Netgate Discussion Forum

can't reach virtual ip from LAN side

HA/CARP/VIPs
  • Kerzhain
    last edited by Dec 21, 2018, 10:12 AM

    Hello,
    I'm a beginner in pfSense and I have some issues with virtual IPs:

    I added the following virtual IPs: LAN/WAN

    virtual ip

    Virtual IPs are of type CARP because I want to implement failover after that.

    My issue is I can't reach the virtual IP from the LAN side.


    Strangely, I can reach my virtual IP from pfSense.

    My virtual IP from LAN is working.

    Does anyone know how to fix this?

    Thank you

    • NogBadTheBad
      last edited by Dec 21, 2018, 10:39 AM

      @kerzhain said in can't reach virtual ip from LAN side:

      CARP

      I wonder if it's a NAT issue.

      Have you disabled "Block private networks and loopback addresses" on the WAN interface?

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • Kerzhain
        last edited by Dec 21, 2018, 10:47 AM

        Thanks for your answer,

        Yes, it's already disabled on the LAN and WAN interfaces.

        From my LAN side I can ping all IPs except my virtual IP on the LAN side;
        I don't know what's missing.

        • NogBadTheBad
          last edited by NogBadTheBad Dec 21, 2018, 11:27 AM (posted Dec 21, 2018, 10:53 AM)

          As I mentioned, I think it's a NAT issue.

          What does a packet capture on the WAN interface show you when you filter on the 192.168.1.250 address?

          Also you could look at the states and filter on 192.168.1.250.


          The red arrow points to my WAN address.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • NogBadTheBad
            last edited by Dec 21, 2018, 11:27 AM

            https://www.netgate.com/docs/pfsense/book/highavailability/example-redundant-configuration.html

            Check the following section:

            Configure Outbound NAT for CARP

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • Kerzhain
              last edited by Kerzhain Dec 21, 2018, 11:33 AM (posted Dec 21, 2018, 11:31 AM)

              Here is the configuration:
              schema

              My issue is the connection between my VM and my virtual IP on the LAN side.

              I have nothing in diagnostics states for my virtual IP (WAN or LAN):
              WAN VIRTUAL IP

              LAN VIRTUAL IP

              Maybe I need to add new NAT rules; do you see something wrong here?
              NAT

              Do you think I need to add NAT rules for my virtual IP?
              vip nat

              • Kerzhain @NogBadTheBad
                last edited by Dec 21, 2018, 12:38 PM

                @nogbadthebad Thanks for the link, I'll try to reproduce these recommendations.

                • Derelict (Netgate)
                  last edited by Dec 21, 2018, 7:59 PM

                  You do not need outbound NAT on LAN at all. That is just silly.

                  You should be able to ping both interface addresses and the CARP VIP of the connected subnet if the rules on that interface allow it.

                  If you can ping the interface addresses but not the CARP VIP, check the ARP table of the device you are testing from to be sure it has all three ARP entries. The interface addresses should have the interface MAC address. The CARP VIP should have the CARP MAC.

                  If that is all in place, be sure the switch connecting everything has the CARP MAC in its MAC address table. It should be on the switch port that is currently connected to the CARP MASTER node.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)
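                  The ARP check Derelict describes, automated from the testing host's side as an added example (not code from the thread or from pfSense). It parses Linux `ip -4 neigh` output (constructed sample below; 192.168.1.250 stands in for the LAN VIP, the node addresses, MACs and VHID 5 are made up) and checks that the node interface addresses resolve to ordinary interface MACs while the VIP resolves to a CARP virtual MAC, which uses the VRRP prefix 00:00:5e:00:01 with the VHID as the last octet.

```python
import re
from typing import Dict, List, Optional

# Constructed "ip -4 neigh" output from a LAN host; not captured from the thread.
SAMPLE_NEIGH = """\
192.168.1.2 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.3 dev eth0 lladdr 00:11:22:33:44:02 STALE
192.168.1.250 dev eth0 lladdr 00:00:5e:00:01:05 REACHABLE
192.168.1.99 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
"""

# CARP (like VRRP) answers ARP for the VIP with 00:00:5e:00:01:<VHID>.
CARP_MAC_PREFIX = "00:00:5e:00:01:"

# Only lines with a resolved lladdr match; FAILED/INCOMPLETE entries are skipped.
_LINE_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\s+\S+", re.I)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IPv4 address -> lower-case MAC for every resolved neighbour entry."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_carp_arp(table: Dict[str, str], node_ips: List[str], vip: str,
                   vhid: Optional[int] = None) -> List[str]:
    """Return the problems found; an empty list means the three entries look right."""
    problems: List[str] = []
    for ip in node_ips:
        mac = table.get(ip)
        if mac is None:
            problems.append(f"no ARP entry for node address {ip}")
        elif mac.startswith(CARP_MAC_PREFIX):
            problems.append(f"node address {ip} resolves to CARP MAC {mac}, expected interface MAC")
    vip_mac = table.get(vip)
    if vip_mac is None:
        problems.append(f"no ARP entry for CARP VIP {vip}")
    else:
        if not vip_mac.startswith(CARP_MAC_PREFIX):
            problems.append(f"VIP {vip} resolves to {vip_mac}, which is not a CARP MAC")
        elif vhid is not None and int(vip_mac.split(":")[-1], 16) != vhid:
            problems.append(f"VIP {vip} MAC {vip_mac} does not carry VHID {vhid}")
        if vip_mac in {table[ip] for ip in node_ips if ip in table}:
            problems.append(f"VIP {vip} shares a MAC with a node interface address")
    return problems
```

On a real host run `ip -4 neigh` and feed its output to `parse_neigh`; a missing VIP entry or a non-CARP MAC on the VIP points at ARP/switch-side trouble rather than at NAT, which is the distinction Derelict draws.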
