Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    CARP Backup UI not available

    HA/CARP/VIPs
    3
    5
    108
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jokabo last edited by

      Hi,

      I have two XG-7100 with CARP configured. The CARP interface is a dedicated copper cable, LAN and WAN is over IX Interfaces. Both firewalls are connected two a different switches. Please check the graphic for details.

      The LAN Interface has 10.0.1.0/24
      CARP: 10.0.1.1
      Primary Firewall: 10.0.1.2
      Backup Firewall: 10.0.1.3

      Also I have two IPSEC site2site connections: one to my office, one to my other datacenter. OpenVPN is also configured for my mobile clients.

      Now I have the problem that the Backup-Firewall's Web UI is not accessable from the IPSEC VPN Tunnels AND from local clients. With OpenVPN I can access the second one.

      This is what a tracert looks like from a windows server inside the LAN Network:

      Tracing route to 10.0.1.2 over a maximum of 30 hops
      1 <1 ms <1 ms <1 ms 10.0.1.2
      Trace complete.

      Tracing route to 10.0.1.3 over a maximum of 30 hops
      1 <1 ms <1 ms <1 ms 10.0.1.2
      2 * * * Request timed out.
      3 * * * Request timed out.
      4 * * * Request timed out.
      5 * * * Request timed out.
      6 * * * Request timed out.
      7 *

      6ed34a16-ac82-425b-a3ec-d78a5f660d35-image.png

      Any idea what is missing?

      1 Reply Last reply Reply Quote 0
      • N
        npiersma last edited by

        @jokabo said in CARP Backup UI not available:

        so I have two IPSEC site2site connections: one to my office, one to my other datacenter. OpenVPN is also configured for my mobile clients.
        Now I have the problem that the Backup-Firewall's Web UI is not accessable from the IPSEC VPN Tunnels AND from local clients. With OpenVPN I can access the second one.
        This is what a tracert looks like from a windows server inside the LAN Network:
        Tracing route to 10.0.1.2 over a maximum of 30 hops
        1 <1 ms <1 ms <1 ms 10.0.1.2
        Trace complete.
        Tracing route to 10.0.1.3 over a maximum of 30 hops
        1 <1 ms <1 ms <1 ms 10.0.1.2
        2 * * * Request timed out.
        3 * * * Request timed out.
        4 * * * Request timed out.
        5 * * * Request timed out.
        6 * * * Request timed out.
        7 *

        @jokabo, Just to be sure, what do you mean by CARP interface? Is this used for the synchronization of HA? In that case, it is the PFSYNC interface, which should not be set up as CARP.

        I would recommend to set up HA first, check that settings are replicated before setting up CARP shared interfaces.

        From your network drawing; I would recommend connecting the router to switch 2 as well (using the correct load balancing/failover protocols).

        Volbaard has an excellent walkthrough setting up HA with CARP.

        regards
        Niels

        1 Reply Last reply Reply Quote 1
        • Derelict
          Derelict LAYER 8 Netgate last edited by

          https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          J 1 Reply Last reply Reply Quote 1
          • J
            jokabo @Derelict last edited by

            @Derelict thanks - that's what I was looking for.

            But I still have some trouble.

            One more information:
            In the Datacenter I have two pfSense Firewalls with CARP. In my office I just have one firewall wich is connected.

            As I unserstand right, I have to setup the manual NAT Outbound rule on the Office Firewall, where the traffic is beeing generated, right?

            Here is the status of the Site2Site VPN (from Office):
            8ce5f50e-f73b-4e11-a512-21cfdc05fd92-image.png

            Here is the status of the Site2Site VPN (From Datacenter):
            0d817f2f-34d6-43c5-a82f-4ba0534e68aa-image.png

            And here my NAT Outbound Rule (From Office):
            be19b97d-b128-4fca-b624-9ca1609e76f4-image.png

            Any idea why it's still not working? What is the problem?

            1 Reply Last reply Reply Quote 0
            • Derelict
              Derelict LAYER 8 Netgate last edited by

              No. You set up outbound NAT on the inside interface of the HA pair. You need connections to the backup node to appear as they are coming from the master node's inside interface. That way reply traffic is same-subnet so it will be routed correctly.

              This should be configured in both directions since you might want to access the primary while the secondary is master.

              Chattanooga, Tennessee, USA
              The pfSense Book is free of charge!
              DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • First post
                Last post