Multiple VLANs in HA config

nick.loenders · Feb 21, 2022, 1:24 PM

Re: Adding VLANs in HA Config
As in this previous post ( /topic/166871/adding-vlans-in-ha-config )
I also have 1 WAN, 1 LAN cable connected to a switch. But I have a LAN, VLAN2, VLAN3, and VLAN4. On the master Netgate it is all ok, but the VLANs are not synced to the 2nd Netgate.

I read something about adding a VIP for each VLAN, but I tried this and it did not help.
Can anyone help me out here?

I also am working from a remote location now and I can access Netgate-1 (master-firewall) to change things, but I am unable to access Netgate-2 to check if all is synced ok??

SteveITS · Feb 21, 2022, 3:24 PM

@nick-loenders said in Multiple VLANs in HA config:

working from a remote location now and I can access Netgate-1 (master-firewall) to change things, but I am unable to access Netgate-2

I can help with this part. We have set up a NAT forward from our office IP on the -1 router to redirect a port to -2's LAN IP:443.

Note if you use a hostname it may warn of a rebinding attack. See System/Admin/Alternate Hostnames.

dotdash · Feb 21, 2022, 3:33 PM

@nick-loenders
You treat a vlan interface like any other interface. Keep the OPTx and name consistent on both systems. You put an ip on the primary and on the seconday, and then add the vips. Make sure the switch ports are configured to carry the vlan.

nick.loenders · Feb 22, 2022, 8:43 AM

@dotdash Hi, the VLANs work fine, but they don't get synced to the second firewall.
I have this now:

🔒 Log in to view

But if I look on FW1 I see this:

🔒 Log in to view

But if I look on FW2 I only see this:

🔒 Log in to view

So where should I add/change what, so it does sync to the FW2 ?

nick.loenders · Feb 22, 2022, 8:54 AM

@steveits I added a NAT rule:

🔒 Log in to view

and a rule:
🔒 Log in to view

But it does not help?

nick.loenders · Feb 28, 2022, 1:55 PM

Anyone?

viragomann · Feb 28, 2022, 6:02 PM

@nick-loenders
The suggested outbound NAT rule has to be added to the LAN.
It's meant to access the secondary node via VPN. It is described in the docs here: Troubleshooting VPN Connectivity to a High Availability Secondary Node

Regarding the VLANs:
This behaves as regular interfaces. Means, you have to configure the VLAN on both nodes and assign different IP addresses to each.
Then on the primary go to Firewall > Virtual IPs and add a CARP VIP to each of the VLANs.

nick.loenders · Mar 2, 2022, 10:39 AM

@viragomann That document says nothing.

But I managed to get that to work.

for the VLANs, I created the VLANs manually on the FW2, and that seems to do the trick...
Stupid it does not sync them and all we need to add is a VIP.

But I still do have 1 fault , the VLAN4 is now primary on both devices ?

🔒 Log in to view

viragomann · Mar 2, 2022, 1:48 PM

@nick-loenders said in Multiple VLANs in HA config:

That document says nothing.

The document descripes what its title implies and is the solution to your additional question in your first post.

But I still do have 1 fault , the VLAN4 is now primary on both devices ?

This indicates that the involved interfaces of both nodes are not able to communicate. If the secondary does not get advertisements from the master on this VLAN, it switch over to master.
So ensure the VLAN is also properly configured on the switch.

nick.loenders · Mar 2, 2022, 1:48 PM

@viragomann said in Multiple VLANs in HA config:

So ensure the VLAN is also properly configured on the switch.

omg , so stupid :)

Thx it all works now