Netgate Discussion Forum

Failover & High Availability

• aslanov

Hi,

I have 2 pfSense on my site. I configured HA mode on both of them.
I would like to note that I have only 1 ISP provider public IPs and 1 gateway address from the ISP, and I distribute those public IPs to both my pfSense GWs.
Everything is working fine except only the WAN interface on the secondary pfSense. I don't know why, but the secondary pfSense can't reach the ISP gateway, while at the same time the primary pfSense can reach the ISP gateway.

Example:
Master pfSense WAN interface 10.0.0.8/24
Secondary pfSense WAN interface 10.0.0.9/24
Virtual IP: VIP WAN interface 10.0.0.10/24
My public gateway is: 10.0.0.1/24 (I configured only 1 GW)
• viragomann

That's the normal behavior with a single public IP. Since the only public IP is occupied by the master, the backup node has no IP in the subnet of the ISP's gateway, hence it cannot access it.

You can do a workaround where you go out over the master's LAN interface. To do so, you have to add the master's LAN IP as a gateway. Then create a gateway group and add the ISP's gateway as Tier 1 and the master's LAN IP as Tier 2. Set the trigger level to "Member Down" and set this gateway group as your default gateway.
You may do the same on the master by using the backup's LAN IP to have internet access on the first node as well, when the second is master.
• aslanov

I don't clearly understand what you mean. The second pfSense has a different WAN IP, 10.0.0.9/24. They both have the same GW from the ISP.

The strange point is that I can't ping my primary pfSense WAN interface from my secondary pfSense interface.
They are located on the same network.
• viragomann @aslanov

You wrote you have only one public IP. Hence this one public IP has to be your CARP VIP, while your primary interface IPs on master and backup will be in a private subnet.
However, your example doesn't match that, since you only mentioned private IPs. So maybe you should tell us your real IPs for clarification or use an example which matches what you describe.
• aslanov

I created the schematic diagram; you can see it in the attachment.

WAN Network: 10.0.0.0/24
LAN Network: 192.168.1.0/24

PFsense.png
• Pavel88 @viragomann

@viragomann
Please look
• viragomann @Pavel88

@Pavel88
🤔
• viragomann @aslanov

@aslanov
So you got a private IP and gateway from your ISP, not a public one as you stated.

Maybe you've messed something up with your outbound NAT.
There's a rule needed on the WAN interface for source 127.0.0.0/8 translating packets to the WAN address. Have you deleted that or edited it?
• Pavel88 @viragomann

@viragomann PFsense2.png

The rule is created on the pfSense master. On the pfSense backup it appears automatically.
• viragomann @Pavel88

@Pavel88 said in Failover & High Availability:

The rule is created on the pfSense master. On the pfSense backup it appears automatically.

Exactly.
But I wrote, the translation address has to be "WAN address", not something else.
• Pavel88 @viragomann

@viragomann said in Failover & High Availability:

Exactly.
But I wrote, the translation address has to be "WAN address", not something else.

It did not help.

PFsense3.PNG
• viragomann

Consider that that rule has to be placed at the top of the WAN rules, otherwise your other rules allowing any to any will hit the traffic.
• Pavel88 @viragomann

@viragomann said in Failover & High Availability:

Consider that that rule has to be placed at the top of the WAN rules, otherwise your other rules allowing any to any will hit the traffic.

That's cool! The GW is online, but only if I'm making a rule for any. The GW is online, but CARP does not work. If you disable the master pfSense, the internet is disconnected.

pfsense.PNG
• viragomann

You need both rules if your Outbound NAT is in manual mode. Is it?
However, in the second rule for the source any, the translation address has to be your CARP VIP.
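An added example, not from this thread or from pfSense itself, that models how pf evaluates the two outbound NAT rules discussed above (127.0.0.0/8 to "WAN address" first, then any to the CARP VIP) on the master and on the backup, using the addresses from the first post. The reply-path model (only the node in CARP MASTER state answers for the VIP) and the 127.0.0.1 source address are assumptions made for illustration:

```python
from ipaddress import ip_address, ip_network

# Addresses from the first post of the thread.
MASTER_WAN = "10.0.0.8"
BACKUP_WAN = "10.0.0.9"
CARP_VIP = "10.0.0.10"

# Outbound NAT rules as (source network, translation target). "WAN address"
# resolves to the node's own interface IP; the CARP VIP is shared by both.
RULE_LOOPBACK = (ip_network("127.0.0.0/8"), "WAN address")
RULE_ANY = (ip_network("0.0.0.0/0"), CARP_VIP)


def translate(rules, src, wan_address):
    """Outbound NAT the way pf applies it: top to bottom, first match wins.
    Returns the translated source IP, or None when no rule matches."""
    src = ip_address(src)
    for net, target in rules:
        if src in net:
            return wan_address if target == "WAN address" else target
    return None


def reply_receiver(translated, carp_master="master"):
    """Node that receives the reply to a packet with source `translated`.
    Assumption for this model: the VIP is answered only by the node currently
    in CARP MASTER state; an interface address is answered by its own node."""
    if translated == CARP_VIP:
        return carp_master
    return {MASTER_WAN: "master", BACKUP_WAN: "backup"}.get(translated)


def check_order(rules, node, wan_address, src="127.0.0.1"):
    """Translate a locally generated packet on `node` and report whether the
    reply would come back to that same node."""
    translated = translate(rules, src, wan_address)
    return translated, reply_receiver(translated) == node


if __name__ == "__main__":
    on_top = [RULE_LOOPBACK, RULE_ANY]    # 127.0.0.0/8 rule above the catch-all
    shadowed = [RULE_ANY, RULE_LOOPBACK]  # catch-all first: loopback rule never hit
    print("loopback rule on top (backup):", check_order(on_top, "backup", BACKUP_WAN))
    print("loopback rule shadowed (backup):", check_order(shadowed, "backup", BACKUP_WAN))
    print("loopback rule shadowed (master):", check_order(shadowed, "master", MASTER_WAN))
    print("LAN client via backup:", translate(on_top, "192.168.1.50", BACKUP_WAN))
```

With the catch-all on top, the backup's own traffic is translated to the VIP and its replies land on the master, while the master is unaffected because it owns the VIP anyway; that is why the misordering only shows up on the backup node.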
• Pavel88 @viragomann

@viragomann
In the case of the second rule for any addresses to the CARP VIP, the GW is offline again.
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.