Public CARP IP in LAN



  • Hi,

    I'm having trouble getting a public CARP IP working in the LAN (on a lab PFSense HA setup).

    Some details about the setup:

    • The LAN has a public network range. Let's say 1.2.3.0/26
    • I have disabled outbound NAT.
    • I have created firewall rules to allow WAN traffic to the LAN (for example a ping and SSH).
    • The PFSense have both an IP-address in another network range and a shared CARP address. Let's say 5.6.7.0/28 .

    Note: 1.2.3.0/26 and 5.6.7.0/28 are both example ranges; let's think of them as public IPs assigned by an ISP.

    IP details:
    PFSense box 1 - WAN: 5.6.7.1
    PFSense box 1 - LAN: 1.2.3.1

    PFSense box 2 - WAN: 5.6.7.2
    PFSense box 2 - LAN: 1.2.3.2

    PFSense shared - WAN (CARP): 5.6.7.3
    PFSense shared - LAN (CARP): 1.2.3.3

    Test server - LAN: 1.2.3.10

    1.2.3.10 is also added to the WAN interface of PFSense as a CARP address.

    Current results:

    • I can always ping the WAN CARP IP (5.6.7.3).
    • I can ping the test server from time to time (1.2.3.10). It works around 5 minutes and then it stops responding to ping for around 5 minutes. This process repeats itself.
    • When I try to SSH to the test server (1.2.3.10), I get 2 possible results: the SSH service of the PFSense master (not the test server!) or a timeout.

    Did I forget something to configure correctly?

    Please let me know when you need more details.

    Regards,
    Sander



  • I just looked a bit deeper into the logs and found some blocks by this rule:
    antispoof log for $WAN tracker 1000001570

    What's this? Is it some kind of default rule to prevent IP spoofing?


  • LAYER 8 Moderator

    Test server - LAN: 1.2.3.10
    1.2.3.10 is also added to the WAN interface of PFSense as a CARP address.

    Huh? Why would you add a LAN IP on the WAN interface!? That makes no sense? If you have 2 public IP ranges, the range you use in LAN should be forwarded/routed by your ISP to the CARP IP you used in the other public IP range. Is that the case? Otherwise how is traffic to 1.2.3.x supposed to know to hit your firewall in the first place!

    If you map that IP on your WAN side, then you can't use IPs from it on your LAN side. That would be totally confusing for the routing as IPs from the same subnet show up on both sides. Either get that second IP range routed to an IP in your first one (preferred for routing) or use a private subnet on LAN and do 1:1 NAT on your WAN with those other addresses.

    Greets



  • We have always used Proxy ARP for a single PFSense host setup, but now we are experimenting with an HA setup. So that's why I expected I could just change the type of the IP (1.2.3.10) from Proxy ARP to a CARP type of IP.

    Getting the LAN public IP range routed to the WAN CARP IP will be difficult (I guess my ISP won't do this). So are there any other solutions to get this working (in HA, without NAT and without routing requirements by our ISP)?


  • LAYER 8 Moderator

    in HA, without NAT and without routing requirements by our ISP)?

    If you wanna make it really easy, use a private IP subnet in your LAN with the same mask as your 1.2.3.4/26 network. Then you'd have to add every CARP IP on WAN from 1.2.3.x/26 you want to have in your LAN. Then create a 1:1 NAT entry, use the first IP from 1.2.3.4/26 as external, use the first IP from your new private network /26 as internal and add the mask /26 (!).
    As the entry tells you, that will map a whole range 1:1, so 1.2.3.1 will map to e.g. 10.2.3.1, .2 to .2 etc.

    All you have to maintain is

    a) the CARP VIPs (add as needed, as you map the whole /26 1:1 you don't have to add further mappings)
    b) the filter rules (on your WAN interface add allow rules as needed but keep in mind you'll have to write your rules for the private network on LAN as 1:1 NAT happens just before the filter rules will try and match)

    That's the easiest I can think of. It's dirty (as NAT always is), but if you can't get your /26 routed via the 5.6.7.8/28 network, that's all you can do. I'd try to push and ask them to route it, as every networking guy will tell you that it's not that nice to have different IP ranges on the same L2 network, so the networking/firewall guys from the ISP will sure be on your side ;)
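    The two pf mechanisms discussed in this thread, the antispoof rule from the OP's log and the moderator's network-to-network 1:1 NAT, as a pf.conf fragment. This is an added example, not the thread's own configuration and not the ruleset pfSense generates; the interface names, the 10.2.3.0/26 private LAN range and the macro names are assumptions, while the public prefixes are the thread's example ranges. In pfSense these settings are made in the GUI; the fragment shows what they amount to at the pf level.

```pf
# Added example (not from the thread or from pfSense's generated ruleset).
# Interface names and the private /26 are assumed; 1.2.3.0/26 is the
# thread's example public LAN prefix.

wan_if  = "em0"
lan_if  = "em1"
ext_net = "1.2.3.0/26"    # public /26 assigned by the ISP (thread's example)
int_net = "10.2.3.0/26"   # private /26 with the SAME mask (assumed)

# 1. The rule behind the OP's log line ("antispoof log for $WAN").
#    Per pf.conf(5), "antispoof for $wan_if" expands to rules of the form
#        block drop in on ! em0 inet from <networks configured on em0> to any
#    i.e. a packet arriving on any interface other than WAN with a source
#    address belonging to a network configured on WAN is dropped. A LAN host
#    whose address is also configured on WAN (as a CARP VIP, for instance)
#    therefore has its packets dropped on the LAN side by this rule.
antispoof log for $wan_if

# 2. Network-to-network 1:1 NAT (the moderator's fallback). Both sides must
#    carry the same netmask; host bits are preserved, so 10.2.3.10 maps to
#    1.2.3.10 and no per-host entry is needed. The public addresses still
#    need CARP VIPs on WAN so the firewall pair answers ARP for them.
binat on $wan_if from $int_net to any -> $ext_net

# 3. binat rewrites the destination before the filter rules are evaluated,
#    so WAN allow rules name the private address, as the thread points out.
pass in on $wan_if proto tcp  from any to 10.2.3.10 port 22
pass in on $wan_if proto icmp from any to 10.2.3.10 icmp-type echoreq
```

    With this in place, `pfctl -s nat` shows the binat entry and `pfctl -s rules` shows the expanded antispoof block rules, which is a quick way to check which WAN-side networks antispoof is protecting before putting any address from the LAN range on WAN.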



  • Thanks for the reply. I will once more ask my ISP to get the routing set up correctly. I don't want to use dirty solutions like NAT ;)



  • I have got the routing set up by my ISP now. Works nicely. :) Thanks again for your quick reply.

