CARP WAN VIP public

JeGr

That isn't what I asked. Ping anything external, e.g. 1.1.1.1 or 8.8.8.8. Not your Firewall IPs from your LAN.
Or do a https://checkip.dyndns.org and see if you are online with your .10 CARP IP instead of your node 1 wan 1 IP .7

If that doesn't work, CHECK if your .7 IP works by pinging FROM pfsense WITH that IP to anything OUT there in the internet. Not from your LAN to your firewall.

Yazur

When the NAT configuration is by default i ping 8.8.8.8 but I pass DELETED. When the NAT is configured I no longer have internet and I cannot ping DELETED access it to the website allowing to know by which ip we arrive on the internet.

I can’t ping 8.8.8.8 since DELETED thanks to pfsense’s ping interface.

(DELETED)

If you need others screenshots, tell me pls

JeGr

right. so your .7 isn't working. Did you allow ICMP on WAN1 and check if your CARP VIP is reachable from WAN at all? Your node IP .10 seems to work but maybe your CARP VIP doesn't or is blocked beforehand?

What's the output of Status / Carp on both nodes? Is that running master/backup correctly or is there some split brain? can node1 wan1 ping node2 wan1?

Yazur

ICMP is enabled on WAN_1:

(DELETED)

Ping WAN_1 to DELETED:

(DELETED)

The synchronization works well as it is for the data changed on the master as the relief when an interface falls.

( DELETED ) CARP MASTER "PFSENSE 1"
( DELETED ) CARP SLAVE "PFSENSE 2"

When i shut the WAN_1 interface on my first pfsense the second become MASTER:

(DELETED)

PING WAN pfsense 1 to WAN pfsense 2:

(DELETED)

PING WAN pfsense 2 to WAN pfsense 1:

(DELETED)

"My provider is OVH"

JeGr

@Yazur said in CARP WAN VIP public:

Ping WAN_1 to [removed]:

That's FROM THE BOX you are on, of course a box that has 2 IPs can ping both of them. I tried telling you to check it from somewhere on the internet. Check it from another site, a vserver, anywhere but NOT the device or your LAN itself! How else can you see if pings even arrives at your firewall if you don't check from the outside web?

@Yazur said in CARP WAN VIP public:

The synchronization works well as it is for the data changed on the master as the relief when an interface falls.

That's not the sync but the CARP VIP. Sync is done via pfctl (states) and XMLRPC (config) on the sync interface. CARP/VRRP is spoken on all interfaces with a CARP style VIP address.

But CARP status seems good so the VIP is on node 1 and not in split-brain. But that doesn't tell us if it is working from the outside of your boxes/provider.

Use something like
https://www.ipaddressguide.com/ping
and check if your CARP VIP is responding at all. (hint: it is not!)

I checked your IPs from one of my servers and the only IP responding to Ping from the web is [removed]. Neither do .10 or .7 so there's something wrong with the setup or your OVH environment I'm afraid.

[@crimson:~] $ ping [removed]
PING [removed] ([removed]) 56(84) bytes of data.
^C
--- [removed] ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms


[@crimson:~] 2s 1 $ ping [removed]
PING [removed] ([removed]) 56(84) bytes of data.
64 bytes from [removed]: icmp_seq=1 ttl=52 time=7.87 ms
64 bytes from [removed]: icmp_seq=2 ttl=52 time=7.88 ms
64 bytes from [removed]: icmp_seq=3 ttl=52 time=7.82 ms
^C
--- [removed] ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 7.828/7.862/7.888/0.076 ms


[@crimson:~] 2s $ ping [removed]
PING [removed] ([removed]) 56(84) bytes of data.
^C
--- [removed] ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms

Yazur

Can you test again ping DELETED?

Because i shut "DELETED" to test CARP "DELETED become MASTER".

(DELETED)

JeGr

@Yazur said in CARP WAN VIP public:

Because i shut "[removed]" to test CARP "[removed] become MASTER".

You did what? Now there's a split brain!? What did you do?

Yazur

I shut my wan_1 interface on my first pfsense to test if CARP is ready.

But now it's ok!

Yazur

Could ipsec tunnels cause the problems I encounter?

Because my ultimate goal is to have redundant ipsec tunnels through CARP. Currently I have this network diagram:

(DELETED)

I don’t think that’s the problem, but...
I think it comes from the fact that DELETED is not internet access. For me there should be a bridge in history that would be DELETED.

I tried to change VIP WAN DELETED to VIP WAN DELETED.
And it doesn’t work any better.
Unable to ping DELETED and this address does not have internet access.

Should it be mentioned somewhere that this address must communicate by DELETED. Because I didn’t use anywhere except DELETED in the nat and vip carp.

Yazur

I have just seen that on both pfsense I can ping DELETED from DELETED but I cannot ping DELETED since DELETED.

(DELETED) PING : DELETED --> DELETED
(DELETED) PING : DELETED --> DELETED

EDIT: this is normal, when the second pfsense is slave impossible to establish a communication with the virtual ip while when it passes master it is good.
So everything is normal.

Yazur

I add, that the promiscuity mode is not enabled for our wan pfsense interfaces.
But it's ok for our LAN and our interface "pfsync" (after asking OVH because the role of slave master was not done).

Yazur

PROBLEM SOLVED:

Call on OVH to activate the promiscuity mode on our WAN interfaces.

From now on everything is working, thank you for your help.