Howto : CARP + VIP and outbound rules with Pfsense 2.0 release …

podilarius

There must be a rule that you are not setting correctly. If you are trying with ping and other service on the pfsense, then you must set outbound NAT for the interface IP as well.
All traffic from behind the FW get NATed correctly on my test system.

Like:
WAN  XXX.XXX.XXX.7/32 * * * XXX.XXX.XXX.4 * NO

Same for the LAN side.

zeratoun

Hi podilarius,

in Whatismyip it shows me WAN ip and not VIP ip ….. that's my trouble :(

podilarius

can you screen shot your outbound nat screen. you can pm me that if you don't want to post it in here.

podilarius

I can also say that having the /32 for the interface addresses is a bad thing. the secondary system does really like that.

arcel

Hi podilarius,
Given the settings below without the OUTBOUND NAT rule. can you config how it should be? also if there's a need on the WAN and LAN firewall rules to be added?

Im working on:
Version    2.0-RELEASE (i386)
built on Tue Sep 13 17:28:43 EDT 2011

MASTER WAN ip : XXX.XXX.XXX.121
SLAVE WAN ip : XXX.XXX.XXX.122
VIP WAN ip : XXX.XXX.XXX.123/24
GW WAN (Default) : XXX.XXX.XXX.254
Subnet : 24

MASTER SYNC : YYY.YYY.YYY.10
SLAVE SYNC : YYY.YYY.YYY.20
Subnet : 24

MASTER LAN : ZZZ.ZZZ.ZZZ.251
SLAVE LAN : ZZZ.ZZZ.ZZZ.252
(Ive noticed zeratoun has a value of GW LAN : ZZZ.ZZZ.ZZZ.254 from here. should it be the GW VIP LAN only here(in my case  ZZZ.ZZZ.ZZZ.250) that will be used by LAN network?( which work fine with me)
GW VIP LAN : ZZZ.ZZZ.ZZZ.250
Subnet : 24

Pfsync sync interface : SYNC
Pfsync sync test : ok
Failover test : Ok

again, problem is when i check whatsmyip.com, it shows the master, or the slave WAN ip when master fail.

Many thanks in advance!

podilarius

arcel,
You must use Advanced outbound NAT with failover CARP.
You need only 3 rules.

Interface Source           Source Port Destination Destination Port NAT Address NAT Port Static Port Description

WAN  127.0.0.0/8         *         *                  *                         *         1024:65535   NO  Auto created rule for localhost to WAN
WAN  ZZZ.ZZZ.ZZZ.0/24 *         *             500         XXX.XXX.XXX.254 *   YES Auto created rule for ISAKMP - LAN to WAN
WAN  ZZZ.ZZZ.ZZZ.0/24 *         *             *                 XXX.XXX.XXX.254 *   NO  Auto created rule for LAN to WAN

I hope the columns line up correctly. Traffic originating FROM the pfSense firewall should not be NATed. I would not use reflection at all, instead I would use split brain DNS utilizing the DNS services within pfSense. It works VERY well as the traffic stays within the LAN. All your servers and DHCP needs to have the default gateway of ZZZ.ZZZ.ZZZ.250.

arcel

THANKS!!!! THANKS!!!! THANKS!!!! THANKS!!!! THANKS!!!! to you PODILARIUS

i followed your config with slight changes:

You must use Advanced outbound NAT with failover CARP.  apply this settings
You need only 3 rules.

Interface  Source              Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description

WAN      127.0.0.0/8            *            *                  *                          *          1024:65535    NO  Auto created rule for localhost to WAN 
WAN      ZZZ.ZZZ.ZZZ.0/24    *            *                500          XXX.XXX.XXX.123    *    YES Auto created rule for ISAKMP - LAN to WAN 
WAN      ZZZ.ZZZ.ZZZ.0/24    *            *                *                  XXX.XXX.XXX.123    *    NO  Auto created rule for LAN to WAN

now it work like a charm!!!!!

to zeratoun:
try this one if this would work on you.

zeratoun

Hi,

~~I have made exactly as you (only that your .123 is .51 in my case) but whatismyip.com still shows me .52 or .53 instead of .51

is there a command line way to know if the outbound rules are even applied ?~~

Edit, it work too ….... however if I telnet from pfsense console (just for test) it still uses .52 or .53 ...

Best regards

:(

podilarius

@zeratoun:

Edit, it work too ….... however if I telnet from pfsense console (just for test) it still uses .52 or .53 ...

You want that to happen and that is normal, FROM pfSense firewall itself. States from pfsync for traffic originating from the LAN will be duplicated to the backup and there will be minimal packet loss (perhaps none). You want to make sure that from within the LAN the correct IP is shown by whatismyip.com.

zeratoun

Exactly,

i want that, from the localhost of the pfsense firewall itself it uses the VIP LAN or WAN …. it's possible ?

Best regards,

podilarius

@zeratoun:

Exactly,

i want that, from the localhost of the pfsense firewall itself it uses the VIP LAN or WAN …. it's possible ?

Best regards,

It is possible but highly NOT recommended. I got that running in my test environment and CARP was not happy as ping stopped to the gateway on the secondary firewall. I think this will have an adverse effect on the clusters ability to fail over correctly. I didn't have a chance to test fail over, but i did notice that I could not download packages or ping the gateway. There is not reason I can think of to do this. Would you mind telling us why you would like to do that?