CARP and the WAN



  • Hello All,

    First post, newbie, but pfSense looks promising; trying to convert slideware into action  8)

    I set up a single box to try and discover the HA functions from there, a lone-wolf cluster so to say.

    I tried to use the 'recently' added possibility to set private IPs on the WAN interfaces and use a CARP VIP as a single public IP (so I don't have to waste 3 public IPs). So in the console I set private IPs on WAN, no gateway; in the web UI I created the CARP VIP on the WAN interface, went back to Interfaces in the web UI, and set the IPv4 upstream gateway to my ISP's public gateway. I set Outbound NAT to use AON and adjusted the rules to use the CARP VIP as the NAT address. But no luck. Of course I did some reboots and so on.

    Since the above didn't work, I replaced the WAN IP with my other public IP, and bingo, I can browse. If I check my IP from the internet, however, it does show my CARP VIP.

    I am using version 2.3.4-RELEASE-p1 (latest and greatest at the moment).

    Can anyone point me to what I am doing wrong?

    Thanks a lot!

    Grtz,
    Ronald


  • Netgate

    (so I don't have to waste 3 pub IPs)

    It's not a waste. They are put to good use. Anything worth HA is worth doing correctly.

    Kind of hard to tell what might have been wrong from that description. I would probably go straight to packet captures and Wireshark to see what is really going on in both cases. Pay particular attention to what happens during ARP and the MAC addresses the traffic is actually being sent to.
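
The suggestion above is to capture on the WAN segment and watch ARP. What follows is an added example, not code from the thread or from pfSense: it parses the text output of `tcpdump -n -e -i <wan> arp` (the sample lines are constructed, with `00:11:22:33:44:55` playing the ISP gateway at 203.0.113.1) and checks whether a CARP VIP is being answered from the CARP virtual MAC `00:00:5e:00:01:<VHID>` rather than from a NIC's own MAC, by nobody, or by more than one host. The function and variable names are mine.

```python
import re

# Constructed sample of `tcpdump -n -e -i <wan> arp` output, not a real capture.
# 203.0.113.10 is answered from the CARP MAC for VHID 5 (healthy),
# 203.0.113.20 is answered from a plain NIC MAC (not CARP-owned),
# 203.0.113.30 is asked for but nobody answers.
SAMPLE_CAPTURE = """\
10:00:00.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.10 tell 203.0.113.1, length 46
10:00:00.000120 00:00:5e:00:01:05 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at 00:00:5e:00:01:05, length 28
10:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.20 tell 203.0.113.1, length 46
10:00:01.000120 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.20 is-at 00:0c:29:aa:bb:cc, length 28
10:00:02.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.30 tell 203.0.113.1, length 46
"""

_REQUEST = re.compile(
    r"Request who-has (?P<target>\d+(?:\.\d+){3}) tell (?P<sender>\d+(?:\.\d+){3})"
)
_REPLY = re.compile(
    r"Reply (?P<ip>\d+(?:\.\d+){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def carp_mac(vhid: int) -> str:
    """CARP (like VRRP) answers for a VIP from 00:00:5e:00:01:<VHID>, not the NIC MAC."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def classify_vip(capture: str, vip: str, vhid: int) -> dict:
    """Summarise who answered ARP for `vip` in a tcpdump text capture.

    status is one of:
      ok         only the CARP virtual MAC for this VHID answered
      wrong-mac  something answered, but never from the CARP MAC
      conflict   the CARP MAC and at least one other MAC both answered
      no-reply   the VIP was asked for but nobody answered
      no-traffic no ARP for the VIP appears in the capture at all
    """
    expected = carp_mac(vhid)
    requests = 0
    seen = set()
    for line in capture.splitlines():
        m = _REQUEST.search(line)
        if m and m.group("target") == vip:
            requests += 1
            continue
        m = _REPLY.search(line)
        if m and m.group("ip") == vip:
            seen.add(m.group("mac").lower())

    if not seen:
        status = "no-reply" if requests else "no-traffic"
    elif seen == {expected}:
        status = "ok"
    elif expected in seen:
        status = "conflict"
    else:
        status = "wrong-mac"

    return {
        "vip": vip,
        "status": status,
        "expected_mac": expected,
        "seen_macs": sorted(seen),
        "requests": requests,
    }


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print(classify_vip(SAMPLE_CAPTURE, ip, vhid=5))
```

Feed it a real capture by saving the output of `tcpdump -n -e -i <wan> arp` from the firewall's shell (or the pcap from Diagnostics > Packet Capture, re-printed with `tcpdump -n -e -r file arp`) and calling `classify_vip` with the VIP and the VHID configured on it. `no-reply` while the gateway keeps asking means no CARP master is answering on that segment; `conflict` means two hosts claim the address, which is what a duplicated VHID on the same wire looks like.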



  • Well, to do HA well and sleep well, it's worth some pennies; that's 100% true.

    So this is why I went to pfSense in the first place. I do have 32 public IPs, so luckily I have some spares.

    About what could be wrong: outbound NAT (AON) already goes wrong. I replaced the WAN interface IP with the CARP VIP in the NAT rules, and set the gateway to my ISP's gateway in the adapter config in the GUI, whereas in the console I set it to none.

    I am not too familiar with BSD, more a CentOS dude, so if you can give me a hint on what should work, that would be great.

    Grtz



  • If you have a /27, use public addresses on your interfaces. I only use private addresses when there are not enough public ones to use one on each firewall, usually when there is a /30 that cannot be easily bumped up. There are annoying issues: you can't hit the secondary easily, the gateway shows down when the secondary is in backup… If interested, I posted my notes on using a single public IP on a CARP cluster previously, so you should be able to find them with a search.



  • Hi Dotdash,

    Yup, lucky position to have a /27 network on the outside. I indeed read some nasty things about using a single CARP VIP on a different subnet, but I am planning to move all my services behind HAProxy and SNI anyway (most of 'em are M$ products and pfSense will replace my TMG).

    Have to split some things up though, and of course a migration, where I need 'em all, well, almost  :P

    Any comments on NetScaler/MS CRM/Exchange ActiveSync/Exchange OWA/etc/etc behind pfSense, esp. when using SNI?

    And I am using VMware 5.x. Can I use HA without vDS (no enterprise licenses here)? Does it work across ESXi boxes when creating dedicated port groups for promiscuous mode? If not using vDS, then the switch is 'per hypervisor'. AFAIK RARP advertisements appear only on the switch it is connected to.

    Thanks!

    BR,
    Ronald

    And all notes highly appreciated, I am completely new to this product  ::)



  • @Topski:

    And I am using VMware 5.x. Can I use HA without vDS (no enterprise licenses here)? Does it work across ESXi boxes when creating dedicated port groups for promiscuous mode? If not using vDS, then the switch is 'per hypervisor'. AFAIK RARP advertisements appear only on the switch it is connected to.

    Just tested; this works fine  8) :)