CARP/HA Issues
-
Hello everyone,
we have set up a CARP/HA cluster with 2 PfSense firewalls for the very first time. It seems to work, but it's not running smoothly, I guess. We faced some issues and I want to make sure that we did everything right regarding the settings and the rules.
Here you can see a graphic of our PfSense Cluster Network with sample IP addresses:
The problems we got might be normal due to our configuration; I would be glad about any advice that you guys can give me:
PfSense1 is on master and PfSense2 is on backup mode.
- When I connect via VPN to Pf1, I am able to log in to its WebGUI, but I can't log in to the WebGUI of PfSense2 to check the settings, for example. Is that normal?
- From time to time we were not able to make a VPN connection to Pf2.
- Not every setting was synchronized between Pf1 and Pf2; for example, the Virtual IPs were available on Pf1 but not on Pf2, and we did tick all the options in the Sync settings.
- Is it possible and usual to make a VPN connection to the CARP IP address instead of to Pf1 or Pf2? Because when we try this we get: "error in the policy match".
I will keep updating this topic when facing new issues, and I can also post our rules and settings if needed.
Thanks in advance.
Murat C.
-
@murat_89 said in CARP/HA Issues:
and we did click on all points in the Sync settings.
-
If you ticked all the options in the synchronization settings, only the VPN server on the pfSense master must be up.
-
The CARP virtual IP must be set manually on both pfSense nodes.
-
Have you set up manual NAT?
-
You can use 170.170.170.2 to log in to the WebGUI of PfSense2 to check the settings, or connect via VPN to the master and use another computer to access the WebGUI.
-
@murat_89 said in CARP/HA Issues:
Hello everyone,
we have set up a CARP/HA cluster with 2 PfSense firewalls for the very first time. It seems to work, but it's not running smoothly, I guess. We faced some issues and I want to make sure that we did everything right regarding the settings and the rules.
Here you can see a graphic of our PfSense Cluster Network with sample IP addresses:
The problems we got might be normal due to our configuration; I would be glad about any advice that you guys can give me:
PfSense1 is on master and PfSense2 is on backup mode.
- When I connect via VPN to Pf1, I am able to log in to its WebGUI, but I can't log in to the WebGUI of PfSense2 to check the settings, for example. Is that normal?
Yes it is normal.
https://www.netgate.com/docs/pfsense/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html
- Not every setting was synchronized between Pf1 and Pf2; for example, the Virtual IPs were available on Pf1 but not on Pf2, and we did tick all the options in the Sync settings.
That depends on the type of Virtual IPs:
https://www.netgate.com/docs/pfsense/firewall/virtual-ip-address-feature-comparison.html
For instance, IP Alias VIPs will not be synced because if they were, you'd have an address conflict with the same address on both nodes. You can stack an IP Alias VIP on the CARP VIP though, which is a nice, elegant solution.
I will keep updating this topic when facing new issues, and I can also post our rules and settings if needed.
Thanks in advance.
Murat C.
-
Of course. That is the desired configuration.
When you select the interface in the VPN configuration, select the CARP VIP instead.
That is an error text I have never seen. You'll have to be more specific about where that is happening and what you are doing at the time. Screenshots might help.
-
@derelict Hi, the CARP IP is already selected in the IPsec VPN configuration. Here you can see the error in the screenshot. Any ideas?
-
Not being able to read what looks like German, no idea.
-
@derelict I have to correct myself, sorry: the interface selected in the VPN configuration is WAN, but "My identifier" is the CARP VIP and "Peer identifier" is Any.
The message says: "Connection with de-ffm-cluster not possible... error in policy match".
-
Well, if the identifier doesn't match the address used, it will fail to match in IPsec.
It needs to be built with everything referencing the CARP VIP (or some other common identifier, like an FQDN that resolves to the CARP VIP). If this is IKEv2 with a server certificate, then the CN and SAN there need to match whatever the client thinks it is connecting to, or server certificate validation will fail.
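The mismatch described in the last two replies (phase 1 bound to the plain WAN interface while "My identifier" is the CARP VIP) can be caught by reading the node's config.xml before touching the tunnel. The script below is an added example and is not code from the forum thread, from the poster or from pfSense itself. It assumes the pfSense config.xml element names as the author understands them (`virtualip/vip` with `mode`, `interface`, `uniqid`, `subnet`; `ipsec/phase1` with `interface`, `myid_type`, `myid_data`) and that a phase 1 bound to a VIP stores the interface as `_vip` followed by the VIP's `uniqid`; both XML documents are constructed samples using the thread's 170.170.170.x addressing, and FQDN identifiers are not resolved.

```python
"""Check that a pfSense IPsec phase 1 references the CARP VIP consistently.

Added example, not part of the forum thread. Element names follow the
pfSense config.xml layout as the author understands them (assumption);
the XML below is constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's situation. A WAN CARP VIP exists, but the
# phase 1 is bound to the physical WAN address while My identifier is the VIP.
MISMATCHED_CONFIG = """<pfsense>
  <interfaces>
    <wan><ipaddr>170.170.170.1</ipaddr></wan>
  </interfaces>
  <virtualip>
    <vip>
      <mode>carp</mode>
      <interface>wan</interface>
      <vhid>1</vhid>
      <uniqid>5e0f1a2b3c4d5</uniqid>
      <subnet>170.170.170.3</subnet>
      <subnet_bits>24</subnet_bits>
    </vip>
  </virtualip>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <interface>wan</interface>
      <myid_type>address</myid_type>
      <myid_data>170.170.170.3</myid_data>
      <peerid_type>any</peerid_type>
    </phase1>
  </ipsec>
</pfsense>"""

# Constructed sample: same cluster, phase 1 bound to the CARP VIP instead.
# pfSense stores a VIP-bound interface as "_vip" + the VIP's uniqid (assumption).
FIXED_CONFIG = MISMATCHED_CONFIG.replace(
    "<interface>wan</interface>\n      <myid_type>",
    "<interface>_vip5e0f1a2b3c4d5</interface>\n      <myid_type>",
)


def load_addresses(xml_text):
    """Map physical interfaces and CARP VIPs to the addresses they carry."""
    root = ET.fromstring(xml_text)
    phys = {}  # interface name -> configured address
    for iface in root.find("interfaces"):
        addr = iface.findtext("ipaddr")
        if addr:
            phys[iface.tag] = addr
    carp = {}  # "_vip<uniqid>" -> (parent interface, VIP address)
    for vip in root.findall("virtualip/vip"):
        if vip.findtext("mode") == "carp":
            key = "_vip" + vip.findtext("uniqid")
            carp[key] = (vip.findtext("interface"), vip.findtext("subnet"))
    return phys, carp


def check_phase1(xml_text):
    """Return a list of findings; an empty list means the phase 1 is consistent."""
    root = ET.fromstring(xml_text)
    phys, carp = load_addresses(xml_text)
    findings = []
    for p1 in root.findall("ipsec/phase1"):
        ikeid = p1.findtext("ikeid")
        iface = p1.findtext("interface")
        myid_type = p1.findtext("myid_type")
        myid = p1.findtext("myid_data")
        if iface in carp:
            bound = carp[iface][1]
        elif iface in phys:
            # Bound to the node's own address: works only on this node and
            # does not follow the CARP master on failover.
            bound = phys[iface]
            findings.append(f"phase1 {ikeid}: bound to physical interface "
                            f"{iface} ({bound}) instead of the CARP VIP")
        else:
            bound = None
            findings.append(f"phase1 {ikeid}: unknown interface {iface!r}")
        # An address-type identifier must equal the address the tunnel is
        # actually built on, or the peer will fail to match the policy.
        if myid_type == "address" and bound and myid != bound:
            findings.append(f"phase1 {ikeid}: My identifier {myid} does not "
                            f"match the bound address {bound}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("mismatched", MISMATCHED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_phase1(cfg) or ["ok"])
```

Run it against a copy of `/cf/conf/config.xml` from each node (`load_addresses` and `check_phase1` take the XML text); a clean result on both nodes means the tunnel is built on the shared address and will follow whichever node is CARP master.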