• Forcing FW failover, FW + Router configuration

    Locked | 0 Votes | 12 Posts | 7k Views

    I just experienced something similar (or the same) while setting up two new 1.2.3-based embedded routers. pfsync is working fine (over a dedicated interface).
    I created 3 VIPs (LAN, LAN2, WAN) in that order, VHIDs 1, 2, 3. The interfaces would fail over separately: I unplug WAN, it fails over to router2, but LAN stays on router1, and obviously does not provide upstream connectivity.

    In desperation, I removed the LAN2 and WAN VIPs, and recreated just the WAN VIP (LAN VHID 1, WAN VHID 2). Now LAN+WAN seem to fail over together when the WAN cable is pulled. In fact, it all seems to work OK (except DHCP, which I'll start a separate topic on) except that when we fail back to router1, the WAN VIP shows as "master" on both machines! I have to do some more checking as to whether this is affecting anything, but it seems pretty strange.

  • MOVED: Dual WAN - two ISP testimonials

    Locked | 0 Votes | 1 Post | 2k Views | No one has replied
  • 1 Wan in DHCP and multiple CARP on LAN

    Locked | 0 Votes | 1 Post | 2k Views | No one has replied
  • Master/Slave in 1.2.3-RELEASE

    Locked | 0 Votes | 3 Posts | 2k Views

    Thanks for your prompt answer.
    It is what I needed.

    Regards.

  • CARP IPs Broken

    Locked | 0 Votes | 1 Post | 2k Views | No one has replied
  • Email feature when FW enters failover mode…

    Locked | 0 Votes | 1 Post | 2k Views | No one has replied
  • CARP Load balancing

    Locked | 0 Votes | 2 Posts | 4k Views

    I note that we've been here before, I had a good read of:
    http://www.mail-archive.com/support@pfsense.com/msg07031.html

    Do we have an official stance on this ARP load balancing functionality now?

  • I need an IP on the wan if (vr0 not ng0)

    Locked | 0 Votes | 4 Posts | 3k Views

    http://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

    I've seen that, but it was so long ago; I used redir and it could just redirect TCP ports, and I need a UDP redirect :(

    I read the readme from the newest version and there is no mention of UDP either.

    thanks anyway :)


  • Public IP in DMZ / Proxy ARP

    Locked | 0 Votes | 2 Posts | 3k Views

    You can bridge. Short of a routed subnet or NAT, that's your only option. Details in the book.  http://pfsense.org/book

  • CARP and squid

    Locked | 0 Votes | 3 Posts | 3k Views

    Only where the package itself supports it, a few of them do but not all.

  • When connecting Pfsense with Carp to the WAN the link fails

    Locked | 0 Votes | 2 Posts | 2k Views

    Conflicting IP or VHID likely.

  • Fault tolerant colocation setup

    Locked | 0 Votes | 2 Posts | 3k Views

    @stevekez:

    Is the kind of setup I describe possible and if so what things do I need to look at when configuring such a thing?

    That's one of the most common types of setups I help our support customers deploy. Works great. My presentation from DCBSDCon covered this type of setup. http://www.youtube.com/watch?v=aElQidbWUxA

    The book has a lot of content that goes over things you need to consider here.  http://pfsense.org/book

    @stevekez:

    If there are problems with the above description (such as LAG not working between multiple switches, as I've already identified as a potential gotcha  :-[),

    Only lagg with bonding (LACP, EtherChannel) tends to be a problem there. The failover mode is what people generally use for their servers between switches like that.

  • CARP/Redundancy with public /30 vlans

    Locked | 0 Votes | 2 Posts | 2k Views

    You need a /29 minimum per interface for CARP. The routed public IP scenario is covered in depth in the book. http://pfsense.org/book

  • Hundreds of VIPs: CARP or Proxy ARP?

    Locked | 0 Votes | 6 Posts | 6k Views

    @juliansomers:

    However, your reply troubles me somewhat: when you say

    don't use PARP with two firewalls, it won't failover properly and will cause problems.
    could you be more specific? What are the problems that I can expect, other than the PARP VIPs not being available on the slave firewall when a failover happens?

    That was assuming you put them on both firewalls. If you only put them on one it won't be a problem, but won't fail over either. The proper solution is to have your provider route the additional subnets to one of your CARP IPs, then you can use Other VIPs and will have proper failover.

  • Virtual IP - works only first in the list?

    Locked | 0 Votes | 5 Posts | 3k Views

    @GruensFroeschli:

    So you created an NAT rule for each VIP?
    Did you also create a firewall rule for each VIP?

    Sure, I have one NAT rule for one VIP and one OPT1 rule (just to be a clear test). I have no other rules for OPT1 and port TCP 3389 (but I have a rule for WAN):

    Virtual IPs:
    95.XX.XX.36/32 P ARP
    95.XX.XX.37/32 P ARP
    95.XX.XX.38/32 P ARP

    NAT rule:
    OPT1 TCP 3389 192.168.28.5 (ext.: 95.XX.XX.37) 3389 TestRDP

    OPT1 rule:
    TCP * * 192.168.28.5 3389 *

    This configuration works only when .37 is the first line in VIPs… If it is second or third it doesn't work.

  • Carp… I have looked but no success…

    Locked | 0 Votes | 2 Posts | 2k Views

    As far as I know each box needs a 'real' WAN IP, which for CARP HA would require a minimum of 3 WAN IPs from your ISP: 1 virtual, 2 physical.

  • Completely sync packages from primary to secondary

    Locked | 0 Votes | 2 Posts | 2k Views

    Packages have to be manually installed on each box.

  • Virtual IP On LAN - Very Slow takeover

    Locked | 0 Votes | 3 Posts | 3k Views

    Hi Dotdash

    Cheers for the response, I have changed the CARP LAN address range as you suggested and currently it seems to be taking over addresses correctly. I don't actually need a class A for my DMZ either; it just happens to be that this is how it was configured originally, and as I have many servers in the DMZ and it works I'm not going to reassign them all. The reason I have assigned the advskew to 5 and not 0 is so that I can add my main pfSense firewall into the cluster and gradually get it to take over addresses by assigning them as 0 on it.

    Anyway cheers for the assistance, if I have any more probs I'll post back… I should know in a day or two if everything is working fine.

  • CARP Virtual IP failover works, but rules sync does not

    Locked | 0 Votes | 6 Posts | 4k Views

    Yup, I looked at that. $600 for 5 hours of support, of which I'd need perhaps 30 minutes? I would have happily paid $100 to resolve this, but $600 is significantly more than both firewalls cost me ;)

    Either way, I've got no real plans to look at pfSense again for this application. It's going to cost me £20 to produce a redundant PSU unit for the firewall. On the off-chance that the WRAP board should fail, I can handle 10 minutes of downtime. I've only ever had PSUs fail though, so I'm not particularly worried.

    CARP was a "nice feature to have" not a "must have", so I'll stick with m0n0wall.

    HB

  • Don't get VIP working

    Locked | 0 Votes | 4 Posts | 2k Views | dotdash

    I doubt that your wan connection has a /4 subnet mask. That's something like 270 million addresses in your subnet. A /29 would seem more correct. xx.yy.169.64/29 would be 65-70 usable.
    CARP VIPs need to be created with the correct subnet mask. e.g. xx.yy.169.66/29
    Proxy ARP VIPs use a /32 mask. I think 'other' VIPs use a /32, but I haven't used them in a while. Other type VIPs may not work for you depending on how the provider routes the IPs to you. Stick with CARP or Proxy-arp unless you have a compelling reason to use other vips.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.