    HA behind ISP modem/router

• Urbaman75 (last edited by Urbaman75)

      Hi,

      I'm going to try installing a HA configuration, having just one external IP on the ISP's modem/router.

      Say we have:

      xxx.xxx.xxx.xxx ISP external IP
      192.168.1.1 WAN CARP VIP (assigned by the modem/router)
      192.168.1.2 WAN Primary PfSense (assigned by the modem/router)
      192.168.1.3 WAN Secondary PfSense (assigned by the modem/router)
      10.0.10.1 LAN CARP IP
      10.0.10.2 LAN Primary
      10.0.10.3 LAN Secondary

      How should I configure the NAT/Port forwarding/DMZ on the ISP's modem/router to make the system accessible from outside (say a VPN)?
      Should I just NAT to the CARP VIP?

PS: I already have problems accessing via VPN the single instance I have running, so I am missing something (but I think that's a VPN config problem).

      Thing is: what should I route the traffic to from the modem/router to keep it working when switching instances?

      Thank you very much.

• viragomann @Urbaman75

        @urbaman75
        On the ISP router forward any to the CARP VIP.
        So all incoming traffic is pointing to the CARP VIP and you can use this to forward the traffic behind pfSense or for running a VPN server on pfSense as well.

On the primary you have to configure the outbound NAT to use the CARP VIP.
Set it to manual mode, so that pfSense takes over all the automatically generated rules for manual editing.
Edit all the rules whose sources are your internal networks and set the translation address to the CARP VIP, but leave the rules for localhost as they are.

• Urbaman75 @viragomann

          @viragomann Thank you very much, I'll try to get it done in the next few days, and I'll be back with feedback.

• Urbaman75

            Hi,

            I'm still running into problems accessing the system through OpenVPN.
            I run the wizard, set the user and certs, but the VPN does not connect.
Attached are the firewall logs (see the connection permitted to the WAN CARP IP and nothing more) and the OpenVPN logs (showing nothing happening).

            What else should I look for to diagnose the problem?

            Thank you.

[Attachment: Firewall logs]

[Attachment: OpenVPN logs]

• Urbaman75

And here is a more complete firewall log, showing both in and out permitted connections on UDP 1194, but nothing more.

[Attachment: Firewall logs - complete]

• viragomann @Urbaman75

                @urbaman75
                The firewall log shows passed packets to 192.168.1.103 port 1194, but your OpenVPN server is listening on 192.168.1.101.

I suspect you didn't change the forwarding IP to the CARP VIP on your router yet.

• Urbaman75 @viragomann (last edited by Urbaman75)

@viragomann The CARP IP is .103, the WAN IP is .101 (.102 secondary). The modem is forwarding to .103.
(Yes, I changed things a little from my first post, sorry.)

Should I then change OpenVPN to listen on .103 instead of .101? Or forward port 1194 from .103 to .101?

                  Thank you very much!

• viragomann @Urbaman75 (last edited by viragomann)

                    @urbaman75
So yes, the modem is then set correctly, but you have to change the OpenVPN listening interface IP to .103.

• Urbaman75 @viragomann

@viragomann Switching to the CARP VIP in the OpenVPN config solved the issue; now I'm getting to the LAN. Thank you very much for pointing me in the right direction!

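The thread settles on three invariants for an HA pair behind a single-IP ISP router: the router forwards to the CARP VIP (not a node address), outbound NAT for the internal networks translates to the CARP VIP while the localhost rules stay on the interface address, and any forwarded service (the OpenVPN server here) listens on the CARP VIP. The following checker is an added example and not code from the thread or from Netgate; it takes a constructed config fragment that assumes the pfSense config.xml layout for outbound NAT (`<nat><outbound><mode/>` plus `<rule>` entries, an empty `<target>` meaning "interface address"), uses the addresses from the thread's final state (VIP .103, nodes .101/.102), and can also rewrite the internal-network rules to the VIP.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Addressing as it stands at the end of the thread: CARP VIP .103, primary .101, secondary .102.
CARP_VIP = "192.168.1.103"
NODE_ADDRS = {"192.168.1.101", "192.168.1.102"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.10.0/24")]

# Constructed sample, assumed to follow the pfSense config.xml outbound NAT layout
# (<nat><outbound><mode/> plus <rule> entries); an empty <target> stands for
# "interface address", which is what the automatically generated rules use.
CONFIG_XML = """<pfsense>
  <nat>
    <outbound>
      <mode>manual</mode>
      <rule>
        <interface>wan</interface>
        <source><network>127.0.0.0/8</network></source>
        <target></target>
        <descr>localhost to WAN</descr>
      </rule>
      <rule>
        <interface>wan</interface>
        <source><network>10.0.10.0/24</network></source>
        <target></target>
        <descr>LAN to WAN</descr>
      </rule>
    </outbound>
  </nat>
</pfsense>"""


def _rule_view(rule):
    """Pull the source network, translation target and description out of one <rule>."""
    net = rule.findtext("source/network", default="")
    target = (rule.findtext("target") or "").strip()
    descr = rule.findtext("descr", default="")
    return net, target, descr


def _is_internal(net_text, internal_nets):
    """True when the rule source is a literal network inside one of the internal networks."""
    try:
        net = ipaddress.ip_network(net_text, strict=False)
    except ValueError:
        return False  # interface names, 'any' or aliases: not a literal network, leave alone
    return any(net.version == i.version and net.subnet_of(i) for i in internal_nets)


def audit_outbound_nat(xml_text, carp_vip=CARP_VIP, internal_nets=INTERNAL_NETS):
    """Findings for outbound NAT: mode must be manual, internal sources must NAT to the VIP."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = root.findtext("nat/outbound/mode", default="automatic")
    if mode != "manual":
        findings.append(f"outbound NAT mode is '{mode}', expected 'manual'")
    for rule in root.findall("nat/outbound/rule"):
        net, target, descr = _rule_view(rule)
        if _is_internal(net, internal_nets) and target != carp_vip:
            shown = target or "interface address"
            findings.append(f"rule '{descr}' ({net}) translates to {shown}, "
                            f"expected CARP VIP {carp_vip}")
    return findings


def fix_outbound_nat(xml_text, carp_vip=CARP_VIP, internal_nets=INTERNAL_NETS):
    """Return config text with internal-network rules retargeted to the CARP VIP.
    Localhost and other non-internal rules are left exactly as they are."""
    root = ET.fromstring(xml_text)
    mode = root.find("nat/outbound/mode")
    if mode is not None:
        mode.text = "manual"
    for rule in root.findall("nat/outbound/rule"):
        net, _, _ = _rule_view(rule)
        if _is_internal(net, internal_nets):
            target = rule.find("target")
            if target is None:
                target = ET.SubElement(rule, "target")
            target.text = carp_vip
    return ET.tostring(root, encoding="unicode")


def audit_forward(forward_target, carp_vip=CARP_VIP, node_addrs=NODE_ADDRS):
    """The ISP router must forward to the CARP VIP; a node address stops working on failover."""
    if forward_target == carp_vip:
        return []
    if forward_target in node_addrs:
        return [f"router forwards to node address {forward_target}; failover will break"]
    return [f"router forwards to {forward_target}, which is neither the CARP VIP nor a node"]


def audit_listener(listen_addr, carp_vip=CARP_VIP):
    """A forwarded service (the OpenVPN server here) must listen on the CARP VIP."""
    if listen_addr == carp_vip:
        return []
    return [f"service listens on {listen_addr}, not the CARP VIP {carp_vip}"]


if __name__ == "__main__":
    # Reproduce the thread's state before the last fix: VIP forwarded, OpenVPN still on .101.
    for finding in (audit_outbound_nat(CONFIG_XML)
                    + audit_forward("192.168.1.103")
                    + audit_listener("192.168.1.101")):
        print("FINDING:", finding)
    assert audit_outbound_nat(fix_outbound_nat(CONFIG_XML)) == []
```

Run against the sample, the audit flags only the LAN rule (still on the interface address) and the OpenVPN listener on .101, which is exactly the combination that produced "passed packets to .103:1194 but nothing in the OpenVPN log" in the thread. The fixer touches only rules whose source is a literal internal network, so the localhost rule and any interface-name or alias sources are left alone for a human to review.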
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.