Netgate Discussion Forum

    High Availability port forward to VIP -am i doing this right?

Category: HA/CARP/VIPs
13 Posts, 2 Posters, 2.4k Views
rcoleman-netgate (Netgate) @digger30

      @digger30 What's the type of VIP you have for 192.168.1.1? It has to be a CARP VIP.

      Ryan
      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
      Requesting firmware for your Netgate device? https://go.netgate.com
      Switching: Mikrotik, Netgear, Extreme
      Wireless: Aruba, Ubiquiti

digger30 @rcoleman-netgate

@rcoleman-netgate said in High Availability port forward to VIP -am i doing this right?:

    It has to be a CARP VIP.

Yes, it is a CARP VIP.

Outgoing internet still works when the slave FW takes over, so I'm just wondering: have I made a config error, or am I trying the impossible?

rcoleman-netgate (Netgate) @digger30

          @digger30 When you do the traffic push, what do you get on a packet capture? I would run it on both systems.

          Are they reporting properly as BACKUP and PRIMARY when you load CARP Status?

digger30 @rcoleman-netgate

@rcoleman-netgate Yes, the master FW is showing MASTER status and the slave is showing BACKUP status.

The slave updates correctly to MASTER status when it takes over.

digger30 @rcoleman-netgate

@rcoleman-netgate said in High Availability port forward to VIP -am i doing this right?:

    When you do the traffic push, what do you get on a packet capture? I would run it on both systems.

I'll try this.

Just checking: am I right in thinking that diagram 2, with the port forward to the shared VIP, is the correct way to do this?

rcoleman-netgate (Netgate) @digger30

                @digger30 Not shared, really. Only Primary will get it.

digger30 @rcoleman-netgate

@rcoleman-netgate Sorry, unsure what you mean.

Should I put my router port forward to my VIP 192.168.1.1 in order for this to work, as below?

[image: 2.png]

rcoleman-netgate (Netgate) @digger30

                    @digger30

                    HA isn't Clustering.

                    HA means if FW1 goes down FW2 will take over.

                    https://docs.netgate.com/pfsense/en/latest/highavailability/index.html

digger30 @rcoleman-netgate

@rcoleman-netgate Yes, I don't expect it to cluster; it's just that the slave FW has a different IP, so I'm unsure how to make the modem port forward to it once it takes over. I thought that by forwarding to a VIP which is used by the master, the slave would then take over the VIP when it becomes the master FW?

[image: 1.png]

In the diagram below, would you be able to port forward to 198.51.100.200, or would you only be able to port forward to 198.51.100.201 or .202 one at a time, meaning HA fails when the master .201 FW goes down?

[image: diagrams-example-carp.png]

rcoleman-netgate (Netgate) @digger30

                        @digger30 Your destination on HA should always be the CARP address, not the destination firewall. If you do the firewall you will never achieve failover.

digger30 @rcoleman-netgate

@rcoleman-netgate
All sorted :)

Thanks for your help.

The pfSense internal NAT port forward destination address had to be changed from WAN address to the VIP IP, which is now working.

rcoleman-netgate (Netgate) @digger30
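The fix in the post above (and Ryan's earlier point that the destination on an HA pair must be the CARP address, not a firewall's own address) is easy to check for mechanically. Below is an added example, not code from the thread or from Netgate: a small lint that reads a pfSense-style config.xml and flags every port forward whose destination is an interface address (such as `wanip`) rather than a CARP VIP. The element names (`<virtualip><vip>`, `<nat><rule><destination><network>`) follow the config.xml layout as I understand it and are an assumption; the sample config embedded in the script is constructed for illustration.

```python
"""Lint a pfSense-style config.xml for HA port forwards that target an
interface address instead of a CARP VIP.

Added example for this thread, not Netgate code. The element names are
assumed to match pfSense's config.xml export; adjust if yours differ.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a CARP pair with two port forwards. The first uses the
# WAN interface address ("wanip") as its destination, so only the node that
# owns that address ever matches it; the second uses the CARP VIP and
# follows the VIP to whichever node is currently MASTER.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip>
      <mode>carp</mode>
      <interface>wan</interface>
      <vhid>1</vhid>
      <subnet>198.51.100.200</subnet>
      <subnet_bits>24</subnet_bits>
      <descr>WAN CARP VIP</descr>
    </vip>
    <vip>
      <mode>carp</mode>
      <interface>lan</interface>
      <vhid>2</vhid>
      <subnet>192.168.1.1</subnet>
      <subnet_bits>24</subnet_bits>
      <descr>LAN CARP VIP</descr>
    </vip>
  </virtualip>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.1.10</target>
      <local-port>443</local-port>
      <descr>HTTPS to web server</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>198.51.100.200</address><port>22</port></destination>
      <target>192.168.1.20</target>
      <local-port>22</local-port>
      <descr>SSH to bastion</descr>
    </rule>
  </nat>
</pfsense>
"""

# pfSense names an interface's own address as "<ifname>ip", e.g. wanip, lanip.
INTERFACE_ADDRESS_SUFFIX = "ip"


def carp_vips(root):
    """Return the set of CARP VIP addresses defined under <virtualip>."""
    return {
        vip.findtext("subnet")
        for vip in root.iterfind("./virtualip/vip")
        if vip.findtext("mode") == "carp"
    }


def check_port_forwards(config_xml):
    """Return one (descr, destination, verdict) tuple per NAT port forward.

    verdict is "ok" when the destination is a CARP VIP; otherwise it is a
    short reason why the rule will not survive a CARP failover.
    """
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    findings = []
    for rule in root.iterfind("./nat/rule"):
        descr = rule.findtext("descr", default="(no description)")
        dest = rule.find("destination")
        network = dest.findtext("network") if dest is not None else None
        address = dest.findtext("address") if dest is not None else None
        if network and network.endswith(INTERFACE_ADDRESS_SUFFIX):
            verdict = "interface address: only the node owning it matches; use the CARP VIP"
            findings.append((descr, network, verdict))
        elif address in vips:
            findings.append((descr, address, "ok"))
        elif address:
            findings.append((descr, address, "literal address that is not a CARP VIP"))
        else:
            findings.append((descr, network or "(none)", "destination is not a single address"))
    return findings


if __name__ == "__main__":
    for descr, dest, verdict in check_port_forwards(SAMPLE_CONFIG):
        print(f"{descr:<22} -> {dest:<16} {verdict}")
```

Run against a real export by replacing `SAMPLE_CONFIG` with the file contents; any rule reported with a non-"ok" verdict is one that will stop matching traffic the moment the other node becomes MASTER, which is exactly the symptom described in this thread.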

                            @digger30 Perfect! Glad I could be of assistance.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.