Multiple VLANs in HA config

nick.loenders

Re: Adding VLANs in HA Config
As in this previous post ( /topic/166871/adding-vlans-in-ha-config )
I also have 1 WAN, 1 LAN cable connected to a switch. But I have a LAN, VLAN2, VLAN3, and VLAN4. On the master Netgate it is all ok, but the VLANs are not synced to the 2nd Netgate.

I read something about adding a VIP for each VLAN, but I tried this and it did not help.
Can anyone help me out here?

I also am working from a remote location now and I can access Netgate-1 (master-firewall) to change things, but I am unable to access Netgate-2 to check if all is synced ok??

SteveITS

@nick-loenders said in Multiple VLANs in HA config:

working from a remote location now and I can access Netgate-1 (master-firewall) to change things, but I am unable to access Netgate-2

I can help with this part. We have set up a NAT forward from our office IP on the -1 router to redirect a port to -2's LAN IP:443.

Note if you use a hostname it may warn of a rebinding attack. See System/Admin/Alternate Hostnames.

dotdash

@nick-loenders
You treat a vlan interface like any other interface. Keep the OPTx and name consistent on both systems. You put an ip on the primary and on the seconday, and then add the vips. Make sure the switch ports are configured to carry the vlan.

nick.loenders

@dotdash Hi, the VLANs work fine, but they don't get synced to the second firewall.
I have this now:

But if I look on FW1 I see this:

But if I look on FW2 I only see this:

So where should I add/change what, so it does sync to the FW2 ?

nick.loenders

@steveits I added a NAT rule:

and a rule:

But it does not help?

nick.loenders

Anyone?

viragomann

@nick-loenders
The suggested outbound NAT rule has to be added to the LAN.
It's meant to access the secondary node via VPN. It is described in the docs here: Troubleshooting VPN Connectivity to a High Availability Secondary Node

Regarding the VLANs:
This behaves as regular interfaces. Means, you have to configure the VLAN on both nodes and assign different IP addresses to each.
Then on the primary go to Firewall > Virtual IPs and add a CARP VIP to each of the VLANs.

nick.loenders

@viragomann That document says nothing.

But I managed to get that to work.

for the VLANs, I created the VLANs manually on the FW2, and that seems to do the trick...
Stupid it does not sync them and all we need to add is a VIP.

But I still do have 1 fault , the VLAN4 is now primary on both devices ?

viragomann

@nick-loenders said in Multiple VLANs in HA config:

That document says nothing.

The document descripes what its title implies and is the solution to your additional question in your first post.

But I still do have 1 fault , the VLAN4 is now primary on both devices ?

This indicates that the involved interfaces of both nodes are not able to communicate. If the secondary does not get advertisements from the master on this VLAN, it switch over to master.
So ensure the VLAN is also properly configured on the switch.

nick.loenders

@viragomann said in Multiple VLANs in HA config:

So ensure the VLAN is also properly configured on the switch.

omg , so stupid :)

Thx it all works now