VIPs not responding to clients
-
I'm new to PfSense, and am going crazy trying to get VIPs working.
I have two firewalls, in a lab environment. The primary one has WAN IP of 200.1.2.1/24 and LAN IP of 192.168.100.1/24. The secondary one has WAN IP of 200.1.2.2/24 and LAN IP of 192.168.100.2/24. They also have SYNC interfaces of 10.1.1.1/30 and 10.1.1.2/30 respectively.
I have CARP set up and working for Master/Backup HA, and all that is syncing perfectly on the SYNC interfaces.
I have created CARP VIPs for the WAN (of 200.1.2.254/24, vhid2) and LAN (of 192.168.100.254/24, vhid1). They are also syncing from Master to Backup.
Whichever firewall is the master at any given time can ping the VIPs (192.168.100.254 and 200.1.2.254), but the backup firewall cannot (I'm not sure whether that is normal behaviour).
All client devices on either the WAN or LAN networks can ping the primary interfaces of each firewall (192.168.100.1, 192.168.100.2, 200.1.2.1, 200.1.2.2) but cannot ping either of the VIPs. If I check the ARP table on the clients, however, I can see that they have successfully resolved the MAC address of their respective local VIP.
To rule out any firewall rules being the issue I currently have the LAN and WAN rules set to permit any protocol, from any source, to any destination (it's a lab environment so there's no danger there).
Is anyone able to assist me in identifying why the clients can communicate with the firewalls on their primary addresses, but not on the VIP addresses?
-
I'd recheck all settings gradually with the documentation: https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html
Did you watch the great HA hangout from Jim? https://www.netgate.com/resources/videos/high-availability-on-pfsense-24.html
- Rico
-
Almost always a problem with the switches.
Apply typical troubleshooting techniques. ARP, packet captures, etc.
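As an added example (not code from this thread or from pfSense), a small Python script that takes the `carp:` status lines from `ifconfig` on each node and flags a vhid with two MASTERs, which is the usual signature when switches drop CARP advertisements between the peers. The two `ifconfig` excerpts are constructed to match the addresses in the question.

```python
import re
from collections import defaultdict

# CARP status lines as printed by ifconfig on FreeBSD/pfSense, e.g.
#   carp: MASTER vhid 1 advbase 1 advskew 0
CARP_LINE = re.compile(r"carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)")

# Constructed sample output: the primary owns both VIPs, but the secondary
# also believes it is MASTER for vhid 2 (WAN), i.e. it never saw the
# primary's advertisements on that segment.
PRIMARY_IFCONFIG = """em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
\tinet 200.1.2.1 netmask 0xffffff00 broadcast 200.1.2.255
\tinet 200.1.2.254 netmask 0xffffff00 broadcast 200.1.2.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
\tinet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
\tinet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
"""
SECONDARY_IFCONFIG = """em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
\tinet 200.1.2.2 netmask 0xffffff00 broadcast 200.1.2.255
\tinet 200.1.2.254 netmask 0xffffff00 broadcast 200.1.2.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 100
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
\tinet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
\tinet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255 vhid 1
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
"""

def parse_carp_states(ifconfig_output):
    """Return {vhid: state} from the carp: lines of one node's ifconfig output."""
    return {int(m.group("vhid")): m.group("state") for m in CARP_LINE.finditer(ifconfig_output)}

def diagnose(nodes):
    """nodes: {node_name: ifconfig_output}. Return {vhid: verdict string}."""
    per_vhid = defaultdict(dict)
    for node, output in nodes.items():
        for vhid, state in parse_carp_states(output).items():
            per_vhid[vhid][node] = state
    verdicts = {}
    for vhid, states in sorted(per_vhid.items()):
        masters = sorted(n for n, s in states.items() if s == "MASTER")
        if len(masters) == 1:
            verdicts[vhid] = "ok"          # exactly one owner for the VIP
        elif masters:
            verdicts[vhid] = "split-brain" # peers not seeing each other's CARP traffic
        else:
            verdicts[vhid] = "no-master"   # nobody answers for the VIP at all
    return verdicts

if __name__ == "__main__":
    for vhid, verdict in diagnose({"primary": PRIMARY_IFCONFIG, "secondary": SECONDARY_IFCONFIG}).items():
        print(f"vhid {vhid}: {verdict}")
```

Paste the real `ifconfig` output of each node into the two strings; a `split-brain` verdict on a vhid points at the switch path for that segment (CARP advertisements to 224.0.0.18, IP protocol 112, being filtered), which is where the packet capture should go.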
-
OK, so I didn’t manage to work out what was specifically causing the problem. I was using a relatively old version of pfsense (2.3.3). I downloaded the latest version and redid the setup from scratch, and it just worked!