Master on both firewalls on all LAN interfaces



  • Hi
    I have made an HA test setup (this is running on an ESXi platform) where I have:

    I have 2 pfSense version 2.3.2_1 boxes with the following config.
    4 WAN interfaces over 4 physical interfaces
    2 LAN interfaces over the same physical interfaces as VLAN
    1 sync interface over 1 physical interface

    WAN1: 172.16.0.0/24 DG:172.16.0.1 FW1:172.16.0.251 FW2:172.16.0.252 vIP:172.16.0.11/24
    WAN2: 172.17.0.0/24 DG:172.17.0.1 FW1:172.17.0.251 FW2:172.17.0.252 vIP:172.17.0.11/24
    WAN3: 172.18.0.0/24 DG:172.18.0.1 FW1:172.18.0.251 FW2:172.18.0.252 vIP:172.18.0.11/24
    WAN4: 172.19.0.0/24 DG:172.19.0.1 FW1:172.19.0.251 FW2:172.19.0.252 vIP:172.19.0.11/24

    LAN:
    VLAN 100: 172.20.0.0/24 FW1:172.20.0.251 FW2:172.20.0.252 vIP:172.20.0.1/24
    VLAN 200: 172.30.0.0/24 FW1:172.30.0.251 FW2:172.30.0.252 vIP:172.30.0.1/24

    So I have 4 vIPs on the WAN side and 2 vIPs on the LAN side.

    I have some problems with the configuration
    All vIPs on the WAN interfaces are, as they should be, in MASTER state on FW1 and in BACKUP state on FW2.
    But all vIPs on the LAN interfaces are MASTER on both FW1 and FW2.

    What have I done wrong with the LAN vIP interfaces?

    I have written my configuration here in a "home made" CLI config style. Sorry it is long, but here you can see all the steps I have made in the configuration, and also where I may have made an error.
    I also have trouble finding out the right way to make a NAT rule. As I see it now, I cannot make a single rule that sends the traffic to the gateway group, but have to make 4 rules, one for each WAN interface. I cannot understand this, because then it will always use the first rule and not round-robin over the 4 WAN interfaces. So there must be something I have missed.

    Thanks in advance
    Henning

    FW1

    Gateways
    Set WAN_VLAN_L197GW
    Set 172.16.0.1
    end
    Set WAN_VLAN_L1510GW
    set 172.17.0.1
    end
    Set WAN_VLAN_L2510GW
    set 172.18.0.1
    end
    Set WAN_VLAN_LTDCGW
    set 172.19.0.1
    end

    Vlans
    create Vlan
    Set interface vmx2
    Set Tag 100
    Set name VLAN_Prod
    set priority 0
    end
    Add Vlan 200
    Set interface vmx2
    Set Tag 200
    Set name VLAN_DMZ
    set priority 0
    end

    Interfaces
    Create interface
    Set interface vmx3
    Set name WAN_VLAN_L197
    Set ip 172.16.0.251/24
    Set gateway WAN_VLAN_L197GW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    Create interface
    Set interface vmx5
    Set name WAN_VLAN_L1510
    Set ip 172.17.0.251/24
    Set gateway WAN_VLAN_L1510GW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    Create interface
    Set interface vmx0
    Set name WAN_VLAN_L2510
    Set ip 172.18.0.251/24
    Set gateway WAN_VLAN_L2510GW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    create interface
    Set interface vmx1
    Set name WAN_VLAN_LTDC
    Set ip 172.19.0.251/24
    Set gateway WAN_VLAN_LTDCGW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    create interface
    Set interface vmx4
    Set name FW_HeartBeat
    Set ip 172.31.91.251/24
    Set gateway None
    Set Block Private network Disable
    Set Block bogon networks Disable
    end
    create interface
    Set interface vmx2_VLAN_Prod
    Set name LAN_VLAN100_Prod
    Set ip 172.20.0.251/24
    Set gateway None
    Set Block Private network Disable
    Set Block bogon networks Disable
    end
        create interface
    Set interface vmx2_VLAN_Prod
    Set name LAN_VLAN200_DMZ
    Set ip 172.30.0.251/24
    Set gateway None
    Set Block Private network Disable
    Set Block bogon networks Disable
    end

