Netgate Discussion Forum

    CARP WAN VIP public

    HA/CARP/VIPs
    21 Posts 3 Posters 2.1k Views
    • Yazur (last edited by Yazur)

      Hello,

      I would like to know the configuration required to be able to use a public VIP address as VIP CARP address for my WAN.

      I have two pfSense boxes, which are located at OVH in an ESX host; they both have two WAN interfaces, a LAN and an interface allowing "PFSYNC" synchronization.

      Note that WAN 1 is in one /28 subnet and WAN 2 is in another /28 subnet.

      The synchronization between the two pfsenses works as well as the MASTER/SLAVE role.

      But I feel like I’m not using the VIP WAN address from my LAN.
      When I go on my-ip.io I see my WAN 1 address of pfsense 1 and not the virtual WAN address of my two pfsense.

      So I tried to do 1:1 NAT and outbound NAT without success.
      Should IP aliases be used? Or some

      • JeGr LAYER 8 Moderator

        If your WAN1 address of pfs1 is used instead of the WAN1 VIP (i.e. the CARP address on WAN1), check your outbound NAT. You have to set it to manual in a CARP setup and change the outbound address according to your setup, e.g. leave localhost, 127.0.0.1, ::1 etc. on wan1-addr and change your LAN_network-to-WAN rule to your WAN1-VIP so it can fail over in case of downtime of node 1.

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

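The check behind this advice, as an added example that is not code from the thread or from pfSense: walk a CARP pair's outbound NAT rules and flag any client network that still translates to the node's own interface address instead of the CARP VIP. The element names follow the general shape of a pfSense config.xml (`<virtualip>/<vip>`, `<nat>/<outbound>/<rule>`) and are an assumption of this example; the config and all addresses (TEST-NET-3) are constructed.

```python
"""Added example for this thread (not code from the thread or from pfSense):
check a CARP pair's outbound NAT rules for failover safety.

Rule of thumb from the discussion: with manual or hybrid outbound NAT,
internal networks leaving via WAN must translate to the CARP VIP, not to the
node's own interface address; only firewall-local sources (127.0.0.0/8, ::1)
stay on the interface address.  The element names below follow the general
shape of a pfSense config.xml and are an assumption of this example; every
address is constructed (TEST-NET-3)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config: CARP VIP 203.0.113.10 on wan, node address 203.0.113.7.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.10</subnet><vhid>1</vhid></vip>
  </virtualip>
  <nat>
    <outbound>
      <mode>manual</mode>
      <rule>
        <interface>wan</interface>
        <source><network>127.0.0.0/8</network></source>
        <target></target>
        <descr>localhost to WAN (interface address is fine here)</descr>
      </rule>
      <rule>
        <interface>wan</interface>
        <source><network>172.16.26.0/24</network></source>
        <target></target>
        <descr>LAN to WAN</descr>
      </rule>
      <rule>
        <interface>wan</interface>
        <source><network>10.10.0.0/24</network></source>
        <target>203.0.113.10</target>
        <descr>OPT1 to WAN via CARP VIP</descr>
      </rule>
    </outbound>
  </nat>
</pfsense>
"""

# Sources that may (and should) keep the node's own address: the box itself.
FIREWALL_LOCAL = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def carp_vips(root):
    """Map interface name -> set of CARP VIP addresses declared in <virtualip>."""
    vips = {}
    for vip in root.iterfind("./virtualip/vip"):
        if vip.findtext("mode") == "carp":
            vips.setdefault(vip.findtext("interface"), set()).add(vip.findtext("subnet"))
    return vips


def is_firewall_local(network_text):
    """True when the rule's source is the firewall itself (loopback)."""
    try:
        net = ipaddress.ip_network(network_text, strict=False)
    except (ValueError, TypeError):
        return False  # aliases or missing source: treat as client traffic
    return any(net.version == n.version and net.subnet_of(n) for n in FIREWALL_LOCAL)


def check_outbound_nat(config_xml):
    """Return [(rule description, problem)] for rules that break CARP failover."""
    root = ET.fromstring(config_xml)
    problems = []
    mode = root.findtext("./nat/outbound/mode")
    if mode not in ("manual", "hybrid"):
        problems.append(("<mode>", f"outbound NAT mode is {mode!r}; automatic rules "
                                   "translate to the interface address"))
    vips = carp_vips(root)
    for rule in root.iterfind("./nat/outbound/rule"):
        iface = rule.findtext("interface")
        descr = rule.findtext("descr") or "(no description)"
        target = (rule.findtext("target") or "").strip()  # empty = interface address
        if is_firewall_local(rule.findtext("./source/network")):
            continue
        if not vips.get(iface):
            problems.append((descr, f"no CARP VIP is defined on {iface}"))
        elif target not in vips[iface]:
            problems.append((descr, f"translates to {target or 'the interface address'}, "
                                    f"expected a CARP VIP on {iface}"))
    return problems


if __name__ == "__main__":
    for descr, why in check_outbound_nat(SAMPLE_CONFIG):
        print(f"{descr}: {why}")
```

Run against the constructed config, only the "LAN to WAN" rule is reported: localhost is allowed to keep the interface address, and the OPT1 rule already targets the VIP. Switching the mode to automatic adds a second finding, since automatic rules always use the interface address.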
        • johnpoz LAYER 8 Global Moderator (last edited by johnpoz)

          Well, what do you have your outbound NAT set to? This needs to be set to the VIP.

          edit: hehehe @JeGr beat me to it on this one ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • JeGr LAYER 8 Moderator @johnpoz

            @johnpoz lucky accident ;)

            • Yazur (last edited by Yazur)

              Right now, that’s all I have:

              (DELETED) NAT OUTBOUND "PFSENSE 1"
              (DELETED) WAN_1 "PFSENSE 1"
              (DELETED) WAN_1 "PFSENSE 2"
              (DELETED) VIP "PFSENSE 1"
              (DELETED) CARP MASTER "PFSENSE 1"
              (DELETED) CARP SLAVE "PFSENSE 2"

              DELETED is my WAN VIP.

              I need to use DELETED as "gateway" to have an internet connection.

              • JeGr LAYER 8 Moderator

                The gateway has nothing to do with outbound NAT. The outbound NAT setting only specifies to what IP the internal IP gets "rewritten" so it can access the internet. So if you use a client within 172.16.26.0/24 you should have the VIP you want, right? Why not use that for those other subnets, too? As long as you rewrite to WAN1_address, that isn't safe to fail over.

                • Yazur (last edited by Yazur)

                  When I change the outbound NAT rules, I lose internet on the machines of the 172.16.26.0/24 network.

                  And when I set the outbound NAT back to default, I get internet but it does go through the WAN VIP.

                  • JeGr LAYER 8 Moderator

                    Change it to what? And does your VIP work at all beforehand? Did you check to ping with it (e.g. do a Diagnostics / Ping and explicitly select the WAN1 VIP there)? Also, what's the CARP status?

                    • Yazur (last edited by Yazur)

                      From my LAN "DELETED", when the outbound NAT rules are at default, I can ping DELETED as well as the two WAN_1 addresses of my two pfSense boxes.
                      When I change the outbound NAT rules as in the screenshot, I can ping DELETED and DELETED but not DELETED.

                      I edited one of my messages above to add information in screenshots.

                      • JeGr LAYER 8 Moderator (last edited by JeGr)

                        That isn't what I asked. Ping anything external, e.g. 1.1.1.1 or 8.8.8.8, not your firewall IPs from your LAN.
                        Or go to https://checkip.dyndns.org and see if you are online with your .10 CARP IP instead of your node 1 WAN 1 IP .7.

                        If that doesn't work, CHECK if your .7 IP works by pinging FROM pfSense WITH that IP to anything OUT there on the internet. Not from your LAN to your firewall.

                        • Yazur (last edited by Yazur)

                          When the NAT configuration is at default I can ping 8.8.8.8, but I go out through DELETED. When the NAT is configured I no longer have internet and I cannot ping DELETED or access the website that shows which IP we arrive on the internet with.

                          I can't ping 8.8.8.8 from DELETED using pfSense's ping interface.

                          (DELETED)

                          If you need other screenshots, tell me please.

                          • JeGr LAYER 8 Moderator

                            Right. So your .7 isn't working. Did you allow ICMP on WAN1 and check if your CARP VIP is reachable from WAN at all? Your node IP .10 seems to work, but maybe your CARP VIP doesn't or is blocked beforehand?

                            What's the output of Status / CARP on both nodes? Is that running master/backup correctly or is there some split brain? Can node1 WAN1 ping node2 WAN1?

                            • Yazur (last edited by Yazur)

                              ICMP is enabled on WAN_1:

                              (DELETED)

                              Ping WAN_1 to DELETED:

                              (DELETED)

                              The synchronization works well, both for the data changed on the master and for the takeover when an interface goes down.

                              ( DELETED ) CARP MASTER "PFSENSE 1"
                              ( DELETED ) CARP SLAVE "PFSENSE 2"

                              When I shut the WAN_1 interface on my first pfSense, the second becomes MASTER:

                              (DELETED)

                              PING WAN pfsense 1 to WAN pfsense 2:

                              (DELETED)

                              PING WAN pfsense 2 to WAN pfsense 1:

                              (DELETED)

                              "My provider is OVH"

                              • JeGr LAYER 8 Moderator (last edited by stephenw10)

                                @Yazur said in CARP WAN VIP public:

                                Ping WAN_1 to [removed]:

                                That's FROM THE BOX you are on; of course a box that has 2 IPs can ping both of them. I tried telling you to check it from somewhere on the internet. Check it from another site, a vserver, anywhere, but NOT the device or your LAN itself! How else can you see if pings even arrive at your firewall if you don't check from the outside web?

                                @Yazur said in CARP WAN VIP public:

                                The synchronization works well as it is for the data changed on the master as the relief when an interface falls.

                                That's not the sync but the CARP VIP. Sync is done via pfctl (states) and XMLRPC (config) on the sync interface. CARP/VRRP is spoken on all interfaces with a CARP style VIP address.

                                But CARP status seems good so the VIP is on node 1 and not in split-brain. But that doesn't tell us if it is working from the outside of your boxes/provider.

                                Use something like
                                https://www.ipaddressguide.com/ping
                                and check if your CARP VIP is responding at all. (hint: it is not!)

                                I checked your IPs from one of my servers and the only IP responding to ping from the web is [removed]. Neither .10 nor .7 does, so there's something wrong with the setup or your OVH environment, I'm afraid.

                                [@crimson:~] $ ping [removed]
                                PING [removed] ([removed]) 56(84) bytes of data.
                                ^C
                                --- [removed] ping statistics ---
                                3 packets transmitted, 0 received, 100% packet loss, time 2015ms
                                
                                
                                [@crimson:~] 2s 1 $ ping [removed]
                                PING [removed] ([removed]) 56(84) bytes of data.
                                64 bytes from [removed]: icmp_seq=1 ttl=52 time=7.87 ms
                                64 bytes from [removed]: icmp_seq=2 ttl=52 time=7.88 ms
                                64 bytes from [removed]: icmp_seq=3 ttl=52 time=7.82 ms
                                ^C
                                --- [removed] ping statistics ---
                                3 packets transmitted, 3 received, 0% packet loss, time 2003ms
                                rtt min/avg/max/mdev = 7.828/7.862/7.888/0.076 ms
                                
                                
                                [@crimson:~] 2s $ ping [removed]
                                PING [removed] ([removed]) 56(84) bytes of data.
                                ^C
                                --- [removed] ping statistics ---
                                4 packets transmitted, 0 received, 100% packet loss, time 3023ms
                                

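The "check it from the outside" step, as an added example that is not code from the thread: parse the statistics blocks of an iputils ping transcript like the one pasted above and say whether the CARP VIP and the node addresses answered from the internet. The transcript and the TEST-NET-3 addresses below are constructed stand-ins for the removed ones, and the interpretation of "node answers but VIP does not" is this example's reading of the moderator's advice.

```python
"""Added example for this thread (not code from the thread): summarise
"ping from the outside" results for a CARP WAN.

Reachability of a CARP VIP can only be judged from somewhere on the internet,
not from the box itself or its LAN.  This parses the statistics block that
iputils ping prints and reports whether the VIP and the node addresses
answered.  The transcript and addresses are constructed (TEST-NET-3)."""
import re

PING_LOG = """\
PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.
^C
--- 203.0.113.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms

PING 203.0.113.5 (203.0.113.5) 56(84) bytes of data.
64 bytes from 203.0.113.5: icmp_seq=1 ttl=52 time=7.87 ms
64 bytes from 203.0.113.5: icmp_seq=2 ttl=52 time=7.88 ms
64 bytes from 203.0.113.5: icmp_seq=3 ttl=52 time=7.82 ms
^C
--- 203.0.113.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 7.828/7.862/7.888/0.076 ms

PING 203.0.113.7 (203.0.113.7) 56(84) bytes of data.
^C
--- 203.0.113.7 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms
"""

# One statistics block: the "--- X ping statistics ---" header and the counter line.
STATS_RE = re.compile(
    r"^--- (?P<target>\S+) ping statistics ---\n"
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) received",
    re.MULTILINE,
)


def parse_ping_log(text):
    """Return {target: (sent, received)} for every statistics block in the log."""
    return {m["target"]: (int(m["sent"]), int(m["recv"])) for m in STATS_RE.finditer(text)}


def assess_carp_wan(results, vip, node_addrs):
    """Interpret external ping results for a CARP WAN.

    vip        -- the CARP address that should answer whichever node is master
    node_addrs -- the nodes' own WAN addresses (show whether ICMP reaches the subnet at all)
    """
    def answered(addr):
        sent, recv = results.get(addr, (0, 0))
        return sent > 0 and recv > 0

    findings = {
        "vip_reachable": answered(vip),
        "nodes_reachable": {addr: answered(addr) for addr in node_addrs},
    }
    if findings["vip_reachable"]:
        findings["verdict"] = "CARP VIP answers from the internet"
    elif any(findings["nodes_reachable"].values()):
        findings["verdict"] = ("a node address answers but the VIP does not: the VIP is not "
                               "active toward the internet (check CARP state, WAN rules and "
                               "whether the provider delivers the VIP's MAC)")
    else:
        findings["verdict"] = ("nothing answers: allow ICMP echo on WAN and confirm the "
                               "provider routes the subnet before blaming CARP")
    return findings


if __name__ == "__main__":
    results = parse_ping_log(PING_LOG)
    report = assess_carp_wan(results, vip="203.0.113.10",
                             node_addrs=["203.0.113.7", "203.0.113.5"])
    for addr, (sent, recv) in results.items():
        print(f"{addr}: {recv}/{sent} replies")
    print(report["verdict"])
```

Feed it the saved output of `ping` runs from a host outside the provider's network; only a reply to the VIP itself proves the CARP address is live on the path from the internet.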
                                • Yazur (last edited by Yazur)

                                  Can you test pinging DELETED again?

                                  Because I shut "DELETED" to test CARP ("DELETED becomes MASTER").

                                  (DELETED)

                                  • JeGr LAYER 8 Moderator @Yazur (last edited by stephenw10)

                                    @Yazur said in CARP WAN VIP public:

                                    Because i shut "[removed]" to test CARP "[removed] become MASTER".

                                    You did what? Now there's a split brain!? What did you do?

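What "split brain" means in CARP terms and how to spot it, as an added example that is not code from the thread or from pfSense: each VIP (vhid) must be MASTER on exactly one node, and two nodes both claiming MASTER for the same vhid means they do not hear each other's advertisements on that interface. The ifconfig lines below follow FreeBSD's `carp: STATE vhid N advbase N advskew N` format; the interface names, addresses (TEST-NET-3) and status are constructed.

```python
"""Added example for this thread (not code from the thread or from pfSense):
detect CARP split brain from both nodes' interface status.

State/config sync (pfsync + XMLRPC over the sync interface) is separate from
CARP itself, which is spoken on every interface carrying a CARP VIP.  Each
vhid must be MASTER on exactly one node.  The ifconfig output below follows
FreeBSD's "carp: STATE vhid N advbase N advskew N" line and is constructed."""
import re

NODE1_IFCONFIG = """\
vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.7 netmask 0xfffffff0 broadcast 203.0.113.15
\tinet 203.0.113.10 netmask 0xfffffff0 broadcast 203.0.113.15 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 172.16.26.2 netmask 0xffffff00 broadcast 172.16.26.255
\tinet 172.16.26.1 netmask 0xffffff00 broadcast 172.16.26.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""

# Node 2 also claims MASTER for vhid 1: it never sees node 1's advertisements on WAN.
NODE2_IFCONFIG = """\
vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.8 netmask 0xfffffff0 broadcast 203.0.113.15
\tinet 203.0.113.10 netmask 0xfffffff0 broadcast 203.0.113.15 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 100
vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 172.16.26.3 netmask 0xffffff00 broadcast 172.16.26.255
\tinet 172.16.26.1 netmask 0xffffff00 broadcast 172.16.26.255 vhid 2
\tcarp: BACKUP vhid 2 advbase 1 advskew 100
"""

IFACE_RE = re.compile(r"^(?P<iface>\S+): flags=")
CARP_RE = re.compile(r"^\s*carp: (?P<state>[A-Z]+) vhid (?P<vhid>\d+) advbase \d+ advskew (?P<skew>\d+)")


def parse_carp(ifconfig_text):
    """Return {(iface, vhid): (state, advskew)} from ifconfig output."""
    states, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m["iface"]
            continue
        m = CARP_RE.match(line)
        if m and iface:
            states[(iface, int(m["vhid"]))] = (m["state"], int(m["skew"]))
    return states


def diagnose(nodes):
    """nodes: {node name: parse_carp(...)}.  Return {(iface, vhid): verdict}."""
    verdicts = {}
    all_keys = set().union(*(s.keys() for s in nodes.values()))
    for key in sorted(all_keys):
        per_node = {name: states.get(key) for name, states in nodes.items()}
        missing = [n for n, v in per_node.items() if v is None]
        if missing:
            verdicts[key] = f"vhid not configured on {', '.join(missing)} (config sync?)"
            continue
        masters = [n for n, (state, _) in per_node.items() if state == "MASTER"]
        if len(masters) > 1:
            verdicts[key] = ("split brain: MASTER on " + " and ".join(masters) +
                             "; nodes do not see each other's CARP advertisements")
        elif not masters:
            verdicts[key] = "no MASTER: nobody owns the VIP"
        else:
            verdicts[key] = f"ok: MASTER on {masters[0]}"
    return verdicts


if __name__ == "__main__":
    result = diagnose({"node1": parse_carp(NODE1_IFCONFIG), "node2": parse_carp(NODE2_IFCONFIG)})
    for (iface, vhid), verdict in result.items():
        print(f"{iface} vhid {vhid}: {verdict}")
```

A WAN-only split brain like the constructed one, with the LAN vhid behaving, points at the WAN segment (the provider's virtual switch not passing multicast or the VIP's MAC) rather than at the pfSense configuration.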
                                    • Yazur (last edited by Yazur)

                                      I shut my WAN_1 interface on my first pfSense to test if CARP is ready.

                                      But now it's OK!

                                      • Yazur (last edited by Yazur)

                                        Could IPsec tunnels cause the problems I encounter?

                                        Because my ultimate goal is to have redundant IPsec tunnels through CARP. Currently I have this network diagram:

                                        (DELETED)

                                        I don't think that's the problem, but...
                                        I think it comes from the fact that DELETED has no internet access. For me there should be a bridge somewhere in this setup, which would be DELETED.

                                        I tried to change VIP WAN DELETED to VIP WAN DELETED.
                                        And it doesn't work any better.
                                        Unable to ping DELETED, and this address does not have internet access.

                                        Should it be mentioned somewhere that this address must communicate via DELETED? Because I didn't use it anywhere except DELETED in the NAT and the CARP VIP.

                                        • Yazur (last edited by Yazur)

                                          I have just seen that on both pfSense boxes I can ping DELETED from DELETED, but I cannot ping DELETED from DELETED.

                                          (DELETED) PING : DELETED --> DELETED
                                          (DELETED) PING : DELETED --> DELETED

                                          EDIT: this is normal; when the second pfSense is slave it is impossible to establish communication with the virtual IP, while when it becomes master it is fine.
                                          So everything is normal.

                                          • Yazur (last edited by Yazur)

                                            I would add that promiscuous mode is not enabled for our pfSense WAN interfaces.
                                            But it is enabled for our LAN and our "pfsync" interface (after asking OVH, because the master/slave role was not working).

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.