Netgate Discussion Forum

    High Availability port forward to VIP -am i doing this right?

      digger30 @rcoleman-netgate

      @rcoleman-netgate said in High Availability port forward to VIP -am i doing this right?:

      e a CARP VIP.

      Yes, it is a CARP VIP.

      The outgoing internet still works when the slave FW takes over, so I'm just wondering: have I made a config error or am I trying the impossible?

        rcoleman-netgate Netgate @digger30

        @digger30 When you do the traffic push, what do you get on a packet capture? I would run it on both systems.

        Are they reporting properly as BACKUP and PRIMARY when you load CARP Status?

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

          digger30 @rcoleman-netgate

          @rcoleman-netgate Yes master FW is showing master status and the slave is showing BACKUP status.

          The slave updates correctly to MASTER status when it takes over

            digger30 @rcoleman-netgate

            @rcoleman-netgate said in High Availability port forward to VIP -am i doing this right?:

            When you do the traffic push, what do you get on a packet capture? I would run it on both systems.

            I'll try this.

            Just checking: am I right in thinking that diagram 2, with the port forward to the shared VIP, is the correct way to do this?

              rcoleman-netgate Netgate @digger30

              @digger30 Not shared, really. Only Primary will get it.

                digger30 @rcoleman-netgate

                @rcoleman-netgate Sorry, unsure what you mean.

                Should I put my router port forward to my VIP 192.168.1.1 in order for this to work as below?

                2.png

                  rcoleman-netgate Netgate @digger30

                  @digger30

                  HA isn't Clustering.

                  HA means if FW1 goes down FW2 will take over.

                  https://docs.netgate.com/pfsense/en/latest/highavailability/index.html

                    digger30 @rcoleman-netgate

                    @rcoleman-netgate Yes, I don't expect it to cluster, just the Slave FW has a different IP so unsure how to make the modem port forward to it once it takes over? I thought by forwarding to a VIP which is used by the master, the slave would then take over the VIP when it becomes the master FW?

                    1.png

                    In the diagram below, would you be able to port forward to 198.51.100.200, or would you only be able to port forward to 198.51.100.201 or .202 at one time only, meaning HA fails when the master .201 FW goes down?

                    diagrams-example-carp.png

                      rcoleman-netgate Netgate @digger30

                      @digger30 Your destination on HA should always be the CARP address, not the destination firewall. If you do the firewall you will never achieve failover.

                        digger30 @rcoleman-netgate

                        @rcoleman-netgate
                        All sorted :)

                        Thanks for your help.

                        The pfSense internal NAT port forward destination address had to be changed from WAN address to the VIP IP, which is now working.

                          rcoleman-netgate Netgate @digger30

                          @digger30 Perfect! Glad I could be of assistance.
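
The fix reported above (port forward destination changed from WAN address to the VIP, per the advice that the destination on HA should always be the CARP address) can be checked for every rule at once. This is an added example, not part of the thread and not Netgate code: it audits NAT port forwards in a configuration export and flags any rule on a CARP-enabled interface whose destination is not that CARP VIP. Assumptions: the XML element layout shown in the constructed sample, the hypothetical function name `audit_port_forwards`, and made-up LAN targets; the VIP is the one from the thread's diagram.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like a firewall config export (assumption: the
# element names below); the VIP comes from the thread, LAN hosts are made up.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>198.51.100.200</subnet></vip>
  </virtualip>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>443</port></destination>
      <target>10.0.0.10</target><local-port>443</local-port>
      <descr>https via WAN address</descr>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><address>198.51.100.200</address><port>8443</port></destination>
      <target>10.0.0.11</target><local-port>443</local-port>
      <descr>admin via CARP VIP</descr>
    </rule>
  </nat>
</pfsense>"""

def audit_port_forwards(config_xml):
    """Return (descr, destination, verdict) for every NAT port forward rule."""
    root = ET.fromstring(config_xml)
    carp = {}  # interface name -> set of CARP VIP addresses on it
    for vip in root.findall("./virtualip/vip"):
        if vip.findtext("mode") == "carp":
            carp.setdefault(vip.findtext("interface"), set()).add(vip.findtext("subnet"))
    findings = []
    for rule in root.findall("./nat/rule"):
        iface = rule.findtext("interface")
        # A literal address wins; otherwise a macro such as "wanip"; else any.
        dest = (rule.findtext("destination/address")
                or rule.findtext("destination/network") or "any")
        if dest in carp.get(iface, set()):
            verdict = "ok: destination is the CARP VIP"
        elif iface in carp:
            verdict = "check: CARP VIP exists on this interface, rule uses " + dest
        else:
            verdict = "n/a: no CARP VIP on this interface"
        findings.append((rule.findtext("descr"), dest, verdict))
    return findings

if __name__ == "__main__":
    for descr, dest, verdict in audit_port_forwards(SAMPLE_CONFIG):
        print(f"{descr:24} {dest:16} {verdict}")
```
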

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.