    System
    General
    Set host name FW1
    Set Domain test.dk
    Set DNS
    create dns DNS1 "DNS IP"
    Set interface WAN_VLAN_L197GW
    end
    create dns DNS2 "DNS IP"
    Set interface WAN_VLAN_L1510GW
    end
    create dns DNS1 "DNS IP"
    Set interface WAN_VLAN_L2510GW
    end
    create dns DNS1 "DNS IP"
    Set interface WAN_VLAN_LTDCGW
    end
    set timezone ETC/UTC
    set timeserver dk.pool.ntp.org
    end

    system
    Routing
    Gateways
    Set WAN_VLAN_L197GW
    Set Monitor ip "DNS1 IP"
    Set Weight 30
    end
    Set WAN_VLAN_L1510GW
    Set Monitor ip "DNS2 IP"
    Set Weight 30
    end
    Set WAN_VLAN_L2510GW
    Set Monitor ip "DNS3 IP"
    Set Weight 30
    end
    Set WAN_VLAN_LTDCGW
    Set Monitor ip "DNS4 IP"
    Set Weight 3
    end
    Gateway_Groups
    set name WANLB_GW
    Set interface WAN_VLAN_L197GW
    set Tier 1
    Set virtual_IP WAN_VLAN_L197_1
    end
    Set interface WAN_VLAN_L1510GW
    set Tier 1
    Set virtual_IP WAN_VLAN_L1510_1
    end
    Set interface WAN_VLAN_L2510GW
    set Tier 1
    Set virtual_IP WAN_VLAN_L2510_1
    end
    Set interface WAN_VLAN_TDCGW
    set Tier 1
    Set virtual_IP WAN_VLAN_TDC_1
    end
    Set trigger Member_Down
    end

    System
    High Availability
    Set Synchronize states enable
    Set interface FW_Heartbeat
    Set Peer_ip 172.31.91.252
    Set Config to IP 172.31.91.252
    Set user admin
    set password "WebConf-Password"
    Set option_to_sync All
    end

    FW2
    Gateways
    Set WAN_VLAN_L197GW
    Set 172.16.0.1
    end
    Set WAN_VLAN_L1510GW
    set 172.17.0.1
    end
    Set WAN_VLAN_L2510GW
    set 172.18.0.1
    end
    Set WAN_VLAN_LTDCGW
    set 172.19.0.1
    end

    Vlans
    create Vlan
    Set interface vmx2
    Set Tag 100
    Set name VLAN_Prod
    set priority 0
    end
    Add Vlan 200
    Set interface vmx2
    Set Tag 200
    Set name VLAN_DMZ
    set priority 0
    end

    Interfaces
    Create interface
    Set interface vmx3
    Set name WAN_VLAN_L197
    Set ip 172.16.0.252/24
    Set gateway WAN_VLAN_L197GW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    Create interface
    Set interface vmx5
    Set name WAN_VLAN_L1510
    Set ip 172.17.0.252/24
    Set gateway WAN_VLAN_L1510GW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    Create interface
    Set interface vmx0
    Set name WAN_VLAN_L2510
    Set ip 172.18.0.252/24
    Set gateway WAN_VLAN_L2510GW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    create interface
    Set interface vmx1
    Set name WAN_VLAN_TDC
    Set ip 172.19.0.252/24
    Set gateway WAN_VLAN_LTDCGW
    Set Block Private network Disable
    Set Block bogon networks enable
    end
    create interface
    Set interface vmx4
    Set name FW_HeartBeat
    Set ip 172.31.91.252/24
    Set gateway None
    Set Block Private network Disable
    Set Block bogon networks Disable
    end
    create interface
    Set interface vmx2_VLAN_Prod
    Set name LAN_VLAN100_Prod
    Set ip 172.20.0.252/24
    Set gateway None
    Set Block Private network Disable
    Set Block bogon networks Disable
    end
        create interface
    Set interface vmx2_VLAN_Prod
    Set name LAN_VLAN200_DMZ
    Set ip 172.30.0.252/24
    Set gateway None
    Set Block Private network Disable
    Set Block bogon networks Disable
    end

    System
    General
    Set host name FW2
    Set Domain test.dk
    Set DNS
    create dns DNS1 "DNS IP"
    Set interface WAN_VLAN_L197GW
    end
    create dns DNS2 "DNS IP"
    Set interface WAN_VLAN_L1510GW
    end
    create dns DNS1 "DNS IP"
    Set interface WAN_VLAN_L2510GW
    end
    create dns DNS1 "DNS IP"
    Set interface WAN_VLAN_LTDCGW
    end
    set timezone ETC/UTC
    set timeserver dk.pool.ntp.org
    end

    system
    Routing
    Gateways
    Set WAN_VLAN_L197GW
    Set Monitor ip "DNS1 IP"
    Set Weight 30
    end
    Set WAN_VLAN_L1510GW
    Set Monitor ip "DNS2 IP"
    Set Weight 30
    end
    Set WAN_VLAN_L2510GW
    Set Monitor ip "DNS3 IP"
    Set Weight 30
    end
    Set WAN_VLAN_LTDCGW
    Set Monitor ip "DNS4 IP"
    Set Weight 3
    end
    Gateway_Groups
    set name WANLB_GW
    Set interface WAN_VLAN_L197GW
    set Tier 1
    Set virtual_IP WAN_VLAN_L197_1
    end
    Set interface WAN_VLAN_L1510GW
    set Tier 1
    Set virtual_IP WAN_VLAN_L1510_1
    end
    Set interface WAN_VLAN_L2510GW
    set Tier 1
    Set virtual_IP WAN_VLAN_L2510_1
    end
    Set interface WAN_VLAN_TDCGW
    set Tier 1
    Set virtual_IP WAN_VLAN_TDC_1
    end
    Set trigger Member_Down
    end

