HA Dual-WAN Issues with Packet Loss

    I'm working with a client that needs/wants dual-WAN and HA. I have configured WAN1 on both pfSense firewalls, and the VIP address seems to be working okay. The second WAN (WAN2) is a cable internet connection. We have 3 static IP addresses just as we do on the WAN1 (Fiber) connection.

    I cannot seem to be able to get the WAN2 to work at all. When I configure a physical interface with a static IP on each firewall, and then set up the VIP, all I get is packet loss and no usable internet. When I just plug the modem straight into one firewall or into my computer with the same static IP addresses I have a perfect connection. I have swapped modems for a router/combo just in case I could see the ARP table a little more clearly, but that did me no good. I've tried all kinds of ways to connect this to no avail. I now have another pfSense box that is 'routing' traffic for the other interfaces. It worked okay on one interface until it just didn't. Worked for about 10 min (no VIP unfortunately) on the physical WAN2, but then it just stopped and now I get nothing out of either interface or the VIP. I'm banging my head against the proverbial spike because I just don't know what is going on...ANY...I MEAN ANY help is more than appreciated....

    It's possible your cable provider is not compatible with CARP. They may not be properly delivering traffic to the CARP MAC, or they may not like how the systems use multicast, or they may not like how ARP responses are handled. It wouldn't be the first time we have seen a provider fail to work with it.
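    To check the first possibility in this reply, here is an added example that is not part of the thread: a Python script that parses `tcpdump -e -n` style output captured on the WAN2 interface and reports which destination MAC the upstream used for traffic addressed to the CARP VIP. CARP's virtual MAC is 00:00:5e:00:01:<VHID>, so VIP traffic arriving on the interface's physical MAC instead indicates the provider is not honoring ARP for the VIP. The capture lines, VHID 5, the documentation IP addresses and the WAN2 MAC are all constructed for the example.

```python
import re

# Ethernet header as printed by `tcpdump -e -n`: "<ts> <src mac> > <dst mac>, ethertype ...: <sip> > <dip>"
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype \w+"
    r".*?: (?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dip>\d+\.\d+\.\d+\.\d+)"
)

def carp_mac(vhid: int) -> str:
    """CARP virtual MAC for a VHID: 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"

def audit_vip_frames(lines, vip, vhid, phys_mac):
    """Count frames addressed to the VIP, keyed by the destination MAC the upstream used."""
    vmac = carp_mac(vhid)
    counts = {"carp_mac": 0, "phys_mac": 0, "other_mac": 0}
    for line in lines:
        m = FRAME_RE.match(line)
        if not m or m.group("dip") != vip:
            continue  # ARP, CARP advertisements, traffic to the interface IP, etc.
        dmac = m.group("dmac").lower()
        if dmac == vmac:
            counts["carp_mac"] += 1
        elif dmac == phys_mac.lower():
            counts["phys_mac"] += 1
        else:
            counts["other_mac"] += 1
    return counts

def verdict(counts):
    if counts["phys_mac"]:
        return "upstream is sending VIP traffic to a physical MAC (stale or ignored ARP for the VIP)"
    if counts["carp_mac"]:
        return "upstream delivers VIP traffic to the CARP MAC"
    return "no VIP traffic seen; check whether the upstream ARPs for the VIP at all"

# Constructed capture (documentation addresses; VHID 5; hypothetical WAN2 MAC 02:00:00:00:bb:02).
SAMPLE = """\
10:00:01.000001 02:00:00:00:aa:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.10 tell 203.0.113.1, length 46
10:00:01.000002 02:00:00:00:aa:01 > 00:00:5e:00:01:05, ethertype IPv4 (0x0800), length 98: 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 1, seq 1, length 64
10:00:01.000003 02:00:00:00:aa:01 > 02:00:00:00:bb:02, ethertype IPv4 (0x0800), length 98: 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 1, seq 2, length 64
10:00:01.000004 02:00:00:00:aa:01 > 02:00:00:00:bb:02, ethertype IPv4 (0x0800), length 74: 198.51.100.7.443 > 203.0.113.10.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
10:00:01.000005 02:00:00:00:bb:02 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: 203.0.113.10 > 224.0.0.18: CARPv2-advertise 36: vhid=5 advbase=1 advskew=0
""".splitlines()
```

Run `verdict(audit_vip_frames(SAMPLE, "203.0.113.10", 5, "02:00:00:00:bb:02"))` on a real capture of the cable-facing interface during the packet loss; a mix of CARP-MAC and physical-MAC deliveries for the same VIP is the signature of the provider ignoring or caching a stale ARP entry.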

  • Yeah, that's kind of where I was at on the situation. I did though try to set up another pf box as a router. Correct me if I'm wrong, but my setup was this. I had the Modem plugged into a third pfSense box (Identical to the other 2), set to allow all traffic. OPT1 plugged into a switch where the other two FWs were plugged into as well. I set up a 1:1 NAT from the WAN static address to the VIP CARP Address which was accessible through OPT1NET. I thought this would for sure work because the pfSense box plugged into the modem would handle routing and NAT from the OPT1NET to the WANNET. Unfortunately while I did get traffic flowing normally for a few min, it shortly started having major packet loss just as before.

    Do you have any thoughts on how to make this work if I used the 3rd pfSense box as a router between the CARP VIP, and the HA cluster of pfSense FWs?

    I also need to failover a VPN tunnel as well if possible...I know it would work with a normal HA DUAL-WAN, just not sure if we start using a separate router for one WAN... 😩

    failover a VPN tunnel as well if possible

    IPsec or OpenVPN? And by failover that means from WAN1 to WAN2 or just from master node to slave node?