Netgate Discussion Forum
    Carp w static ip

HA/CARP/VIPs
cruzmiester

Thanks for the input. I really don't care if I don't have access to the 2nd FW from a public IP.

I may be doing something wrong, but I tried giving the WAN adapter a private IP and kept getting error messages that the WAN IP was different from the gateway. The gateway I'm using is the one assigned by the ISP, which I think is part of my subnet mask addresses. The subnet masks I tried for the private IPs were /16, /24 and /32.

Derelict (LAYER 8, Netgate)

        That could be an issue.

        I don't know what would happen if you:

Create a gateway manually with the IP address given by your ISP. Mark it as the default gateway.

Set no gateway on your WAN interfaces.

Create the CARP VIP as an IP Alias on the correct subnet as provided by your ISP. This should encompass the gateway IP.

        Make sure all your outbound NAT uses the CARP VIP.

I just tried this (without a failover pair) and it seems to work. This "breaks" a lot of pfSense automation; for example, there are no longer any Automatic Outbound NAT rules generated. But that's OK because you'd have to modify all of them to use the CARP VIP anyway.

This is very interesting. ETA: Screenshots. pfSense C on my signature diagram.

Attachments: carp-gateway.png, carp-wan.png, carp-vip.png, carp-nat.png

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

dotdash

          I was playing around with a test box and was able to do the following:

1. Put a private IP on the WAN interface, left gateway empty.
2. Create a CARP VIP on the WAN with a public IP.
3. Go back to WAN interface, add gateway, put in public gateway IP.
4. Turned on AON, set CARP IP as outbound NAT.

I've yet to put this on a live segment and test failover, but it looks promising.
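The two posts above describe the same layout: a private address on each node's WAN interface, the ISP's public address carried by a CARP VIP, a manually defined gateway inside the VIP's subnet, and outbound NAT and port forwards pointed at the VIP rather than the interface address. The checker below is an added example written for this thread, not code from the forum, from pfSense or from any of the posters; it models that layout in a small Python structure and reports the mistakes the thread runs into (gateway outside the VIP subnet, NAT rules still using the interface address, nodes on different WAN subnets). All addresses are constructed sample values from documentation and RFC 1918 ranges, and the `CarpDesign`/`Node` names are my own.

```python
"""Consistency checks for a CARP-on-private-WAN layout (added example).

Models the design discussed in the thread: RFC 1918 addresses on the WAN
interfaces, a CARP VIP holding the public address, a gateway that must be
on-link via the VIP's subnet, and NAT rules that must reference the VIP.
"""
from dataclasses import dataclass
import ipaddress

# pfSense's "private networks" are the RFC 1918 ranges; we check those
# explicitly instead of ipaddress.is_private, which also flags the
# documentation ranges used for the sample "public" addresses below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


@dataclass
class Node:
    name: str
    wan_addr: str          # interface address with prefix, e.g. "10.99.0.2/24"


@dataclass
class CarpDesign:
    nodes: list            # the HA pair
    carp_vip: str          # CARP VIP with the ISP's prefix, e.g. "203.0.113.10/29"
    gateway: str           # ISP gateway address
    outbound_nat_src: str  # translation address in the outbound NAT rule
    port_forward_dst: str  # destination address in the port-forward rule


def check_design(d):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    vip = ipaddress.ip_interface(d.carp_vip)
    gw = ipaddress.ip_address(d.gateway)

    # 1. The ISP gateway is reached through the VIP's subnet, so it must lie
    #    inside it (the "WAN IP differs from the gateway" error in the thread).
    if gw not in vip.network:
        problems.append(f"gateway {gw} is not inside the CARP VIP subnet {vip.network}")

    # 2. The VIP carries the public address; a private VIP defeats the design.
    if is_rfc1918(vip.ip):
        problems.append(f"CARP VIP {vip.ip} is an RFC 1918 address; expected the public IP")

    # 3. Interface addresses are private, distinct from the VIP, and on one
    #    shared subnet so the nodes see each other's CARP advertisements.
    wan_nets = set()
    for n in d.nodes:
        ifa = ipaddress.ip_interface(n.wan_addr)
        if not is_rfc1918(ifa.ip):
            problems.append(f"{n.name}: WAN address {ifa.ip} is not RFC 1918; expected a private address")
        if ifa.ip == vip.ip:
            problems.append(f"{n.name}: WAN address equals the CARP VIP {vip.ip}")
        wan_nets.add(ifa.network)
    if len(wan_nets) > 1:
        problems.append(f"node WAN addresses are on different subnets: {sorted(map(str, wan_nets))}")

    # 4. Outbound NAT and port forwards must use the VIP, never a per-node
    #    interface address, or traffic stops working after a failover.
    for label, addr in (("outbound NAT", d.outbound_nat_src),
                        ("port forward destination", d.port_forward_dst)):
        a = ipaddress.ip_address(addr)
        if a != vip.ip:
            problems.append(f"{label} uses {a}; must use the CARP VIP {vip.ip}")
    return problems


# Constructed sample layouts: GOOD follows the thread's recipe, BAD breaks it.
GOOD = CarpDesign(
    nodes=[Node("fw-a", "10.99.0.2/24"), Node("fw-b", "10.99.0.3/24")],
    carp_vip="203.0.113.10/29", gateway="203.0.113.9",
    outbound_nat_src="203.0.113.10", port_forward_dst="203.0.113.10")

BAD = CarpDesign(
    nodes=[Node("fw-a", "10.99.0.2/24"), Node("fw-b", "10.99.1.3/24")],
    carp_vip="203.0.113.10/29", gateway="198.51.100.1",
    outbound_nat_src="10.99.0.2", port_forward_dst="203.0.113.10")

if __name__ == "__main__":
    for name, design in (("good", GOOD), ("bad", BAD)):
        print(name, check_design(design) or "ok")
```

Running the script prints `ok` for the first layout and three findings for the second: the gateway sits in a different network than the VIP, the two nodes' WAN addresses are on different /24s, and outbound NAT still translates to the interface address instead of the VIP.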
viragomann

We have 3 public subnets here, 2 /29 + 1 /28, so we waste 6 IPs just for CARP, and that is truly bitter.
However, we use just 1 WAN gateway.

After upgrading to 2.2 I tried to assign all IP Aliases to the CARP VIP which belongs to the subnet of the only WAN gateway, and to delete the two WAN VIPs I had assigned for CARP before, but pfSense didn't let me do that. It tells me the VIPs would still be in use.

Any suggestion what I can do to release at least the 4 IPs of the additional subnets?

Derelict (LAYER 8, Netgate)

You might have to be more specific. I had no trouble creating this…

Attachment: carp-ipalias.png


MikeLiu

                @dotdash:

                I was playing around with a test box and was able to do the following:

1. Put a private IP on the WAN interface, left gateway empty.
2. Create a CARP VIP on the WAN with a public IP.
3. Go back to WAN interface, add gateway, put in public gateway IP.
4. Turned on AON, set CARP IP as outbound NAT.

I've yet to put this on a live segment and test failover, but it looks promising.

I have tried the steps listed above and succeeded.
But I cannot let an outside client browse my internal web server.
Please tell me how to set up NAT (port forwarding), thanks!

dotdash

                  Just like on any CARP setup, you need to select the CARP VIP as 'Destination' in the port-forward.

MikeLiu

                    @dotdash:

                    Just like on any CARP setup, you need to select the CARP VIP as 'Destination' in the port-forward.

                    Thanks for your reply.

I have tested it using the CARP VIP as 'Destination' in the port-forward and it works.
But there is a strange thing with the Dest. port setting; a brief description is below:

1. When I use port 80 (HTTP) as Dest. port and NAT port 80, the client still cannot browse my web server.
2. If I use another port (like 9999) as Dest. port and NAT port 80, the client will get the current page content.

Is there anything more I need to set up?

dotdash

Make sure the webConfigurator is not listening on HTTP (System, Advanced, Admin Access).

MikeLiu

I found it's an IP problem.

It works well when I use a real public IP rather than a private IP (which I used for testing).
When I use a private IP as the WAN IP, it does not work, even though I unchecked the "Block private networks" option.

                        Thanks again!
