High TCP Retransmits to HA Slave

MeCJay12

Hello! I have an HA pfSense setup; each node with it's own loopback IP (static route to slave over sync interface). I've noticed that the only ways for me to access the slave webUI is one of the following:

• Connect to OpenVPN first
• Add a NAT rule on the sync interface for the slave loopback IP
• Connect directly to the slave's local interface IP

What's the way to get slave node always accessible? Using interface IPs won't work with multiple interfaces since the "correct" IP will vary by source interface. The NAT rule has been what I've been using but it's very hacky. It seems to be that whenever I connect to the non-local interface IP there's an asymetric routing issue. For example, connecting from the LAN: Source -> (lan int) Master -> (sync int) Slave -> (lan int) Source.

viragomann

@mecjay12 said in High TCP Retransmits to HA Slave:

I have an HA pfSense setup; each node with it's own loopback IP (static route to slave over sync interface).

What? You should connect to the LAN IP or any other management interface.

To get this work from VPN, create an IP alias on the master and add the masters and the backups LAN IP to it.
Then add an outbound NAT rule to LAN interface, at source enter the VPN tunnel network, at destination the alias.

So this access subjects to the LAN firewall rules and it also works when the secondary takes over the master.

MeCJay12

@viragomann said in High TCP Retransmits to HA Slave:

You should connect to the LAN IP or any other management interface.

I am.

To get this work from VPN, create an IP alias on the master and add the masters and the backups LAN IP to it.
Then add an outbound NAT rule to LAN interface, at source enter the VPN tunnel network, at destination the alias.

This wouldn't this work. The IP alias would only ever point to the current master so I'd have to fail CARP to access the slave. This also isn't very scalable since you'd have to create the NAT rule for every interface I might connect from. It would be better just to leave my NAT rule now on the sync interface as that at least catches everything.

viragomann

@mecjay12 said in High TCP Retransmits to HA Slave:

The IP alias would only ever point to the current master so I'd have to fail CARP to access the slave.

The alias is only used in the outbound NAT rule. It is not for accessing the nodes.

This also isn't very scalable since you'd have to create the NAT rule for every interface I might connect from

??
Basically you should only connect to the WebConfigurator from LAN or another management interface as I stated above. Where do you want to connect from else?

You can access the masters by its LAN IP and the slave by its LAN IP. That's all I need at all.

MeCJay12

The alias is only used in the outbound NAT rule. It is not for accessing the nodes.

I understand. You mean Firewall Alias not Virtual IP Alias. This makes more sense now. The NAT hack I was talking about in the first comment is basically this. It works but it's hacky so I'm here looking for a better solution.

Anyways, I found a solution: I removed the loopback IPs and started using the LAN IPs. I then setup a gateway pointing to the LAN IP of the the master with gateway monitoring. I then setup a static route for 192.168.0.0/16 to the master's LAN IP. Since requests coming from OpenVPN are going out the LAN, the responses need to come back in the LAN.

viragomann

@mecjay12
This solution only works for the secondary, but you still not able to access the primary, when the secondary is the master and runs the OpenVPN server.

What I suggested works for both.