The problem with the gateway not working



  • VIP WAN 10.10.10.1
    VIP LAN 192.168.1.254
    sync interface1 192.168.10.25
    LAN pf1 IP 172.16.120.1
    LAN pf2 172.16.120.3
    192.168.10.26 sync pf2
    172.16.120.2 server behind pf
    server behind pf gw??
    all /24

    The problem is the gateway not working in the cluster.
    The firewalls are properly synchronized and the master and backup mode is correct,
    but when the servers' gateway is set to 10.10.10.1, the firewall does not pass traffic.

    server behind pf gw ??
    Thanks


  • LAYER 8 Global Moderator

    are you running pfBlocker? that 10.10.10.1 vip is what pfBlocker uses so that could be causing you some grief.



  • When I change the virtual IP,
    for example to 172.16.1.100,
    and put it as the gateway, traffic will not go out again.
    For the servers' gateway, do I use the virtual IP LAN address or the virtual IP WAN address?


  • LAYER 8 Global Moderator

    you wouldn't use a vip in a gateway.. A vip is just that, a vip, used to run multiple IPs on an interface, say for a port forward when you have more than one public IP, etc.

    Not sure what you're trying to do.. Just that 10.10.10.1 is what pfsense blocker uses and could conflict with whatever you think you're trying to accomplish. which you have not stated.



  • I have multiple servers behind pfSense
    and a pfSense cluster.
    What kind of IP should I use for the pfSense machines' gateways to get traffic from one another if one of the firewalls goes out?


  • LAYER 8 Global Moderator

    Read what you wrote - how is someone supposed to understand that?

    I have been doing networking since before there were networks ;) And it's gibberish!

    Are you asking what the clients should use for their gateway when you set up a HA pair in pfsense?
    https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html

    They would use the carp vip... Normally this would be .3 where pf1 would be .1 and pf2 would be .2 in your ha pair, on the network of your lan... Seems you have some other machine trying to use what would normally be one of the pf IPs..



  • For example, if I have a web server:
    IP gateway of the web server = virtual IP WAN
    or
    IP gateway of the web server = virtual IP LAN?
    Thanks


  • LAYER 8 Global Moderator

    If the webserver is on your lan then its gateway would be the lan carp vip... If you have to ask such a question then you shouldn't be even touching this stuff..

    How would a device's gateway be an IP on a different network???

    Maybe you should ask your question in your native language section?

    Your wording doesn't make a lot of sense. If you have a webserver on your lan.. How would your lan gateway IP be 192.168.1.254 if your lan for pfsense is 172.16.120..

    How about you draw a picture of how you have this setup!! I gave you a link to how you would set up a carp... Are you asking about something on your wan or internet accessing your webserver via a port forward?



  • I will try to explain better than before. Thanks for your answer. I have a pfSense firewall cluster, and behind the firewall there are some web servers. When I want to use this cluster I use the pfSense virtual IP as the web servers' gateway, and after that I don't have internet ping or internet through the firewall. If I use the gateway that I used before the cluster, it doesn't work because this is one of the firewalls.
    IP LAN pfsense1 172.16.120.1
    IP LAN pfsense2 172.16.120.3
    Virtual IP LAN 172.16.120.6 (if it should have another range, please tell me)
    All rules are synced, and master and backup doesn't work properly. The big problem is that the web servers' traffic isn't sent out right now. Thanks.
    For this I use a DNS load balancer:
    dns load balancer >> pf1 - pf2 >> webservers


  • LAYER 8 Global Moderator

    You're saying stuff behind pfsense doesn't have internet.. Just at a loss to why your vip would be .6? Whenever you setup a carp or hsrp or anything where there is a vip that is moved between 2 devices.. It is almost always in sequence with the actual physical IPs

    .1
    .2
    .3 would normally be the vip..

    .252
    .253
    .254 would be the vip

    etc..

    Where did you come up with .6????

    and .1 and 3 for your physical???

    So if your traffic comes in from some other path and not through the cluster, and you're trying to use the cluster as your gateway for the webserver - then again NO shit it's not going to work..

    What I would suggest you do is get 1 pfsense working... Then graduate to a HA setup.. If you're going to use some other path to and from internet or other networks, then this path needs to be connected via a transit network off your pfsense box..

    Again I suggest you DRAW!!! your network so we are all clear how you have everything connected..

    You understand for port forwards to work you would need them to point to the wan carp VIP!! This looks like you have your pf1 and 2 in line with each other? Traffic hits your wan carp vip, and would be forwarded to your webserver IP.

    dns load balancer >> pf1 - pf2 >> webservers
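The addressing rules the moderator lays out across this thread (servers on the LAN point their gateway at the LAN CARP VIP and never at the WAN VIP or a member's own address, the VIP sits in sequence with the member addresses, port forwards are bound to the WAN CARP VIP, and 10.10.10.1 is already used by pfBlockerNG) can be checked mechanically before a cutover. The Python below is an added example written for this thread, not code from the participants or from pfSense. The member WAN addresses, the port-forward binding in the "as posted" plan, and the 203.0.113.0/24 documentation-range addresses in the corrected plan are assumptions the thread does not state.

```python
"""Sanity-check a pfSense CARP/HA addressing plan against the advice in the thread."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface

# Address pfBlockerNG uses for its virtual IP; a CARP VIP on it will conflict.
PFBLOCKER_VIP = ip_address("10.10.10.1")


@dataclass
class Member:
    name: str
    lan: str   # interface address with prefix, e.g. "172.16.120.1/24"
    wan: str


@dataclass
class Server:
    name: str
    address: str   # e.g. "172.16.120.2/24"
    gateway: str   # default gateway configured on the server


@dataclass
class Plan:
    members: list[Member]
    lan_vip: str
    wan_vip: str
    servers: list[Server]
    # addresses that inbound port forwards (NAT rules) are bound to
    port_forward_targets: list[str] = field(default_factory=list)


def check_plan(plan: Plan) -> list[str]:
    """Return findings; an empty list means the plan follows the thread's advice."""
    findings: list[str] = []
    lan_vip = ip_interface(plan.lan_vip)
    wan_vip = ip_interface(plan.wan_vip)
    lan_phys = [ip_interface(m.lan) for m in plan.members]
    wan_phys = [ip_interface(m.wan) for m in plan.members]

    # A VIP floats between the members, so it must share their subnet and not
    # duplicate either member's own interface address.
    for side, vip, phys in (("LAN", lan_vip, lan_phys), ("WAN", wan_vip, wan_phys)):
        for member, addr in zip(plan.members, phys):
            if addr.network != vip.network:
                findings.append(f"{side} VIP {vip.ip} is not in {member.name}'s subnet {addr.network}")
            if addr.ip == vip.ip:
                findings.append(f"{side} VIP {vip.ip} collides with {member.name}'s own address")
    if PFBLOCKER_VIP in (lan_vip.ip, wan_vip.ip):
        findings.append(f"VIP {PFBLOCKER_VIP} is the address pfBlockerNG uses; pick another")

    # Servers behind the pair must use the LAN CARP VIP, or traffic stops when
    # the member they point at goes away (or never passes, for a WAN address).
    lan_phys_ips = {a.ip for a in lan_phys}
    for srv in plan.servers:
        srv_if = ip_interface(srv.address)
        gw = ip_address(srv.gateway)
        if gw not in srv_if.network:
            findings.append(f"{srv.name}: gateway {gw} is not on its subnet {srv_if.network}")
        if gw == wan_vip.ip:
            findings.append(f"{srv.name}: gateway is the WAN VIP; use the LAN VIP {lan_vip.ip}")
        elif gw in lan_phys_ips:
            findings.append(f"{srv.name}: gateway {gw} is a member's physical address and "
                            f"will not fail over; use {lan_vip.ip}")
        elif gw != lan_vip.ip:
            findings.append(f"{srv.name}: gateway {gw} is not the LAN VIP {lan_vip.ip}")

    # Inbound port forwards only survive a failover if they listen on the WAN VIP.
    for target in plan.port_forward_targets:
        if ip_address(target) != wan_vip.ip:
            findings.append(f"port forward bound to {target} instead of the WAN VIP {wan_vip.ip}")
    return findings


def thread_plan() -> Plan:
    """Constructed from the addresses quoted in the thread; WAN member addresses
    and the port-forward binding are assumptions."""
    return Plan(
        members=[Member("pf1", "172.16.120.1/24", "10.10.10.2/24"),
                 Member("pf2", "172.16.120.3/24", "10.10.10.3/24")],
        lan_vip="172.16.120.6/24",
        wan_vip="10.10.10.1/24",
        servers=[Server("web1", "172.16.120.2/24", "10.10.10.1"),     # gateway = WAN VIP
                 Server("web2", "172.16.120.4/24", "172.16.120.1")],  # gateway = pf1 itself
        port_forward_targets=["10.10.10.2"],
    )


def corrected_plan() -> Plan:
    """The .1/.2/.3 layout the moderator describes; public side uses a documentation range."""
    return Plan(
        members=[Member("pf1", "172.16.120.1/24", "203.0.113.1/24"),
                 Member("pf2", "172.16.120.2/24", "203.0.113.2/24")],
        lan_vip="172.16.120.3/24",
        wan_vip="203.0.113.3/24",
        servers=[Server("web1", "172.16.120.10/24", "172.16.120.3"),
                 Server("web2", "172.16.120.11/24", "172.16.120.3")],
        port_forward_targets=["203.0.113.3"],
    )


if __name__ == "__main__":
    for label, plan in (("as posted", thread_plan()), ("corrected", corrected_plan())):
        print(f"== {label} ==")
        for line in check_plan(plan) or ["no findings"]:
            print("  " + line)
```

Running it prints five findings for the plan as posted (the pfBlockerNG collision, web1 pointing off-subnet at the WAN VIP, web2 pinned to pf1's physical address, and the port forward bound to a member address) and none for the corrected layout.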

