• Use carp but don't need failover

    Locked
    11
    0 Votes
    11 Posts
    4k Views
    dotdash

    Hmm, that's an interesting workaround. You just added an OPT interface with the public, and then it let you add the CARP IPs on the WAN? I never tried that. I'm glad you got everything working.

  • Multiple WAN Subnets - VIPS / CARP

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    E

    Aghhh….just saw those, Oh well, looks like I need to move some IPs around then!

  • Carp and Non contiguous IP's

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    J

    I agree mate, however just about to upgrade to 100Mb WAN connection, so upgrading the firewall with new Dell R200 with Intel Quad NIC, can't really afford both at present, so going to use the original firewall as failover (have found pfsense so stable I don't think it'll be needed, you can never tell hardware failures etc) so not overly worried about failover as long as it'll support the connection albeit at a lower speed.

    Cheers for your help.

    J

  • Question about failover and CARP

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C

    1)  I'm not sure what you mean by WAN access as opposed to Internet access, but if you mean the network that pubip[1-3] are in, then yes.  Same with the Internet (assuming that you've set up NAT and firewall rules allowing access in the first place).

    2)  PFSense will replicate rules from the "master" machine to the other machine as long as you have configured CARP (in the CARP Settings under Firewall->Virtual IPs->CARP Settings) to do so.

  • Carp not working correctly on internal firewalls

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    Figured out where I was going wrong on this - on the first set of firewalls I was using VHID 1 /2 and the same for the second internal firewalls, silly mistake - after setting the internal to VHID 3 /4 it is all working correctly. ;D

  • Adding (moving) another block of addresses to WAN

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    W

    Which version are you using? I've been trying to do the same thing and I can't get the new PARP addresses + NAT to work?

  • Adding an Additional subnet to the WAN interface

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    W

    Yes, that's exactly what I did. I added a PARP IP via the Virtual IPs menu and allowed it to auto create the rule for me (allowing HTTP back to the web server running internally).

    I then added an additional rule allowing ICMP to internal address. Both rules are created on the WAN interface and reference the internal address that I'm allowing traffic to.

    I've done this many times for IP's that are on the WAN interface's primary network.

    I then used the packet capture option to sniff the traffic destined for the PARP address on the WAN side and I do see both ICMP and HTTP traffic hitting the WAN interface when I test the respective protocols.

    I then did the same thing sniffing the LAN interface to see if there's any packets being sent to the internal NAT's IP - and I don't see anything. I've also run a packet sniffer on the web server to ensure that I'm not missing something and that traffic is in fact not hitting the machine somehow - there's nothing coming out on the LAN side.

    Downloading the config XML and looking at the version element - it says I'm running version 2.9. Looking at index.php it says I'm running 1.2-RC1 (built on Sat Jul 21 13:42:54 EDT 2007 )

    Thanks
    Warrick

  • Carp Status

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C

    That's what happens when multicast traffic isn't passed properly. Some switches block or break multicast.

  • Does deleting a Virtual IP cause the system to Reboot?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    C

    Yeah it didn't appropriately warn before 1.2.1, it's supposed to do that. CARP interfaces can't be removed on a running system. You don't have to reboot right away, but the VIP won't be removed until you do.

  • CARP not working? Why?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    GruensFroeschli

    This doesn't really make much sense.
    Set the subnet to what you actually have on the main WAN IP.

  • 0 Votes
    6 Posts
    4k Views
    dotdash

    You can also do it this way: http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

  • CARP Problem - Fatal trap 12: page fault while in kernel mode

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    C

    Hrm, there shouldn't be any way even when you're switching from proxy ARP to CARP to accomplish that. I know the input validation works when adding, maybe it's missing when switching from one type to another. Thanks for the report.

