Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    VIPs not responding to clients

    HA/CARP/VIPs
    3
    4
    111
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      Goneill last edited by

      I'm new to PfSense, and am going crazy trying to get VIPs working.

      I have two firewalls, in a lab environment. The primary one has WAN IP of 200.1.2.1/24 and LAN IP of 192.168.100.1/24. The secondary one has WAN IP of 200.1.2.2/24 and LAN IP of 192.168.100.2/24. They also have SYNC interfaces of 10.1.1.1/30 and 10.1.1.2/30 respectively.

      I have CARP set up and working for Master/Backup HA, and all that is syncing perfectly on the SYNC interfaces.

      I have created CARP VIPs for the WAN (of 200.1.2.254/24, vhid2) and LAN (of 192.168.100.254/24, vhid1). They are also syncing from Master to Backup.

      Whichever firewall is the master at any given time can ping the VIPs (192.168.100.254 and 200.1.2.254), but the backup firewall cannot (I'm not sure whether that is normal behaviour)

      All client devices on either the WAN or LAN networks can ping the primary interfaces of each firewall (192.168.100.1, 192.168.100.2, 200.1.2.1, 200.1.2.2) but cannot ping either of the VIPs. If I check the ARP table on the clients however I can see that they have successfully resolved the MAC address of their respective local VIP.

      To rule out any firewall rules being the issue I currently have the LAN and WAN rules set to permit any protocol, from any source, to any destination (it's a lab environment to there's no danger there).

      Is anyone able to assist me in identifying why the clients can communicate the with firewalls on their primary addresses, but not on the VIP addresses?

      1 Reply Last reply Reply Quote 0
      • Rico
        Rico LAYER 8 Rebel Alliance last edited by

        I'd recheck all settings gradually with the documentation: https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html
        Did you watch the great HA hangout from Jim? https://www.netgate.com/resources/videos/high-availability-on-pfsense-24.html

        -Rico

        2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

        1 Reply Last reply Reply Quote 0
        • Derelict
          Derelict LAYER 8 Netgate last edited by

          Almost always a problem with the switches.

          Apply typical troubleshooting techniques. ARP, packet captures, etc.

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • G
            Goneill last edited by

            OK, so I didn’t manage to work out what was specifically causing the problem. I was using a relatively old version of pfsense (2.3.3). I downloaded the latest version and redid the setup from scratch, and it just worked!

            1 Reply Last reply Reply Quote 1
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy