difficulty setting up HA with dual wan
I have set up several examples of HA with single WAN, and everything works out right, no problems at all.
But I tried to create one that used a dual WAN, and it just goes nuts. Couldn't even ping the CARP VIP interfaces from LAN IPs (or ping through the routing logic to the external gateways either). The pfSense can ping anything on WAN, both gateways and beyond.
It feels like the wheels came off at the time when I set up the manual outbound NAT. Is there something different that must be done with manual outbound NAT when dual WAN is involved? Or is it the exact same process as setting manual outbound NAT when a single WAN is in use, just doing it double?
I had to roll everything back to the non-HA config, so I can't look at anything at the moment and re-check config, but if anyone has set up a dual-WAN HA and has any tips or anecdotes about challenges and resolutions, I'd be interested in hearing it.
KOM
@jhorne Have you gone through the Netgate docs?
@kom Over and over. It just says "just like single WAN" on the NAT section, without being specific about what you're doing, unlike the single-WAN document, which is specific about exactly what to do with the outbound NAT.
So I set all the primary_wan NATs and then the secondary_wan NATs, but it came down to I couldn't reach the VIPs (but they were all green CARP status, and all orange on the 2nd node). It looked like everything should have been working, but it was definitely not.
KOM
@jhorne I had a look at the docs and I believe they mean that you should edit the outbound NATs on the primary node just like you would if you only had one WAN. Edit both WAN and WAN2 (or whatever you called it) rules and change the NAT Address from WAN1/2 to the Shared CARP VIP for Outbound NAT1/2. For example, using the Netgate docs recipe, you would edit the WAN outbound NAT rule and change the NAT Address from WAN Address to 198.51.100.200 and edit the WAN2 outbound NAT rule and change the NAT Address from WAN2 Address to 203.0.113.10.
@kom Yep, that is exactly the way I did it.
It doesn't make sense that there could be a relationship between setting the outbound NAT and not being able to reach the internal .1 addresses (CARP VIPs), but that's where my breakdown is.
The only other thing I can have a suspicion of is possibly the network infrastructure was holding the ARP of the .1 from when it was on a physical MAC address, and not the virtual MAC of the CARP VIP. The next time I re-try this I plan to flush the ARP cache.
I just wanted to check in with someone who has experience with dual-WAN HA and make sure I'm not off in left field here.
KOM
@jhorne Without you posting anything we can check, I can't offer any help. Multi-WAN CARP is essentially like in the docs: the same, just with entries for every WAN interface you have. But as I can't guess or use my crystal ball as to what your WANs are set up as and why and how, one can't point a finger at the problem.
But yes, like the docs tell you: if you have two WANs, the steps are the same for every WAN interface you bring into the mix. Have both nodes set up with their node IP and create a CARP VIP on it, then configure the outbound NAT portion for the second WAN like the first one (localhost to web with node IP, all others with your CARP VIP) and it's a go.
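As an added illustration of the two posts above (this checker is not from either poster, the Netgate docs, or pfSense itself), the script below models a dual-WAN HA pair and verifies the two things that go wrong most easily: that every CARP VIP actually sits in the subnet of the interface's node IPs (a VIP typo like the one at the end of this thread), and that each WAN's manual outbound NAT has a localhost rule using the node address while all other rules NAT to that WAN's own CARP VIP. The interface names, addresses and rule layout are constructed sample data loosely following the Netgate recipe addresses quoted earlier.

```python
import ipaddress

# Constructed sample modelled on the Netgate HA recipe addresses quoted above;
# the LAN CARP VIP deliberately carries a typo (10.0.1.1 instead of 10.0.0.1).
INTERFACES = {  # per-interface node IPs: (primary node, secondary node)
    "wan":  ("198.51.100.201/24", "198.51.100.202/24"),
    "wan2": ("203.0.113.11/24", "203.0.113.12/24"),
    "lan":  ("10.0.0.2/24", "10.0.0.3/24"),
}
CARP_VIPS = {"wan": "198.51.100.200/24", "wan2": "203.0.113.10/24", "lan": "10.0.1.1/24"}
OUTBOUND_NAT = [  # manual outbound NAT: one localhost rule + one LAN rule per WAN
    {"interface": "wan",  "source": "127.0.0.0/8", "target": "wan address"},
    {"interface": "wan",  "source": "10.0.0.0/24", "target": "198.51.100.200"},
    {"interface": "wan2", "source": "127.0.0.0/8", "target": "wan2 address"},
    {"interface": "wan2", "source": "10.0.0.0/24", "target": "203.0.113.10"},
]
WANS = ("wan", "wan2")

def check_ha_config(interfaces, vips, rules, wans=WANS):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    # 1. Every CARP VIP must share a subnet with both nodes' addresses on that interface.
    for ifname, (primary, secondary) in interfaces.items():
        vip = vips.get(ifname)
        if vip is None:
            findings.append(f"{ifname}: no CARP VIP defined")
            continue
        vip_net = ipaddress.ip_interface(vip).network
        for node_addr in (primary, secondary):
            if ipaddress.ip_interface(node_addr).network != vip_net:
                findings.append(f"{ifname}: VIP {vip} not in subnet of node IP {node_addr}")
    # 2. Each WAN needs a localhost rule using its own node address, and every other
    #    rule on that WAN must NAT to that WAN's CARP VIP (not the node IP and not the
    #    other WAN's VIP), otherwise states do not survive a failover.
    for wan in wans:
        wan_rules = [r for r in rules if r["interface"] == wan]
        expected_vip = str(ipaddress.ip_interface(vips[wan]).ip) if wan in vips else None
        if not any(r["source"] == "127.0.0.0/8" and r["target"] == f"{wan} address" for r in wan_rules):
            findings.append(f"{wan}: missing localhost rule targeting '{wan} address'")
        for r in wan_rules:
            if r["source"] == "127.0.0.0/8":
                continue
            if r["target"] != expected_vip:
                findings.append(f"{wan}: rule for {r['source']} targets {r['target']}, expected CARP VIP {expected_vip}")
    return findings

if __name__ == "__main__":
    for line in check_ha_config(INTERFACES, CARP_VIPS, OUTBOUND_NAT):
        print(line)
```

Run as-is it reports only the LAN VIP subnet mismatch; correcting the VIP to 10.0.0.1/24 makes the sample pass, and pointing a LAN rule at "wan address" instead of the VIP is flagged as well.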
So today, I reloaded the HA config in the last state I left off in before my last roll back, and it turns out my issues were being caused by some typos in my CARP VIPs. This caused me to be unable to ping the expected VIP, as well as AD login was failing to find the SD since the DC needed that .1 gateway to get back to the firewall.
All good now, everything was suddenly as expected when I fixed the 2 typos in my config.