  • PfSense box not aware of a subnet that appears only in NAT configuration.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G

    @GruensFroeschli:

    Diagram:

    internet
                    |
                    |
       [WAN] 10.10.10.2/27
               pfSense   [OPT1] 192.168.1.1/25 -------- servers
      [LAN] 192.168.10.1/24
                    |
                    |
                clients

    Can you please clarify where you have the 10.20.20.0/26 subnet?
    Are these IP's used directly on the servers or as VIP's on the WAN?
    Was the 10.20.20.0/26 subnet assigned to you by your ISP? (since these are public IPs)

    The 10.20.20.0/26 subnet is allocated for the real IP addressing needs of some boxes that reside in the 192.168.1.0 subnet (OPT1)
    It only exists in the 1:1 NAT configuration page and the NAT-ing is done on the WAN interface.
    I didn't make any VIP for this subnet, except for the PAT-ing of the LAN. Yes, this real-ip subnet is unique.

    If so you could add these public IP's to the servers directly.
    -> Assign 10.20.20.1 to the pfSense.

    This actually is the option that I am considering too. It involves changes on the servers though so was trying a workaround.
    The case is that if this was a new installation that would be my approach from the beginning.
    This was an existing setup that worked having an openbsd box in place before I used pfSense as a way better managed PF solution, especially for the non-BSDers.

    Basically: if you 1:1 NAT something you cannot access this forward from the inside itself.
    Use for that normal port forwards, since pfSense is able to reflect normal portforwards.

    Search the forum for my username and "normal portforward" since I posted in quite a few threads how to do that.

    Another alternative is, that you use 1:1 NAT from the outside, and for access from the inside you set up split DNS.
    This is described here.
    http://forum.pfsense.org/index.php/topic,7001.0.html

    Thank you for this tip :)
    Found lots of interesting info there and especially the text about adding aliases on the physical interfaces is very interesting.
    If I remember correctly this was what I did, adding the 1:1 IPs as aliases on the WAN that is, on the previous box to make it see this, otherwise "virtual" subnet, as local thus appearing on the fw's routing table.
    The way I understood the whole VIP concept made me think that it was the way to make something similar.
    SplitDNS would be a viable option too if this was an isolated environment (not different links going to different places interconnecting private networks which share the same NSs)

    Thanks again for your time!

    George

  • Has anyone tried load balancing MySQL?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C

    If the responses aren't coming back, it sounds like the servers are missing their default gateway or have it set to something other than pfSense.

  • Failover - what gets synced?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    P

    Do CARP IP addresses work with load balancing?

  • CARP w/ LB & 3x WAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    dotdash

    Active/Passive is currently the only supported configuration.
    You are correct in that you should add a dedicated interface for the sync.
    The carp tutorial is a good place to start: http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm

  • 0 Votes
    3 Posts
    3k Views
    E

    Hi thanks for the reply.  I have not looked at this in a while as it did not seem possible and as of yet it is not possible.

    We do use multihomed DNS, however it is not ideal as there is no failover, if a server goes down, DNS does not automatically remove or change the DNS record, which means there is a failure and no response for x% of requests made (depending on how many hosts are in the loop).

    I would still like to find a solution for this, if possible without having to fly out to the data centre to reconfigure the entire network :)

    Thanks

  • Two PF-Sense servers in a virtual environment for redundancy

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    F

    I posted some responses from dotdash, I still have few things not quite configured correctly.

    I created my second PF-Sense machine by copying my first box.  The only difference is the IP address and the name of the server.

    I have following Settings:
    Synchronize Enabled
    Synchronize Interface - OPT2
    pfSync sync peer IP 192.168.17.2
    Synchronize rules
    Synchronize NAT
    Synchronize IPsec
    Synchronize Virtual IPs
    Synchronize traffic shaper
    Synchronize to IP 192.168.30.2
    Remote System Password (username reset to ADMIN and password set to match on both servers)

    Added Virtual IP to the Master machine
      Type = CARP
      Address  192.168.17.2 /24
      matched the VIP password
      VHID group 1
      Advertising Frequency 0

    Rules
    OPT2
    All traffic set to pass between servers

    When I bring up the second server CARP comes up with FW1 as master and FW2 as backup.  However, I see two issues at that point: even with 192.168.14.2 added as a second gateway, I can't access the internet, and IPSEC tunnels appear to be up on both firewalls.

    I really want to get this running due to my occasional virtual server issue.
    Many thanks,
    RC

  • Bug with webgui for load balancer status?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N

    <taps microphone> hello, is this thing on?

    :D

  • Virtual IP in CARP environment

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.