@blak111:

You could also accomplish this using static only DHCP entries for the machines on each firewall if you don't have VLAN capable switches.

Yeah.
We did that at the last LAN party i helped organize.
But if you cannot get your guests to register their MAC before the party it's a pain in the ass…
People check in; someone has to go to their place and get their virus-check and their MAC, go back to the checkin, add their MAC to the list at the correct place....
Maybe in the end too much of a hassle.

Hi,

I have a simpler setup with just WAN and LAN.  The WAN has 5 static IPs.  I wanted to forward the ports to the servers internally.  The primary IP assigned responded very fast.  But the other VIP have very slow response.  To make a valid test, I forwarded the http port of each static IP to an internal IP of the same internal server (with differnet LAN IP respectively) using virtual host, serving the same exact content.  I've tried using VIP as CARP, PARP, and other.  All have performance issue on the VIPs.  Does any one know the causes to this?

Thanks,
Tommy

BTW:  I'm using pfsense version 1.2.1 RC2. I have 0 In/Out errors on status > NICs.

FWIW, there is some discussion of this here: http://forum.pfsense.org/index.php/topic,7039.0.html

CARP supports active/active setup, but pfsense doesn't (at least not out of the box).
If you want such advanced configuration i would advise you to study CARP and fix pfsense to be in active active (switches are important too in this case). If you do it, post a detailed description on how you did it, so others can follow.

The easier option would be just to upgrade hardware of your firewalls. If you have such traffic you have to have enough money. You could even buy support from Sullrich i'm sure he would help you set up active/active freebsd install if you paid for it. :-)

I haven't used virtual server pools and other related stuff with pfsense yet, but it should be nothing more that a bunch of DNAT rules. For those you need VIP (virtual IPs). I would recommend you to go and create one CARP VIP then try to use then in your load balancing options.

Af far as i know pfsense doesn't have to be BGB aware (i could be wrong thou).
You would set it up the same way if there were no BGP, just make sure that both firewalls are connected to all networks.

I guess noone understands your post.
How can you still access (measure the pings) if you remove the VIP and NAT rule? If you remove those then you cannot access the user behind in LAN from internet, so you cannot measure it.

'cause no one responded i'll try.
What kind of load balancing do you do? Outbound internet load balancing or inbound load balancing to servers.

Hello

I think I posted to soon, i discovered that I had a slight misconfiguration in one of the firewalls interfaces settings, it was set as a /24 when it should have been /25 so there for the new subnet I was adding was encompased ino the /24 range.

I will post back if im still having the issue, I just reconfigured the firewalls and rebooting the backup one

So far it looks good I can actually route through that network onto the internet now

Sorry for wasting your time.

No the vlans are vlans. Each of our customers are on their own vlan behind the firewall with public address on their machines. We route through the firewall to the public addresses, no nat or port forwading. Everything in the forum seems to be with nating and port forwarding from the public ip's on the WAN to private ip's.

This is the current setup that we are trying to cluster.

WAN Gateway              FW1 WAN              Vlan1 interface          Customers machine
xxx.xxx.58.145<–-->xxx.xxx.58.148<------->xxx.xxx.53.1<--------->xxx.xxx.53.2

Thanks

Rick

For the people that have been reading this hoping for answers to my questions, maybe I can help you out.
From a newbie standpoint, I have this working:

my ignorance was in understanding that virtual ips, thus this forum being CARP/VIPs, is the key to using CARP/pfsync

Here's what I have that is working in a small test environment:
box1:
WAN: public IP
LAN: 10.2.1.1/16
OPT1: 192.168.10.10

box2:
WAN: public IP
LAN: 10.2.1.2/16
OPT1: 192.168.10.11

In the CARP settings I am sychronizing everything and using the 192 addresses as the peer sync addresses for each box respectively.  Box1 has 192.168.10.11 and the webGUI password entered at the bottom of the page on the CARP settings. Box2 has these boxes left blank.

Under virtualIPs I created a new local address of 10.2.1.4/16 associated with the LAN interface that is of type CARP.  Put in a VHID password and bahm, CARP up and running.
You can post beginner level questions and I can try to pass on the little bit I've learned.

Dotdash i sent you a private message with a clarification of how things are setup

Apparently it was it.. I had to simply reboot the two FW.

Weird..

Now it's working fine.. (have been for two days)

Thank you for your support! ;)

Create a VIP PARP with the Outside address you are wanting to use. .5 I assume.
Go over to the Load Balancer Tab/section

Create the Pool first, your web servers Create the Virtual Server this is the Same IP Address as the VIP

The VIP is going to be your Outside address and the Pool is going to be your in side address
Also don't forget to create Firewall Rules to allow the Web traffic from the outside interface to the inside interface.

Also When create the Virtual Server it will ask you for a "Pool down" server I used an old server matching my 2 production Web servers as my Pool down server it is Really slow so I didn't want it in the round robin but it is a nice fail back plan…

Hope this helps

Never mind. I was looking for load balancing on UDP but I learned that verion 1.2 only supports TCP load balancing.

Excellent! Now if only there was a way to sync FreeRADIUS between machines in a carp cluster. But I can solve that problem through other methods, aka a single system on the LAN that isnt one of the pfSense boxes.

@dotdash:

You don't want 'other', but here is some info: http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632
You can use CARP on a stand alone system. Just use a unique vhid for each VIP. Set the password to whatever, it doesn't matter.

ok, thank you a lot.

I have set the CARP, with unique vhid and any password, and ping, port forwarding etc.. works

thank you , once more..

Yes, it can work! I have it working on vmware-server 1.0.7, Linux host.

read this: http://www.ogris.de/docs/vmware-server-vrrp.html
and this: http://mark.foster.cc/blog/2008/10/pfsense-and-carp-on-vmware-server.html

Basically a small hack the vmnet driver.

I don't think this will work on ESX though, just vmware-server.

CARPDEV is what is really needed for this, but it's still not working well. Depending on your setup, you may be able to use Other VIPs. See this thread: http://forum.pfsense.org/index.php/topic,7039.0.html
You could also try adding alias IP's http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf and then adding CARP IPs.