Netgate Discussion Forum

    Interface LAN stay master

    Category: HA/CARP/VIPs
    15 Posts, 3 Posters, 1.6k Views
    dotdash

      I'm not 100% sure what you are asking, but if, for example, the master firewall has a WAN interface go down (let's say the cable gets knocked loose), then the virtual IPs on ALL the interfaces, LAN and WAN, should go into CARP backup so the other firewall can take over.

      Yazur @dotdash

        @dotdash

        This is exactly the question I asked.

        However, I do have a problem, if what you say is true.

        Because when a WAN cable disconnects, that interface becomes BACKUP and the same interface on the other pfSense becomes MASTER, BUT my other interfaces do not change state and remain MASTER on the first pfSense and BACKUP on the second.

        Would you like screenshots to understand better?

        I'll make you a small diagram:

        pfSense 1:

        WAN 1 = MASTER
        WAN 2 = MASTER
        LAN = MASTER

        pfSense 2:

        WAN 1 = BACKUP
        WAN 2 = BACKUP
        LAN = BACKUP

        If I unplug the WAN 1 cable from pfSense 1, this happens:

        pfSense 1:

        WAN 1 = BACKUP
        WAN 2 = MASTER
        LAN = MASTER

        pfSense 2:

        WAN 1 = MASTER
        WAN 2 = BACKUP
        LAN = BACKUP

        and if I cut the second WAN:

        pfSense 1:

        WAN 1 = BACKUP
        WAN 2 = BACKUP
        LAN = MASTER

        pfSense 2:

        WAN 1 = MASTER
        WAN 2 = MASTER
        LAN = BACKUP

        Then the people on my LAN no longer have access to the internet, because they always go through the first pfSense.

          dotdash

          This usually indicates a problem with the layer 2 connection. Verify each firewall can ping all interfaces of the other firewall.

            Derelict (Netgate)

            When a CARP interface loses link, all CARP interfaces on that node get demoted by an advskew of 240 for every down interface.

            This makes the backup assume MASTER functionality because it starts receiving CARP advertisements from the primary (on the interfaces that still have connectivity) with a higher advskew (240 if only one interface is down on the primary) than the default secondary advskew of 100.

            The secondary will assume MASTER on the interface that is down on the primary because it will stop receiving advertisements altogether.

            If this is not happening you have misconfigured your cluster. My first suspicion would be that the secondary can receive advertisements from the primary but the primary cannot receive advertisements from the secondary.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Yazur
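            As an added illustration of the election Derelict describes (this is not code from the thread or from pfSense): each node advertises its base advskew plus 240 for every down interface, and a node yields an interface only when it hears a peer advertising a lower skew. The model assumes two nodes pf1/pf2 with base skews 0/100, caps advskew at 254 (an assumption; the field is a single byte), shows a link-down interface as BACKUP as in the diagram above, and also models the one-way advertisement loss Derelict suspects.

```python
"""Toy model of the per-interface CARP election described in the post above."""

NODES = ("pf1", "pf2")                 # pf1 is the intended primary
IFACES = ("WAN1", "WAN2", "LAN")
BASE_SKEW = {"pf1": 0, "pf2": 100}     # default advskew of primary / secondary
DEMOTION = 240                         # added per down interface (from the post)
MAX_SKEW = 254                         # assumption: advskew travels in one byte


def effective_skew(node, link):
    """advskew the node advertises on every interface, after demotion."""
    down = sum(1 for up in link[node].values() if not up)
    return min(BASE_SKEW[node] + DEMOTION * down, MAX_SKEW)


def hears(receiver, sender, iface, link, blocked):
    """Does `receiver` see `sender`'s advertisements on `iface`?
    `blocked` holds (sender, receiver, iface) triples dropped in transit,
    e.g. by a broken layer-2 path or a misplaced firewall rule."""
    return (link[sender][iface] and link[receiver][iface]
            and (sender, receiver, iface) not in blocked)


def election(link, blocked=frozenset()):
    """Return {iface: {node: 'MASTER'|'BACKUP'}} for the given link table."""
    state = {iface: {} for iface in IFACES}
    for iface in IFACES:
        for me in NODES:
            peer = NODES[1] if me == NODES[0] else NODES[0]
            if not link[me][iface]:
                state[iface][me] = "BACKUP"     # no link: cannot hold the VIP
            elif (hears(me, peer, iface, link, blocked)
                  and effective_skew(peer, link) < effective_skew(me, link)):
                state[iface][me] = "BACKUP"     # peer advertises a better skew
            else:
                state[iface][me] = "MASTER"     # silence or worse skew: take over
    return state


def split_brain(state):
    """Interfaces where both nodes claim MASTER: the symptom of one-way
    advertisement loss, visible in Status > CARP (failover) on both nodes."""
    return [i for i, s in state.items() if all(v == "MASTER" for v in s.values())]


def links(**down):
    """Build a link table; links(pf1=['WAN1']) marks WAN1 on pf1 as down."""
    return {n: {i: i not in down.get(n, []) for i in IFACES} for n in NODES}
```

            Note that with every link up the one-way loss is invisible (pf2 still hears pf1's skew 0 and stays BACKUP); it only surfaces as a double MASTER once a cable is pulled, which is why a cluster should be failover-tested before it is trusted.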

              Thank you for your answers.
              I'm taking a closer look at that.

              Wouldn't the communication be over all interfaces or just the one used for the synchronization mentioned in "high availability synchronization in system"?

              I just checked that the interfaces can ping each other, and that is the case using the diagnostics ping tool provided by pfSense.

              Then I had configured a VLAN on the "CARP" interface and it is good.

              I added the following "access list" on all interfaces:

              [screenshot of the rule, not reproduced]

              I'll do some tests early next week.

              If you have ideas of bad configurations don't hesitate to let me know.

                Derelict (Netgate)

                Please read the sticky in this category.


                  Derelict (Netgate)

                  That rule makes absolutely no sense on a LAN interface. I don't think it makes any sense on any interface. See the above referenced sticky post.


                    Yazur

                    Thanks, I've been going over the sticky post again.
                    So it's the CARP protocol that toggles the state of the interfaces.
                    My problem comes from this protocol and more particularly the "layer 2" link which is not good.
                    Would it be interesting to change the protocol of the "Pfsync" rule to "CARP", if the problem comes from a firewall block because of an ACL?
                    Or doesn't it make sense?

                      Derelict (Netgate)

                      No.

                      You do not need to specifically pass CARP. It is passed automatically.

                      You probably want to read everything here:

                      https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html

                      And here:

                      https://docs.netgate.com/pfsense/en/latest/solutions/reference/highavailability/index.html

                      The second one is tailored to Netgate devices but the general principles are the same for all HA clusters.


                        Yazur

                        Thank you, I'm going to look at all this documentation and I'll come back to tell you the solution to the problem or more specific questions for more specific help.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.