    System
    High Availability
    Set Synchronize states enable
    Set interface FW_Heartbeat
    Set Peer_ip 172.31.91.251
    end

    FW1
    firewall
    Create Virtual_IP
    Set Type CARP
    Set interface WAN_VLAN_L197
    Set IP 172.16.0.11/24
    Set Password "VHID_PASSWORD"
    Set VHID 221
    Set Frequency
    Set Skew 1
    Set Name WAN_VLAN_L197_1
    End
    Create Virtual_IP
    Set Type CARP
    Set interface WAN_VLAN_L1510
    Set IP 172.17.0.11/24
    Set Password "VHID_PASSWORD"
    Set VHID 231
    Set Frequency
    Set Skew 1
    Set Name WAN_VLAN_L1510_1
    End
    Create Virtual_IP
    Set Type CARP
    Set interface WAN_VLAN_L2510
    Set IP 172.18.0.11/24
    Set Password "VHID_PASSWORD"
    Set VHID 241
    Set Frequency
    Set Skew 1
    Set Name WAN_VLAN_L2510_1
    End
    Create Virtual_IP
    Set Type CARP
    Set interface WAN_VLAN_TDC
    Set IP 172.19.0.11/24
    Set Password "VHID_PASSWORD"
    Set VHID 251
    Set Frequency
    Set Skew 1
    Set Name WAN_VLAN_TDC
    End
    Create Virtual_IP
    Set Type CARP
    Set interface LAN_VLAN100_Prod
    Set IP 172.20.0.1/24
    Set Password "VHID_PASSWORD"
    Set VHID 11
    Set Frequency
    Set Skew 1
    Set Name LAN_VLAN100_Prod_1
    End
    Create Virtual_IP
    Set Type CARP
    Set interface LAN_VLAN200_DMZ
    Set IP 172.30.0.1/24
    Set Password "VHID_PASSWORD"
    Set VHID 21
    Set Frequency
    Set Skew 1
    Set Name LAN_VLAN200_DMZ_1
    End

    end

    Firewall
    Create rule
    Set FW_HEARTBEAT
    Action Pass
    Interface FW_HEARTBEAT
    Address fam Pv4
    protocol any
    Source any
    Destination any
    Log enable
    Gateway default
    End
    Create rule
    Set LAN_VLAN100_Prod
    Action Pass
    Interface LAN_VLAN100_Prod
    Address fam Pv4
    protocol any
    Source LAN_VLAN100_Prod_net
    Destination any
    Log enable
    Gateway WANLB_GW
    End
    Create rule
    Set LAN_VLAN200_DMZ
    Action Pass
    Interface LAN_VLAN200_DMZ
    Address fam Pv4
    protocol any
    Source LAN_VLAN200_Prod_net
    Destination any
    Log enable
    Gateway WANLB_GW
    End
    Create Nat
    Set Type Outbound Manual
    Set interface WAN_VLAN_L197
    Protocol any
    Source network ip 172.20.0.0/24
    Set translation ip WAN_VLAN_L197_1
    Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_L197_1
    End
    Set Type Outbound Manual
    Set interface WAN_VLAN_L1510
    Protocol any
    Source network ip 172.20.0.0/24
    Set translation ip WAN_VLAN_L1510_1
    Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_L1510_1
    End
    Set Type Outbound Manual
    Set interface WAN_VLAN_L2510
    Protocol any
    Source network ip 172.20.0.0/24
    Set translation ip WAN_VLAN_L2510_1
    Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_L2510_1
    End
    Set Type Outbound Manual
    Set interface WAN_VLAN_TDC
    Protocol any
    Source network ip 172.20.0.0/24
    Set translation ip WAN_VLAN_TDC_1
    Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_TDC_1
    End
    End
    End



  • Hello,

    Make sure that your LANs can talk to each other (as in, LAN 1 on box 1 can talk to LAN 1 on box 2). If the two boxes cannot see each other's CARP advertisements on that VLAN, each one assumes the other is down and both become MASTER.

    I know that with ESXi, to make pfSense do the VLAN tagging itself, I had to set the VLAN ID in the ESXi switch properties -> Virtual machine port group -> General tab -> VLAN ID to All (4095).

    Hopefully this helps,
    jammcla

