Netgate Discussion Forum

    Carp Backup pfsense - No internet access on hosts

    Category: HA/CARP/VIPs
    11 Posts, 5 Posters, 9.8k Views
    brian.stivala

      Hi

      In a nutshell, I have 2x pfSense VMs on an ESXi 4.1 machine which are configured as a CARP failover pair. When the master is switched off for testing, the backup becomes master and I can ping the LAN CARP gateway; however, I cannot ping the WAN CARP address, so I cannot reach the internet with the backup pfSense. From the backup pfSense itself I can ping the internet (very strange), but from the hosts I cannot reach the internet. Once the master is on again I can reach the internet from the hosts, which are obviously within the LAN subnet. I've also accepted promiscuous mode settings since I am running pfSense on VMs.

      The link below is where I configured the firewalls step by step. A very good tutorial.
      http://www.fleximus.org/mirror/pfsense/tutorials/carp/carp-cluster-new.swf

      Again, I can ping everything: WAN, LAN and Sync. My only problem is that when I switch off PFS1, I cannot reach the internet, but if I ping from PFS2 itself with the ping command I can reach the internet, for example www.google.com. Only from PFS2 itself, not from the hosts.

      Please, can someone help me sort it out?

      Configuration.

      PFS1
      WAN=10.0.0.200
      LAN=192.168.175.1
      SYNC=172.16.1.200

      PFS2
      WAN=10.0.0.201
      LAN=192.168.175.2
      SYNC=172.16.1.201

      Virtual
      WAN=10.0.0.210
      LAN=192.168.175.10

      Regards,
      Brian Stivala

      podilarius

        What type of router or modem is the next hop? With fw2 active, reset that router and see if it works.

        brian.stivala

          Hi Podilarius,

          What do you mean, reset FW2? If I switch OFF FW2 everything is still working normally. The problem is that when FW1 goes down I have no internet access even if it is the master FW. I can ping the internet from the firewall itself, but I cannot reach the Internet from the hosts on the internal LAN.

          Another thing, what do you mean by type of router or modem next hop?

          Regards,
          Brian Stivala

          podilarius

            What I mean is to fail or power off FW1, then with FW2 active, reset the router/modem that is in front of pfSense. Something must be there since you are using a private IP for your WAN. I am thinking that the reason you can ping is that ping is using the WAN interface on FW2 and not the CARP IP. I am thinking that there is an issue with the router/modem using the CARP IP when it has switched over to the secondary FW.

            brian.stivala

              Finally I was able to solve it.

              The only problem that I have left is that on my host I'm pinging google.com; if I switch off FW1 the ping stops, but in reality it keeps working on FW2, because if I start the ping to google.com again it works with FW1 switched off. I think the ping must continue when a FW has been switched OFF.

              Any idea what that might be?

              Thanks

              Regards,
              Brian Stivala

              cmb

                Sounds like you aren't NATing to a CARP IP out of WAN, hence the session dies because the secondary can't send out traffic on the primary's IP.

                Tripp

                  Brian.Stivala

                  What did you find the issue was with your PFS2 not allowing clients access to the net? I have the same issue with my current setup and have set up outgoing NAT rules to translate to the VIP instead of the WAN IP. I can ping the LAN, WAN, and WAN VIP from an internal host and can ping google from my router, but can't ping google from an internal host; it doesn't seem to want to route.

                  podilarius

                    Is your CARP set up with a /32, or are you using the CIDR of your WAN address? You should also check your NAT rule and your default gateway. If you give specifics we could help more. :)

                    Tripp

                      I have a NAT rule to translate LAN and LAB to EXT.VIP/28 and I have the correct default gateway. I just did a factory default on the backup router and set it up again to confirm it works before CARP, and it does. I've just synced the primary to the backup again and won't be able to test failover until after work hours. Attached is my current setup, and my FWs are configured to the diagram exactly.

                      ![routers safe.jpg](/public/imported_attachments/1/routers safe.jpg)

                      iceflatline

                        @Tripp:

                        Brian.Stivala

                        What did you find the issue was with your PFS2 not allowing clients access to the net? I have the same issue with my current setup and have set up outgoing NAT rules to translate to the VIP instead of the WAN IP. I can ping the LAN, WAN, and WAN VIP from an internal host and can ping google from my router, but can't ping google from an internal host; it doesn't seem to want to route.

                        I was having the same issue with CARP on a couple of 2.02 boxes. The setup went fine and everything was syncing. Pulling the WAN connection on the primary firewall resulted in the secondary becoming master. However, clients could no longer reach the Internet. What was happening was that when the primary firewall was active, clients were being given its LAN IP address as the DNS address instead of the LAN CARP IP address. Then, when the primary firewall was taken offline, clients could no longer use the DNS forwarder because that IP address was no longer available. Performing another DHCP request from the client addressed the problem - sort of - because the client was then given the backup firewall's IP address as the DNS address (you can observe this behavior by checking the IP configuration of your client - by using ipconfig /all on a Windows client, for example - when the primary firewall is active and when it is not) and DNS requests would again be forwarded. But this is hardly a solution to the problem - not much of a failover if you have to visit each client and renew its IP address when the primary firewall goes offline.

                        I just loathe when forum posts like this are left hanging so here's what fixed this problem for me:

                        Navigate to Services -> DHCP Server -> LAN on your primary firewall. Enter the LAN CARP IP in the DNS servers field and ensure that the Gateway has the same address, then select Save. In a moment that setting will be propagated to the backup firewall. Now renew the IP lease on one of your clients and you should see that the DNS and Default Gateway IP addresses are indeed the LAN CARP IP. Test by shutting down the primary firewall. You should be able to access the Internet.

                        By the way, the crucial "enter the LAN CARP IP in the DNS servers field" step does not appear in the book "pfSense: The Definitive Guide," nor in any of the online CARP-related documentation that I've encountered. So, if any of the authors happen to read this post I hope they will consider correcting this oversight.

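The two root causes raised in this thread, outbound NAT that does not translate to the WAN CARP IP (cmb's post) and DHCP handing clients the primary's own LAN address as DNS and gateway instead of the LAN CARP IP (the post above), can both be caught by inspecting a node's configuration before a failover test rather than discovering them with the primary down. The following audit script is an added example, not code from this thread or from pfSense. The config excerpt is constructed and modelled on the layout of pfSense's config.xml; the element names it relies on (virtualip/vip, nat/outbound/rule/target, dhcpd/lan/dnsserver and gateway) are an assumption, and the addresses are the ones Brian posted.

```python
"""Audit a pfSense CARP node's config for two failover pitfalls discussed above:
(1) outbound NAT on WAN that translates to the node's own address instead of the WAN
CARP VIP, and (2) DHCP that hands out the node's own LAN address as DNS/gateway
instead of the LAN CARP VIP. Added example; element layout is an assumption."""
import xml.etree.ElementTree as ET

# Constructed excerpt for the primary node (PFS1) carrying both misconfigurations:
# an empty <target> means "translate to the interface address", which disappears when
# the primary dies, and DHCP DNS/gateway point at 192.168.175.1 rather than the VIP.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><ipaddr>10.0.0.200</ipaddr><subnet>24</subnet></wan>
    <lan><ipaddr>192.168.175.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>10.0.0.210</subnet><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.175.10</subnet><vhid>2</vhid></vip>
  </virtualip>
  <nat>
    <outbound>
      <mode>hybrid</mode>
      <rule><interface>wan</interface><source><network>lan</network></source><target></target></rule>
    </outbound>
  </nat>
  <dhcpd>
    <lan>
      <dnsserver>192.168.175.1</dnsserver>
      <gateway>192.168.175.1</gateway>
    </lan>
  </dhcpd>
</pfsense>
"""


def carp_vips(root):
    """Map interface name -> CARP VIP address, taken from <virtualip> entries."""
    vips = {}
    for vip in root.findall("./virtualip/vip"):
        if vip.findtext("mode") == "carp":
            vips[vip.findtext("interface")] = vip.findtext("subnet")
    return vips


def audit(config_xml):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    findings = []

    # Check 1 (cmb's point): every outbound NAT rule on WAN must translate to the WAN
    # CARP VIP, otherwise sessions die when the secondary takes over.
    wan_vip = vips.get("wan")
    for rule in root.findall("./nat/outbound/rule"):
        if rule.findtext("interface") != "wan":
            continue
        target = (rule.findtext("target") or "").strip()
        if target != wan_vip:
            findings.append(
                f"outbound NAT for source {rule.findtext('source/network')} translates to "
                f"{target or 'the interface address'}, not WAN CARP VIP {wan_vip}"
            )

    # Check 2 (iceflatline's point): DHCP DNS and gateway for LAN must be the LAN CARP
    # VIP. A blank field is treated as failing, since the node would then hand out its
    # own interface address.
    lan_vip = vips.get("lan")
    for field in ("dnsserver", "gateway"):
        value = root.findtext(f"./dhcpd/lan/{field}")
        if value != lan_vip:
            findings.append(
                f"DHCP {field} is {value or 'blank (interface address)'}, "
                f"not LAN CARP VIP {lan_vip}"
            )
    return findings


def harden(config_xml):
    """Return a copy of the config with both settings pointed at the CARP VIPs."""
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    for rule in root.findall("./nat/outbound/rule"):
        if rule.findtext("interface") == "wan":
            target = rule.find("target")
            if target is None:
                target = ET.SubElement(rule, "target")
            target.text = vips["wan"]
    lan = root.find("./dhcpd/lan")
    for field in ("dnsserver", "gateway"):
        elem = lan.find(field)
        if elem is None:
            elem = ET.SubElement(lan, field)
        elem.text = vips["lan"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL:", finding)
    print("after harden():", audit(harden(SAMPLE_CONFIG)) or "no findings")
```

Run it against a backup of each node's config (Diagnostics > Backup & Restore in the web GUI) on both the primary and the secondary; with XMLRPC sync working the secondary should report the same result as the primary, and a difference between the two is itself worth investigating before pulling the plug on the master.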
                        podilarius

                          That is something that I missed, but it does say to change DHCP settings. It will probably be in the next version.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.