Netgate Discussion Forum

    CARP/HA Issue with connection

    Category: HA/CARP/VIPs. 6 Posts, 3 Posters, 677 Views
      briansnyder00 wrote:

      Hello All,

      I have two pfSense servers connected with CARP/HA with a simple crossover cable. My LAN and WAN are both VIPs. This setup works well with one exception. The backup box can't seem to connect to the internet. This is problematic for installing packages. It DOES work correctly when it is failed over and primary.

      Is this expected behavior, or a setting I do not have configured properly?

      Thanks,
      Brian

        dotdash wrote:

        If both boxes have a public IP, then both should be able to connect to the Internet. If you have a single public IP that the firewalls are sharing, and private IPs on the WAN, then that is the expected behavior.

          SteveITS (Galactic Empire) wrote, replying to @dotdash:

          @dotdash said in CARP/HA Issue with connection:

          private IPs on the WAN

          One exception to this is if the pfSense is behind another router providing NAT...then both routers should be able to get out. It's a long story but we do actually have one configured that way.

          @briansnyder00 , are the WAN gateways correct on both? It should work, since for example one normally upgrades the backup router first.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

            briansnyder00 wrote:

            Thank you for the replies. Our situation is somewhat unique. We are behind the router of our ITC. Our users NAT to a single IP (the WAN VIP) on our box, which is a private IP. That IP is NATed upstream to a public IP. As I said, everything seems to work properly with the exception of the backup box itself. Upgrading is exactly how I noticed the issue. The backup box can't find any updates. The primary has no problem.

            The WAN gateways are the same on both boxes as are all other settings with the exception of the actual LAN and WAN IP addresses.

              SteveITS (Galactic Empire) wrote:

              Is the netmask right? DNS? Have you tried pinging or traceroute from the web GUI (Diagnostics)?

              Our client with this setup has the router WAN IP at 10.1.10.4/24, gateway 10.1.10.1. Backup is the same but with 10.1.10.5.

              (they have 3 WAN VIPs and one LAN VIP at 192.168.1.1)


                briansnyder00 wrote:

                I think I may have found the issue. Both devices themselves were in the NAT range tied to the single VIP. I believe the secondary box was communicating out, but any reply went back to the primary box. I found a NAT setting to map "This Firewall" to its WAN interface address and not the VIP. That seems to have worked on both devices.

                I did have our upstream provider NAT all to the same public IP:
                VIP x.x.x.1
                Device 1 x.x.x.2
                Device 2 x.x.x.3

                Thank you all for the help!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.