Netgate Discussion Forum

    Master on both firewalls on all LAN interfaces

    HA/CARP/VIPs
    2 Posts 2 Posters 933 Views
    hsv

      Hi
      I have made a HA test setup where I have (This is running on af ESXi platform)

      I have 2 Pfsense version 2.3.2_1 with the following config.
      4 WAN interfaces over 4 physical interfaces
      2 LAN interfaces over the same physical interfaces as VLAN
      1 sync interface over 1 physical interface

      WAN1: 172.16.0.0/24 DG:172.16.0.1 FW1:172.16.0.251 FW2:172.16.0.252 vIP:172.16.0.11/24
      WAN2: 172.17.0.0/24 DG:172.17.0.1 FW1:172.17.0.251 FW2:172.17.0.252 vIP:172.17.0.11/24
      WAN3: 172.18.0.0/24 DG:172.18.0.1 FW1:172.18.0.251 FW2:172.18.0.252 vIP:172.18.0.11/24
      WAN4: 172.19.0.0/24 DG:172.19.0.1 FW1:172.19.0.251 FW2:172.19.0.252 vIP:172.19.0.11/24

      LAN:
      VLAN 100: 172.20.0.0/24 FW1:172.20.0.251 FW2:172.20.0.252 vIP:172.20.0.1/24
      VLAN 200: 172.30.0.0/24 FW1:172.30.0.251 FW2:172.30.0.252 vIP:172.30.0.1/24

      So I have 4 vIPs on the WAN side and 2 vIPs on the LAN side.

      I have some problems with the configuration.
      All vIPs on the WAN interfaces are, as they should be, in master state on FW1 and in backup state on FW2.
      But all the LAN vIP interfaces are master on both FW1 and FW2.

      What have I done wrong with the LAN vIP interfaces?

      I have written my configuration here in a "home made" CLI config style. Sorry it is long, but here you can see all the steps I have made in the configuration, and also where I have possibly made an error.
      I also have trouble finding the right way to make a NAT rule. Because as I see it now, I cannot make a rule where I send the traffic to the gateway group, but have to make 4 rules, one for each WAN interface. And this I cannot understand, because then it will always use the first rule and not round-robin over the 4 WAN interfaces. So there must be something I have missed.

      Thanks in advance
      Henning

      FW1

      Gatewayes
      Set WAN_VLAN_L197GW
      Set 172.16.0.1
      end
      Set WAN_VLAN_L1510GW
      set 172.17.0.1
      end
      Set WAN_VLAN_L2510GW
      set 172.18.0.1
      end
      Set WAN_VLAN_LTDCGW
      set 172.19.0.1
      end

      Vlans
      create Vlan
      Set interface vmx2
      Set Tag 100
      Set name VLAN_Prod
      set priority 0
      end
      Add Vlan 200
      Set interface vmx2
      Set Tag 200
      Set name VLAN_DMZ
      set priority 0
      end

      Interfaces
      Create interface
      Set interface vmx3
      Set name WAN_VLAN_L197
      Set ip 172.16.0.251/24
      Set gateway WAN_VLAN_L197GW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      Create interface
      Set interface vmx5
      Set name WAN_VLAN_L1510
      Set ip 172.17.0.251/24
      Set gateway WAN_VLAN_L1510GW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      Create interface
      Set interface vmx0
      Set name WAN_VLAN_L2510
      Set ip 172.18.0.251/24
      Set gateway WAN_VLAN_L2510GW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      create interface
      Set interface vmx1
      Set name WAN_VLAN_LTDC
      Set ip 172.19.0.251/24
      Set gateway WAN_VLAN_LTDCGW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      create interface
      Set interface vmx4
      Set name FW_HeartBeat
      Set ip 172.31.91.251/24
      Set gateway None
      Set Block Private network Disable
      Set Block bogon networks Disable
      end
      create interface
      Set interface vmx2_VLAN_Prod
      Set name LAN_VLAN100_Prod
      Set ip 172.20.0.251/24
      Set gateway None
      Set Block Private network Disable
      Set Block bogon networks Disable
      end
      create interface
      Set interface vmx2_VLAN_Prod
      Set name LAN_VLAN200_DMZ
      Set ip 172.30.0.251/24
      Set gateway None
      Set Block Private network Disable
      Set Block bogon networks Disable
      end

      System
      Generel
      Set host name FW1
      Set Domain test.dk
      Set DNS
      create dns DNS1 "DNS IP"
      Set interface WAN_VLAN_L197GW
      end
      create dns DNS2 "DNS IP"
      Set interface WAN_VLAN_L1510GW
      end
      create dns DNS1 "DNS IP"
      Set interface WAN_VLAN_L2510GW
      end
      create dns DNS1 "DNS IP"
      Set interface WAN_VLAN_LTDCGW
      end
      set timezone ETC/UTC
      set timeserver dk.pool.ntp.org
      end

      system
      Routing
      Gatewayes
      Set WAN_VLAN_L197GW
      Set Monitor ip "DNS1 IP"
      Set Weight 30
      end
      Set WAN_VLAN_L1510GW
      Set Monitor ip "DNS2 IP"
      Set Weight 30
      end
      Set WAN_VLAN_L2510GW
      Set Monitor ip "DNS3 IP"
      Set Weight 30
      end
      Set WAN_VLAN_LTDCGW
      Set Monitor ip "DNS4 IP"
      Set Weight 3
      end
      Gateway_Groups
      set name WANLB_GW
      Set interface WAN_VLAN_L197GW
      set Tier 1
      Set virtual_IP WAN_VLAN_L197_1
      end
      Set interface WAN_VLAN_L1510GW
      set Tier 1
      Set virtual_IP WAN_VLAN_L1510_1
      end
      Set interface WAN_VLAN_L2510GW
      set Tier 1
      Set virtual_IP WAN_VLAN_L2510_1
      end
      Set interface WAN_VLAN_TDCGW
      set Tier 1
      Set virtual_IP WAN_VLAN_TDC_1
      end
      Set trigget Member_Down
      end

      System
      HighAwailability
      Set Synchronize states enable
      Set interface FW_Heartbeat
      Set Peer_ip 172.31.91.252
      Set Config to IP 172.31.91.252
      Set user admin
      set password "WebConf-Password"
      Set option_to_sync All
      end

      FW2
      Gatewayes
      Set WAN_VLAN_L197GW
      Set 172.16.0.1
      end
      Set WAN_VLAN_L1510GW
      set 172.17.0.1
      end
      Set WAN_VLAN_L2510GW
      set 172.18.0.1
      end
      Set WAN_VLAN_LTDCGW
      set 172.19.0.1
      end

      Vlans
      create Vlan
      Set interface vmx2
      Set Tag 100
      Set name VLAN_Prod
      set priority 0
      end
      Add Vlan 200
      Set interface vmx2
      Set Tag 200
      Set name VLAN_DMZ
      set priority 0
      end

      Interfaces
      Create interface
      Set interface vmx3
      Set name WAN_VLAN_L197
      Set ip 172.16.0.252/24
      Set gateway WAN_VLAN_L197GW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      Create interface
      Set interface vmx5
      Set name WAN_VLAN_L1510
      Set ip 172.17.0.252/24
      Set gateway WAN_VLAN_L1510GW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      Create interface
      Set interface vmx0
      Set name WAN_VLAN_L2510
      Set ip 172.18.0.252/24
      Set gateway WAN_VLAN_L2510GW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      create interface
      Set interface vmx1
      Set name WAN_VLAN_TDC
      Set ip 172.19.0.252/24
      Set gateway WAN_VLAN_LTDCGW
      Set Block Private network Disable
      Set Block bogon networks enable
      end
      create interface
      Set interface vmx4
      Set name FW_HeartBeat
      Set ip 172.31.91.252/24
      Set gateway None
      Set Block Private network Disable
      Set Block bogon networks Disable
      end
      create interface
      Set interface vmx2_VLAN_Prod
      Set name LAN_VLAN100_Prod
      Set ip 172.20.0.252/24
      Set gateway None
      Set Block Private network Disable
      Set Block bogon networks Disable
      end
      create interface
      Set interface vmx2_VLAN_Prod
      Set name LAN_VLAN200_DMZ
      Set ip 172.30.0.252/24
      Set gateway None
      Set Block Private network Disable
      Set Block bogon networks Disable
      end

      System
      Generel
      Set host name FW2
      Set Domain test.dk
      Set DNS
      create dns DNS1 "DNS IP"
      Set interface WAN_VLAN_L197GW
      end
      create dns DNS2 "DNS IP"
      Set interface WAN_VLAN_L1510GW
      end
      create dns DNS1 "DNS IP"
      Set interface WAN_VLAN_L2510GW
      end
      create dns DNS1 "DNS IP"
      Set interface WAN_VLAN_LTDCGW
      end
      set timezone ETC/UTC
      set timeserver dk.pool.ntp.org
      end

      system
      Routing
      Gatewayes
      Set WAN_VLAN_L197GW
      Set Monitor ip "DNS1 IP"
      Set Weight 30
      end
      Set WAN_VLAN_L1510GW
      Set Monitor ip "DNS2 IP"
      Set Weight 30
      end
      Set WAN_VLAN_L2510GW
      Set Monitor ip "DNS3 IP"
      Set Weight 30
      end
      Set WAN_VLAN_LTDCGW
      Set Monitor ip "DNS4 IP"
      Set Weight 3
      end
      Gateway_Groups
      set name WANLB_GW
      Set interface WAN_VLAN_L197GW
      set Tier 1
      Set virtual_IP WAN_VLAN_L197_1
      end
      Set interface WAN_VLAN_L1510GW
      set Tier 1
      Set virtual_IP WAN_VLAN_L1510_1
      end
      Set interface WAN_VLAN_L2510GW
      set Tier 1
      Set virtual_IP WAN_VLAN_L2510_1
      end
      Set interface WAN_VLAN_TDCGW
      set Tier 1
      Set virtual_IP WAN_VLAN_TDC_1
      end
      Set trigget Member_Down
      end

      System
      HighAwailability
      Set Synchronize states enable
      Set interface FW_Heartbeat
      Set Peer_ip 172.31.91.251
      end

      FW1
      firewall
      Create Virtual_IP
      Set Type CARP
      Set interface WAN_VLAN_L197
      Set IP 172.16.0.11/24
      Set Password "VHID_PASSWORD"
      Set VHID 221
      Set Frequency
      Set Skew 1
      Set Name WAN_VLAN_L197_1
      End
      Create Virtual_IP
      Set Type CARP
      Set interface WAN_VLAN_L1510
      Set IP 172.17.0.11/24
      Set Password "VHID_PASSWORD"
      Set VHID 231
      Set Frequency
      Set Skew 1
      Set Name WAN_VLAN_L1510_1
      End
      Create Virtual_IP
      Set Type CARP
      Set interface WAN_VLAN_L2510
      Set IP 172.18.0.11/24
      Set Password "VHID_PASSWORD"
      Set VHID 241
      Set Frequency
      Set Skew 1
      Set Name WAN_VLAN_L2510_1
      End
      Create Virtual_IP
      Set Type CARP
      Set interface WAN_VLAN_TDC
      Set IP 172.19.0.11/24
      Set Password "VHID_PASSWORD"
      Set VHID 251
      Set Frequency
      Set Skew 1
      Set Name WAN_VLAN_TDC
      End
      Create Virtual_IP
      Set Type CARP
      Set interface LAN_VLAN100_Prod
      Set IP 172.20.0.1/24
      Set Password "VHID_PASSWORD"
      Set VHID 11
      Set Frequency
      Set Skew 1
      Set Name LAN_VLAN100_Prod_1
      End
      Create Virtual_IP
      Set Type CARP
      Set interface LAN_VLAN200_DMZ
      Set IP 172.30.0.1/24
      Set Password "VHID_PASSWORD"
      Set VHID 21
      Set Frequency
      Set Skew 1
      Set Name LAN_VLAN200_DMZ_1
      End

      end

      Firewall
      Create rule
      Set FW_HEARTBEAT
      Action Pass
      Interface FW_HEARTBEAT
      Address fam Pv4
      protocol any
      Source any
      Destination any
      Log enable
      Gateway default
      End
      Create rule
      Set LAN_VLAN100_Prod
      Action Pass
      Interface LAN_VLAN100_Prod
      Address fam Pv4
      protocol any
      Source LAN_VLAN100_Prod_net
      Destination any
      Log enable
      Gateway WANLB_GW
      End
      Create rule
      Set LAN_VLAN200_DMZ
      Action Pass
      Interface LAN_VLAN200_DMZ
      Address fam Pv4
      protocol any
      Source LAN_VLAN200_Prod_net
      Destination any
      Log enable
      Gateway WANLB_GW
      End
      Create Nat
      Set Type Outbound Manual
      Set interface WAN_VLAN_L197
      Protocol any
      Source network ip 172.20.0.0/24
      Set translation ip WAN_VLAN_L197_1
      Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_L197_1
      End
      Set Type Outbound Manual
      Set interface WAN_VLAN_L1510
      Protocol any
      Source network ip 172.20.0.0/24
      Set translation ip WAN_VLAN_L1510_1
      Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_L1510_1
      End
      Set Type Outbound Manual
      Set interface WAN_VLAN_L2510
      Protocol any
      Source network ip 172.20.0.0/24
      Set translation ip WAN_VLAN_L2510_1
      Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_L2510_1
      End
      Set Type Outbound Manual
      Set interface WAN_VLAN_TDC
      Protocol any
      Source network ip 172.20.0.0/24
      Set translation ip WAN_VLAN_TDC_1
      Set description Created rule - LAN_VLAN100_PROD NET to WAN_VLAN_TDC_1
      End
      End
      End

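The second question in the post, why outbound NAT ends up as four per-WAN rules instead of one rule pointing at WANLB_GW, comes down to where each decision is made: the LAN firewall rule with Gateway WANLB_GW chooses the egress WAN for each new state (weighted round-robin over the tier-1 members, using the Weight values from the gateway config), and outbound NAT is then matched only on the interface the packet leaves on. Exactly one of the four rules applies to any given state, so they do not compete with each other. The Python model below is an added example, not pfSense code and not from the thread; the gateway names, weights and VIP addresses follow the posted configuration, and the round-robin pool (each member repeated Weight times) is a simplification of pf's route-to pool.

```python
"""Model: gateway-group policy routing, then per-WAN outbound NAT.

Added example, not pfSense code and not from the thread. Names, weights and
CARP VIP addresses follow the posted configuration; the selection logic is a
simplification of pf's weighted round-robin route-to pool.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class WanMember:
    gateway: str        # gateway name from Routing > Gateways
    iface: str          # interface that gateway lives on
    weight: int         # Weight from the gateway config
    up: bool = True     # False once the monitor marks the member down


# Tier-1 members of WANLB_GW with the weights from the post (30/30/30/3).
WANLB_GW_MEMBERS: List[WanMember] = [
    WanMember("WAN_VLAN_L197GW", "WAN_VLAN_L197", 30),
    WanMember("WAN_VLAN_L1510GW", "WAN_VLAN_L1510", 30),
    WanMember("WAN_VLAN_L2510GW", "WAN_VLAN_L2510", 30),
    WanMember("WAN_VLAN_LTDCGW", "WAN_VLAN_TDC", 3),
]

# Manual outbound NAT, one rule per WAN interface as in the post. The rule is
# keyed by the interface the packet LEAVES on; the translation address is that
# WAN's CARP VIP from the post's address table.
OUTBOUND_NAT: Dict[str, Tuple[ipaddress.IPv4Network, str]] = {
    "WAN_VLAN_L197": (ipaddress.ip_network("172.20.0.0/24"), "172.16.0.11"),
    "WAN_VLAN_L1510": (ipaddress.ip_network("172.20.0.0/24"), "172.17.0.11"),
    "WAN_VLAN_L2510": (ipaddress.ip_network("172.20.0.0/24"), "172.18.0.11"),
    "WAN_VLAN_TDC": (ipaddress.ip_network("172.20.0.0/24"), "172.19.0.11"),
}


class GatewayGroup:
    """Weighted round-robin over the healthy members: each member appears
    `weight` times in the pool, so new states are shared 30:30:30:3."""

    def __init__(self, members: List[WanMember]) -> None:
        self.members = members
        self._next = 0

    def pool(self) -> List[WanMember]:
        return [m for m in self.members if m.up for _ in range(m.weight)]

    def pick(self) -> Optional[WanMember]:
        pool = self.pool()
        if not pool:
            return None           # every member down: nothing to route to
        member = pool[self._next % len(pool)]
        self._next += 1
        return member


def outbound_nat(egress_iface: str, src_ip: str) -> str:
    """Apply the outbound NAT rule bound to the egress interface, if any."""
    rule = OUTBOUND_NAT.get(egress_iface)
    if rule and ipaddress.ip_address(src_ip) in rule[0]:
        return rule[1]
    return src_ip                 # no matching rule: source leaves untranslated


def new_connection(group: GatewayGroup, src_ip: str) -> Optional[Tuple[str, str]]:
    """One new state: policy routing picks the WAN, then NAT on that WAN."""
    member = group.pick()
    if member is None:
        return None
    return member.iface, outbound_nat(member.iface, src_ip)


def simulate(group: GatewayGroup, src_ip: str, n: int) -> Dict[str, int]:
    """How many of n new states land on each WAN interface."""
    counts: Counter = Counter()
    for _ in range(n):
        result = new_connection(group, src_ip)
        if result:
            counts[result[0]] += 1
    return dict(counts)


def with_member_down(members: List[WanMember], gateway: str) -> List[WanMember]:
    """Copy of the member list with one gateway marked down (Member_Down trigger)."""
    return [replace(m, up=False) if m.gateway == gateway else m for m in members]


if __name__ == "__main__":
    print("all up:   ", simulate(GatewayGroup(WANLB_GW_MEMBERS), "172.20.0.10", 93))
    degraded = GatewayGroup(with_member_down(WANLB_GW_MEMBERS, "WAN_VLAN_LTDCGW"))
    print("TDC down: ", simulate(degraded, "172.20.0.10", 90))
    print("first state:", new_connection(GatewayGroup(WANLB_GW_MEMBERS), "172.20.0.10"))
```

Over 93 new states the model hands 30 to each of the three weight-30 WANs and 3 to the weight-3 one, each translated to its own WAN's CARP VIP, and when a member is marked down its rule simply never matches. Note that the posted NAT rules only cover 172.20.0.0/24: in this model, as in the posted config, a source in the DMZ VLAN (172.30.0.0/24) leaves untranslated on every WAN.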
      jammcla

        Hello,

        Make sure that your LANs can talk to each other (as in, LAN 1 on box 1 can talk to LAN 1 on box 2).

        I know with ESXi, to make pfSense do the VLANing I had to set the VLAN ID in the ESXi switch properties -> Virtual machine port group -> General tab -> VLAN ID to All (4095).

        Hopefully this helps,
        jammcla

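The symptom in the question (every LAN VHID MASTER on both nodes while the WAN VHIDs fail over normally) and the fix jammcla points at (the ESXi port group must pass the tagged VLANs, VLAN ID 4095) describe the same failure: CARP advertisements on the LAN VLANs never reach the peer, so each node elects itself. The Python script below is an added example, not code from the thread or from pfSense, that parses the CARP status lines FreeBSD's ifconfig prints for each VIP on each node and flags VHIDs that are MASTER on both. The ifconfig output is constructed, not captured from the poster's firewalls; its VHIDs follow the post (221 to 251 on the WANs, 11 and 21 on the LAN VLANs), and the VLAN interface names vmx2_vlan100 / vmx2_vlan200 assume pfSense's naming for the two VLANs on vmx2.

```python
"""Flag CARP VHIDs that are MASTER on both nodes of a pfSense HA pair.

Added example, not code from the thread or from pfSense. It parses the
"carp: STATE vhid N advbase A advskew S" lines that ifconfig prints on
FreeBSD/pfSense under each CARP VIP's parent interface, then compares the
two nodes VHID by VHID.
"""
import re
from typing import Dict, List

CARP_RE = re.compile(
    r"carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)"
    r"\s+advbase\s+(?P<advbase>\d+)\s+advskew\s+(?P<advskew>\d+)"
)
IFACE_RE = re.compile(r"^(?P<iface>[A-Za-z0-9_.]+):\s+flags=")

# Constructed sample output (not captured from the poster's firewalls). Lines
# the parser does not recognise, such as the inet lines, are ignored.
FW1_IFCONFIG = """\
vmx3: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 172.16.0.251 netmask 0xffffff00 broadcast 172.16.0.255
    inet 172.16.0.11 netmask 0xffffff00 broadcast 172.16.0.255 vhid 221
    carp: MASTER vhid 221 advbase 1 advskew 1
vmx5: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 231 advbase 1 advskew 1
vmx0: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 241 advbase 1 advskew 1
vmx1: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 251 advbase 1 advskew 1
vmx2_vlan100: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 172.20.0.1 netmask 0xffffff00 broadcast 172.20.0.255 vhid 11
    carp: MASTER vhid 11 advbase 1 advskew 1
vmx2_vlan200: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 21 advbase 1 advskew 1
"""
FW2_IFCONFIG = """\
vmx3: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 221 advbase 1 advskew 100
vmx5: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 231 advbase 1 advskew 100
vmx0: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 241 advbase 1 advskew 100
vmx1: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 251 advbase 1 advskew 100
vmx2_vlan100: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 11 advbase 1 advskew 100
vmx2_vlan200: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 21 advbase 1 advskew 100
"""


def parse_carp(ifconfig_text: str) -> Dict[int, dict]:
    """Map vhid -> {iface, state, advbase, advskew} for one node's ifconfig."""
    vips: Dict[int, dict] = {}
    iface = None
    for line in ifconfig_text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            iface = head.group("iface")      # remember the parent interface
            continue
        m = CARP_RE.search(line)
        if m and iface is not None:
            vips[int(m.group("vhid"))] = {
                "iface": iface,
                "state": m.group("state"),
                "advbase": int(m.group("advbase")),
                "advskew": int(m.group("advskew")),
            }
    return vips


def check_pair(primary: Dict[int, dict], secondary: Dict[int, dict]) -> List[dict]:
    """Compare both nodes and return one finding per problem seen."""
    findings: List[dict] = []
    for vhid in sorted(set(primary) | set(secondary)):
        a, b = primary.get(vhid), secondary.get(vhid)
        if a is None or b is None:
            findings.append({"vhid": vhid, "problem": "missing-on-peer",
                             "detail": "VHID present on only one node; check config sync"})
            continue
        states = (a["state"], b["state"])
        if states == ("MASTER", "MASTER"):
            findings.append({"vhid": vhid, "problem": "split-brain",
                             "detail": f"MASTER on both nodes ({a['iface']}): CARP "
                                       "advertisements are not reaching the peer here"})
        elif "MASTER" not in states:
            findings.append({"vhid": vhid, "problem": "no-master",
                             "detail": f"states {states}; nobody is serving the VIP"})
        if a["advskew"] == b["advskew"]:
            findings.append({"vhid": vhid, "problem": "equal-advskew",
                             "detail": "same skew on both nodes; pfSense normally syncs "
                                       "advskew 100 to the secondary so the primary wins"})
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_carp(FW1_IFCONFIG), parse_carp(FW2_IFCONFIG)):
        print(f"vhid {f['vhid']:>3}  {f['problem']:<15} {f['detail']}")
```

Run against ifconfig output from each node, the script reports split-brain for VHIDs 11 and 21 only, which is the post's symptom: the WAN segments carry the advertisements and the secondary correctly stays BACKUP there, while the LAN VLANs do not. A split-brain finding on every VHID of one VLAN interface, with the WAN VHIDs healthy, points at the layer-2 path for that VLAN (the port group VLAN setting jammcla describes) rather than at the CARP configuration itself.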
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.