Carp with PPPOE/A (Long)



  • I've searched the forums and Professor Google and can't seem to find anything to help, so here goes:

    I have ADSL2+ being served by a Billion 7300 modem/router. I'm running it in bridged mode, which means that the PPPOE negotiation takes place on my pfsense firewall (1.2.3 pre). I recently 'upgraded' the pfsense box to be a VM running under VMware ESX (I have a two node cluster). I changed the NICs to be e1000 and it works beautifully. I'm very happy with the performance and flexibility and don't think I'll go back to a physical firewall anytime soon. So I got to thinking... maybe I should clone the VM and create another firewall so that I can have firewall redundancy.

    Here is a little bit of background....

    Way back in 2004 I had a similar setup with a couple of Soekris boxes running OpenBSD. I had CARP working beautifully on the WAN, LAN and DMZ legs of the firewalls. Back then I had what was known as a 'bridged Ethernet' ADSL service. This was effectively Ethernet coming out of the wall socket. No PPPOE/A. This allowed me to set up the WAN VIP to be my public static WAN IP assigned by my ISP. These types of connections must have been rare because I remember the ISPs all trying to entice people to move away from their 'bridged-Ethernet' connections to PPPOE/A. I eventually gave in and reverted to a regular PPPOE/A connection. I then sold the Soekris boxes and went with a single, dedicated pfsense firewall.

    So here I am today, wondering if I can still set up something similar in terms of CARP with a PPPOE/A connection?

    I've now cloned the original pfsense VM (pf1) and changed the clone (pf2) to have different IP addresses, and I'd like to give this whole thing a go. Interestingly, I neglected to disable the PPPOE settings for my WAN interface on pf2, yet it still successfully negotiates the PPPOE connection and it shows me that the link is up even though pf1 still has the WAN link active and my internet connection is working as usual. I can ping the ISP gateway from either pf1 or pf2, yet only pf1 can successfully send any other traffic over the link. I'm thinking that the ISP would have limited my sessions to 1 or something similar, and that might explain what is happening here. I need to test what happens with the link when the primary fails, e.g. can I then send traffic over the 'secondary' link.

    So my questions are:

    1. Does anyone run CARP with a PPPOE/A connection?
    2. Is there any way that I can selectively bring up the PPPOE/A link when a firewall becomes master? (ifstated?)
    3. Is there a smarter way to do this?

    I don't really want to run my modem as a router because then I'll lose visibility of my /29 address range from the pfsense boxes.

    Any ideas, thoughts?

    Cheers,

    Bards.



  • Anyone?

    I've since confirmed that powering off the primary firewall allows traffic to flow from the secondary to the 'net... I suppose I could 'CARP' the LAN and DMZ legs and leave both WAN interfaces with the PPPOE session running. Then in the event of the active firewall disappearing, the second should take over the VIPs for LAN and DMZ and it should work. It probably depends a lot on exactly how the primary firewall disappears!



  • AFAIK you cannot run CARP on PPPoE/A.

    The nature of a PPPoE/A WAN is that you have a /32 IP.
    Since the CARP IP has to be in the same subnet as the main WAN, this obviously does not work.



  • Cool.

    So I may have to run my ADSL modem/router as a router and pass all traffic through. I wonder if I can do this without NAT, to preserve destination addresses and ports, to enable me to NAT on the pfsense boxes? I think I may have done it before, so I'll give it a go.

    Cheers.



  • OK. I got it working.

    Basically, I turned the modem into a router running PPPOE rather than running bridged mode. Disabled NAT, added a static route for my public subnet and pointed the route at my CARP VIP for the WAN interface. Works well.

    Forgot to mention that, as others have already noted, I had to enable promiscuous mode on the ESX virtual switches before CARP would work.
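The two designs discussed in this thread (PPPoE terminated on each firewall versus the modem routing and sending the public block to the WAN VIP) can be sanity-checked with a small script. This is an added example, not code from any poster or from pfSense; the addresses are constructed documentation-range values, and the checks encode only the subnet rule stated above.

```python
# Added example (not from the thread): sanity-check a CARP WAN design of the
# kind described above, using only the Python standard library.
import ipaddress
from dataclasses import dataclass


@dataclass
class Design:
    name: str
    fw1_wan: str        # firewall 1 WAN address with prefix, e.g. "192.168.100.2/29"
    fw2_wan: str        # firewall 2 WAN address with prefix
    carp_vip: str       # shared WAN VIP with prefix
    modem_lan: str      # modem's LAN-side address (the firewalls' upstream gateway)
    routed_subnet: str  # public block the modem routes towards the VIP


def check_design(d: Design) -> list[str]:
    """Return a list of problems; an empty list means the design is workable."""
    problems = []
    fw1 = ipaddress.ip_interface(d.fw1_wan)
    fw2 = ipaddress.ip_interface(d.fw2_wan)
    vip = ipaddress.ip_interface(d.carp_vip)
    modem = ipaddress.ip_address(d.modem_lan)
    ipaddress.ip_network(d.routed_subnet)  # raises ValueError if not a clean block

    # Rule from the thread: the VIP must sit in the same subnet as the real WAN
    # addresses. A PPPoE /32 has no room for a second host, let alone a VIP.
    for label, iface in (("fw1", fw1), ("fw2", fw2)):
        if iface.network.prefixlen == 32:
            problems.append(f"{label} WAN is a /32 (PPPoE-style); no room for a VIP")
        elif vip.ip not in iface.network:
            problems.append(f"VIP {vip.ip} is not in {label}'s WAN subnet {iface.network}")
    if vip.ip in (fw1.ip, fw2.ip):
        problems.append("VIP must differ from both real WAN addresses")
    if fw1.ip == fw2.ip:
        problems.append("fw1 and fw2 WAN addresses collide")
    # The modem's static route uses the VIP as next hop, so the VIP must be
    # on-link from the modem's LAN side.
    if modem not in vip.network:
        problems.append(f"modem {modem} cannot reach VIP {vip.ip} directly")
    return problems


# Constructed sample values (RFC 5737 / RFC 1918 ranges), not the poster's addresses.
PPPOE_BRIDGED = Design("modem bridged, PPPoE on each firewall",
                       "203.0.113.10/32", "203.0.113.11/32", "203.0.113.12/32",
                       "203.0.113.1", "198.51.100.8/29")
MODEM_ROUTED = Design("modem routing PPPoE, private transfer subnet",
                      "192.168.100.2/29", "192.168.100.3/29", "192.168.100.4/29",
                      "192.168.100.1", "198.51.100.8/29")

if __name__ == "__main__":
    for design in (PPPOE_BRIDGED, MODEM_ROUTED):
        print(design.name, "->", check_design(design) or "OK")
```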



  • bards1888,

    May I know more about your successful configuration?

    Say the WAN IP addresses of fw1 & fw2? Is the PPPoE using a dynamic / static IP?

    Many Thanks
    Alpha

