HA/CARP/VIPs

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

C

1:1 NAT and Multiple Public IPs

• Aug 10, 2006, 1:24 AM • cdcarter Mar 19, 2007, 11:58 PM

3

0
Votes

3
Posts

4.0k
Views

M Mar 19, 2007, 11:58 PM

I had same problem, to map multiple WAN IP's to internal LAN/DMZ IPs. Example: 212.xx.xx.xx => 10.xx.xx.xx

First I make Virtual IPs for every of my external IP (212.xx.xx.xx.) but it was not possible to use NAT 1:1 settings!
You have to use "NAT Port Forward" insted. In the "External address" drop down you will see all your Virtual IPs and you can easy map them to your internal IPs and choose desired ports/ranges.
I

Problem with pfSync

• Mar 17, 2007, 11:21 AM • itou Mar 17, 2007, 11:21 AM

1

0
Votes

1
Posts

2.1k
Views

No one has replied
C

Virtual IP problem…

• Mar 15, 2007, 7:23 AM • cybervolkan Mar 16, 2007, 12:48 PM

5

0
Votes

5
Posts

2.7k
Views

C Mar 16, 2007, 12:48 PM

Finally I did what I want… :)

1 - I've created a vip (proxyarp).
2 - I've added a 1:1 nat for my LAN ip for vip
3 - I've added a port-forward for My LAN ip for ports 1-65500

Now it work properly...

But I couldn't solve high traffic on carp vips. ???
R

Carp sync issue with load balancing

• Mar 6, 2007, 4:54 AM • rwalker Mar 12, 2007, 2:36 PM

2

0
Votes

2
Posts

2.0k
Views

R Mar 12, 2007, 2:36 PM

Looks like some people have read my post, but no response, also the ticket has not been touched….

Here is the link to the ticket http://cvstrac.pfsense.com/tktview?tn=1262. Will someone acknowledge this?
H

CARP - IPSEC - failover - listen (500) in racoon.conf

• Mar 2, 2007, 7:24 PM • heiko Mar 4, 2007, 9:57 PM

8

0
Votes

8
Posts

4.4k
Views

H Mar 4, 2007, 9:57 PM

Hello Scott,

maybe later. It doesn't greatly matter.

Greetings from Germany and special thanks for your help.

Heiko
C

Setting up CARP cluster for LAN and WAN VIPs at the same time

• Feb 26, 2007, 2:26 PM • captain kirk Mar 2, 2007, 2:49 PM

15

0
Votes

15
Posts

6.8k
Views

H Mar 2, 2007, 2:49 PM

danke, jetzt habe ich es
gruß
heiko
J

Just a question about carp and vlans

• Feb 27, 2007, 10:49 PM • Juve Feb 27, 2007, 11:16 PM

2

0
Votes

2
Posts

2.2k
Views

H Feb 27, 2007, 11:16 PM

Should work.
B

VIP for LAN shows BACKUP status on both servers

• Feb 24, 2007, 3:27 AM • bbrazeal Feb 26, 2007, 6:25 PM

9

0
Votes

9
Posts

4.5k
Views

H Feb 26, 2007, 6:25 PM

CARP is mainly broadcastingtraffic. Have a look at http://www.countersiege.com/doc/pfsync-carp/ to see how it works.
B

2 of 3 CARP VIP's work

• Feb 23, 2007, 5:07 PM • bill_mcgonigle Feb 26, 2007, 11:20 AM

7

0
Votes

7
Posts

4.8k
Views

H Feb 26, 2007, 11:20 AM

Correc t, you need first a virtual IP to add 1:1 mappings (at least if we are not talking abou the real wan interface IP). On top of that you need firewallrules to let the desired traffic pass of course.
H

