Netgate Discussion Forum
pfSense HA LAN Interfaces Only

Category: HA/CARP/VIPs
91 Posts, 2 Posters, 20.9k Views
CloudNode @viragomann

@viragomann I also just noticed, since I made this NAT mode change from auto to hybrid and also added the mapping on my backup PF, that after the reboot it reverted back to auto and got rid of the mapping as my master synced over. Should I be making this change on my master then?
viragomann @CloudNode

@iptvcld
Yes, you can add this rule to the master as well. It won't be used there anyway.
CloudNode @viragomann

@viragomann I did this on the master now and I saw it synced over to the backup. I rebooted the backup again as well.

I ran a packet capture on the LAN (backup pf) and I see a few of these lines. IP 76.64.x.x is my WAN:
10:54:16.598225 IP 76.64.x.x > 8.8.8.8: ICMP echo request, id 13920, seq 321, length 9

but the GW still shows offline.

When I run a ping to 8.8.8.8 using the backup, I get this:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=115 time=2.599 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 1 packets received, 66.7% packet loss
round-trip min/avg/max/stddev = 2.599/2.599/2.599/0.000 ms
viragomann @CloudNode

@iptvcld said in pfSense HA LAN Interfaces Only:

I ran a packet capture on the LAN (backup pf) and I see a few of these lines. IP 76.64.x.x is my WAN
10:54:16.598225 IP 76.64.x.x > 8.8.8.8: ICMP echo request, id 13920, seq 321, length 9

Even if the WAN cable is disconnected??
I was assuming that the WAN is offline, so it's not clear why it uses the WAN IP.
CloudNode @viragomann

@viragomann That is correct, Sir; I do not have my WAN connected to my backup pf right now.
viragomann @CloudNode

@iptvcld
Not clear what's wrong here.
As a first step for troubleshooting you can remove the monitoring IP from the LAN gateway on the backup. Hence it should monitor the master's LAN and the gateway state should get online.
But not sure if the failover will work after.
CloudNode @viragomann

@viragomann I ran a packet cap again and I am seeing those monitoring requests come in as well:

11:14:31.073869 IP 8.8.8.8.853 > 192.168.2.81.17018: tcp 0
11:14:31.073887 IP 76.64.x.x.11762 > 8.8.8.8.853: tcp 0
CloudNode @viragomann

@viragomann When I remove the monitoring IP from the GW, yes, it puts the master LAN IP in there and yes, it shows green and online, but no internet.

Ah, I really hoped this would have worked out; it was such a nice idea to have.
viragomann @CloudNode

@iptvcld said in pfSense HA LAN Interfaces Only:

I ran a packet cap again and I am seeing those monitoring requests come in as well:
11:14:31.073869 IP 8.8.8.8.853 > 192.168.2.81.17018: tcp 0
11:14:31.073887 IP 76.64.x.x.11762 > 8.8.8.8.853: tcp 0

So you're using 8.8.8.8 for DNS resolution as well.
Possibly that's an issue when you've stated the WAN gateway in System > General Setup.
However, when using this IP for gateway monitoring, pfSense will automatically add a static route and point it to the respective gateway. So there might be a conflict.

As mentioned above, you can use any other public IP for gateway monitoring which is responding to pings. It might be a good idea to use another IP.

Also you should have a check at System > Advanced > Miscellaneous > State Killing on Gateway Failure.

For further testing you can set the WAN gateway as down manually on the backup.
CloudNode @viragomann

@viragomann Correct; I am using 8.8.8.8 and 8.8.4.4 as DNS resolvers via System > Gateway.

I have now changed my GW monitoring IP to 1.1.1.1 on the secondary pf. Also on the secondary pf I have placed a CHECK under System > Advanced > Miscellaneous > State Killing on Gateway Failure.

When I try to ping 8.8.8.8 from the secondary, I get this timeout:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
92 bytes from 127.0.0.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 263f   0 0000  01  01 0000 127.0.0.1  8.8.8.8

92 bytes from 127.0.0.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 b74f   0 0000  01  01 0000 127.0.0.1  8.8.8.8

92 bytes from 127.0.0.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 66ba   0 0000  01  01 0000 127.0.0.1  8.8.8.8

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

I have marked my PPPoE WAN as down on the 2nd pf as well.
This is so bizarre..
I also have just an open rule for LAN:
[screenshot]
viragomann @CloudNode

@iptvcld said in pfSense HA LAN Interfaces Only:

When I try to ping 8.8.8.8 from the secondary, I get this timeout

You cannot use 8.8.8.8 for troubleshooting, since you direct it to the WAN gateway.
However, for getting the DNS resolution to work on the secondary when the WAN cable is connected to the primary, you should set the gateway to "none" for all DNS servers in System > General Setup.

I have now changed my GW monitoring IP to 1.1.1.1 on the secondary pf.

So try to ping 1.1.1.1 while taking a capture on the LAN interface.
CloudNode @viragomann

@viragomann My master pf DNS settings look like this:
[screenshot]

and the secondary pf is the same:
[screenshot]

When I ping 1.1.1.1 on the secondary, the packet capture just gave this:

12:57:15.477198 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 797, length 9
viragomann @CloudNode

@iptvcld said in pfSense HA LAN Interfaces Only:

When I ping 1.1.1.1 on the secondary, the packet capture just gave this
12:57:15.477198 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 797, length 9

You should see the same on the master's LAN. Check that out, please.
CloudNode @viragomann

@viragomann That's correct; I just ran a packet cap on the master LAN and then sent a 1.1.1.1 ping from the secondary pf:

13:05:44.735976 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 1785, length 9
viragomann @CloudNode

@iptvcld
Well, so 1.1.1.1 is routed to the master's LAN address.
Now, if you take a capture on the master's WAN you should also see the ICMP packets to 1.1.1.1, but coming from the WAN IP.

If that's not the case, either the firewall rule or the outbound NAT on the master might be failing anyhow.
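Added example (not from the thread, not pfSense code): a small Python check over packet-capture lines in the format pasted in this thread, which sorts echo requests to the monitor IP seen on the master's WAN by whether their source was translated to the WAN IP, and whether a reply came back for each. It assumes the LAN is 192.168.2.0/24 and uses 203.0.113.5 as a placeholder for the obscured WAN IP 76.64.x.x.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the tcpdump format pfSense's packet capture prints.
# 203.0.113.5 is a placeholder for the thread's obscured WAN IP (76.64.x.x).
SAMPLE_WAN_CAPTURE = """\
13:17:05.527815 IP 203.0.113.5 > 1.1.1.1: ICMP echo request, id 55322, seq 0, length 64
13:17:05.542715 IP 1.1.1.1 > 203.0.113.5: ICMP echo reply, id 55322, seq 0, length 64
13:17:05.562166 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 34782, seq 78, length 9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Yield one dict per ICMP echo line; other lines (TCP, DNS, ...) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def check_outbound_nat(text, monitor_ip, lan_net):
    """Classify echo requests to monitor_ip captured on the master's WAN.

    A request still carrying a LAN-subnet source left the WAN untranslated
    (outbound NAT or the LAN rule did not match it) and gets no reply.
    """
    lan = ip_network(lan_net)  # assumed LAN subnet, see lead-in
    packets = list(parse_capture(text))
    requests = [p for p in packets if p["kind"] == "request" and p["dst"] == monitor_ip]
    replies = {p["id"] for p in packets if p["kind"] == "reply" and p["src"] == monitor_ip}
    report = {"translated": [], "untranslated": []}
    for p in requests:
        bucket = "untranslated" if ip_address(p["src"]) in lan else "translated"
        report[bucket].append({"src": p["src"], "id": p["id"],
                               "answered": p["id"] in replies})
    return report


if __name__ == "__main__":
    r = check_outbound_nat(SAMPLE_WAN_CAPTURE, "1.1.1.1", "192.168.2.0/24")
    for p in r["untranslated"]:
        print(f"NAT miss: {p['src']} id {p['id']} left WAN untranslated, no reply")
```

Paste the master's WAN capture in place of the sample; any entry under "untranslated" is a ping the backup sent that the master forwarded without rewriting its source, which is the symptom described in this thread.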
CloudNode @viragomann

@viragomann Ran a packet cap on the master and I see this request 3 times:

13:10:40.370864 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 2360, length 9

It seems to be coming from the secondary pf LAN IP still and not the WAN IP.

Outbound NAT on the master is this:
[screenshot]

And LAN rules:
[screenshot]
CloudNode @viragomann

@viragomann Ran it again and I see this:

13:17:05.527815 IP 76.64.x.x > 1.1.1.1: ICMP echo request, id 55322, seq 0, length 64
13:17:05.542715 IP 1.1.1.1 > 76.64.x.x: ICMP echo reply, id 55322, seq 0, length 64

then

13:17:05.562166 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 34782, seq 78, length 9

PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=55 time=15.187 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 1 packets received, 66.7% packet loss
round-trip min/avg/max/stddev = 15.187/15.187/15.187/0.000 ms
CloudNode @viragomann

@viragomann Does this need to be unchecked under my WAN interface?
Block private networks and loopback addresses
viragomann @CloudNode

@iptvcld said in pfSense HA LAN Interfaces Only:

Ran it again and I see this
13:17:05.527815 IP 76.64.x.x > 1.1.1.1: ICMP echo request, id 55322, seq 0, length 64
13:17:05.542715 IP 1.1.1.1 > 76.64.x.x: ICMP echo reply, id 55322, seq 0, length 64

then
13:17:05.562166 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 34782, seq 78, length 9

PING 1.1.1.1 (1.1.1.1): 56 data bytes

Strange!

Check the master's state table and filter for 1.1.1.1 after pinging from the backup.
viragomann @CloudNode

@iptvcld said in pfSense HA LAN Interfaces Only:

@viragomann Does this need to be unchecked under my WAN interface?
Block private networks and loopback addresses

No, this is only for incoming packets. There is no need to allow private addresses on WAN.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.