Netgate Discussion Forum
    CARP Backup UI not available

    Category: HA/CARP/VIPs
    5 Posts 3 Posters 661 Views
      jokabo

      Hi,

      I have two XG-7100 with CARP configured. The CARP interface is a dedicated copper cable; LAN and WAN are over IX interfaces. Both firewalls are connected to two different switches. Please check the graphic for details.

      The LAN Interface has 10.0.1.0/24
      CARP: 10.0.1.1
      Primary Firewall: 10.0.1.2
      Backup Firewall: 10.0.1.3

      Also I have two IPSEC site2site connections: one to my office, one to my other datacenter. OpenVPN is also configured for my mobile clients.

      Now I have the problem that the Backup-Firewall's Web UI is not accessible from the IPSEC VPN tunnels AND from local clients. With OpenVPN I can access the second one.

      This is what a tracert looks like from a windows server inside the LAN Network:

      Tracing route to 10.0.1.2 over a maximum of 30 hops
      1 <1 ms <1 ms <1 ms 10.0.1.2
      Trace complete.

      Tracing route to 10.0.1.3 over a maximum of 30 hops
      1 <1 ms <1 ms <1 ms 10.0.1.2
      2 * * * Request timed out.
      3 * * * Request timed out.
      4 * * * Request timed out.
      5 * * * Request timed out.
      6 * * * Request timed out.
      7 *

      [image: network diagram]

      Any idea what is missing?

        npiersma

        @jokabo said in CARP Backup UI not available:

        so I have two IPSEC site2site connections: one to my office, one to my other datacenter. OpenVPN is also configured for my mobile clients.
        Now I have the problem that the Backup-Firewall's Web UI is not accessible from the IPSEC VPN tunnels AND from local clients. With OpenVPN I can access the second one.
        This is what a tracert looks like from a windows server inside the LAN Network:
        Tracing route to 10.0.1.2 over a maximum of 30 hops
        1 <1 ms <1 ms <1 ms 10.0.1.2
        Trace complete.
        Tracing route to 10.0.1.3 over a maximum of 30 hops
        1 <1 ms <1 ms <1 ms 10.0.1.2
        2 * * * Request timed out.
        3 * * * Request timed out.
        4 * * * Request timed out.
        5 * * * Request timed out.
        6 * * * Request timed out.
        7 *

        @jokabo, just to be sure, what do you mean by CARP interface? Is this used for the synchronization of HA? In that case, it is the PFSYNC interface, which should not be set up as CARP.

        I would recommend setting up HA first and checking that settings are replicated before setting up CARP shared interfaces.

        From your network drawing, I would recommend connecting the router to switch 2 as well (using the correct load balancing/failover protocols).

        Volbaard has an excellent walkthrough setting up HA with CARP.

        regards
        Niels

          Derelict (LAYER 8, Netgate)

          https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            jokabo @Derelict

            @Derelict thanks - that's what I was looking for.

            But I still have some trouble.

            One more information:
            In the datacenter I have two pfSense firewalls with CARP. In my office I just have one firewall, which is connected.

            If I understand correctly, I have to set up the manual NAT outbound rule on the office firewall, where the traffic is being generated, right?

            Here is the status of the Site2Site VPN (from Office):
            [image: Site2Site VPN status from Office]

            Here is the status of the Site2Site VPN (From Datacenter):
            [image: Site2Site VPN status from Datacenter]

            And here my NAT Outbound Rule (From Office):
            [image: NAT Outbound rule from Office]

            Any idea why it's still not working? What is the problem?

              Derelict (LAYER 8, Netgate)

              No. You set up outbound NAT on the inside interface of the HA pair. You need connections to the backup node to appear as if they are coming from the master node's inside interface. That way reply traffic is same-subnet, so it will be routed correctly.

              This should be configured in both directions since you might want to access the primary while the secondary is master.


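The reply-path problem Derelict describes can be traced through with a small routing model. The following is an added example, not code from the thread or from pfSense: it models the master and backup node as two routing tables, applies an outbound NAT rule on the master's LAN interface, and shows where the backup's reply goes with and without that rule. The datacenter addresses (10.0.1.1 CARP VIP, 10.0.1.2 master, 10.0.1.3 backup) are the thread's own; the office LAN 192.168.10.0/24 and client 192.168.10.50 are constructed for the example, and the `lan`/`ipsec`/`wan` egress labels are a simplification of pf's real forwarding.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Addresses from the thread.
CARP_VIP = "10.0.1.1"
MASTER_LAN = "10.0.1.2"
BACKUP_LAN = "10.0.1.3"
DC_LAN = ip_network("10.0.1.0/24")

# Constructed for this example: the remote office behind the IPsec site-to-site tunnel.
OFFICE_LAN = ip_network("192.168.10.0/24")
OFFICE_CLIENT = "192.168.10.50"
DEFAULT = ip_network("0.0.0.0/0")


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Router:
    """Minimal forwarding model: longest-prefix match returning an egress label."""
    name: str
    routes: dict                      # ip_network -> "lan" | "ipsec" | "wan"
    nat_rule: bool = False            # outbound NAT on the LAN interface (master only)
    nat_state: dict = field(default_factory=dict)  # (translated_src, dst) -> original src

    def egress(self, dst: str) -> str:
        matches = [(n.prefixlen, via) for n, via in self.routes.items() if ip_address(dst) in n]
        return max(matches)[1]

    def forward_out_lan(self, pkt: Packet) -> Packet:
        """Outbound NAT on LAN: traffic from outside the LAN subnet gets this node's LAN address as source."""
        if self.nat_rule and ip_address(pkt.src) not in DC_LAN:
            self.nat_state[(MASTER_LAN, pkt.dst)] = pkt.src   # remember the mapping for the reply
            return Packet(src=MASTER_LAN, dst=pkt.dst)
        return pkt

    def undo_nat(self, reply: Packet) -> Packet:
        """Reverse the translation when the backup's reply comes back to the LAN address."""
        original = self.nat_state.get((reply.dst, reply.src))
        return reply if original is None else Packet(src=reply.src, dst=original)


def simulate(nat_on_master: bool) -> dict:
    master = Router("master", {DC_LAN: "lan", OFFICE_LAN: "ipsec", DEFAULT: "wan"},
                    nat_rule=nat_on_master)
    # The backup has no route to the office: the tunnel terminates on the CARP VIP,
    # which the master currently holds, so only the master knows the remote subnet.
    backup = Router("backup", {DC_LAN: "lan", DEFAULT: "wan"})
    trace = []

    # 1. The request arrives on the master through the tunnel and is forwarded out LAN.
    request = master.forward_out_lan(Packet(OFFICE_CLIENT, BACKUP_LAN))
    trace.append(f"master forwards {request.src} -> {request.dst} out lan")

    # 2. The backup answers whatever source address it saw and routes the reply.
    reply = Packet(BACKUP_LAN, request.src)
    via = backup.egress(reply.dst)
    trace.append(f"backup sends {reply.src} -> {reply.dst} via {via}")
    if via != "lan":
        # Reply leaves through the backup's own WAN gateway: the office never sees it.
        return {"delivered": False, "backup_reply_dst": reply.dst, "backup_egress": via, "trace": trace}

    # 3. The master sees the reply on LAN, reverses the NAT and sends it down the tunnel.
    reply = master.undo_nat(reply)
    via = master.egress(reply.dst)
    trace.append(f"master forwards {reply.src} -> {reply.dst} via {via}")
    return {"delivered": via == "ipsec" and reply.dst == OFFICE_CLIENT,
            "backup_reply_dst": BACKUP_LAN and request.src, "backup_egress": "lan", "trace": trace}


if __name__ == "__main__":
    for enabled in (False, True):
        result = simulate(nat_on_master=enabled)
        print(f"outbound NAT on master LAN = {enabled}: delivered = {result['delivered']}")
        for line in result["trace"]:
            print("   ", line)
```

Without the rule the backup addresses its reply to 192.168.10.50, has no tunnel route for it, and pushes it out its WAN default gateway, which matches the timeouts in the traceroute. With the rule the backup only ever sees 10.0.1.2 as the source, answers on the connected subnet, and the master un-translates and returns the reply through the tunnel. As Derelict notes, the equivalent rule belongs on the backup's LAN interface too, so the same path works for reaching the primary while the secondary holds the VIP.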
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.