4. HA with a single public IP

HA with a single public IP


  • Hi,

    I have created a HA setup with CARP and wondered what does everyone else do with the gateway on the 2nd instance once you NAT traffic to the VIP that is on the Primary.

    My WAN interfaces both have RFC1918 addresses with a public IPv4 VIP which works fine after i setup NAT, however, the secondary box now reports gateway issues naturally. Is there a way around this?

    0
  • V

    Ignore it.

    To get internet access on the secondary for updating you can do a workaround. Add a gateway group with the WAN gateway as TIER 1 and the masters LAN IP as TIER 2 on the secondary box and then set this gateway group as default gateway.
    To prevent that this setting gets overwritten by XMLRPC sync you may have to uncheck the sync of static routes on the master. Keep this in mind when you make changes in System > Routing in the future.

    You may also do the same on master with the backup's LAN IP to get internet access while the secondary owns the CARP VIP.

    0
  • T

    Not sure I understand but we have one client with Comcast and for various reasons we ended up using the Comcast router LAN IP as the gateway on both, and have had no issues updating the second router. What gateway issues have you seen?

    The router WAN IP is in the Comcast private IP range, with public IPs set up as CARP. Oh, the Comcast is bridged...are you using a DMZ and NAT on the ISP router? That is probably an important difference. Comcast lets the private IPs connect out if the router is bridged.

    0

  • I've created a 2nd gateway to the primary unit and the routing seems all good, however when I try to ping 1.1.1.1 or any other public IP i only seem to be able to transmit 1 packet, the rest fail.

    Below are the firewall logs on the primary showing the traffic from the secondary pinging 1.1.1.1 however i only see 1 response come back to the secondary

    [2.4.5-RELEASE][admin@pfSense-Core-Sec]/root: ping 1.1.1.1
    PING 1.1.1.1 (1.1.1.1): 56 data bytes
    64 bytes from 1.1.1.1: icmp_seq=0 ttl=56 time=19.699 ms

    --- 1.1.1.1 ping statistics ---
    7 packets transmitted, 1 packets received, 85.7% packet loss
    round-trip min/avg/max/stddev = 19.699/19.699/19.699/0.000 ms

    Capture.PNG

    0
  • V

    Obviously you're not using the LAN network as I suggested. Seems you're missing an outbound NAT rule for the "Servers network".

    0 3 Replies

  • @viragomann Hi, 100.64.0.200 is my "wan/carp VIP" address, and yes there is an outbound NAT. I'm using one of my LAN networks.

    0

  • @viragomann Untitled.png

    0

  • @viragomann Untitled.png

    0
  • V

    Does the Outbound NAT screenshot show the primary?

    What is hided behind the Nat_Internal_OUT alias?

    0 1 Reply

  • @viragomann The outbound nat is the same on both as it NAT's to the VIP, and alias includes all the subnets of my LAN. Even with only allowing a single ping the secondary box is able to eventually do updates and what not so issue resolved for now. Thank you

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy