pfSense HA LAN Interfaces Only
- 
 @iptvcld said in pfSense HA LAN Interfaces Only:
 I ran a packet capture on the LAN (backup pf) and I see a few of these lines. IP 76.64.x.x is my WAN:
 10:54:16.598225 IP 76.64.x.x > 8.8.8.8: ICMP echo request, id 13920, seq 321, length 9
 Even if the WAN cable is disconnected??
 I was assuming that the WAN is offline, so it's not clear why it uses the WAN IP.
- 
 @viragomann That is correct, Sir; I do not have my WAN connected to my backup pf right now.
- 
 @iptvcld 
 Not clear what's wrong here.
 As a first step for troubleshooting you can remove the monitoring IP from the LAN gateway on the backup. Hence it should monitor the master's LAN address and the gateway state should come online.
 But I'm not sure if the failover will work after that.
- 
 @viragomann I ran a packet cap again and I am seeing those monitoring requests come in as well:
 11:14:31.073869 IP 8.8.8.8.853 > 192.168.2.81.17018: tcp 0
 11:14:31.073887 IP 76.64.x.x.11762 > 8.8.8.8.853: tcp 0
- 
 @viragomann When I remove the monitoring IP from the GW, yes, it puts the master LAN IP in there, and yes, it shows green and online, but no internet. Ah, I really hoped this would have worked out; it was such a nice idea to have.
- 
 @iptvcld said in pfSense HA LAN Interfaces Only:
 I ran a packet cap again and I am seeing those monitoring requests come in as well:
 11:14:31.073869 IP 8.8.8.8.853 > 192.168.2.81.17018: tcp 0
 11:14:31.073887 IP 76.64.x.x.11762 > 8.8.8.8.853: tcp 0
 So you're using 8.8.8.8 for DNS resolution as well.
 Possibly that's an issue when you've stated the WAN gateway in System > General Setup.
 However, when using this IP for gateway monitoring, pfSense will automatically add a static route and point it to the respective gateway. So there might be a conflict.
 As mentioned above, you can use any other public IP for gateway monitoring which responds to pings. It might be a good idea to use another IP. Also you should check System > Advanced > Miscellaneous > State Killing on Gateway Failure. For further testing you can set the WAN gateway as down manually on the backup.
- 
 @viragomann Correct; I am using 8.8.8.8 and 8.8.4.4 as DNS resolvers via System > Gateway. I have now changed my GW monitoring IP to 1.1.1.1 on the secondary pf. Also on the secondary pf I have placed a check under System > Advanced > Miscellaneous > State Killing on Gateway Failure. When I try to ping 8.8.8.8 from the secondary, I get this timeout:
 PING 8.8.8.8 (8.8.8.8): 56 data bytes
 92 bytes from 127.0.0.1: Time to live exceeded
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
  4  5  00 0054 263f   0 0000  01  01 0000 127.0.0.1  8.8.8.8
 92 bytes from 127.0.0.1: Time to live exceeded
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
  4  5  00 0054 b74f   0 0000  01  01 0000 127.0.0.1  8.8.8.8
 92 bytes from 127.0.0.1: Time to live exceeded
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
  4  5  00 0054 66ba   0 0000  01  01 0000 127.0.0.1  8.8.8.8
 --- 8.8.8.8 ping statistics ---
 3 packets transmitted, 0 packets received, 100.0% packet loss
 I have marked my PPPoE WAN as down on the 2nd pf as well.
 This is so bizarre..
 I also have just an open rule for LAN.
- 
 @iptvcld said in pfSense HA LAN Interfaces Only:
 When I try to ping 8.8.8.8 from the secondary, I get this timeout
 You cannot use 8.8.8.8 for troubleshooting, since you direct it to the WAN gateway.
 However, to get DNS resolution working on the secondary when the WAN cable is connected to the primary, you should set the gateway to "none" for all DNS servers in System > General Setup.
 I have now changed my GW monitoring IP to 1.1.1.1 on the secondary pf.
 So try to ping 1.1.1.1 while taking a capture on the LAN interface.
- 
 @viragomann My master pf DNS settings look like this
 and the secondary pf is the same.
 When I ping 1.1.1.1 on the secondary, the packet capture just gave this:
 12:57:15.477198 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 797, length 9
- 
 @iptvcld said in pfSense HA LAN Interfaces Only:
 When I ping 1.1.1.1 on the secondary, the packet capture just gave this:
 12:57:15.477198 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 797, length 9
 You should see the same on the master's LAN. Check that out, please.
- 
 @viragomann That's correct; I just ran a packet cap on the master LAN and then sent a 1.1.1.1 ping from the secondary pf:
 13:05:44.735976 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 1785, length 9
- 
 @iptvcld
 Well, so 1.1.1.1 is routed to the master's LAN address.
 Now, if you take a capture on the master's WAN, you should also see the ICMP packets to 1.1.1.1, but coming from the WAN IP.
 If that's not the case, either the firewall rule or the outbound NAT on the master might be failing somehow.
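The three-capture walk viragomann lays out above (backup LAN, then master LAN, then master WAN), as an added example that is not part of the thread and not pfSense code: a POSIX sh script that reads tcpdump -n text and reports, first, whether the backup's gateway-monitor probe shows up on the master's LAN at all, and second, whether it leaves the master's WAN with the WAN address as source, i.e. whether outbound NAT matched it. The capture lines embedded below are constructed from the ones posted in the thread; 76.64.1.2 is an assumed stand-in for the redacted 76.64.x.x WAN address, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): locate where the
# backup's ICMP gateway-monitor probe stops or loses its NAT translation by
# reading three tcpdump -n captures. All capture lines are constructed;
# 76.64.1.2 is an assumed stand-in for the redacted WAN address.

WAN_IP="76.64.1.2"            # assumption: stands in for 76.64.x.x
BACKUP_LAN_IP="192.168.2.81"  # backup pfSense LAN address from the thread
MONITOR_IP="1.1.1.1"          # gateway monitor IP chosen in the thread

# Print "<src> <icmp-id>" for every ICMP echo request to $1 found in tcpdump
# text on stdin. Line shape with -n and no ports:
#   <ts> IP <src> > <dst>: ICMP echo request, id <n>, seq <n>, length <n>
echo_requests() {
    awk -v dst="$1" '
        $2 == "IP" && $4 == ">" && $5 == (dst ":") && /ICMP echo request/ {
            sub(/,$/, "", $10)          # "18433," -> "18433"
            print $3, $10
        }'
}

# Sources of echo requests to the monitor IP that were NOT rewritten to the
# WAN address. On a master-WAN capture this must be empty; the backup's LAN
# address showing up here means outbound NAT did not match the probe.
untranslated_sources() {
    printf '%s\n' "$1" | echo_requests "$MONITOR_IP" |
        awk -v wan="$WAN_IP" '$1 != wan { print $1 }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Verdict for a master-WAN capture: nat-ok, nat-missing, or nothing seen.
nat_verdict() {
    reqs=$(printf '%s\n' "$1" | echo_requests "$MONITOR_IP")
    if [ -z "$reqs" ]; then
        echo "no-echo-request-seen"
    elif [ -z "$(untranslated_sources "$1")" ]; then
        echo "nat-ok"
    else
        echo "nat-missing"
    fi
}

# "yes" when every ICMP id the backup sent on its own LAN ($1) also appears in
# the master's LAN capture ($2), i.e. the probe is really routed to the master.
probe_reached_master() {
    sent=$(printf '%s\n' "$1" | echo_requests "$MONITOR_IP" |
           awk -v s="$BACKUP_LAN_IP" '$1 == s { print $2 }' | sort -u)
    if [ -z "$sent" ]; then
        echo "no"; return
    fi
    seen=$(printf '%s\n' "$2" | echo_requests "$MONITOR_IP" |
           awk '{ print $2 }' | sort -u)
    for id in $sent; do
        if ! printf '%s\n' "$seen" | grep -qx "$id"; then
            echo "no"; return
        fi
    done
    echo "yes"
}

# Constructed captures modelled on the lines posted in the thread.
BACKUP_LAN_CAP='12:57:15.477198 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 797, length 9'
MASTER_LAN_CAP='13:05:44.735976 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 1785, length 9'
# Master WAN as reported: the master's own ping is translated and answered,
# but the backup's probe leaves with its LAN source, i.e. untranslated.
MASTER_WAN_CAP='13:17:05.527815 IP 76.64.1.2 > 1.1.1.1: ICMP echo request, id 55322, seq 0, length 64
13:17:05.542715 IP 1.1.1.1 > 76.64.1.2: ICMP echo reply, id 55322, seq 0, length 64
13:17:05.562166 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 2400, length 9'
# What a matching outbound NAT rule would produce for the same probe.
MASTER_WAN_CAP_FIXED='13:17:05.562166 IP 76.64.1.2 > 1.1.1.1: ICMP echo request, id 18433, seq 2400, length 9
13:17:05.577001 IP 1.1.1.1 > 76.64.1.2: ICMP echo reply, id 18433, seq 2400, length 9'

main() {
    echo "probe reaches master LAN: $(probe_reached_master "$BACKUP_LAN_CAP" "$MASTER_LAN_CAP")"
    echo "master WAN, as captured:  $(nat_verdict "$MASTER_WAN_CAP") [untranslated: $(untranslated_sources "$MASTER_WAN_CAP")]"
    echo "master WAN, NAT working:  $(nat_verdict "$MASTER_WAN_CAP_FIXED")"
}
main
```

On a real pair, feed the functions with `tcpdump -ni <if> icmp and host 1.1.1.1` taken on each interface in turn (interface names are yours to fill in). A probe that reaches the master's LAN but leaves the WAN untranslated points at outbound NAT, so the next things to compare are the master's outbound NAT rules and `pfctl -ss | grep 1.1.1.1` on the master; `netstat -rn | grep 1.1.1.1` shows the host route pfSense adds for a gateway monitor IP, which is the conflict viragomann describes when the same address also serves as a DNS server.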
- 
 @viragomann Ran a packet cap on the master and I see this request 3 times:
 13:10:40.370864 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 18433, seq 2360, length 9
 It seems to be coming from the secondary pf LAN IP still and not the WAN IP. Outbound NAT on the master is this:
 And LAN rules:
- 
 @viragomann Ran it again and I see this:
 13:17:05.527815 IP 76.64.x.x > 1.1.1.1: ICMP echo request, id 55322, seq 0, length 64
 13:17:05.542715 IP 1.1.1.1 > 76.64.x.x: ICMP echo reply, id 55322, seq 0, length 64
 then
 13:17:05.562166 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 34782, seq 78, length 9
 PING 1.1.1.1 (1.1.1.1): 56 data bytes
 64 bytes from 1.1.1.1: icmp_seq=0 ttl=55 time=15.187 ms
 --- 1.1.1.1 ping statistics ---
 3 packets transmitted, 1 packets received, 66.7% packet loss
 round-trip min/avg/max/stddev = 15.187/15.187/15.187/0.000 ms
- 
 @viragomann Does this need to be unchecked under my WAN interface? 
 Block private networks and loopback addresses 
- 
 @iptvcld said in pfSense HA LAN Interfaces Only:
 Ran it again and I see this:
 13:17:05.527815 IP 76.64.x.x > 1.1.1.1: ICMP echo request, id 55322, seq 0, length 64
 13:17:05.542715 IP 1.1.1.1 > 76.64.x.x: ICMP echo reply, id 55322, seq 0, length 64
 then
 13:17:05.562166 IP 192.168.2.81 > 1.1.1.1: ICMP echo request, id 34782, seq 78, length 9
 PING 1.1.1.1 (1.1.1.1): 56 data bytes
 Strange! Check the master's state table and filter for 1.1.1.1 after pinging from the backup.
- 
 @iptvcld said in pfSense HA LAN Interfaces Only:
 @viragomann Does this need to be unchecked under my WAN interface?
 Block private networks and loopback addresses
 No, this is only for incoming packets. There is no need to allow private addresses on WAN.
- 
 @viragomann This is the state table after pinging from the 2nd:
- 
 @viragomann When I try to ping 1.0.0.1 from the 2nd, I get all fails:
 PING 1.0.0.1 (1.0.0.1): 56 data bytes
 92 bytes from 127.0.0.1: Time to live exceeded
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
  4  5  00 0054 ee77   0 0000  01  01 0000 127.0.0.1  1.0.0.1
 92 bytes from 127.0.0.1: Time to live exceeded
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
  4  5  00 0054 4453   0 0000  01  01 0000 127.0.0.1  1.0.0.1
 92 bytes from 127.0.0.1: Time to live exceeded
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
  4  5  00 0054 071e   0 0000  01  01 0000 127.0.0.1  1.0.0.1
 --- 1.0.0.1 ping statistics ---
 3 packets transmitted, 0 packets received, 100.0% packet loss
 And when I run this ping while doing a packet cap on the master LAN, I don't see the entries come over.