VIPs w/ Gateway Groups
-
When setting up a gateway group, there's a virtual IP drop down, but it doesn't allow me to pick one of the VIPs I've setup; only "Interface Address" is available. I setup 2 /32 IP Alias VIPs; one for each WAN.
I have 2 WANs and each WAN has 5 static IPs. I think I have IPSec failover working for the primary gateway IPs with dynamic DNS. I need to get another pair of static IPs to failover. I thought I'd assign the other static IPs to IP Alias VIPs, then setup gateway groups with pairs of VIPs…
I read somewhere that only CARP VIPs could be assigned to gateway groups? I tried changing a VIP from IP Alias to CARP, but it said CARP VIPs couldn't be /32?
I'm using 2.1.5. I should be able to update to 2.2.0 if that would help with this.
Any help would be greatly appreciated.
-Matt
-
You don't do that with a gateway group. You do that with an IP Alias attached to the CARP VIP (on 2.2 at least) or another CARP VIP. It should have the same netmask as the WAN/VIP (/29). The IP Aliases don't use hellos. They follow the CARP VIP when it fails over.
Any outbound traffic you want to assign to a specific VIP would be done in your outbound NAT rules.
What are you looking to do with the VIP?
-
Thanks for the reply.
I think I need the 2 VIPs to be in a gateway group because I need to be able to assign the failover group as a dynamic DNS client interface.
I'm trying to use this so our VoIP phones failover to the other WAN IP if the primary one goes down. Our VoIP trunk provider can use a dynamic dns host name to failover the VoIP trunk, but I need pfsense to update the dns address based on which wans are up.
I think this is basically the same as having an IPSec connection failover except its VoIP instead of IPSec. How do you do IPSec failover for 2nd IPs on WANs?
-
I can look at that in 2.2 later.
-
I also posted this request for help in the Routing and Multi WAN forum since it seems to be related to both groups. Someone there mentioned the netmasks of the VIPs should match those of the WAN interfaces. I updated them to /24 for the fiber connection and /29 for the cable one. Unfortunately, the VIPs still weren't available in the gateway group screen.
Thank you for looking into this.
-
Can I ask why you need dyn for this? When it fails over the IP doesn't change and it's a static from the ISP. Why bother with dynamic DNS?
-
When it fails over the IP does change as the VoIP has to switch from using 1 provider's fiber line to a different provider's cable line. I could see if the VoIP provider could handle switching destination IPs on their end if they detected a failure on the primary (instead of using dyn), but pfsense would still need to know which WAN to route the outgoing VoIP on.
-
I'm sorry. I see CARP and I think CARP. Now I get it.
