CARPS/VIPS Failover Issue

mypal · Sep 27, 2006, 2:09 AM

I have a setup that has the same setup as the carp cluster example. Each firewall has 4 interfaces, public, DMZ, sync and private. I have set up the carp cluster as mentioned in the example. When I power down the primary firewall, I am able to browse internet without any issue. The strange thing is the folks using public internet are not able to connect to my web server located at the DMZ subnet when the primary firewall is shutdown. If I bring up the primary firewall, everything start to work as normal again. Has anybody try out the incoming traffic to DMZ using carp failover?

Note: Both my firewall public interfaces and router are connected to the same switch.

sullrich · Sep 27, 2006, 2:36 AM

See http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

mypal · Sep 27, 2006, 3:24 AM

I have followed the example given. I have the proxy-arp enabled for the WAN interface to pass traffic to the DMZ server. However, when the primary firewall is shut down, outsiders can't connect to the web server in DMZ. The user in the LAN can browse internet without any issue. I am wondering whether the primary and secondary firewall can both do proxy-arp for the same set of public address at the same time. When the primary fails, how do the secondary firewall takes over the proxy-arp role?

sullrich · Sep 27, 2006, 3:47 AM

Proxyarp is not used for failover. CARP is.