Connect from CARP member to LAN device
-
Hello,
I have the following problem:
- CARP HA with 2 members
- Each member has multiple interfaces for different VLANs
- Each interface has a small subnet, in this example 10.0.16.0/28
- With virtual IPs, I extend the interfaces to make more subnets known. In this example, the problem-subnet is 10.0.0.16/28
The reason for the smaller subnets is that I can manage the firewall rules in more detail.
My problem now is that the routes for the virtual IPs are present only on the master CARP member.
So what I have:
pfSense 1 (master): 10.0.16.2
pfSense 2 (slave): 10.0.16.3
Interface CARP-IP: 10.0.16.1
Then I have added the IP 10.0.16.17/28 via virtual IP with CARP type as gateway.
On the second member, I can see only the route for 10.0.16.0/28.
The route for the subnet 10.0.16.16/28 is missing on the slave node. This means that the slave pfSense tries to route the LAN device IP 10.0.16.19 via WAN. This is wrong and will not work.
So the question:
How can I be sure that the routes are created on both sides, OR how can I tell pfSense to route the traffic maybe over the master appliance?
Any idea?
Thanks!
-
@jokabo said in Connect from CARP member to LAN device:
Then I have added the IP 10.0.16.17/28 via virtual IP with CARP type as gateway.
What? What is CARP type gateway here?
-
@jokabo
Does the secondary box have an IP address on the SGCORE interface in 10.0.16.16/28?
-
@viragomann said in Connect from CARP member to LAN device:
10.0.16.16/28
Hi,
No, because 10.0.16.16/28 is not an interface; it's just declared as a virtual IP.
But SGCORE with 10.0.16.0/28 is defined on primary and secondary. And the virtual IP is also known on the secondary. But the route is missing, and I think this is because the virtual IP is marked as "backup".
Thanks!
-
@jokabo
So you just have to add it as type IP alias on the master and select the proper CARP address as the interface; otherwise it doesn't fail over properly.
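A quick way to verify the symptom discussed above (connected route for the alias subnet present on the master but missing on the backup) after changing the virtual IP type: feed each node's `netstat -rn -f inet` output to a small check. This is an added example, not code from any poster or from pfSense; the two route tables below are constructed samples modelled on the addresses in this thread, and the interface names `em0`/`em1` are assumed.

```shell
#!/bin/sh
# Added example: check whether a subnet route exists on both CARP members.
# Collect "netstat -rn -f inet" from each node (e.g. over ssh) and pass it in.

# has_route ROUTE_TABLE_TEXT SUBNET -> exit 0 if a route for SUBNET is listed
has_route() {
    printf '%s\n' "$1" | awk -v net="$2" '$1 == net { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample: master carries the connected route for 10.0.16.16/28
# (the alias VIP), the backup only knows the interface subnet 10.0.16.0/28.
MASTER_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.16.0/28       link#2             U           em1
10.0.16.2          link#2             UHS         lo0
10.0.16.16/28      link#2             U           em1
10.0.16.17         link#2             UHS         lo0'

BACKUP_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.16.0/28       link#2             U           em1
10.0.16.3          link#2             UHS         lo0'

# compare_nodes SUBNET -> reports per node; returns 0 only if both have the route.
# A node without the route sends that subnet's traffic via its default (WAN) route,
# which is exactly the misrouting described in the thread.
compare_nodes() {
    net="$1"; rc=0
    for node in master backup; do
        if [ "$node" = master ]; then table="$MASTER_ROUTES"; else table="$BACKUP_ROUTES"; fi
        if has_route "$table" "$net"; then
            echo "$node: route for $net present"
        else
            echo "$node: route for $net MISSING (would follow default route)"
            rc=1
        fi
    done
    return $rc
}

if compare_nodes 10.0.16.16/28; then
    echo "route table symmetric for 10.0.16.16/28"
else
    echo "route table asymmetric: failover for 10.0.16.16/28 will not work"
fi
```

With real output from both nodes, run the check once before and once after switching the VIP to an IP alias bound to the CARP address; the backup should then list the subnet as well.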