn't complete. ifstated is a pain to configure well, although somewhere I think I have some code partially written using the latest OpenBSD code that I ported over. I might be willing to resurrect it, depending on how much it's worth to you... I'm trying to scrape together some cash for a new laptop right now. I think I have a fairly decent idea of what it is you're trying to accomplish, but I think a network diagram would help fill in a couple of the blanks for me.
I'm new to OpenBSD & pfSense and I'm currently looking into a pfSense cluster setup exactly as described in Fig.2 http://forum.pfsense.org/index.php/topic,1014.0.html.
In order to avoid having the switch as single point of failure I would like to connect each pfSense to a separate switch (which is interconnected with its own trunking feature).
I have come across the trunk(4) feature in OpenBSD which means I can set up two NICs as a virtual NIC and let them act as an active/standby pair (I guess the failure criterion is the media link up/down).
My question is: would the CARP feature work on top of such a virtual NIC (IP, MAC setup, ...)?
Thanks for any hints,
FWIW, we don't run on OpenBSD. So, no this feature won't work and I dunno if it'd work as you describe in Open.
I have done all that you mention. I am using a dedicated interface for CARP. Both CARP interfaces are connected via the same VLAN and XML-RPC updates are successful. I have not had the chance to swap out the NIC for a PCI-X NIC yet, but I will start with a fresh install when I do. I will have to wait until the next maintenance window.
No, each CARP IP is one IP, no matter what subnet mask it has. The subnet just has to match the subnet of the physical interface the CARP IP is running on. However, you can use 1:1 NAT with subnet ranges to map several VIPs to several internal IPs after you have created your VIPs.
Each WAN needs to be a separate interface or the NATing won't work correctly. Also you would not be able to use policy-based routing for sites that don't work with load balancing, for example. If you have a VLAN-capable switch you can make this work with one physical interface and several VLAN interfaces.
No, the CARP IP and real interface IPs have to be within the same subnet. You could set up your WAN subnet as a /29 and use 2 IPs that are out of your range for the real WAN IPs. This way you lose access to a few IPs on the internet, but as these most probably are other customers of your provider that might not even run any public services, this should be no problem. Just make sure the gateway IP and the CARP WAN IP are what your provider told you for the IP you have.
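To make the /29 trick from the reply above concrete, here is an added Python helper (example code, not from the thread or from pfSense itself). Given the single public IP the provider routes to you and the gateway they gave you, it computes the enclosing subnet (starting at /29 and widening only if the gateway falls outside it), keeps the provider's IP for the CARP VIP, and picks two unused addresses from that subnet for the physical WAN interfaces of the two cluster nodes. It also checks the rule stated earlier in the thread that a CARP VIP must lie inside the physical interface's subnet. The 203.0.113.0/24 addresses are constructed documentation-range values, not anything from the thread.

```python
"""Plan CARP WAN addressing for a pfSense pair when the ISP assigns one public IP.

Added illustration for the forum discussion; not pfSense code. The sample
addresses below are constructed (RFC 5737 documentation range).
"""
import ipaddress


def same_subnet(vip_cidr: str, iface_cidr: str) -> bool:
    """Rule from the thread: a CARP VIP must sit inside the subnet of the
    physical interface it runs on (the VIP's own mask does not matter)."""
    vip = ipaddress.ip_interface(vip_cidr)
    iface = ipaddress.ip_interface(iface_cidr)
    return vip.ip in iface.network


def plan_carp_wan(public_ip: str, gateway: str,
                  start_prefix: int = 29, min_prefix: int = 24) -> dict:
    """Return a subnet plan: CARP VIP, gateway and two physical WAN addresses.

    Starts with the /29 suggested in the thread and widens the prefix only as
    far as needed for the ISP gateway to be on-link (it must be, because the
    physical interface needs a directly reachable default gateway).
    """
    vip = ipaddress.ip_address(public_ip)
    gw = ipaddress.ip_address(gateway)

    net = None
    for prefixlen in range(start_prefix, min_prefix - 1, -1):
        candidate = ipaddress.ip_network(f"{vip}/{prefixlen}", strict=False)
        if gw in candidate:
            net = candidate
            break
    if net is None:
        raise ValueError(
            f"gateway {gw} is not within a /{min_prefix} of {vip}; "
            "CARP and physical WAN IPs cannot share a subnet with it")

    # Addresses that must not be reused for the physical interfaces.
    reserved = {net.network_address, net.broadcast_address, vip, gw}
    free = [h for h in net.hosts() if h not in reserved]
    if len(free) < 2:
        raise ValueError(f"{net} leaves fewer than two spare addresses")

    # The "borrowed" addresses are not routed to us; they only exist so the
    # physical WAN interfaces are in the same subnet as the VIP.  Outbound
    # traffic must be NATed to the VIP (advanced outbound NAT), which is why
    # reaching those borrowed addresses on the internet is lost.
    plan = {
        "subnet": str(net),
        "carp_vip": f"{vip}/{net.prefixlen}",
        "gateway": str(gw),
        "node1_wan": f"{free[0]}/{net.prefixlen}",
        "node2_wan": f"{free[1]}/{net.prefixlen}",
    }
    # Sanity check: every real interface IP and the VIP share the subnet.
    assert same_subnet(plan["carp_vip"], plan["node1_wan"])
    assert same_subnet(plan["carp_vip"], plan["node2_wan"])
    return plan


if __name__ == "__main__":
    # Constructed sample: the ISP routes 203.0.113.10 to us via 203.0.113.9.
    for key, value in plan_carp_wan("203.0.113.10", "203.0.113.9").items():
        print(f"{key:10s} {value}")
```

The two borrowed addresses are the ones the reply says you "lose" on the internet; the plan keeps the gateway and the provider-assigned IP exactly as the provider gave them, which is the constraint the reply ends on.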
Another update. Hacom has pulled their boxes from their website. They've confirmed a serious issue with the PCI bus and are working to resolve the problem. They've since refunded me for my systems. Hope they get it resolved soon!