CARP Preemption in RELENG_1 Snapshots

• Feb 25, 2007, 11:40 AM • heiko Feb 25, 2007, 2:05 PM

3

0
Votes

3
Posts

3.4k
Views

H Feb 25, 2007, 2:05 PM

Thanks a lot
Heiko
T

Dynamic DNS doesn't work with Dual Wan

• Feb 4, 2007, 9:58 AM • tritu Feb 24, 2007, 6:37 AM

9

0
Votes

9
Posts

18.5k
Views

T Feb 24, 2007, 6:37 AM

I'm not a fulltime programmer so I don't think like a geek. I just made it work for my case. If it's usefull, please feel free to use it. I will be very happy if I know that it's intergrated into pfsense. I can sleep with a happy face :)

The three main files that I modified are: filter.inc, dyndns.class, and pfsense-utils.inc (see attached files). As always, diff is really useful to checkout the differences. It's not much coding, here are all of my codes & modifications:

//
/ File: /etc/inc/filter.inc /
/ At the end of the function filter_configure_sync add /
/ the new wan_monitor() function in /
//

/* reload filter sync /
function filter_configure_sync() {
…
/ sync carp entries to other firewalls */
update_filter_reload_status("Syncing CARP data");
carp_sync_client();

/* WAN monitoring */
wan_monitor();

update_filter_reload_status("Done");

return 0;
}

function wan_monitor() {
global $config;
$failure = 0;
update_filter_reload_status("Debug: WAN Monitoring");

foreach ($config['filter']['rule'] as $rule) {
if ($rule['gateway'] <> "") {
$rulegw = $rule['gateway'];
}
}

foreach($config['load_balancer']['lbpool'] as $lb) {
$poolname = $lb['name'];
$servers = $lb['servers'];

if ($poolname == $rulegw) {
if($lb['behaviour'] == "failover") {
$routeto = exec("cat /tmp/rules.debug | grep route-to | cut -d '(' -f2 | cut -d ')' -f1 | /usr/bin/sed -e 's/^ //g'");
list($int, $gateway) = split(" ", $routeto);

$default_route = exec("netstat -rn | grep default | awk '{print $2, $6}'");
list($default_gw, $default_int) = split(" ", $default_route);

if ($default_gw != $gateway && $gateway <> "" ) {

$wan1_gw = $config['interfaces']['wan']['gateway'];
list($int_name, $monIP) = split("|", $servers[0]);

/* Double check by ping to the host monitor IP 3 times */
for ($i = 1; $i <= 3; $i++) {
$pingstatus = exec("/sbin/ping -c 1 -t 2 -q -Q $monIP | grep 'packet loss' | cut -d ',' -f3 | /usr/bin/sed -e 's/^ //g' | cut -d '%' -f1");

if ($pingstatus == 100) {
$failure++;
}
sleep (5);
}

/* If total failure is 3 times, then switch the default route /
if ($failure == 3) {
$switchroute = 1;
}
/ Switch back to WAN1 if the host monitor IP is pingable /
/ and the default gateway is on WAN2 */
else if ($failure == 0 && $default_gw != $wan1_gw) {
$switchroute = 1;
}
else {
$switchroute = 0;
}

update_filter_reload_status("Debug: Switch Route = $switchroute");
update_filter_reload_status("Debug: Total Failure time = $failure");
}
else {
update_filter_reload_status("Debug: Do nothing. Same route");
}

if ($switchroute == 1) {
update_filter_reload_status("Debug: Changing the default gateway to $gateway");
exec("/sbin/route delete default");
exec("/sbin/route add default $gateway");

update_filter_reload_status("Debug: Sending email notification");
$hostname = exec("hostname");
$subject = "$hostname has switched the default gateway to $gateway";
$msg = "This is an automate email notification that the default gateway has switched over to ";
$msg .= "$gateway\n";
$to = "email@company.com";
exec("/usr/local/bin/php /root/my-scripts/phpmailer/smtp.php "$subject" "$msg" $to");
}

