Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Internet access on backup FW when using dynamic PPPoE over CARP IP

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    3
    6
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Foxi352
      last edited by

      Hi,

      In my homelab i have two pfSense VM's running on two distinct physical Proxmox servers:

      • 6 internal (V)LANs with CARP IP on each (V)LAN
      • 1 WAN with dynamic PPPoE on CARP IP over a VLAN by ethernet connection to fiber ONT
      • XMLRPC working fine for config sync
      • PFSync disabled (new public IP on PPPoE reconnection during failover)

      All is working fine. Except that the pfSense which is in backup state does not have Internet connection while on standby. While this is kind of expected, it is still a small drawback for updating packages for example. For now i disable the WAN interface on the MASTER which fails everything over to the BACKUP. The Backup then does PPPoE login and works as expected. During this time the MASTER does no longer have Internet access because of no PPPoE connection. When switching the MASTER's WAN back on everything falls back to the MASTER and works as expected. Of course this gives me like 10 seconds internet downtime on every switch, but it's for home use only.

      I want to improve this but am not sure how i could provide permanent Internet access to both's pfSenses, including the one in BACKUP state.

      I was thinking of adding a static high metric route on of the the MASTER's LAN IP's and vice-versa. This route could then provide Internet Access to the backup box where the PPPoE is down. But am not sure if that is a clean solution.

      Does anyone in a similar situation has a viable solution to tackle this problem ?

      Regards,

      Serge

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @Foxi352
        last edited by

        @foxi352
        You can use gateway groups on both, which include the WAN gateway (Tier 1) and the respective other nodes LAN IP (Tier 2). Then set the gw group as default.

        Before you configure this, on the primary go to System > High Availability Sync and remove the check from Static Route configuration to avoid that the setting is overwritten on the secondary by the sync.

        F 1 Reply Last reply Reply Quote 0
        • F
          Foxi352 @viragomann
          last edited by

          @viragomann Wow, that works instantly (after also adding a CARP VIP as DNS server, letting it override by PPP).

          Thanks a ton !

          Serge

          1 Reply Last reply Reply Quote 0
          • K
            kd
            last edited by

            @Foxi352
            I am trying to create similar setup but with Dynamic DHCP with a single IP on the WAN side.

            Would you help me with more step-by-step details on how to setup CARP on WAN for this? (Gateways, Gateway groups, IPs on the two interfaces, physical connections)
            Single WAN dynamic DHCP IP, ISP expect specific MAC on the WAN

            I have setup my LAN side already (have 5 VLANs)

            i appreciate
            K

            1 Reply Last reply Reply Quote 0
            • F
              Foxi352
              last edited by Foxi352

              @kd The setup seems quite similar yet it is very different. PPPoE add's an extra Interface which is not the case for DHCP client. I am not sure if i can be of any help, but i will try nevertheless :-)

              I mainly used the following source: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html

              I also have a bunch of other URL's, but they are all PPPoE HA related so i don't think they will help. I'll put them below anyways...

              The following link might be of interest to you, i think that's exactly your setup ? : https://www.reddit.com/r/PFSENSE/comments/blu5qa/pfsense_ha_with_carp_and_single_dhcp_issued_wan_ip/

              As for the Gateway groups this is in: System / Routing / Gateway groups
              I don't think your setup will be the same, so i don't know if this info is of great help to you. For me, on my primary PFS, i use the PPPoE interface as primary gateway. If that is down the primary forwards everything to the backup PFS which establishes the PPPoE then. See the setup here:

              Greenshot 2022-01-31 08.30.23.png

              Pay attention to configure the outgoing NAT as originating from the CARP IP

              Other PPPoE HA related URL's:
              https://forum.netgate.com/topic/135904/configure-an-pppoe-on-an-carp-if/5
              https://www.reddit.com/r/PFSENSE/comments/gjbrx2/ha_pppoe_setup_carp_oh_my/
              https://www.reddit.com/r/PFSENSE/comments/dnr5wf/help_ha_with_pppoe/
              https://www.reddit.com/r/PFSENSE/comments/af0v4n/setup_a_pfsense_pppoe_in_ha/

              1 Reply Last reply Reply Quote 0
              • K
                kd
                last edited by

                @Foxi352

                Thank you for the links. I see, it is a difficult issue. I wish they had the CARP as option to take the functionality of a virtual interface (with DHCP/MAC, etc) , rather than just IP. So this can be shared between the firewalls.

                It seems i have few issues:

                • DHCP - perhaps setting WAN as static IP would work untill the next lease, need to check
                • MAC spoofing.. Not sure how to handle this for the two interfaces. Folks seem to use some scripts to have the interface UP and down

                Perhaps I will manually plug the WAN cable when needed , if i can not find a workaround :).

                thanks for your time

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post