Failover with vlans and public addresses



  • I have been trying to do the failover config setup on our network with routed public addresses on vlans and making progress, but I have a couple of questions that I have not been able to find an answer to going through the forum and google. Here is what I have done so far.

    I have read the tutorial http://files.pfsense.org/mirror/tutorials/carp/carp-cluster-new.htm and am trying to work through it using public addresses and vlans.

    I did the sync net on the 3rd nic on each fw
    I have unique public address on the wans of each fw  xxx.xxx.58.148 and xxx.xxx.58.149
    The sync network is 192.168.168.1/24 on primary and 192.168.168.2/24 on secondary
    The LAN(no vlan) on pri is 192.168.2.175 and sec is 192.168.2.176
    Went through the tutorial listed above. I added wan xxx.xxx.58.148, lan 192.168.2.175 and vlan xxx.xxx.53.1 to the VIP(carp) on pri fw. Checked all the boxes shown excluding the “preemption” which doesn’t seem to be in ver 1.2R. Everything that should get synced does.

    Now here is where my questions are. All of the vlans have their ip addresses configured the same on each fw. Vlan 5 has xxx.xxx.53.1 on pri and sec fw. Not sure if this is correct or not, seems to work but getting errors in the system logs about the secondary mac using the same address.

    Should have an ip conflict and it should not work, correct?

    Am I going to have to have a unique address in the same subnet on the secondary fw vlan (ex: xxx.xxx.53.2)? These are only /30 so we don’t have another address to use. Any way around this?

    I think the biggest thing that is throwing me is the lack of info that I am finding on the flow of what happens during the carp failover; links to some basic info on this would be good.

    Thanks

    Rick



  • Went through the tutorial listed above I added wan xxx.xxx.58.148

    Typo? as you already used it.

    I think the biggest thing that is throwing me is the lack of info that I am finding on the flow of what happens during the carp failover; links to some basic info on this would be good.

    Will this help?
    http://www.freebsd.org/cgi/man.cgi?query=carp&manpath=FreeBSD+7.0-RELEASE
    http://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol



  • I read the links and I think that I have it now but just want to make sure. Since the ISP has the route for the xxx.xxx.53.0 network pointing to xxx.xxx.58.148, I assume that this would be the correct way to set this up? But we don't have enough ip's on each vlan to do this.  :'(

    FW1
    WAN IP xxx.xxx.58.149
    WAN Carp xxx.xxx.58.148
    WAN Gateway xxx.xxx.58.145
    LAN IP 192.168.168.254
    LAN Carp 192.168.168.1(gateway for network)
    VLAN1 IP xxx.xxx.53.2
    VLAN1 Carp xxx.xxx.53.1(gateway for network)

    FW2
    WAN IP xxx.xxx.58.150
    LAN IP 192.168.168.253
    VLAN1 IP xxx.xxx.53.3
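An added example, not from the thread or from pfSense: a small Python check of the addressing plan above, using RFC 5737 documentation addresses in place of xxx.xxx.*. It flags the two things this thread turns on, a /30 that cannot hold two node IPs plus a CARP VIP, and the same interface IP configured on both nodes (the source of the duplicate-address log errors).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CarpSegment:
    """One subnet shared by both cluster nodes: each node's own IP plus the CARP VIP."""
    name: str
    prefix: str
    node_ips: tuple  # (primary, secondary) real interface addresses
    vip: str         # shared CARP address that moves to the surviving node on failover


def check_segment(seg):
    """Return a list of problems with the segment's addressing (empty means it is sound)."""
    net = ipaddress.ip_network(seg.prefix, strict=False)
    hosts = set(net.hosts())  # usable addresses: network and broadcast excluded for /30 and larger
    problems = []
    if len(hosts) < 3:
        problems.append(f"{seg.name}: {seg.prefix} has only {len(hosts)} usable host addresses; "
                        "CARP needs three (one per node plus the VIP)")
    if seg.node_ips[0] == seg.node_ips[1]:
        problems.append(f"{seg.name}: both nodes own {seg.node_ips[0]} as their real interface IP; "
                        "that is the duplicate-address error in the logs")
    if seg.vip in seg.node_ips:
        problems.append(f"{seg.name}: VIP {seg.vip} must not also be a node's own interface IP")
    for label, ip in (("primary", seg.node_ips[0]), ("secondary", seg.node_ips[1]), ("vip", seg.vip)):
        if ipaddress.ip_address(ip) not in hosts:
            problems.append(f"{seg.name}: {label} address {ip} is not a usable host in {seg.prefix}")
    return problems


def check_plan(segments):
    """Check every segment; returns {name: problems} for the segments that have any."""
    report = {}
    for seg in segments:
        problems = check_segment(seg)
        if problems:
            report[seg.name] = problems
    return report


# Constructed sample plans (documentation addresses standing in for the thread's xxx.xxx.*).
# 1. The first post's layout: a /30 per customer VLAN with the same IP on both firewalls.
ORIGINAL_VLAN5 = CarpSegment("vlan5", "198.51.100.0/30", ("198.51.100.1", "198.51.100.1"), "198.51.100.1")
# 2. The follow-up's layout (unique node IPs plus a VIP), which fits once the VLAN is a /29.
FIXED_VLAN1 = CarpSegment("vlan1", "198.51.100.0/29", ("198.51.100.2", "198.51.100.3"), "198.51.100.1")
# 3. The same layout squeezed into the existing /30: .3 is the broadcast address, so it cannot work.
FIXED_VLAN1_SLASH30 = CarpSegment("vlan1-30", "198.51.100.0/30", ("198.51.100.2", "198.51.100.3"), "198.51.100.1")
# 4. The LAN side from the follow-up, which has plenty of room in a /24.
FIXED_LAN = CarpSegment("lan", "192.168.168.0/24", ("192.168.168.254", "192.168.168.253"), "192.168.168.1")
```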



  • I'm not sure why you call them vlans, they are wan ip's, right?
    Using other in vip might help http://forum.pfsense.org/index.php/topic,7039.0.html



  • No, the vlans are vlans. Each of our customers is on their own vlan behind the firewall with public addresses on their machines. We route through the firewall to the public addresses, no nat or port forwarding. Everything in the forum seems to be with natting and port forwarding from the public ip's on the WAN to private ip's.

    This is the current setup that we are trying to cluster.

    WAN Gateway              FW1 WAN              Vlan1 interface          Customers machine
    xxx.xxx.58.145<---->xxx.xxx.58.148<------->xxx.xxx.53.1<--------->xxx.xxx.53.2

    Thanks

    Rick

