@viragomann:

VIPs must be defined as IP Alias an must hook up on a CARP interface address to function and be synchronized to backup.

Not sure what you mean by this. I add VLAN interfaces to CARP clusters regularly and you don't have to do anything with IP Aliases.
The procedure is roughly-
Configure your switches with the new VLAN.
Create the vlan on both primary and secondary.
Assign the new vlan to a new interface, again on both primary and secondary.
Configure the new interface on both boxes- eg: primary 10.20.30.2 secondary 10.20.30.3
From now on, you just need to configure the primary:
Add a new CARP VIP (eg 10.20.30.1), configure the OB nat, firewall rules, etc.

drat, same issue here, but didn't fix it for me.  the moment I set this NAT rule I get nothing though.

@andrew4902:

Do you know if that feature is planned for a future release?

It should be possible on 2.2

@andrew4902:

I can see valid IP's needed on the LAN side for management purposes but why are IP's even needed on the WAN side except for the 1 floating WAN IP since it will be the default path to the Internet anyways?

Without valid IPs on both, the secondary will not be able to independently check for updates or install packages. There would also be no way to directly manage the secondary from a remote location. It couldn't do DNS resolution to a remote DNS server, or even sync its clock to a remote time server.

So the single IP method may be valid, but still not ideal.

We tried the whole reboot it, and that's not solved it.

We thought it may be a switch echo… but adding a port mirror shows that there are indeed 2 packets being transmitted.

I don't know what’s going on here  ... I'm open to any suggestions.

:-(

Hi Jason,

Thanks for clarifying this to me, had some stuff wrong on the second box. Got that all fixed up now as you described, but still, the setup does not failover yet.

There is 2 things I noticed, I don't know if it will tell you something but anyway:

1- I checked the CARP status while the first box's WAN was unplugged and the first box was still the "master". I guess that make sense in a way, since the LAN address still work fine. Do I need to add something in the CARP setting so that it checks the first box's WAN also?

2- When I go in the gateway status on the first box, the "GW_PF2 - LAN - 192.168.1.3" (If I take your example) always switch between "Online" and "Gathering data". What I mean there is that, if I keep refreshing the page, it always switch between the 2 modes.

Any other idea?

Thanks again for your time and your support!

I have tried this setup on two other pfsense boxes and it seems to work and passes traffic.

Thank you for the help

Hello,

I found my answer:

ensure the clocks are synced correctly.  one had ntp turned off, and the wrong timezone set.

Just like the last line in the "configuration synchronization problems" section of the 2.1 book.

–jason

I looked this up long ago, so I hope my memory serves. Basically, in BSD, the packets get to the kernel and then firewall decides on out to deal with it. So basically you are blocking outgoing connections and not inbound connections. So when you put in a WAN rule, you are putting in an allow out rule to the internal network.
You will need to google BSD networking/routing/firewalling to get more details.

Mm not sure if it is similar then, as I was using 2x pfSense.
So not CentOS as OS….

OK, so in my test setup at home, I have to use my 192.168.1.127 for its WAN IP (instead of the public 67.x IP's that I will have at my colo when it goes into production) and I have bridged the WAN/LAN interfaces. Gateway of 192.168.1.1 is setup on the WAN interface. Now this should allow me to use 192.168.1.0 ip's within my the network behind the pfsense device. Correct?

Now, with that bridge setup, how do I give the 192.168.0.0 subnet/vlan access to the internet?

my upstream provider uses a cisco gateway, when i asked them to show me how they routed the #.#.236.0/24 subnet to me, i was dumbfounded with how simple he made it look…

my static ip assigned to wan is #.#.232.12/24 (pfsense box)

from his CLi, he typed in a single command telling the cisco gateway to route any requests to 236.0/24 to be routed to 232.12/24,

the pfsense box was then configured with virtual ip / proxy arp, and from there i would assign 236.0/24 ip to lan hosts....

so, at this point, i have broken the /24 into smaller subnets (/30,/29,/25) creating new vlan interfaces, and configuring each vlan interface with /29 or /30... disabled dhcp within that vlan giving the host control over ip assignment

to me this is a waste of ip's being i loose two ip's to subnet id/broadcast just to provide a /29 or /30 to a single host....

is pfsense capable of doing what my upstream provider did?
per say, route requests to #.#.236.10-16/24 to their wan ip like he did thru cli?

Pushing 1Gbit/s through FW+NAT isn't very hard.  A modern Celeron or i3 will have no issues.

What exactly are the "network issues" that you're experiencing?

I found a workaround which is not ideal but allows me to move on.

I noticed that in fact i couldn't ping the LAN VIP if i was connected in WiFi to the active CARP appliance.
So basically instead of having two active hotspots, I just had to make sure the hotspot was disabled on the active CARP appliance.

To do so here is what I did:

1 - Modify /etc/devd.conf to point to custom rc.carp scripts

... # CARP notify hooks. This will call carpup/carpdown with the # interface (carp0, carp1) as the first parameter. notify 100 {     match "system"          "IFNET";     match "type"            "LINK_UP";     match "subsystem"          "[a-zA-Z0-9_]+_vip[0-9]+";     action "/etc/rc.carpmaster.custom $subsystem"; }; notify 100 {     match "system"          "IFNET";     match "type"            "LINK_DOWN";     match "subsystem"          "[a-zA-Z0-9_]+_vip[0-9]+";     action "/etc/rc.carpbackup.custom $subsystem"; }; ...

2 - Create /etc/rc.carpmaster.custom

#!/bin/sh /etc/rc.carpmaster $1 ifconfig ath0_wlan0 down /usr/local/sbin/pfSsh.php playback svc restart racoon

3 - Create /etc/rc.carpbackup.custom

#!/bin/sh /etc/rc.carpbackup $1 ifconfig ath0_wlan0 up

So basically, when an appliance becomes master:

It runs the usual carp scripts It disables the hotspot It restarts racoon (to make sure IPSEC connection are restarted)

when an appliance becomes master:

It runs the usual carp scripts It enables the hotspot

Having the same SSID and both appliance not too far from one another makes it almost transparent to end-users (about 30 seconds service interruption in case of a CARP failover).

AFTER your box is up and running (not so well as you write), call the ISP and ask them to clear the cable modem's ARP table.  If it starts working (for a little while), then you are seeing the same thing I'm seeing which only started within the last few weeks.

Somehow, the router in the cable modem puts the interface's actual ip in its ARP table with the first VIP mac address.  Then, it puts the VIP's mac address in it's table for the pf router's actual interface card ip.

The result is no traffic gets through.  Traffic addressed on the link to the vip has the interface address and so it gets dropped.  Traffic addressed to the VIP on the link has the interface's IP and that gets dropped.  I still don't have an answer.

This turned out to be a simple mistake on my part combined with a UI problem.

When creating the SYNC interfaces - I had clicked "Insert my local MAC address" in the MAC address field, thinking it would populate using the NIC's MAC address, not the machine I am logging in from. When I realized it didn't, I blanked the field, assuming it would revert to its own MAC if the field was blank.

Not so. My originally entered MAC address remained with the interface even after the field was blanked and saved, resulting in a loop.

Changing the MAC addresses such that they do not conflict solved the issue.