Using a CARP IP adress for a dedicated Gateway

sallain

Hi All,

I have an issue for which one I didn't found a solution.

Here is the setup (two pfSense boxes) :

2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

Cluster HA/CARP/pfSync
LAN1 is the LAN I/F for the fisrt pfsense Box
LAN2 is the LAN I/F for the second pfsense Box
WAN1 is the WAN I/F for the fisrt pfsense Box
WAN2 is the WAN I/F for the second pfsense Box

LAN1 = 192.168.10.254/24 - em1
LAN2 = 192.168.10.253/24 - em1
LAN_CARP = 192.168.10.10/24 (vhid 1)

PFSYNC1 = 10.0.0.254/24 - em2
PFSYNC2 = 10.0.0.253/24 - em2

This vhid_1 id the LAN Default Gateway for network 192.168.10.0/24

WAN1 = z.x.y.210/29 - em0
WAN2 = z.x.y.211/29 - em0
WAN_CARP = z.x.y.213/26 (vhid_2)
WAN Gateway = z.x.y.214/29

A second gateway is also defined to reach a different subnet :

GW250 = 192.168.10.250/24
Remote network to reach : 192.168.33.0/24
I/F : LAN

Here is where the trouble begins (if it is a trouble, I would like to be sure)…

If I perform a TRACEROUTE from a Windows Box or Unix Box inside the 192.168.10.0/24, Packets are leaving by the default Gateway… A Windows tracert gave me extra details, ie packets are using the LAN1 IP address 192.168.10.254.

So, my question is to know if it possible to bind the gateway (GW250) to the CARP group (192.168.10.10/24) instead of the LAN1 or LAN2 (192.168.10.254 or 192.168.10.253 during a Failover) ?

Coud it be a routing trouble ? Do I need a dedicated I/F setup to forward traffic from LAN to Remote_LAN 192.168.33.0/24 ?

Tanks a lot for help and your opinions :-)

doktornotor

https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F#CARP

Must be in the same subnet as an IP address on the interface (real interface IP or IP alias.)

sallain

Hi,

I would like extra explanations, may be I missed something.

Below, details about the config.

Now, some traceroute details :

A - Traceroute from pfSense to remote LAN2

[2.1-RELEASE][root@pfsensemaster]/root(1): traceroute 192.168.3.33
traceroute to 192.168.3.33 (192.168.3.33), 64 hops max, 52 byte packets
1  192.168.10.250 (192.168.10.250)  0.505 ms  0.777 ms  0.429 ms
2  10.255.240.1 (10.255.240.1)  7.494 ms  8.246 ms  7.968 ms
3  10.34.158.2 (10.34.158.2)  19.967 ms  20.303 ms  19.952 ms
4  192.168.3.33 (192.168.3.33)  19.975 ms  19.805 ms  19.948 ms

Everything is OK

Now, traceroutre from a Linux bos inside LAN1 to LAN2, the default Gateway is 192.168.10.10 of LAN1 :

root@S-Linux: pts/0: 6 files 164Kb # traceroute 192.168.3.33
traceroute to 192.168.3.33 (192.168.3.33), 30 hops max, 60 byte packets
1  192.168.10.254 (192.168.10.254)  0.357 ms  0.364 ms  0.335 ms
2  192.168.10.250 (192.168.10.250)  0.854 ms  0.890 ms  0.873 ms
3  10.255.240.1 (10.255.240.1)  8.133 ms  8.139 ms  8.112 ms
4  10.34.158.2 (10.34.158.2)  19.944 ms  21.940 ms  21.913 ms
5  192.168.3.33 (192.168.3.33)  21.887 ms  21.897 ms  21.868 ms

Is this normal that the first hop using 192.168.10.254 instead of 192.168.10.10 ??? Why packets first are leaving to IP = 192.168.10.254 and then back to 192.168.10.10 ?

This the routing table of the Linux box :

root@S-Linux: pts/0: 6 files 164Kb # netstat -rn
Table de routage IP du noyau
Destination    Passerelle      Genmask        Indic  MSS Fenêtre irtt Iface
192.168.10.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
169.254.0.0    0.0.0.0        255.255.0.0    U        0 0          0 eth0
0.0.0.0        192.168.10.10  0.0.0.0        UG        0 0          0 eth0

Could it be a reason why I have some routing troubles from LAN2 to LAN1 ???

I will really appreciate your help about this issue :-)