@marama said in HA + VIP + MultiWAN Issue (no internet on slave):

@keyser ok, will do.
I'm a bit afraid of removing the "any", since I need to be sure to include all the relevant networks in the alias. Do I also have to include the ipsec and openvpn networks, translations/mapping networks... ?
Is there a way to leave "any", but then have explicit NAT rule handle the firewall traffic?

Yes, you need to have vpn networks and such in the alias as Well.
I normally always make an alias called private networks i use for stuff like that.
It contains:

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

That way any private (internal thing - including future uses) is covered - But not the FW and its public addresses.
Btw - that same alias is Very good in internet access allow rules instead of ANY. Use it as destination with the NOT (!) feature.

@kd Ah, I think using your own modem it is intended as a passthrough. Around here, business Comcast accounts provide the 10.1.10.x subnet and NAT. Useful for plugging in a laptop to bypass the client's router, to test.

My home modem is accessible at 192.168.100.1 but I don't think it provides NAT out. It doesn't have a "bridge mode" setting as it just passes the public IP through to my router or a laptop.

@Foxi352

Thank you for the links. I see, it is a difficult issue. I wish they had the CARP as option to take the functionality of a virtual interface (with DHCP/MAC, etc) , rather than just IP. So this can be shared between the firewalls.

It seems i have few issues:

DHCP - perhaps setting WAN as static IP would work untill the next lease, need to check MAC spoofing.. Not sure how to handle this for the two interfaces. Folks seem to use some scripts to have the interface UP and down

Perhaps I will manually plug the WAN cable when needed , if i can not find a workaround :).

thanks for your time

@wesleywillis said in VIP setup for web hosting:

I confirmed that I only get that block as described under 'Simple IP Subnet on WAN':

Yes, in this case you'd probably better go with Proxy ARP, so you can cover the whole subnet with a single VIP assignment.
It is a good way, when you want to forward the whole subnet behind pfSense.

So I'm assuming it's easiest to just setup NAT 1:1 as such:
External IP: 1.1.1.3/26
Internal IP: 10.0.10.3/26

Possibly you may have to state the network address here, when using network type.

@viragomann

Your suggested settings worked perfectly for my setup thankyou👍 👍 👍

I would like to have more than one XMLRPC destination as well to sync firewall rules and aliases to all my nodes.
A daisy chain as expected here is not a reliable solution.
Many Packages (e.g. pfblocker) already allow to sync to multiple hosts so I guess the limitation is only the GUI.

@lionelmarais said in SyncNic Failing with Error 32602:

I was able to sync the image with the same version

That is good to hear..

what gets done and reported is two totally different scenarios lol

To be honest, sadly I don't think that is something limited to any specific part of the world or agency hehahehe

@im-thatoneguy https://youtu.be/VnBnnh81G7w?t=3915

Not supported. Use SLAAC or two separate pools

@viragomann
Thank you very much, that did the trick!

@erode Can you put Suricata on LAN instead? That will 1) avoid scanning any packets that would normally be blocked by the firewall anyway, and 2) show the LAN IP of devices for the alerts.

@netblues said in Secondary router in HA setup web GUI unresponsive:

@bp81 said in [Secondary router in HA setup web GUI unresponsive]
, or I will devise a way to harden web gui access from within the authenticated user vlan to only authorized machines. I am also considering setting up the Azure MFA extensions for NPS and just protect the web gui login with RADIUS that is itself backed by AD authentication and multifactor authentication via Authenticator app. That's not my first choice because an internet outage could lock me out of my web gui. (/post/1014732):

You can always disable the antilockout rule for authenticated users lan and just allow authorised ip's
A good password on top is probably all you need.
AD authentication opens up another attack surface too.
as for 2fa, its a very bad idea for the exact reasons you just mentioned.

Now, since ip's can be changed, mac's can be spoofed how much security is enough security for you.?
You could also utilise a jump-host
where you could ssh and portforward remote ports when needed, or use windows and rdp to the device first, and then login to pf.

This is probably a topic for another thread. We have good wifi security (RADIUS backed authentication) and pretty good physical security (ie, no one is walking in and plugging in a laptop to an open network port). We have the guest VLANs blocked for any traffic to the web gui as well. So is this good enough? Probably, for the moment.

Over the years our security efforts have been focused towards external threats, but the company is getting large enough now I have to start thinking about internal actors as well. This is a conversation I'd like to have on this particular issue, because I have to start somewhere, but it's probably best to go into its own topic.

@netblues Hey netblues, thank you very much, after carefully scrolling through the VLAN config on the swtich, it appears that I did not commit my settings, after rebooting both the switch and netgates, the issue disappeared.

kind regards
kkit

@joezyz said in CARP/HA Multi WAN redirect each IP to LAN IP:

That is exactly how I have it set up right now, and it is not forwarding.

What? Port forwarding or 1:1?

Should the Virtual IP be a CARP, IP Alias, Proxy ARP, or Other? I currently have it as CARP.

Both CARP and IP Alias can be used.
It's not necessary to add all your public IPs as CARP, since this type generates some overhead network traffic.
You need at least one CARP IP, the others can be added as IP Alias and hook up on the CARP IP.

Did you also add a firewall rule to allow the access?
In port forwarding rules you can set associated filter rules or simply "pass" to allow the access. When using 1:1 you have to configure rules by yourself.

Is pfSense the default gateway on the device you've forwarded traffic?

Maybe you can post screenshots so we can verify the settings.