3. The problem with not working the gateway

The problem with not working the gateway

  • M

    Vip wan 10.10.10.1
    vip lan 192.168.1.254
    sync interface1 192.168.10.25
    lan pf1 ip 172.16.120.1
    lan pf2 172.16.120.3
    192.168.10.26 sync pf2
    172.16.120.2 server behind pf
    server behind pf gw??
    all /24

    The problem with not working the gateway in the cluster
    The firewalls are properly synchronized and the master and backup mode is correct
    But when gateway does not pass the firewall servers as 10.10.10.1 I do not pass traffic

    server behind pf gw ??
    Thanks

    0
  • LAYER 8 Global Moderator

    are you running pfblocker? that 10.10.10.1 vip is what pfbocker uses so that could be causing you some grief.

    1
  • M

    When I change the virtual ip
    For example 172.16.1.100
    And put it as the gateway , way traffic will not go out again
    For Gateway Servers, do I use Virtual IP lan Address or Virtual IP wan Address?

    0
  • LAYER 8 Global Moderator

    you wouldn't use a vip in a gateway.. A vip is just that a vip, Used to run multiple IPs on an interface, say for a port forward when you have more than one public IP, etc.

    Not sure what your trying to do.. Just that 10.10.10.1 is what pfsense blocker uses and could conflict with whatever you think your trying to accomplish. which you have not stated.

    1
  • M

    I have multiple servers behind pfsense
    And pfsense cluster
    What kind of ip should I use for pfsense machine gates to get traffic from one another if one of the firewalls gets out?

    0
  • LAYER 8 Global Moderator

    Read what you wrote - how is someone suppose to understand that?

    I have been doing networking for since before there was networks ;) And its gibberish!

    Are you asking what the clients should use for their gateway when you setup a HA pair in pfsense?
    https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html

    They would use the carp vip... Normally this would be .3 where pf1 would be .1 and pf2 would be .2 in your ha pair. on the network of your lan... Seems you have some other machine trying to use what would normally be the one of the pf IPs..

    1
  • M

    For example, would i have a web server
    ip gateway web server = virtual ip wan
    or
    Ip gateway webserver = virtual ip lan
    Thanks

    0
  • LAYER 8 Global Moderator

    If the webserver is on your lan then its gateway would be the lan carp vip... If you have to ask such a question then you shouldn't be even touching this stuff..

    How would a devices gateway be an IP on a different network???

    Maybe you should ask your question in your native language section?

    Your wording doesn't make a lot of sense. If you have a webserver on your lan.. How would your lan gateway IP be 192.168.1.254 if your lan for pfsense is 172.16.120..

    How about you draw a picture of how you have this setup!! I gave you a link to how you would setup a carp... Are you asking about something on your wan or internet accessing your webserver via a port forward?

    1
  • M

    I will try explain better than before thanks for your answer I have a pfsense firewall that it was cluster and behind firewall there are some of web servers when I want use this cluster I use virtual IP pfsense such as web servers gateway and after those I don't have internet ping and internet firewall if I use gateway that I use before the cluster doesn't work because this is one of the firewalls
    Ip lan pfsense1 172.16.120.1
    Ip lan pfsense2 172.16.120.3
    Virtual ip lan 172.16.120.6(if should have other range plz tell me )
    all rule s are sync and master and back up doesn't work properly big problem is that web servers traffic don't sent out right now thanks
    For this I use dns load balancer
    dns load balancer >> pf1 - pf2 >> webservers

    0
  • LAYER 8 Global Moderator

    Your saying stuff behind pfsense doesn't have internet.. Just at a loss to why your vip would be .6? Whenever you setup a carp or hsrp or anything where there is a vip that is moved between 2 devices.. It is almost always in sequence with the actual physical IPs

    .1
    .2
    .3 would normally be the vip..

    .252
    .253
    .254 would be the vip

    etc..

    Where did you come up with .6????

    and .1 and 3 for your physical???

    So if your traffic comes in from some other path and not through the cluster, and your trying to use the cluster as your gateway for the webserver - then again NO shit its not going to work..

    What I would suggest you do is get 1 pfsense working... Then graduate to a HA setup.. If your going to use some other path to and from internet or other networks, then this path needs to be connected via a transit network off your pfsense box..

    Again I suggest you DRAW!!! your network so we are all clear how you have everything connected..

    You understand for port forwards to work you would need them to point to the wan carp VIP!! this looks like you have your pf1 and 2 in line with each other? Traffic hits your wan carp vip, and would be forwarded to your webserver IP.

    dns load balancer >> pf1 - pf2 >> webservers

    0
pf cluster 1
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy