    CARP Network Allocation Problem

    HA/CARP/VIPs
    • T
      TheGeek last edited by

      My setup is like this:

      WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)
      LAN: A /23 network 10.10.10.0
      DMZ: Bridged with WAN

      In order for the 192.10.50.0 network to work and route packets, I allocated it using Proxy ARP on one of the two pfSenses. (And it works, as it should.)
      I have set CARP addresses on both LAN and WAN, and although they sync settings and CARP is working as it should, I can only access the DMZ and WAN when one of the two pfSenses is disconnected.
      Each one works individually, but not together.

      So, I need to resolve two problems in order to get a fully redundant firewall.

      1. How can I solve the issue with the firewalls not working together?

      2. I read this https://forum.pfsense.org/index.php?topic=45209.msg240929#msg240929 but I don't understand how I am supposed to set it up, and which IP I will set as CARP, since I cannot create a CARP network.

      • Derelict
        Derelict LAYER 8 Netgate last edited by

        Bridging is completely incompatible with pfSense CARP/HA. If you choose to go down that path it is incumbent upon you to make sure all of the necessary spanning-tree pieces are in the right place.

        WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)

        This is also asking for trouble. Seems it has found you.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • T
          TheGeek last edited by

          Unfortunately, it is necessary for me to use a bridge, as the IPs of the devices I have on my DMZ need to match the WAN's IP range.
          So, bridge and CARP are not gonna work?

          Yes, also the situation with 2 networks on one cable cannot change..  :-[

          • Derelict
            Derelict LAYER 8 Netgate last edited by

            It can work, but it's on you to prevent any loops. I am not going down that rabbit hole. Design your network properly.

            • T
              TheGeek last edited by

              Ok, I see.
              Trust me, if I could, I would design it properly.
              And how could I prevent loops?
              Can you give me a link or something to read about it?

              • Derelict
                Derelict LAYER 8 Netgate last edited by

                I find it humorous that you would be concentrating on HA before fixing such a broken design. If it is worth high-availability it is worth a solid design first.

                You prevent layer 2 loops using spanning-tree protocol.

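As an added illustration (not part of this thread, and not pfSense's own code): a toy Python model of the layer-2 topology the original poster describes, two firewalls each bridging the same WAN and DMZ segments. It shows why the second bridge closes a loop, and which port a spanning-tree selection would block. Bridge IDs `pfsense-A`/`pfsense-B`, port names `em0`/`em1` and the path costs are constructed sample values; the tree selection is a simplified Kruskal-style pass (lowest cost, then lowest bridge ID, then port), not the 802.1D BPDU state machine.

```python
"""Toy layer-2 loop check and spanning-tree selection for two bridging firewalls.

Constructed example, not pfSense code. Links are (bridge_id, port, segment, cost).
A bridge with a port on WAN and a port on DMZ joins those two segments at layer 2;
two such bridges on the same segments form a ring WAN-A-DMZ-B-WAN.
"""
from collections import defaultdict

# Constructed topology: both pfSense units bridge WAN and DMZ.
TWO_BRIDGES = [
    ("pfsense-A", "em0", "WAN", 4),
    ("pfsense-A", "em1", "DMZ", 4),
    ("pfsense-B", "em0", "WAN", 4),
    ("pfsense-B", "em1", "DMZ", 4),
]
# Same network with only one unit bridging (the case that "works individually").
ONE_BRIDGE = TWO_BRIDGES[:2]


def build_graph(links):
    """Undirected graph whose nodes are bridges and segments; each port is one edge."""
    adj = defaultdict(list)
    for bridge, port, segment, cost in links:
        edge = (bridge, port)            # a port uniquely identifies its link
        adj[bridge].append((segment, edge, cost))
        adj[segment].append((bridge, edge, cost))
    return adj


def has_loop(links):
    """True if the bridge/segment graph contains a cycle (frames could circulate forever)."""
    adj = build_graph(links)
    visited = set()

    def dfs(node, via_edge):
        visited.add(node)
        for nxt, edge, _cost in adj[node]:
            if edge == via_edge:         # don't walk straight back over the same port
                continue
            if nxt in visited or dfs(nxt, edge):
                return True
        return False

    return any(dfs(n, None) for n in list(adj) if n not in visited)


def spanning_tree(links):
    """Simplified spanning-tree selection (Kruskal over a union-find).

    Links are admitted in order of (cost, bridge id, port); a link that would close
    a loop is put in the blocked list. Returns (forwarding_ports, blocked_ports).
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    forwarding, blocked = [], []
    for bridge, port, segment, cost in sorted(links, key=lambda l: (l[3], l[0], l[1])):
        root_b, root_s = find(bridge), find(segment)
        if root_b == root_s:
            blocked.append((bridge, port))   # would create a loop: keep it out of forwarding
        else:
            parent[root_b] = root_s
            forwarding.append((bridge, port))
    return forwarding, blocked


def loop_free_after_stp(links):
    """Apply the selection and re-check: the forwarding topology must have no cycle."""
    forwarding, _blocked = spanning_tree(links)
    kept = [l for l in links if (l[0], l[1]) in forwarding]
    return not has_loop(kept)


if __name__ == "__main__":
    print("one bridge, loop:", has_loop(ONE_BRIDGE))
    print("two bridges, loop:", has_loop(TWO_BRIDGES))
    fwd, blk = spanning_tree(TWO_BRIDGES)
    print("forwarding ports:", fwd)
    print("blocked ports:", blk)
```

The point the model makes: with one unit bridging there is no cycle, with two there is, and the only way both can stay plugged in is for a spanning tree to put one port (here the second unit's DMZ port) into a blocking state, which is exactly the "spanning-tree pieces" the reply above says must be in place.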
                • T
                  TheGeek last edited by

                  It is humorous, indeed.
                  But still, it is not in my power to change this.
                  You wouldn't understand.
                  But thank you very much for your time.
                  I will try to see if HA can be achieved; otherwise a cloned machine will be standing by, in case of a hardware failure.

                  • Derelict
                    Derelict LAYER 8 Netgate last edited by

                    I understand perfectly.

                    It is those who are making you do this who don't understand.

                    • T
                      TheGeek last edited by

                      @Derelict:

                      It is those who are making you do this who don't understand.

                      Yep.
                      I guess I am not the only one.
