No reply from BACKUP CARP host
-
I have two pfSense 2.0.2 boxes in CARP which under normal conditions are:
PF1 = CARP MASTER
PF2 = CARP BACKUP
This is the network configuration:
WAN: 192.168.10.0 / 24
CARP1: .26
CARP2: .27
CARP3: .28
PF1: .29
PF2: .30
GW: .254
DMZ: 192.168.0.0 / 24
CARP1: .1
PF1: .251
PF2: .252
LAN: 192.0.0.0 / 24 (oops, I inherited, it is not my fault;-)
CARP1: .254
PF1: .251
PF2: .252
SYNC: 192.168.200.0 / 24
PF1: .1
PF2: .2
All interfaces have Gateway = None, and in System -> Gateway I put 192.168.10.254, checked as Default Gateway, on the WAN.
The configuration of the OpenVPN server:
Protocol: UDP
Device: tun
Interface: WAN_CARP1
Port: 1194
Tunnel: 10.102.128.0 / 24
Local Network: 192.0.0.0 / 24
Everything works fine except the ping to the IPs of the host in BACKUP state.
The Windows client opens the VPN to WAN_CARP1 and is able to ping hosts on the LAN, and the IPs of the MASTER host, including all VIPs, but I do not get any response from IPs of BACKUP host.
Disconnecting PF1 only from the WAN, after a few seconds I can re-establish the VPN, but I no longer reach the PF1 IPs, since it has become the BACKUP host.
Any idea?
-
Everything works fine except the ping to the IPs of the host in BACKUP state.
The Windows client opens the VPN to WAN_CARP1 and is able to ping hosts on the LAN, and the IPs of the MASTER host, including all VIPs, but I do not get any response from IPs of BACKUP host.
Disconnecting PF1 only from the WAN, after a few seconds I can re-establish the VPN, but I no longer reach the PF1 IPs, since it has become the BACKUP host.
yes… I think / have checked it out when I tried to configure a site2site VPN that the backup host has the same OpenVPN routes as the master host... so it can't be reached from the other side...
You can check it by requesting the route:
on master/backup you can try:
route -n get <ip of lan client>
=> on both machines you would get the answer "ovpns1" for instance.
=> perhaps there is a solution with Quagga OSPF which handles the routes dynamically.
But also here it can be that the static route of the shut-down OpenVPN server is already set and therefore Quagga can't help out.
-
Solved!
As mentioned by jimp (http://forum.pfsense.org/index.php/topic,54537.msg291748.html#msg291748), just add a NAT rule on the MASTER for each IP address of the BACKUP host that is unreachable from the VPN client.
Following the above data, here is an example, which also includes a rule for the BACKUP host IP in the DMZ.

Interface  Source            Source Port  Destination       Dest. Port  NAT Address    NAT Port  Static Port  Description
---------  ----------------  -----------  ----------------  ----------  -------------  --------  -----------  -------------------------------
LAN        10.102.128.0/24   *            192.0.0.252/32    *           192.0.0.254    *         NO           Enable PF2 reply to VPN clients
DMZ        10.102.128.0/24   *            192.168.0.252/32  *           192.168.0.1    *         NO           Enable PF2 reply to VPN clients

During the creation of these NAT rules you must check "No XMLRPC Sync".
Similar rules can also be added to the BACKUP host, useful if the MASTER WAN connection goes down.
Simply replace the destination IP address and put the IP of the MASTER, eg. 192.0.0.252/32 becomes 192.0.0.251/32.
Do the same for any other networks.
If you also add rules on the BACKUP host, I recommend disabling the option CARP -> "Synchronize NAT", because they would be deleted by the first synchronization.
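The mechanism behind the route check in the earlier reply and the NAT fix in this post can be reproduced offline. The following is an added example, not code from the thread or from pfSense: it builds the routing table both hosts share (the second reply reports identical OpenVPN routes on MASTER and BACKUP), does the longest-prefix lookup that `route -n get` performs, and shows why a ping reply from the BACKUP host is lost, and why it is delivered once the MASTER has rewritten the client's source address to the LAN CARP VIP 192.0.0.254. Interface names (em0, em1, em2, ovpns1), the tunnel peer 10.102.128.2 and the client address 10.102.128.6 are constructed assumptions.

```python
import ipaddress

# Constructed routing table, modelled on the addressing in this thread.
# Interface names and the OpenVPN peer address are assumptions. Both hosts
# carry the 10.102.128.0/24 route via ovpns1; only the MASTER actually has
# the client session on that tunnel.
COMMON_ROUTES = [
    ("0.0.0.0/0",       "192.168.10.254", "em0"),     # WAN default gateway
    ("192.168.10.0/24", None,             "em0"),     # WAN, on-link
    ("192.0.0.0/24",    None,             "em1"),     # LAN, on-link
    ("192.168.0.0/24",  None,             "em2"),     # DMZ, on-link
    ("10.102.128.0/24", "10.102.128.2",   "ovpns1"),  # OpenVPN tunnel network
]

HOSTS = {
    # name: (routing table, interfaces that currently have no usable peer)
    "PF1-MASTER": (COMMON_ROUTES, set()),
    "PF2-BACKUP": (COMMON_ROUTES, {"ovpns1"}),  # tun exists, no client session
}


def lookup(routes, dst):
    """Longest-prefix match, as `route -n get` does. Returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


def reply_delivered(host, reply_dst):
    """Does a ping reply from `host` to `reply_dst` leave on a live interface?"""
    routes, dead = HOSTS[host]
    iface, _gw = lookup(routes, reply_dst)
    return iface not in dead


def ping_host(host, client_ip, nat_to=None):
    """Simulate a VPN client pinging an address owned by `host`.

    With nat_to set, the MASTER rewrote the packet's source to that CARP VIP
    on the way through (the outbound NAT rule from this post), so the reply
    is addressed to the VIP instead of to the client.
    """
    reply_dst = nat_to if nat_to else client_ip
    iface, _gw = lookup(HOSTS[host][0], reply_dst)
    return {
        "reply_to": reply_dst,
        "via": iface,
        "delivered": reply_delivered(host, reply_dst),
    }


if __name__ == "__main__":
    client = "10.102.128.6"  # constructed client address in the tunnel network
    print("master:            ", ping_host("PF1-MASTER", client))
    print("backup, no NAT:    ", ping_host("PF2-BACKUP", client))
    print("backup, NAT to VIP:", ping_host("PF2-BACKUP", client, nat_to="192.0.0.254"))
```

Without NAT the BACKUP host resolves the client address to its own ovpns1, which has no session, so the reply never arrives. With the source rewritten to 192.0.0.254, the reply goes out on the LAN to the VIP, which the MASTER holds; it de-NATs the reply and forwards it over its live tunnel. That is also why the same rule works in reverse on the BACKUP host after a failover, with the MASTER's address as the destination.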
-
In 2.0.2 and 2.1 we shut down OpenVPN if it's bound to a CARP VIP in backup mode.
-
On my 2.0.2 OpenVPN is still running on the BACKUP host and the routing tables are identical between the two boxes.
Bye.