Netgate Discussion Forum
    2 of 3 CARP VIPs work

    HA/CARP/VIPs
    • bill_mcgonigle

      Hi, folks,

      I have pfSense set up with 3 VIPs, one for WAN (public IP), one for LAN (10.0.), and one for DMZ (OPT1) (172.16.).  OPT2 (192.168.) handles the CARP traffic.  Synchronization to the failover device works fabulously.

      The VIPs for LAN and WAN work exactly as they should; advanced outbound NAT works fine.  However, the DMZ machines aren't reachable, and I can't ping the DMZ interface.  The only thing in the log that I see is:

      Feb 23 11:28:01  kernel: arplookup 172.16.0.1 failed: could not allocate llinfo
      Feb 23 11:28:01  kernel: arpresolve: can't allocate route for 172.16.0.1

      Searching the board for these errors, folks point to a "don't worry about it" FAQ entry, so I'm not sure if it's meaningful or a red herring.

      Both devices work fine with the non-VIP config on them.

      Any suggestions as to where to look next?

      • hoba

        What does Status > CARP report for the 3rd non-working VIP?

        • bill_mcgonigle

          Ah! Thanks, I'll schedule a new window to try again and look there.

          • bill_mcgonigle

            OK, I just tried this again. I have two systems, named pfsense and pfsense2.

            If I look under CARP Status, on pfsense (the one I intend to be master), I see all three VIPs listed as MASTER.

            On pfsense2, I see the LAN VIP as BACKUP and the WAN and DMZ VIPs as MASTER.  The pfSync nodes list (13 entries) matches on both.

            I've checked the VHID on both in the GUI and in an XML backup file.  I also compared the passwords for each VIP in the XML backup file; they match.  The advskew on pfsense2 was automatically set to 100 on the backup VIPs.

            The synchronization of rules and such is still working fine.

            Now, here's something that makes me go 'hmmm': the XML backup for pfsense2 has the proxy ARP entries for my DMZ machines listed simply as <vip> (one for each of 10 entries).  The XML backup for pfsense (the master) has the proxy ARP entries fully detailed.  I notice I have 10 proxy ARPs and 3 VIPs and 13 pfSync nodes - not a coincidence?

            What's odd is some traffic works OK - I can ssh in to a DMZ machine from the Internet, for instance.  But any DNS queries, pings, telnets, I'm guessing all outgoing traffic (initiated from the DMZ), from a DMZ machine to the Internet fail.  Also pinging the DMZ VIP from within the DMZ still fails.

            pfSense 1.0.1 on both machines.

            Thanks for any insight.

            • hoba

              You have proxy ARP entries as well? This is a problem. Proxy ARP IPs can't be shared between two systems, so both systems will try to actively use them. Either disable VIP syncing and manually create the needed items, or move everything to CARP. I would move everything to CARP.

              • bill_mcgonigle

                OK, so the theory of operation would be to create CARP VIPs on the WAN interface - and then leave the 1:1 NAT as is for linking the WAN and DMZ addresses?

                • hoba

                  Correct. You first need a virtual IP to add 1:1 mappings (at least if we are not talking about the real WAN interface IP). On top of that you need firewall rules to let the desired traffic pass, of course.

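A check for the two points raised in this thread (proxy ARP entries that got synced to both nodes, and 1:1 mappings whose external address should be a CARP VIP), as an added example that is not from the thread or from pfSense itself: a Python script that parses two config.xml backups, flags proxy ARP VIPs (which have no election protocol, so a synced copy means both boxes answer ARP for the same address), compares the CARP VIPs between master and backup (VHID, password and mask must match, advskew must differ), and reports 1:1 NAT entries whose external address is not a CARP VIP. The config.xml element names it looks for (virtualip/vip with mode, interface, vhid, advskew, password, subnet, subnet_bits, descr; nat/onetoone with interface and external) are an assumption about the file layout, and the two XML documents embedded below are constructed sample input, not the poster's real configuration.

```python
"""Sanity-check CARP / proxy ARP virtual IPs across two pfSense config.xml backups.

Added example, not code from the forum thread or from pfSense. Assumed layout:
<pfsense><virtualip><vip>...</vip></virtualip><nat><onetoone>...</onetoone></nat></pfsense>
with per-VIP fields mode/interface/vhid/advskew/password/subnet/subnet_bits/descr and
<interface>/<external> on each 1:1 entry. The XML at the bottom is constructed sample data.
"""
import xml.etree.ElementTree as ET

FIELDS = ("mode", "interface", "vhid", "advskew", "password", "subnet", "subnet_bits", "descr")


def parse_vips(xml_text):
    """Return the <virtualip><vip> entries as dicts (missing fields become '')."""
    root = ET.fromstring(xml_text)
    return [{f: (vip.findtext(f) or "").strip() for f in FIELDS}
            for vip in root.findall("./virtualip/vip")]


def parse_onetoone(xml_text):
    """Return (interface, external address) for each 1:1 NAT entry."""
    root = ET.fromstring(xml_text)
    return [((e.findtext("interface") or "").strip(), (e.findtext("external") or "").strip())
            for e in root.findall("./nat/onetoone")]


def check_pair(master_xml, backup_xml):
    """Return a list of (severity, message) findings for a CARP failover pair."""
    findings = []
    m_vips, b_vips = parse_vips(master_xml), parse_vips(backup_xml)

    for side, vips in (("master", m_vips), ("backup", b_vips)):
        seen_vhid = set()
        for v in vips:
            where = f"{v['subnet']} on {v['interface']}"
            # Proxy ARP has no master election: if both boxes carry the entry, both answer ARP.
            if v["mode"] == "proxyarp":
                findings.append(("error", f"{side}: proxyarp VIP {where} cannot be shared; convert it to CARP"))
            elif v["mode"] == "carp":
                # A VHID must be unique per interface/broadcast domain.
                if (v["interface"], v["vhid"]) in seen_vhid:
                    findings.append(("error", f"{side}: duplicate VHID {v['vhid']} on {v['interface']}"))
                seen_vhid.add((v["interface"], v["vhid"]))

    # CARP VIPs must agree on vhid/password/mask between nodes and differ only in advskew.
    b_carp = {(v["interface"], v["subnet"]): v for v in b_vips if v["mode"] == "carp"}
    for v in (x for x in m_vips if x["mode"] == "carp"):
        where = f"{v['subnet']} on {v['interface']}"
        other = b_carp.get((v["interface"], v["subnet"]))
        if other is None:
            findings.append(("error", f"CARP VIP {where} is missing on backup"))
            continue
        for f in ("vhid", "password", "subnet_bits"):
            if v[f] != other[f]:
                findings.append(("error", f"CARP VIP {where}: {f} differs between master and backup"))
        if int(v["advskew"] or 0) >= int(other["advskew"] or 0):
            findings.append(("warn", f"CARP VIP {where}: backup advskew must exceed master's or both claim MASTER"))

    # On a failover pair a 1:1 mapping needs a shared (CARP) external address.
    carp_addrs = {(v["interface"], v["subnet"]) for v in m_vips if v["mode"] == "carp"}
    for iface, ext in parse_onetoone(master_xml):
        if (iface, ext) not in carp_addrs:
            findings.append(("warn", f"1:1 NAT external {ext} on {iface} is not a CARP VIP"))
    return findings


def _config(dmz_password, advskew):
    # Constructed sample config.xml (assumed layout); addresses are documentation ranges.
    return f"""<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><advskew>{advskew}</advskew>
      <password>wanpass</password><subnet>203.0.113.10</subnet><subnet_bits>24</subnet_bits><descr>WAN VIP</descr></vip>
    <vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid><advskew>{advskew}</advskew>
      <password>lanpass</password><subnet>10.0.0.1</subnet><subnet_bits>8</subnet_bits><descr>LAN VIP</descr></vip>
    <vip><mode>carp</mode><interface>opt1</interface><vhid>3</vhid><advskew>{advskew}</advskew>
      <password>{dmz_password}</password><subnet>172.16.0.1</subnet><subnet_bits>16</subnet_bits><descr>DMZ VIP</descr></vip>
    <vip><mode>proxyarp</mode><interface>wan</interface><subnet>203.0.113.20</subnet>
      <subnet_bits>32</subnet_bits><descr>DMZ host 1 public address</descr></vip>
  </virtualip>
  <nat>
    <onetoone><interface>wan</interface><external>203.0.113.20</external><internal>172.16.0.20</internal></onetoone>
  </nat>
</pfsense>"""


MASTER_XML = _config("dmzpass", 0)
BACKUP_XML = _config("dmzpas", 100)   # synced copy with a mistyped DMZ password to show the comparison

if __name__ == "__main__":
    for severity, message in check_pair(MASTER_XML, BACKUP_XML):
        print(f"[{severity}] {message}")
```

Run against real backups by replacing MASTER_XML and BACKUP_XML with the contents of the two downloaded config.xml files. The fix the script points at is the one hoba gives: re-create each proxy ARP address as a CARP VIP on the WAN interface (one VHID each), keep the 1:1 mappings pointed at those addresses, and make sure the backup's advskew is higher than the master's.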
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.