@viragomann said in Can't get to Internet from LAN VIP:

the default gateway doesn't accept upstream traffic from this subnet

Yeah, I asked the data center this question (again), and that was it. 🙄 So apparently it was routing inbound but not allowing replies or outbound.

Thanks for being a sounding board.

@rcoleman-netgate OK thanks Ryan. That was my suspicion. Just trying to get all the rules set up before launch.

@seeking-sense said in Moving from 5 static IP to only 1. : (:

Are there any third party service that "tunnels" static / public IPv4 addresses? Likely it would be cost prohibitive if there is such an animal.

What do you want to tunnel and how should this work?

The thing is, there can only be a single service listen on the single port and IP.
So you have to declare what do your need exactly. What does this mean:

VM #1 Web, VM #2 Mail, VM #3 NAS, etc...

I guess you can run all these services on different ports on pfSense WAN address, apart from "web" (HTTP/S, port 80 and 443). The latter you can treat with the HAproxy package.
HAproxy can look into the HTTP host header and can redirect certain host names to different backend servers.
This works pretty well.

@jasjitchopra It used to be the case to sync states, but not since 22.01, see
https://docs.netgate.com/pfsense/en/latest/highavailability/pfsync.html#pfsync-and-physical-interfaces

Edit: to clarify, the hardware doesn't have to be identical for HA, but the interfaces/interface order needed to be. If the routers have the same packages and usage then it would help if they are reasonably close in spec.

@rico Thank you!
I configured the second WAN with SFP cable on IX0 interface

Ok everything is ok now.
The sync problem was a bad rule on pfsync interface.
Thanks again for your help and have a nice week end

You must allow for MAC Address changes, Promiscious MOde, and Forged Transmits on the port group to the VM for any interface that uses CARP. I created a single trunk portgroup that has these settings and only use it for my pfSense box.

@amoschb said in HA - NO ENOUGH WAN IP Addresses:

So the question is: if only 1 available WAN IP, can we build a HA pfsense?

Yes but the backup won't be active until the primary fails. It is also not supported by TAC so if you have issues, purchase TAC support, and come to us and we see that config we won't touch anything related to a HA issue with it.

Sometimes you can get your ISP to give you a single static and let you have two DHCP addresses (for the WAN on the two HAs) and go that route.

Hi
thanks to the help.

I have made a HA between Pfsense plus firewall and Pfsense CE for backup .
in production i have many problem like some network disconnection .
My pfsense plus firewall has a lot of rules , nat inbound and outbound, 46 VLAN , 6 public VIP .
My question is when deploying the HA , the backup firewall must be empty of rules befor activate HA to let the Xmlrpc sync rules automaticaly exept rules of sync interfaces ?
because i have exported config xml then i changed what i want like ip interfaces to match the prerequisties oh HA, but rules are the same on both firewall .

thank you

Well, it looks like my expectations about the self-protection were wrong! I found in the system logs of the pfSense firewalls that it was flagging the checks from zabbix as an attack, and would periodically block all access from the zabbix server IP. I was able to whitelist that IP from the login protections, and I haven't seen any issues since. I still have no idea why this issue only manifested for the backup firewalls and not the master ones, seeing as their configurations are nearly identical, but hopefully this helps someone else in the future!

Hello
Like said on documentation :
pfsync Synchronize Peer IP

If left blank, the firewall will send state data using multicast to all hosts on the chosen Synchronize Interface.

In practice, state synchronization is more reliable when sent directly and not via multicast.

@empbilly said in Compatibility between VRRP and CARP:

The vlans I have are in a lagg with 4 physical interfaces.

Would this be a problem?

No. In former pfSense versions the network ports for a (virtual) network interface have to be the same same on both nodes. E.g. the port for VLAN 305 has to be lagg0.305 on both.

Configuring a lagg was a way to achieve this if the hardware was different.
But as far as I know, this is not necessary anymore since FreeBSD 12. However, I configured it only this way.

Do I need to have one network (10.10.10.0/24) or can it be one IP only (10.10.10.1) for each VIP in the vlans?

You have to configure each IP and as well the VIP with the correct mask.

I have the vlan ADM_LAN with the network 10.60.0.0/23 and GW 10.60.0.1

On pfsense backup can I put the GW 10.60.0.2?

If you have 10.60.0.1 already configured as gateway on all your internal machines it might be easier to turn this into the CARP VIP and change the interface IP on the primary to anything other, maybe 10.60.0.2 and use 10.60.0.3 for the secondary.

Another point is that we have an AD in our infrastructure, and the AD IP is the DNS in some vlans. How does this work with VIP?

This has nothing to do with HA. It should work like before.
Maybe I'm getting you wrong?

@viragomann Or put the pfblocker file on an inside network that both nodes have ready access to. Sync it to a reachable server or something.

@thale

BTW:

CARP IP on LAN interface works fine and no any issues.
The packet loss issue is only happened on CARP IP on WAN interface.

@nikim
Simply hit "Add new patch", enter a description like "CRL lifetime fix" and the patch ID below and save it.

pfSense will pull and apply the patch then.