setting up my first CARP example
-
i've been using pfsense since 2008, and it's so many years past due that i finally get to understand this configuration.
for my first example, i have 2 dell servers with identical nic configuration. what i have so far on both is:
em0 wan1
em1 wan2
bge0 lagg0
bge1 lagg0
lagg0.2557 (is my lan)
lagg0.1616 (is my carp)
so far, everything is working properly with synchronization. i've configured separate static IPs for each on wan1, wan2, 2557lan, and a VIP for each, and the VIPs move to the other node successfully during a failover test.
i have also created a NAT to a web server. so far i can only create a NAT that goes to the first VIP i created, but i created a 2nd VIP, and i am unable to set up a NAT for that one to the same web server.
i am pretty sure this has to do with the manual outbound settings, but i cannot find anything to read concerning anything about multiple WAN VIPs and NATs for different servers.
can anyone point me in the right direction, or know of any links i can read on a more advanced setup?
-
@jhorne said in setting up my first CARP example:
lagg0.1616 (is my carp)
I guess, you mean sync.
A CARP should be configured on each network segment.
so far i can only create a NAT that goes to the first VIP i created, but i created a 2nd VIP, and i am unable to setup a NAT for that one to the same web server.
1st VIP = wan1 VIP, 2nd VIP = wan2 VIP?
Which pfSense version?
-
@viragomann ah no, i didn't specify which vip to which interface.
i had created a 2nd VIP on wan1, so that wan1 could have multiple IPs, and the 2nd wan1-VIP was not working.
but, you did help me figure it out. when i removed the 2nd wan1-VIP and replaced it with an IP alias, in the drop down to specify which interface, lo and behold, the wan1-VIP ip was a choice. i picked that and re-used the same IP as first attempt (when i had 2 wan1-VIPs), and the NAT to the alternate IP worked, and failed over to the 2nd node when i rebooted the primary.
thanks!
-
@jhorne
As mentioned, on each WAN you have to set up a CARP VIP. This can then be used for any services like forwarding to an internal server later.
Additional virtual IPs on an interface have to be added as type IP alias by selecting the CARP VIP from the interface drop-down.
So if the primary firewall is going down, the VIP moves over to the secondary, cause it's hooking up on the CARP address.