$is_carp_enable = get_carp_status();

if ($is_carp_enable == 1) {
foreach($config['virtualip']['vip'] as $carp) {
if ($carp['mode'] != "carp") continue;
$ipaddress = $carp['subnet'];
$carp_int = find_carp_interface($ipaddress);
$carp_status = get_carp_interface_status($carp_int);
update_filter_reload_status("Debug: $carp_status");
}
}

if ($carp_status == "MASTER") {
update_filter_reload_status("Debug: Updating with DynDNS");
exec("/etc/rc.dyndns.update");
}
update_filter_reload_status("Debug: End");
}
}
}
}

//
/ File: /etc/inc/dyndns.class /
/ Replace $wan_ip to use $this->_checkip() function to /
/ get the real WAN IP to use with Dyndns /
//

if(!$wan_ip)
$wan_ip = $this->_checkip();

function _checkip() {

//log_error("DynDns: Running _checkip() for real WAN IP");

exec("/usr/bin/netstat -rn | grep carp | awk '{print $1, $6}'", $getcarp);

list($gwip, $gwint) = split(" ", /usr/bin/netstat -rn | grep default | awk '{print $2, $6}');
$gwip = str_replace("\n", "", $gwip);
$gwint = str_replace("\n", "", $gwint);

if ($getcarp[0] <> "") {
foreach ($getcarp as $carpinfo) {

list($carpip, $carpname) = split(" ", $carpinfo);

$carp_int = $this->_getcarp_int($carpip);

if ($gwint == "$carp_int") {
$match = exec("echo $carpinfo | grep $carpname");
list($gwvip, $gwcarp) = split(" ", $match);
$ip = $gwvip;
}
}
}
else {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://checkip.dyndns.com');
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

$data = curl_exec($ch);
curl_close($ch);

list($part1, $part2) = split(': ', $data, 2);
list($ip, $junk) = split('<', $part2);
}
return $ip;
}
/* End of function */

function _getcarp_int($carpip) {

global $config;

foreach($config['virtualip']['vip'] as $vip) {

if ($vip['subnet'] == "$carpip") {
$int_name = $vip['interface'];
$int = convert_friendly_interface_to_real_interface_name($int_name);
}

}
return $int;
}

/*
* Private Function (added 12 July 05) [beta]
* - Detect whether or not IP needs to be updated.
* | Written Specifically for pfSense (pfsense.com) may
* | work with other systems. pfSense base is FreeBSD.
*/
function _detectChange() {
global $config;
log_error("DynDns: _detectChange() starting.");

$currentTime = time();

$wan_ip = $this->_checkip();
$this->_dnsIP = $wan_ip;
$this->_dnsHost = $config['dyndns']['host'];

$previousIP = exec("/sbin/ping -c1 $this->_dnsHost | grep PING | cut -d '(' -f2 | cut -d ')' -f1");

log_error("DynDns: Previous DNS IP: {$previousIP}");
log_error("DynDns: Current WAN IP: {$wan_ip}");

if (file_exists($this->_cacheFile)) {
if(file_exists($this->_cacheFile))
$contents = file_get_contents($this->_cacheFile);
else
$contents = "";
list($cacheIP,$cacheTime) = split(':', $contents);

$this->_debug($cacheIP.'/'.$cacheTime);
$initial = false;
log_error("DynDns: Cached IP: {$cacheIP}");
} else {
conf_mount_rw();
$file = fopen($this->_cacheFile, 'w');
fwrite($file, '0.0.0.0:'.$currentTime);
fclose($file);
conf_mount_ro();
$cacheIP = '0.0.0.0';
$cacheTime = $currentTime;
$initial = true;
log_error("DynDns: No Cached IP found.");
}

/* use 2419200 for dyndns, dhs, easydns, noip, hn
* zoneedit, dyns, ods
*/
$time = '2160000';

$needs_updating = FALSE;

