Failover with vlans and public addresses
-
I have been trying to do the failover config setup on our network with routed public addresses on vlans and am making progress, but I have a couple of questions that I have not been able to find an answer to going through the forum and google. Here is what I have done so far.
I have read the tutorial http://files.pfsense.org/mirror/tutorials/carp/carp-cluster-new.htm and am trying to work through it using public addresses and vlans.
I did the sync net on the 3rd nic on each fw
I have unique public addresses on the wans of each fw: xxx.xxx.58.148 and xxx.xxx.58.149
The sync network is 192.168.168.1/24 on primary and 192.168.168.2/24 on secondary
The LAN(no vlan) on pri is 192.168.2.175 and sec is 192.168.2.176
Going through the tutorial listed above I added wan xxx.xxx.58.148, lan 192.168.2.175 and vlan xxx.xxx.53.1 to the VIP(carp) on pri fw. Checked all the boxes shown excluding the "preemption" which doesn't seem to be in ver 1.2R. Everything that should get synced does.
Now here are my questions. All of the vlans have their ip address configured the same on each fw. Vlan 5 has xxx.xxx.53.1 on the pri and sec fw. Not sure if this is correct or not; it seems to work but I am getting errors in the system logs about the secondary mac using the same address.
There should be an ip conflict and it should not work, correct?
Am I going to have to have a unique address in the same subnet on the secondary fw vlan (ex: xxx.xxx.53.2)? These are only /30 so we don't have another address to use. Any way around this?
I think the biggest thing that is throwing me is the lack of info that I am finding on the flow of what happens during the carp failover; links to some basic info on this would be good.
Thanks
Rick
-
Going through the tutorial listed above I added wan xxx.xxx.58.148
Typo? as you already used it.
I think the biggest thing that is throwing me is the lack of info that I am finding on the flow of what happens during the carp failover; links to some basic info on this would be good.
Will this help?
http://www.freebsd.org/cgi/man.cgi?query=carp&manpath=FreeBSD+7.0-RELEASE
http://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol
-
I read the links and I think that I have it now, but I just want to make sure. Since the ISP has the route for the xxx.xxx.53.0 network pointing to xxx.xxx.58.148, I assume that this would be the correct way to set this up? But we don't have enough ip's on each vlan to do this. :'(
FW1
WAN IP xxx.xxx.58.149
WAN Carp xxx.xxx.58.148
WAN Gateway xxx.xxx.58.145
LAN IP 192.168.168.254
LAN Carp 192.168.168.1 (gateway for network)
VLAN1 IP xxx.xxx.53.2
VLAN1 Carp xxx.xxx.53.1 (gateway for network)

FW2
WAN IP xxx.xxx.58.150
LAN IP 192.168.168.253
VLAN1 IP xxx.xxx.53.3
-
I'm not sure why you call them vlans; they are wan ip's, right?
Using "other" in VIP might help: http://forum.pfsense.org/index.php/topic,7039.0.html
-
No, the vlans are vlans. Each of our customers is on their own vlan behind the firewall with public addresses on their machines. We route through the firewall to the public addresses, no nat or port forwarding. Everything in the forum seems to be with nating and port forwarding from the public ip's on the WAN to private ip's.
This is the current setup that we are trying to cluster.
WAN Gateway         FW1 WAN             Vlan1 interface     Customer's machine
xxx.xxx.58.145 <--> xxx.xxx.58.148 <--> xxx.xxx.53.1 <--> xxx.xxx.53.2
Thanks
Rick
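An added example, not from the thread or from pfSense, that checks an address plan like the one in Rick's second post against the two points raised above: a /30 leaves only two usable hosts, so it cannot hold a real address per firewall plus the CARP VIP, and both firewalls configured with the same address (the first post's VLAN 5 layout) collide. The subnets and addresses are constructed documentation-range stand-ins for the masked xxx.xxx networks.

```python
import ipaddress

# Constructed plan with the shape of Rick's second post; RFC 5737 documentation
# ranges stand in for the masked xxx.xxx public networks.
PLAN = {
    "WAN":   {"subnet": "203.0.113.144/28", "fw1": "203.0.113.149",
              "fw2": "203.0.113.150", "vip": "203.0.113.148"},
    "LAN":   {"subnet": "192.168.168.0/24", "fw1": "192.168.168.254",
              "fw2": "192.168.168.253", "vip": "192.168.168.1"},
    "VLAN1": {"subnet": "198.51.100.0/30", "fw1": "198.51.100.2",
              "fw2": "198.51.100.3", "vip": "198.51.100.1"},
}

# The layout from the first post: both firewalls carry the same address on VLAN 5.
VLAN5_SHARED = {"subnet": "198.51.100.0/30", "fw1": "198.51.100.1",
                "fw2": "198.51.100.1", "vip": "198.51.100.1"}


def check_interface(name, spec):
    """Return a list of problems with one interface's CARP address plan."""
    net = ipaddress.ip_network(spec["subnet"], strict=True)
    usable = set(net.hosts())  # excludes the network and broadcast addresses
    addrs = {role: ipaddress.ip_address(spec[role]) for role in ("fw1", "fw2", "vip")}
    problems = []
    for role, addr in addrs.items():
        if addr not in net:
            problems.append(f"{name}: {role} {addr} is outside {net}")
        elif addr not in usable:
            problems.append(f"{name}: {role} {addr} is the network or broadcast address of {net}")
    if addrs["fw1"] == addrs["fw2"]:
        problems.append(f"{name}: fw1 and fw2 share {addrs['fw1']}; expect duplicate-address "
                        "errors from the secondary")
    if addrs["vip"] in (addrs["fw1"], addrs["fw2"]):
        problems.append(f"{name}: VIP {addrs['vip']} is also used as a real address")
    if len(usable) < 3:
        problems.append(f"{name}: {net} has {len(usable)} usable address(es); "
                        "two real addresses plus a CARP VIP need 3")
    return problems


def check_plan(plan):
    """Run check_interface over every interface; an empty list means that interface fits."""
    return {name: check_interface(name, spec) for name, spec in plan.items()}


if __name__ == "__main__":
    for name, problems in check_plan(PLAN).items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
    for p in check_interface("VLAN5", VLAN5_SHARED):
        print("  -", p)
```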