CARP Backup UI not available



  • Hi,

    I have two XG-7100 with CARP configured. The CARP interface is a dedicated copper cable; LAN and WAN are over IX interfaces. Both firewalls are connected to two different switches. Please check the graphic for details.

    The LAN Interface has 10.0.1.0/24
    CARP: 10.0.1.1
    Primary Firewall: 10.0.1.2
    Backup Firewall: 10.0.1.3

    Also I have two IPSEC site2site connections: one to my office, one to my other datacenter. OpenVPN is also configured for my mobile clients.

    Now I have the problem that the Backup-Firewall's Web UI is not accessible from the IPSEC VPN tunnels AND from local clients. With OpenVPN I can access the second one.

    This is what a tracert looks like from a windows server inside the LAN Network:

    Tracing route to 10.0.1.2 over a maximum of 30 hops
    1 <1 ms <1 ms <1 ms 10.0.1.2
    Trace complete.

    Tracing route to 10.0.1.3 over a maximum of 30 hops
    1 <1 ms <1 ms <1 ms 10.0.1.2
    2 * * * Request timed out.
    3 * * * Request timed out.
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 *


    Any idea what is missing?



  • @jokabo said in CARP Backup UI not available:

    so I have two IPSEC site2site connections: one to my office, one to my other datacenter. OpenVPN is also configured for my mobile clients.
    Now I have the problem that the Backup-Firewall's Web UI is not accessible from the IPSEC VPN tunnels AND from local clients. With OpenVPN I can access the second one.
    This is what a tracert looks like from a windows server inside the LAN Network:
    Tracing route to 10.0.1.2 over a maximum of 30 hops
    1 <1 ms <1 ms <1 ms 10.0.1.2
    Trace complete.
    Tracing route to 10.0.1.3 over a maximum of 30 hops
    1 <1 ms <1 ms <1 ms 10.0.1.2
    2 * * * Request timed out.
    3 * * * Request timed out.
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 *

    @jokabo, Just to be sure, what do you mean by CARP interface? Is this used for the synchronization of HA? In that case, it is the PFSYNC interface, which should not be set up as CARP.

    I would recommend setting up HA first and checking that settings are replicated before setting up CARP shared interfaces.

    From your network drawing, I would recommend connecting the router to switch 2 as well (using the correct load balancing/failover protocols).

    Volbaard has an excellent walkthrough setting up HA with CARP.

    regards
    Niels


  • LAYER 8 Netgate



  • @Derelict thanks - that's what I was looking for.

    But I still have some trouble.

    One more piece of information:
    In the datacenter I have two pfSense firewalls with CARP. In my office I just have one firewall which is connected.

    If I understand right, I have to set up the manual NAT outbound rule on the office firewall, where the traffic is being generated, right?

    Here is the status of the Site2Site VPN (from Office):

    Here is the status of the Site2Site VPN (From Datacenter):

    And here my NAT Outbound Rule (From Office):

    Any idea why it's still not working? What is the problem?


  • No. You set up outbound NAT on the inside interface of the HA pair. You need connections to the backup node to appear as they are coming from the master node's inside interface. That way reply traffic is same-subnet so it will be routed correctly.

    This should be configured in both directions since you might want to access the primary while the secondary is master.
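    To make the rule in the reply above concrete, here is an added example (not from the thread or from pfSense itself) in FreeBSD pf.conf syntax, which is what pfSense generates from Firewall > NAT > Outbound in Hybrid or Manual mode; the thread's addresses are used, while the `lan` interface name and the remote network ranges in `<remote_nets>` are assumed placeholders.

```pf
# Added example: manual outbound NAT so each HA node's GUI stays reachable
# from remote (IPsec / office) networks. Addresses from the thread:
#   CARP VIP 10.0.1.1, primary 10.0.1.2, backup 10.0.1.3 on LAN 10.0.1.0/24
# Assumed: LAN interface name and the remote networks in the table.
lan = "ix0"                                        # assumed LAN interface
table <remote_nets> { 192.0.2.0/24, 198.51.100.0/24 }   # assumed office + DC2 LANs

# --- On the PRIMARY node (10.0.1.2, normally CARP master) ---
# Problem: a packet from the office arrives via the IPsec tunnel on the
# master and is delivered to 10.0.1.3. The backup does not own that tunnel,
# so its reply follows its own default route and never comes back encrypted
# (asymmetric path, seen as "Request timed out" in the traceroute).
# Fix: rewrite the source to the master's LAN address. The backup then
# replies to 10.0.1.2 on the same subnet; the master un-NATs the reply and
# sends it back through the tunnel it owns.
nat on $lan from <remote_nets> to 10.0.1.3 -> 10.0.1.2

# --- On the BACKUP node (10.0.1.3) ---
# Mirror rule so the primary stays reachable while the backup is master.
nat on $lan from <remote_nets> to 10.0.1.2 -> 10.0.1.3

# Checks after the rules are loaded (run on the current master):
#   pfctl -sn | grep 10.0.1.3     # the NAT rule is present
#   pfctl -ss | grep 10.0.1.3     # a state with the translated source exists
#                                 # while a remote client loads the backup GUI
```

    In pfSense these rules are entered through the GUI rather than written into pf.conf by hand; the fragment only shows what the resulting rule means.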

