Backup HA/CARP Firewall Access to Resources in Remote Subnet via OpenVPN
-
Hi all,
We have two networks connected via a Site-to-Site OpenVPN setup. We have a pair of pfSense firewalls on each side, with both sides configured in HA clusters. All is well there. I'm working on a new project that includes internally-maintained IP lists (and possibly DNS lists in the future) for use by all four firewalls. We already use pfBlockerNG for similar purposes, so I'd like to stick with it for simplicity. We'd like to have only one server maintaining the lists, and have all four firewalls contact it for the lists.
Our current setup allows three of the four firewalls to successfully retrieve the lists at the intervals configured in pfB. Given the lists server is in subnet A, both firewalls in A can get the lists just fine. However, only the firewall that is Master in subnet B can get the lists. From previous experience, I understand this is because the Backup firewall thinks it has access to subnet A via the OpenVPN instance on itself. But because it's CARP status is Backup, its instance is disabled, and so it can't reach subnet A until it becomes Master for whatever reason. See this help page in the pfSense docs.
I haven't yet been able to get a reliable method of allowing the Backup firewall in subnet B to access the lists server. The closest I got was with an Outbound NATing rule, a custom gateway pointing to the internal CARP LAN VIP in subnet B, and a static route utilizing that custom gateway. While using that setup, I tried pinging for testing. The first ping would receive a response from the lists server, but all subsequent pings wouldn't receive a response.
If someone could provide some pointers to help us complete this project, that would be greatly appreciated. Thanks for your time!
-
Use the NAT rule described here: https://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN
-
I already have.
Sorry for the confusion, I should I specified that when I linked to that page in my original post.
The rule on that page applies when a host in subnet A is trying access the Backup firewall in subnet B. I'm looking for something that applies to the Backup firewall in subnet B trying access a host in subnet A.
-
Ah, I misread it a bit then, sorry.
In that case it isn't going to happen. The backup firewall shouldn't be making outbound connections when it's not master (in most cases). It has no viable and sustainable way to reach the other end.
About the best you could hope for would be to maybe not bind OpenVPN to the CARP VIP(s) and keep the tunnels up all the time, and use a routing protocol like OSPF to handle the changeover rather than relying on CARP.
-
Thanks for the pointer on the routing option.
As I continued to experiment, I think I've found a good choice. I created a NAT rule for the LAN interface in subnet B, where the destination is the LAN CARP VIP using an unused port on the firewalls (one could add an additional CARP VIP on the LAN if needed, but using the existing one works for us), the source is the alias suggested in the link jimp and I referenced (the alias includes the individual IPs of the firewalls), and the redirect target is the host in subnet A with the appropriate port.
Unfortunately there isn't the option to NAT all protocols with a single rule. jimp's suggestion should be able to do something like that. In our case, we needed only TCP, so a single NAT rule got the job done!
The backup firewall shouldn't be making outbound connections when it's not master (in most cases).
For the reader's information, pfBlockerNG runs the same cron job on both firewalls on the same schedule (when the package is configured to sync), so it doesn't follow that pattern. I think that's probably for the better, because having the applicable lists on both firewalls doesn't cause any networking issues (like the issues caused by having two OpenVPN instances between the same two subnets), and the initial download process can take several minutes to complete, so it's good to have the lists ready to go whenever a failover happens.
-
A quick update, just in case it can help anyone else trying to accomplish a similar task…
a single NAT rule got the job done!
It almost did! My attention was redirected to another project before I could completely test the theory. Adding the NAT rule did, in fact, allow the Backup firewall to access the resources on the host in subnet A, however, the Master firewall could not access the same resources via the virtual IP. So it appears that a firewall in an HA cluster can not fully route packets to the VIP while it is the Master? If someone knows how to address that issue, please do share! To address the issue, in pfBlockerNG on the firewalls for subnet B, I've added both the real IP of the host in subnet A (this will be used by the Master), as well as the VIP used by the firewalls for subnet B (this will be used by the Backup). Which ever list entry isn't the one intended for the respective firewall will timeout on that firewall, but it will get the same content via the entry intended for it.
