Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Carp Slave, no internet access

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    2
    2
    2.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      T1mmy
      last edited by

      We have 2 pfsense 1.2.3 nodes running CARP and everything else is working fine except the slave node has no internet access at all. I found  a question(with no answer) sent to pfsensesupport in 2007 which addresses practically an indentical situation, so for my convenience I'll paste the question here.

      http://www.mail-archive.com/support@pfsense.com/msg11406.html

      I have two pfSense boxes running a recent version of 1.2 RC3. Fail-over seems to work correctly when the master unit dies, and the master unit takes back over when it comes back online, so I figure most of my settings must be mostly correct (I followed the visual tutorial listed on the pfsense.com site).

      I do, however, seem to have one problem with the slave carp unit. When it is not the master unit, it does not have internet access. From the diagnostic ping page on the web configurator of the carp slave, I cannot ping a remote site and the list of addon packages for the unit do not show up. Also, Snort rules will not update. From the WAN side, I am able to ping the real IP of the carp slave, but cannot connect to it remotely (unless it is working as the master carp unit).

      I believe that my problem may be a NAT issue. I have advanced outbound NAT enabled and have the master unit configured to sync NAT with the slave. I have found, however, that if I create a manual rule on the slave unit that tells it to perform NAT for all traffic and to use the real WAN IP address that all Internet access for the carp slave is restored. As soon as I remove this rule and rely on the synced advanced outbound NAT rule that is replicated from the master unit, however, internet access to the slave unit dies.

      I am able to access the master unit from both the Carp Wan IP and from its real Wan IP, and everything seems to work correctly with it. Both machines have identical hardware.

      The advanced outbound NAT rule that is synced between the two units is as follows:

      Interface – WAN
      Source -- any
      Source Port -- *
      Destination  -- *
      Destination Port -- *
      NAT Address -- The Carp IP Address
      NAT Port -- *
      Static Port -- No

      I have searched the mailing list and the forum and the updated carp documentation on the pfsense documentation site, but I have not yet found an explanation for this problem.

      I appreciate any help that may be available.

      Thanks,

      Vaughn Reid III
      Indiana, USA

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Traffic leaving the pfSense box itself does not have NAT applied, so that cannot be the issue. It would have to be your WAN settings, or ISP routing to your slave system's WAN IP. It may work for clients behind the system when failed over because routing for the CARP VIP (and WAN IP on the master unit of course) may be correct.

        Double check your WAN configuration (subnet mask, etc) and confirm with your ISP that the IP address you are using is properly routed to you.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • First post
          Last post