HA Setup
-
I have a problem with my firewall setup. I’ve configured a Netgate 4200 High Availability (HA) setup using CARP with four interfaces: WAN1, WAN2, LAN, and SYNC. FW1 is the primary firewall, and it works fine under normal conditions.
However, when the LAN port on FW1 goes down (for example, due to a cable being unplugged), FW2 takes over as MASTER for the LAN interface, which is expected. The problem is that WAN1 is still active and MASTER on FW1, because that interface is still up. As a result, traffic from the LAN on FW2 can no longer reach the internet, since WAN1 is still bound to FW1.
In other words, the LAN fails over, but the WAN does not, causing a disconnect between internal and external connectivity.
How should I configure this so that the WAN interface automatically fails over as well when the LAN interface goes down?
-
@laurens-DS are both devices 4200 and did you closely follow Netgate doc: High Availability Configuration Example?
Especially are all interface and device names the same as stated in the above link:
"Interfaces must be assigned in the same order on all nodes exactly. If the interface order is not identical, configuration synchronization and other tasks will not behave correctly. If any adjustments have been made to the interface assignments in the future, they must be replicated identically on both nodes."
-
@patient0 HA The HA is fine because if I put fw1 down fw2 takes over everything only the problem is if the lan fails on fw1 fw2 takes everything from the lan only it doesn't send anything out because fw1 is the main for the wan
-
@laurens-DS said in HA Setup:
The HA is fine
That's a bold statement since your HA is not working fine. A correct working HA is switching when either WAN or LAN is down, not only when you switch off the master.
But hey, as long as you are happy, why deliver any details of your HA setup ;)
-
@patient0 I rather meant that HA does work well when fw1 goes down then fw2 takes over everything. So that part is good and working. Only I do have the problem or would like a solution if 1 an interface stops working on fw1 that fw2 will take over everything. So the lan traffic can't go out because fw1 is still the master for outbound connections because he has connection to the internet
-
@laurens-DS I can repeat my questions from above:
"are both devices 4200 and did you closely follow Netgate doc: High Availability Configuration Example?
Especially are all interface and device names the same as stated in the above link:
"Interfaces must be assigned in the same order on all nodes exactly. If the interface order is not identical, configuration synchronization and other tasks will not behave correctly. If any adjustments have been made to the interface assignments in the future, they must be replicated identically on both nodes.""
-
@patient0 Yes devices are the 4200. I set them both up the same way and followed the documentation. Just wondering that the HA makes sure when one firewall fails completely then the other takes over. Does the HA control the function to make it switch if only 1 port fails and forward the traffic. To the WAN that is currently not listed as active on its firewall.
-
Test the HA pair in as many failure scenarios as possible. Additional tests include:
- Unplug the WAN or LAN cable --> FAIL
- Pull the power plug of the primary
- Disable CARP on the primary using both the temporary disable feature and maintenance mode
- Test with each system individually (power off secondary, then power back on and shut down the primary) --> WORKS
- Download a file or try streaming audio/video during the failover
- Run a continuous ICMP echo request (ping) to an Internet host during the failover
-
@laurens-DS said in HA Setup:
Unplug the WAN or LAN cable --> FAIL
If you unplug WAN or LAN on the master it should failover to the backup and make that one master.
Could be a lot of reasons; the diagram is from the Netgate doc, how is you setup?
- Is the naming of the interface and underlying device identical on both 4200?
- how are the firewall rules setup for the sync interface?
- HA configured correctly?
Easiest if you show the interface assignment on both, firewall rules for the sync interface, CARP interfaces and HA settings.
-
Okay, thank you for thinking with me. The problem was I had WAN2 set up but nothing stuck in yet because I don't have a 2nd provider right now. As a result the full failover is not done because it keeps limping on the port. So WAN2 was not used on fw1 and fw2 so i turned off = making the HA work!
-
@laurens-DS said in HA Setup:
The problem was I had WAN2 set up but nothing stuck in yet because I don't have a 2nd provider right now
That is not the classic HA from the documentation. What you're want to do is HA with Multi-WAN.
Have a read through Netgate doc: High Availability Configuration Example with Multi-WAN.
