Netgate Discussion Forum

Carp & nat/firewall rules

HA/CARP/VIPs
dbuckle (Jan 28, 2006, 11:32 AM)

Hi,

I've built a 2 node WRAP cluster - works fine.

I can't get the services (HTTP, SMTP etc.) exposed to the internet via the VIP.

Setup:

WAN VIP: 11.12.13.90/24
LAN VIP: 192.168.1.70/24

FW1:
    WAN: 11.12.13.80
    LAN: 192.168.1.50

FW2:
    WAN: 11.12.13.81
    LAN: 192.168.1.51

WEB SERVER:
    LAN: 192.168.1.12

LAN Firewall rule: I haven't touched this.
Default LAN -> any

I've added a WAN firewall rule to allow all to destination 192.168.1.12 port 80.

Advanced Outbound NAT Rule:

Interface: WAN
Source: 192.168.1.0/24
Destination: *
Destination Port: *
NAT Address: 11.12.13.90
NAT Port: *

Port Forward Rule:

Interface: WAN
Proto: TCP
Ext. Port Range: 80
NAT IP: 192.168.1.12 (ext.: 11.12.13.90)
Int. Port Range: 80

CARP syncs OK. Ping to each WAN IP works but ping to the WAN VIP loses some (not all) packets.

Do I need a LAN firewall rule?
Pointers to get this working would be much appreciated.

Many Thanks,
hoba (Jan 28, 2006, 1:24 PM)

What version are you running?
What CARP settings did you choose (preemption, load balancing...)?
What advertising frequency do your VIPs have at each box?
Did you create the VIPs at the master system with syncing in place so they were generated automatically at the backup, or did you create them manually at the backup?
What does Status > CARP tell you? Is one machine master, the other backup, or is something mixed there?

I have set up pfSense with CARP at several productive environments with port forwardings as well as 1:1 NATs and had no problem with these. I also did some VoIP tests with CARP and even WRAPs. You'll only notice about 1 second of silence and the call continues without being dropped.
dbuckle (Jan 28, 2006, 2:00 PM)

Running 1.0 BETA 1.

I followed the tutorial "building a fully redundant Cluster with 2 pfSense-systems".

So:

Firewall 1:

Sync Enabled: yes
Sync Interface: OPT1
Load Balancing: no
Preemption: yes
Sync Rules: yes
Sync Aliases: no
Sync NAT: yes
Sync IPSEC: no
Sync WOL: no
Sync Static Routes: no
Sync Load Balancer: no
Sync Virtual IP's: YES
Sync Traffic shaper: no
Sync to IP: 192.168.200.2

VIP Advertising Freq: 0

Firewall 2:

Sync Enabled: yes
Sync Interface: OPT1
Load Balancing: no
Preemption: YES
Sync Rules: NO
Sync Aliases: no
Sync NAT: yes
Sync IPSEC: no
Sync WOL: no
Sync Static Routes: no
Sync Load Balancer: no
Sync Virtual IP's: NO
Sync Traffic shaper: no
Sync to IP:

VIP Advertising Freq: 100

The sync seems to be working afaik. Rules I create are copied to the backup.
I created the VIPs on the MASTER and they were created on both nodes.
Firewall 1 is MASTER for both WAN and LAN VIPs, so it looks OK.

In the firewall logs I can see RULE PASS on port 80 to the 192.168.1.12 server, but nothing happens after that (no web site appears). Does this mean I have a problem with NAT (outbound?) perhaps?
hoba (Jan 28, 2006, 4:41 PM)

Is it possible that the server behind doesn't use the CARP LAN IP as gateway but a real IP of one of the systems?

Also, is your WAN IP in a /24 subnet or something smaller? The IP sounds like a test setup. The VIP and subnet have to be in the same subnet as the real IP of the interface.

From what you wrote the pfSense config looks OK. Check your client and server settings, maybe something is using a wrong gateway.

You also might want to rebuild that config with the latest testing snapshot: http://pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-25-06/pfSense.img
It has several improvements and bugfixes. As you are running an embedded system that means you need to reflash the CF media. I would also suggest creating the config afterwards by hand and not reimporting the old one, just to make sure.
dbuckle (Jan 28, 2006, 5:59 PM)

Great! It works!

I hadn't set the gateway IP address of the web server to the LAN VIP - just as you suggested.

Thanks very much for your help with this, hoba.

;D
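The two conditions hoba raised above (each CARP VIP in the same subnet as the real address of its interface on every node, and the LAN server's default gateway pointing at the LAN VIP rather than at one node's real address) plus the fix dbuckle confirms can be expressed as a small consistency check over the topology. The following is an added example, not code from this thread or from pfSense: the addresses come from the first post, while the `Node`/`Cluster` classes, the check functions, the `/24` prefix assumed on the nodes' real interface addresses and the `thread_cluster` helper are assumptions made for this example. The gateway check encodes why the fix works: inbound connections arrive through the WAN VIP on whichever node is master, so the server's replies must leave through that same node, which only the LAN VIP guarantees across a failover.

```python
"""Consistency checks for a two-node CARP/VIP cluster (added example).

Not code from the thread or from pfSense. Addresses are taken from the
first post; the /24 prefix on the nodes' real addresses, the class names and
the check functions are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    wan: str       # real WAN address with prefix length, e.g. "11.12.13.80/24"
    lan: str       # real LAN address with prefix length
    advskew: int   # CARP advertising skew; 0 = preferred master


@dataclass
class Cluster:
    wan_vip: str
    lan_vip: str
    nodes: list
    # LAN hosts behind the port forward -> default gateway each is configured with
    server_gateways: dict = field(default_factory=dict)


def check_vip_subnets(cluster):
    """Each CARP VIP must sit in the same subnet as the real address of the
    interface it is bound to, on every node (hoba's subnet point)."""
    problems = []
    for node in cluster.nodes:
        for ifname, vip, real in (("WAN", cluster.wan_vip, node.wan),
                                  ("LAN", cluster.lan_vip, node.lan)):
            if ipaddress.ip_interface(vip).network != ipaddress.ip_interface(real).network:
                problems.append(f"{node.name}: {ifname} VIP {vip} is not in the "
                                f"subnet of the real address {real}")
    return problems


def check_server_gateways(cluster):
    """Inbound connections arrive via the WAN VIP on the current master, so the
    server's replies must leave through the same node. A default gateway set to
    one node's real LAN address breaks this whenever that node is not master;
    the gateway has to be the LAN VIP (hoba's gateway point, dbuckle's fix)."""
    lan_vip = ipaddress.ip_interface(cluster.lan_vip).ip
    real_lan = {ipaddress.ip_interface(n.lan).ip: n.name for n in cluster.nodes}
    problems = []
    for server, gw in cluster.server_gateways.items():
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip == lan_vip:
            continue
        if gw_ip in real_lan:
            problems.append(f"{server}: gateway {gw} is the real LAN address of "
                            f"{real_lan[gw_ip]}; it should be the LAN VIP {lan_vip}")
        else:
            problems.append(f"{server}: gateway {gw} is neither the LAN VIP "
                            f"nor a cluster node")
    return problems


def check_advskew(cluster):
    """Master election is deterministic only if exactly one node has the lowest
    advertising skew (dbuckle's 0 on Firewall 1 and 100 on Firewall 2)."""
    skews = sorted(n.advskew for n in cluster.nodes)
    if len(skews) > 1 and skews[0] == skews[1]:
        return ["two nodes share the lowest advertising skew; master election is ambiguous"]
    return []


def audit(cluster):
    """Run all checks; an empty list means the topology is consistent."""
    return check_vip_subnets(cluster) + check_server_gateways(cluster) + check_advskew(cluster)


def thread_cluster(server_gateway, lan_vip="192.168.1.70/24"):
    """Constructed topology from the first post. The web server's default
    gateway is a parameter so the broken and the fixed state can both be audited."""
    return Cluster(
        wan_vip="11.12.13.90/24",
        lan_vip=lan_vip,
        nodes=[Node("FW1", "11.12.13.80/24", "192.168.1.50/24", advskew=0),
               Node("FW2", "11.12.13.81/24", "192.168.1.51/24", advskew=100)],
        server_gateways={"192.168.1.12": server_gateway},
    )


if __name__ == "__main__":
    # Before the fix the web server pointed at FW1's real address; after it, at the LAN VIP.
    for gw in ("192.168.1.50", "192.168.1.70"):
        findings = audit(thread_cluster(gw))
        print(f"web server gateway {gw}: {findings or 'OK'}")
```

Running the script reports one finding for the gateway `192.168.1.50` (FW1's real LAN address) and none for `192.168.1.70`. The same subnet check also flags a LAN VIP placed outside the nodes' LAN network, which is the condition hoba describes for the VIP and interface address.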
hoba (Jan 28, 2006, 8:46 PM; last edited 8:50 PM)

Great :D. Btw, if you use the pfSense as DHCP server as well, there is a field at the DHCP server settings page where you can enter the LAN VIP to be handed out as gateway to the clients.
dbuckle (Jan 29, 2006, 9:48 AM)

I'm not using DHCP in this situation but thanks for the tip.

One thing that threw me too was that I tried using 192.168.0.70 (note the zero) as my LAN gateway VIP as I originally had my LAN on the 192.168.0.x network. Doing this caused lots of BAD GATEWAY error messages. Changing to 192.168.1.70 as the LAN GATEWAY VIP solved this.
hoba (Jan 29, 2006, 11:47 AM)

The Bad Gateway messages are cosmetic and they should be there no matter which IP you are using. They always appear when a CARP IP is brought up.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.