HA with a single public IP
-
Hi,
I have created a HA setup with CARP and wondered what does everyone else do with the gateway on the 2nd instance once you NAT traffic to the VIP that is on the Primary.
My WAN interfaces both have RFC1918 addresses with a public IPv4 VIP which works fine after i setup NAT, however, the secondary box now reports gateway issues naturally. Is there a way around this?
-
Ignore it.
To get internet access on the secondary for updating you can do a workaround. Add a gateway group with the WAN gateway as TIER 1 and the masters LAN IP as TIER 2 on the secondary box and then set this gateway group as default gateway.
To prevent that this setting gets overwritten by XMLRPC sync you may have to uncheck the sync of static routes on the master. Keep this in mind when you make changes in System > Routing in the future.You may also do the same on master with the backup's LAN IP to get internet access while the secondary owns the CARP VIP.
-
Not sure I understand but we have one client with Comcast and for various reasons we ended up using the Comcast router LAN IP as the gateway on both, and have had no issues updating the second router. What gateway issues have you seen?
The router WAN IP is in the Comcast private IP range, with public IPs set up as CARP. Oh, the Comcast is bridged...are you using a DMZ and NAT on the ISP router? That is probably an important difference. Comcast lets the private IPs connect out if the router is bridged.
-
I've created a 2nd gateway to the primary unit and the routing seems all good, however when I try to ping 1.1.1.1 or any other public IP i only seem to be able to transmit 1 packet, the rest fail.
Below are the firewall logs on the primary showing the traffic from the secondary pinging 1.1.1.1 however i only see 1 response come back to the secondary
[2.4.5-RELEASE][admin@pfSense-Core-Sec]/root: ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=56 time=19.699 ms--- 1.1.1.1 ping statistics ---
7 packets transmitted, 1 packets received, 85.7% packet loss
round-trip min/avg/max/stddev = 19.699/19.699/19.699/0.000 ms
-
Obviously you're not using the LAN network as I suggested. Seems you're missing an outbound NAT rule for the "Servers network".
-
@viragomann Hi, 100.64.0.200 is my "wan/carp VIP" address, and yes there is an outbound NAT. I'm using one of my LAN networks.
-
-
-
Does the Outbound NAT screenshot show the primary?
What is hided behind the Nat_Internal_OUT alias?
-
@viragomann The outbound nat is the same on both as it NAT's to the VIP, and alias includes all the subnets of my LAN. Even with only allowing a single ping the secondary box is able to eventually do updates and what not so issue resolved for now. Thank you