/* lets deterimine if the item needs updating /
if ($previousIP != $wan_ip) {
$needs_updating = TRUE;
log_error("DynDns: previousIP != wan_ip. Updating.");
}
if ($cacheIP != $wan_ip) {
$needs_updating = TRUE;
log_error("DynDns: cacheIP != wan_ip. Updating.");
}
$update_reason = "Cached IP: {$cacheIP} WAN IP: {$wan_ip} ";
if (($currentTime - $cacheTime) > $time ) {
$needs_updating = TRUE;
log_error("DynDns: More than 25 days. Updating.");
}
$update_reason .= "{$currentTime} - {$cacheTime} > {$time} ";
if ($initial == TRUE) {
$needs_updating = TRUE;
$update_reason .= "Inital update. ";
log_error("DynDns: Initial run. Updating.");
}
/ finally if we need updating then store the
* new cache value and return true
*/
if($needs_updating == TRUE) {
return TRUE;
} else {
return FALSE;
}

log_error("DynDns debug information: {$update_reason}");

}

filter.inc.txt
dyndns.class.txt
pfsense-utils.inc.txt
H

PPTP failover

• Feb 21, 2007, 6:59 AM • heureka Feb 21, 2007, 9:07 PM

3

0
Votes

3
Posts

3.2k
Views

H Feb 21, 2007, 9:07 PM

Excellent. Works perfectly. Thanks hoba.
N

CARP with two NICS?

• Feb 16, 2007, 4:36 PM • nlevesque Feb 19, 2007, 8:24 PM

11

0
Votes

11
Posts

5.8k
Views

H Feb 19, 2007, 8:24 PM

pfsync and carp shouldn't interfere with each other. Swapping Master/Backup status can only be related to CARP, not to pfSync.
J

CARP Master / Master

• Feb 7, 2007, 9:31 AM • jremme Feb 19, 2007, 6:51 PM

4

0
Votes

4
Posts

3.4k
Views

S Feb 19, 2007, 6:51 PM

http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense
I

Quick carp/default gateway question

• Feb 8, 2007, 9:35 PM • IanSVT Feb 9, 2007, 2:01 PM

3

0
Votes

3
Posts

3.1k
Views

I Feb 9, 2007, 2:01 PM

Works like a charm. Thanks a bunch!
T

CARP + Dual WAN connection failover

• Feb 6, 2007, 2:48 AM • tritu Feb 8, 2007, 7:18 AM

6

0
Votes

6
Posts

4.0k
Views

T Feb 8, 2007, 7:18 AM

I have found out the root causes. It's not the problem with the switch. It was b/c of the firewall rules. When the FW outbound LAN rule got change to use the Failover pool, the default route is no long effective. When master & slave send out the broadcast message of VRRP to 244.0.0.18, it used the Failover for it routing table and Failover pool is only routed to either WAN1 or WAN2 which doesn't know the route of the internal LAN subnet. That's why stage MASTER/MASTER were on both machines. Once I create the new rule for LAN subnet to allow traffic to 244.0.0.18 using the default gateway, then it fixed the problem.

It's working great now. Disable on master –> switch over to salve. Enable back --> fallback to master.
W

CARP and Routed Real IP Subnet

• Jan 25, 2007, 10:32 AM • Wasca Jan 25, 2007, 12:20 PM

2

0
Votes

2
Posts

2.4k
Views

H Jan 25, 2007, 12:20 PM

Exactly
U

Kernel: carp3: incorrect hash

• Jan 23, 2007, 3:33 PM • ugur Jan 25, 2007, 11:23 AM

12

0
Votes

12
Posts

7.0k
Views

U Jan 25, 2007, 11:23 AM

thanks for yours help
P

Sync problem when removing alias

• Jan 18, 2007, 1:12 PM • prodius Jan 24, 2007, 10:59 PM

2

0
Votes

2
Posts

2.0k
Views

S Jan 24, 2007, 10:59 PM

This was a bug. Just fixed it.
B

Questions about Carp?

• Jan 16, 2007, 9:17 PM • browndawg74 Jan 17, 2007, 12:02 PM

5

0
Votes

5
Posts

3.0k
Views

B Jan 17, 2007, 12:02 PM

Thank you

126 / 129