Netgate Discussion Forum

Use carp but don't need failover

Category: HA/CARP/VIPs
11 Posts, 2 Posters, 4.4k Views

nsansari, Mar 18, 2009, 10:44 AM

Hi

I've been using pfSense for about 1 1/2 years now, and it's been perfect. I configured it using Proxy ARP virtual IPs initially. However, recently I've been having problems with FTP, and after mucking around so much, in the end I converted one of the Proxy ARP VIPs to a CARP VIP. I had to install a new NIC in the box. It's working great.

Question is, I have 4 public IPs; do I need to add a NIC for each one? I don't require failover as I've got only one box.

Also, trying to view the tutorials at http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm, I'm not getting any of the links to work.

Thanks in advance
dotdash, Mar 18, 2009, 3:26 PM

I'm not following why you added another NIC. If you are just adding a VIP, the process is similar with Proxy-ARP or CARP. There is no need to add another NIC. Forget the cluster howto and just add the Virtual IPs.
nsansari, Mar 18, 2009, 9:14 PM (last edited Mar 19, 2009, 8:51 AM)

Thanks for the reply.

The reason for adding the extra NIC was this message that I was getting:

Sorry, we could not locate an interface with a matching subnet for XXX.70.XXX.XXX/29. Please add an ip in this subnet on a real interface.

So, understanding it incorrectly, I thought I needed an extra NIC. But the problem now is I want all my external IPs to be CARP, but I keep getting the above message. My setup is as follows:

Internet <--> netgear <--> pfSense <--> LAN

pfSense is using PPPoE, so the WAN interface gets the gateway IP from the ISP. (The netgear is there only for the ADSL modem and wireless.)

I hope this makes sense.

Any more ideas?
dotdash, Mar 18, 2009, 10:56 PM

Oh, CARP VIPs have to be within your WAN subnet. Is your WAN a private IP from the modem, or in a different block? Read this for some options for CARP with a secondary subnet: http://forum.pfsense.org/index.php/topic,7039.0.html
nsansari, Mar 19, 2009, 8:39 AM

I've seen that post and a few others as well. I've been going over these over and over again, but it just confuses me more and more. My addressing from the ISP is as follows:

Number of IP addresses: 8
IP addresses: XXX.70.XXX.120 - XXX.70.XXX.127
Subnet mask: 255.255.255.248
Subnet in slash notation: XXX.70.XXX.120 /29
Network address: XXX.70.XXX.120
Broadcast address: XXX.70.XXX.127
Router address: XXX.70.XXX.126
Number of IP addresses usable by your hosts: 5

So the WAN (PPPoE) gets the .126 IP automatically. But when I try to add, say, .125 in CARP, I get the above message.

Internally on the LAN I just use 192.168.1.0 and 172.16.16.0.

Surely my setup must be one of the simplest ones to configure, but I'm just struggling.
nsansari, Mar 19, 2009, 9:13 AM

Just noticed this on Status -> Interfaces:

WAN interface (le1)
Status up
PPPoE up
MAC address xx:0c:xx:0d:xx:xx
IP address XXX.70.XXX.126
Subnet mask 255.255.255.255

Could this be the problem?
dotdash, Mar 19, 2009, 1:49 PM

Yeah, that's how PPPoE works. I usually have the DSL router do the PPPoE. Bridge the WAN to LAN on the DSL router if you can. Then put a public IP on the WAN of your firewall and use the DSL router as your default gateway. Then you can add the CARP VIPs.
nsansari, Mar 20, 2009, 2:24 AM

Unfortunately, I don't think my DSL router (Netgear DG834G) has the bridge option.

Even if I find a router that does, won't this setup mean that the DSL router gets the public IP and then you also use a public IP on the WAN of pfSense? That means one less IP for use?

Thanks
dotdash, Mar 20, 2009, 2:06 PM

Yeah, that means you have to use one IP on the router and one on the firewall WAN. Say you use .125 on WAN, you still have .121, .122, .123, and .124. And you can use the WAN for port-forwards.
nsansari, Mar 23, 2009, 3:04 PM

Hey, thanks for all your help dotdash.

Finally I've got all my Proxy ARP IPs converted to CARP IPs. And FTP is finally working.

Basically I've just added an extra NIC as I explained above, assigned it an external IP and disconnected it from the network. So when I go in to add CARP I don't get that message that I was getting anymore. I know this is not the best solution, but hey, it works.

Also found out that to get FTP to work, I had to remove port 21 from my aliases (I've got aliases for port groups defined) and create a separate NAT/firewall rule for it for each server.

Thanks again for the help
dotdash, Mar 23, 2009, 3:11 PM

Hmm, that's an interesting workaround. You just added an OPT interface with the public IP, and then it let you add the CARP IPs on the WAN? I never tried that. I'm glad you got everything working.
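The "matching subnet" check behind the error quoted in this thread, modelled in Python as an added example (this is not pfSense's own code): the PPPoE WAN carries a /32, so no interface shares the /29 of the requested VIP until an extra OPT interface holding an address from that block exists, which is the workaround nsansari ended up with. The interface table is assumed and the addresses are constructed; 203.0.113.120/29 (documentation space) stands in for the ISP's XXX.70.XXX.120/29.

```python
"""Model of the subnet check pfSense applies before accepting a CARP VIP.

Added example, not pfSense code. Interfaces are given as name -> (address,
prefix length); the addresses below are constructed for illustration.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Interfaces = Dict[str, Tuple[str, int]]

# Constructed table matching the thread: PPPoE hands the WAN a /32, so the WAN
# "network" is just its own address and covers no other host of the ISP /29.
PPPOE_ONLY: Interfaces = {
    "WAN": ("203.0.113.126", 32),
    "LAN": ("192.168.1.1", 24),
}

# Same box plus the workaround from the thread: a spare NIC assigned another
# address from the public block (with its real /29 mask) and left unplugged.
WITH_OPT: Interfaces = {
    **PPPOE_ONLY,
    "OPT1": ("203.0.113.121", 29),
}


def find_carrier_interface(vip: str, prefix: int, interfaces: Interfaces) -> Optional[str]:
    """Return the first interface whose configured subnet equals the VIP's subnet.

    The VIP request vip/prefix is normalised to its network (e.g. .125/29 ->
    .120/29) and compared with each interface's network. A /32 WAN normalises
    to a one-host network, so it can never match a /29 VIP.
    """
    wanted = ipaddress.ip_network(f"{vip}/{prefix}", strict=False)
    for name, (addr, plen) in interfaces.items():
        if ipaddress.ip_network(f"{addr}/{plen}", strict=False) == wanted:
            return name
    return None


def check_vip(vip: str, prefix: int, interfaces: Interfaces) -> str:
    """Reproduce the outcome the thread describes for a CARP VIP request."""
    name = find_carrier_interface(vip, prefix, interfaces)
    if name is None:
        net = ipaddress.ip_network(f"{vip}/{prefix}", strict=False)
        return (f"Sorry, we could not locate an interface with a matching "
                f"subnet for {net}. Please add an ip in this subnet on a real interface.")
    return f"ok: {vip}/{prefix} can be carried by {name}"


if __name__ == "__main__":
    print(check_vip("203.0.113.125", 29, PPPOE_ONLY))  # the error from the thread
    print(check_vip("203.0.113.125", 29, WITH_OPT))    # accepted once OPT1 exists
```

The same comparison explains dotdash's bridging advice: once the firewall WAN itself holds a public address with the real /29 mask, the WAN matches and no extra interface is needed.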
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.