• Will a LAN and DMZ using the same VHID result in a misconfiguration?

    0 Votes, 2 Posts, 351 Views

    @cs_l
    No. I prefer a unique VHID for each CARP VIP though, but for proper function they only have to be unique within a layer 2 network.

  • Re - Compatibility between VRRP and CARP

    0 Votes, 22 Posts, 3k Views

    @viragomann

    Status > DHCP Leases

    Pool Status

    It is now in "recover state". Regardless of whether I put pfbackup on the network, with the Failover peer IP configured, it is still in "recover state".

  • HAProxy default route when a rule doesnt match.

    0 Votes, 6 Posts, 1k Views

    @jaredadams
    An http frontend doesn't accept IP addresses for comprehensible reasons.
    This might only work in tcp mode.

  • Can / Should i use a CARP address as default GW (LAN)

    0 Votes, 7 Posts, 925 Views

    @viragomann

    Good, so this is the way it should work then; then I can stop suspecting this was related to the issues at hand, thx!

  • HAProxy forwarding to the nextcloud server

    0 Votes, 14 Posts, 1k Views

    @alcamar said in HAProxy forwarding to the nextcloud server:

    I can document it here, in case there are similarly inexperienced people like me in the future.

    Why not? Since the thread title already points to it, people could find it.

    However, your setup is probably rather a rarity. As I said, nowadays a web server usually doesn't run in a virtual directory.
    With HAProxy I would simply have all requests forwarded and let the backend server do the rest. There are plenty of guides for that.

    But I'm still struggling with certificates for CalDAV. Actually only pfSense should have to juggle certificates, right?

    That would be desirable. Unfortunately it doesn't always work. But I don't know how it is with Nextcloud. I don't run mine behind a proxy.

    But I have seen threads about DAV and HAProxy. I think, though, that you would find usable results faster with those two search terms on the web than here.
    Those could then be "translated" to the configuration in the pfSense GUI.

    I have noted your point regarding the security of port 443 for my next considerations.

    If you have managed to get HAProxy to forward requests to Nextcloud's virtual directory and not allow any others, it should be reasonably secure. Apart from that, of course, you have to be aware that the Nextcloud is on the Internet and therefore needs proper access passwords and must be kept up to date.

  • What does this (backup) CARP status mean?

    0 Votes, 6 Posts, 1k Views

    @mrpete Well, there you go. No CARP VIP no status.

    If you have MASTER/MASTER then you need to fix the layer 2 between that interface on both nodes.
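An added example, written for this page and not taken from any of the posts: a small checker that reads FreeBSD `ifconfig` output captured on both pfSense nodes and flags the two conditions discussed in this thread and in the "same VHID on LAN and DMZ" thread above, a VHID reused on two interfaces that sit in the same layer 2 domain, and a VIP that both nodes report as MASTER (advertisements not crossing layer 2). The `ifconfig` text, the interface names and the interface-to-VLAN mapping are constructed for the example; on a real pair you would paste in `ifconfig` from each box and describe your own VLAN layout.

```python
import re
from collections import defaultdict

# Constructed sample `ifconfig` output from two pfSense nodes (not captured from
# any poster's system). vmx0 = WAN, vmx1 = LAN, vmx2 = DMZ. LAN and DMZ both use
# vhid 1, and the backup node also claims MASTER for vhid 1 on vmx1, which is
# the MASTER/MASTER symptom the reply above refers to.
PRIMARY_IFCONFIG = """\
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 3
    carp: MASTER vhid 3 advbase 1 advskew 0
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
vmx2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
    inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
"""

BACKUP_IFCONFIG = """\
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 3
    carp: BACKUP vhid 3 advbase 1 advskew 100
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 100
vmx2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
    inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100
"""

IFACE_RE = re.compile(r"^(?P<iface>[A-Za-z0-9_.]+):\s+flags=")
CARP_RE = re.compile(
    r"carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)"
    r"\s+advbase\s+(?P<advbase>\d+)\s+advskew\s+(?P<advskew>\d+)"
)


def parse_carp(ifconfig_text):
    """Map (interface, vhid) -> {"state", "advskew"} from FreeBSD ifconfig output."""
    found, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("iface")
            continue
        m = CARP_RE.search(line)
        if m and iface:
            found[(iface, int(m.group("vhid")))] = {
                "state": m.group("state"),
                "advskew": int(m.group("advskew")),
            }
    return found


def vhid_collisions(carp, l2_domain):
    """VHIDs used on more than one interface inside one layer 2 domain.

    l2_domain maps interface -> broadcast domain name (an assumption supplied by
    the caller; CARP itself only sees the segment it advertises on). Reusing a
    VHID across *separate* domains, e.g. LAN and DMZ on different VLANs, is fine.
    """
    seen = defaultdict(set)
    for iface, vhid in carp:
        seen[(l2_domain.get(iface, iface), vhid)].add(iface)
    return {key: ifaces for key, ifaces in seen.items() if len(ifaces) > 1}


def master_master(primary, backup):
    """VIPs both nodes claim as MASTER: the nodes do not hear each other's advertisements."""
    return sorted(
        key for key in primary
        if key in backup and primary[key]["state"] == "MASTER" == backup[key]["state"]
    )


def skew_problems(primary, backup):
    """VIPs where the backup's advskew is not higher than the primary's (pfSense default 0 vs 100)."""
    return sorted(
        key for key in primary
        if key in backup and backup[key]["advskew"] <= primary[key]["advskew"]
    )


def analyse(primary_text, backup_text, l2_domain):
    """Run all three checks and return the findings as one dict."""
    primary, backup = parse_carp(primary_text), parse_carp(backup_text)
    return {
        "collisions": vhid_collisions(primary, l2_domain),
        "master_master": master_master(primary, backup),
        "skew": skew_problems(primary, backup),
    }


if __name__ == "__main__":
    # Assumed VLAN layout: LAN and DMZ are distinct VLANs, so vhid 1 twice is legal.
    layout = {"vmx0": "wan", "vmx1": "vlan10", "vmx2": "vlan20"}
    for name, value in analyse(PRIMARY_IFCONFIG, BACKUP_IFCONFIG, layout).items():
        print(f"{name}: {value or 'none'}")
```

Run it with the layout above and the only finding is `master_master: [('vmx1', 1)]`, which is the cue to look at the switch, VLAN tagging or hypervisor port group between the two LAN ports rather than at the CARP settings. Change the layout so that `vmx2` is also in `vlan10` (a DMZ accidentally trunked into the LAN broadcast domain) and the collision check reports vhid 1 on both interfaces, the misconfiguration the first thread asks about.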

  • DHCP failover in recover state

    0 Votes, 2 Posts, 272 Views

    And here's something from the log...

    DHCPDISCOVER from d0:94:66:4b:51:b6 via vtnet9: peer holds all free leases

  • One VLAN is master on both HA's??? Strange networking issue

    0 Votes, 14 Posts, 1k Views

    Thanks all for the suggestions. Digging into it...

  • Help to config carp with HA configuration

    0 Votes, 1 Post, 372 Views, no replies

  • HaProxy not working on 22.05

    0 Votes, 1 Post, 637 Views, no replies

  • Can't get to Internet from LAN VIP

    0 Votes, 9 Posts, 1k Views

    @viragomann said in Can't get to Internet from LAN VIP:

    the default gateway doesn't accept upstream traffic from this subnet

    Yeah, I asked the data center this question (again), and that was it. 🙄 So apparently it was routing inbound but not allowing replies or outbound.

    Thanks for being a sounding board.

  • Does LAN Net include VIPs?

    0 Votes, 3 Posts, 770 Views

    @rcoleman-netgate OK thanks Ryan. That was my suspicion. Just trying to get all the rules set up before launch.

  • Moving from 5 static IP to only 1. : (

    0 Votes, 8 Posts, 1k Views

    @seeking-sense said in Moving from 5 static IP to only 1. : (:

    Are there any third-party services that "tunnel" static / public IPv4 addresses? Likely it would be cost prohibitive if there is such an animal.

    What do you want to tunnel and how should this work?

    The thing is, there can only be a single service listening on a single port and IP.
    So you have to state exactly what you need. What does this mean:

    VM #1 Web, VM #2 Mail, VM #3 NAS, etc...

    I guess you can run all these services on different ports on pfSense WAN address, apart from "web" (HTTP/S, port 80 and 443). The latter you can treat with the HAproxy package.
    HAproxy can look into the HTTP host header and can redirect certain host names to different backend servers.
    This works pretty well.
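An added example, not from the thread and not the pfSense package's own output: the raw haproxy.cfg equivalent of what the reply describes (the pfSense HAProxy package generates a file like this from its GUI settings). One public address, HTTP/S terminated on the firewall, three web backends chosen by the Host header, and an explicit deny for anything that matches no rule, which is also the answer to the "default route when a rule doesn't match" thread above. Hostnames, the certificate directory and the backend addresses are placeholders.

```haproxy
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor                 # hand the real client IP to backends in X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_public
    # The single public IP: pfSense passes 80 and 443 to this listener
    bind :80
    bind :443 ssl crt /usr/local/etc/haproxy/certs/   # one PEM per hostname, picked by SNI (placeholder path)
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Match on the Host header, lowercased and with any explicit :port stripped,
    # so "Cloud.Example.com:443" still reaches the right backend.
    acl host_web   req.hdr(host),lower,field(1,:) -m str www.example.com
    acl host_cloud req.hdr(host),lower,field(1,:) -m str cloud.example.com
    acl host_wiki  req.hdr(host),lower,field(1,:) -m str wiki.example.com

    use_backend be_web   if host_web
    use_backend be_cloud if host_cloud
    use_backend be_wiki  if host_wiki

    # Nothing matched: refuse instead of falling through to some backend.
    # Scanners hitting the bare IP or guessing vhosts get a 403 and no hint of what is behind.
    default_backend be_deny

backend be_web
    server web1 192.0.2.10:80 check

backend be_cloud
    # Applications that build absolute URLs need to know TLS was terminated in front of them
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server cloud1 192.0.2.11:80 check

backend be_wiki
    server wiki1 192.0.2.12:8080 check

backend be_deny
    http-request deny deny_status 403
```

Validate with `haproxy -c -f haproxy.cfg` before loading it. Host-header routing only works for HTTP: SMTP, IMAP, SSH and the like carry no Host header, so they stay on their own ports via NAT as the reply says. If a backend must keep its own certificate (the CalDAV certificate question in the Nextcloud thread above), the alternative is a `mode tcp` frontend that selects the backend on `req.ssl_sni` and passes the TLS session through untouched.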

  • 0 Votes, 2 Posts, 425 Views

    @jasjitchopra It used to be the case to sync states, but not since 22.01, see
    https://docs.netgate.com/pfsense/en/latest/highavailability/pfsync.html#pfsync-and-physical-interfaces

    Edit: to clarify, the hardware doesn't have to be identical for HA, but the interfaces/interface order needed to be. If the routers have the same packages and usage then it would help if they are reasonably close in spec.

  • Installing an Apache2 Server cluster with a loading balance

    0 Votes, 1 Post, 441 Views, no replies

  • How to Create Second WAN Interface / HA

    0 Votes, 3 Posts, 894 Views

    @rico Thank you!
    I configured the second WAN with SFP cable on IX0 interface

  • CARP switch Master/Backup every 15 minutes

    0 Votes, 12 Posts, 2k Views

    OK, everything is OK now.
    The sync problem was a bad rule on the pfsync interface.
    Thanks again for your help and have a nice weekend.

  • CARP Sync problem on NSX-T (VMWare Cloud Director)

    0 Votes, 2 Posts, 1k Views

    You must allow for MAC Address Changes, Promiscuous Mode, and Forged Transmits on the port group to the VM for any interface that uses CARP. I created a single trunk port group that has these settings and only use it for my pfSense box.

  • HA - NO ENOUGH WAN IP Addresses

    0 Votes, 14 Posts, 2k Views

    @amoschb said in HA - NO ENOUGH WAN IP Addresses:

    So the question is: if only 1 available WAN IP, can we build a HA pfsense?

    Yes but the backup won't be active until the primary fails. It is also not supported by TAC so if you have issues, purchase TAC support, and come to us and we see that config we won't touch anything related to a HA issue with it.

    Sometimes you can get your ISP to give you a single static and let you have two DHCP addresses (for the WAN on the two HAs) and go that route.

  • Connection states duplicated on failover/failback

    0 Votes, 1 Post, 548 Views, no replies

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.