Netgate Discussion Forum

Single WAN, Secondary CARP Internet access: How to automate this simple solution?

HA/CARP/VIPs
10 Posts 3 Posters 1.5k Views
MrPete
last edited by MrPete Mar 8, 2022, 8:53 PM Mar 8, 2022, 12:23 AM

[UPDATE: new info makes this potentially simpler.]

I just learned how to make my secondary CARP have 100% internet access (for package updates and everything else).

• I wish this were not so obscure
• How do I make this fully automated?
• Could this become part of pfSense?

In my case, I'm using one ISP IP, with a pair of local IPs on the WAN interface (192.168.222.2-3).

Solution:
Configure an alternative gateway, and place it as Tier 2 in a gateway group:

• Simplest for me is referencing the primary LAN interface and its CARP address (192.168.1.1 on my LAN)
• Ensure DNS Resolver is set to also allow accessing "upstream" DNS etc. using the same interface. Unusual, but it works.
• When necessary, I can manually use "route add default 192.168.1.1" whenever pfSense is CARP backup.

Two problems with this:

• For some reason, this is broken by XMLRPC updates (I'll write a separate post on this.)
• This doesn't work during install... at least not automatically.

a) Add a firewall rule to that interface, allowing the secondary FW to have full Internet access (i.e. ALLOW, source: 192.168.222.3, dest: any)
b) The hard part I just now found, which does not survive a reboot:

On secondary, type this into a shell:
route add default 192.168.222.2
(i.e. the primary WAN CARP IP)

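As an added example (not code from this thread or from pfSense itself), here is a POSIX shell script that automates the OP's manual "route add default" step by reading the node's CARP state from ifconfig: it points the default route at the primary's WAN address (192.168.222.2, from the OP) only while every vhid is BACKUP or CARP is not configured yet, and removes that route once the node is MASTER. The ifconfig text it is run against is constructed sample output; the real address and interface names on your cluster are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: pick the default gateway for
# this node from its CARP state. While every vhid is BACKUP, the box should
# reach the Internet via the primary's WAN address (192.168.222.2 in the OP);
# once any vhid is MASTER, pfSense's own WAN gateway must be used instead.
# The ifconfig samples below are constructed for illustration.
PRIMARY_WAN="192.168.222.2"   # primary node's WAN IP, as in the OP

# Echo MASTER if any CARP vhid is MASTER, BACKUP if all are BACKUP, NONE if
# no "carp:" lines are present (e.g. a freshly reinstalled secondary).
carp_state() {
    states=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*carp: \([A-Z]*\) vhid .*/\1/p')
    if [ -z "$states" ]; then
        echo NONE
    elif printf '%s\n' "$states" | grep -qx MASTER; then
        echo MASTER
    else
        echo BACKUP
    fi
}

# Echo the route(8) command that should be run for the given ifconfig output.
# NONE is treated like BACKUP: a node with no CARP config is not the master.
route_cmd() {
    case "$(carp_state "$1")" in
        MASTER) echo "route delete default $PRIMARY_WAN" ;;
        *)      echo "route add default $PRIMARY_WAN" ;;
    esac
}

# Constructed samples in FreeBSD ifconfig format (pfSense is FreeBSD based).
SAMPLE_BACKUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.222.3 netmask 0xffffff00 broadcast 192.168.222.255
        inet 192.168.222.1 netmask 0xffffff00 broadcast 192.168.222.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        carp: BACKUP vhid 2 advbase 1 advskew 100'
SAMPLE_MASTER=$(printf '%s\n' "$SAMPLE_BACKUP" | sed 's/carp: BACKUP vhid 1/carp: MASTER vhid 1/')
SAMPLE_NOCARP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.222.3 netmask 0xffffff00 broadcast 192.168.222.255'

# Dry run on the sample; on a real node you would feed it "$(ifconfig)" instead.
route_cmd "$SAMPLE_BACKUP"
```

On a live node, run it from a CARP state-change hook or a periodic job and execute the printed command only after confirming the cluster's real WAN gateway is not disturbed.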
Cool_Corona
last edited by Mar 8, 2022, 4:33 AM

It's not real CARP. It's just access to the internet from the 2nd node...

netblues @MrPete
last edited by Mar 8, 2022, 5:27 AM

@mrpete said in Single WAN, Secondary CARP Internet access: How to automate this simple solution?:

b) The hard part I just now found, which does not survive a reboot:

System, routing, static routes, add
:)

MrPete @Cool_Corona
last edited by Mar 8, 2022, 6:47 AM

@cool_corona what is "real carp"? I have real HA running, including xmlrpc settings sync, pfsync for states, and CARP failover.

MrPete @netblues
last edited by Mar 8, 2022, 6:48 AM

@netblues is this safe to add as a normal permanent static route? If the secondary CARP goes Primary, not sure what happens to this 😏

netblues @MrPete
last edited by Mar 8, 2022, 7:08 AM

@mrpete You said it doesn't survive reboots.

You need to test all this in any case.
How about routing to the CARP VIP?

(haven't tested this, though)

Cool_Corona @MrPete
last edited by Mar 8, 2022, 9:34 AM

@mrpete It's a real HA cluster with failover that survives a reboot.

Running as master/slave.

MrPete @netblues
last edited by Mar 8, 2022, 12:34 PM

@netblues have to route to something reachable by the backup CARP.
Pretty sure none of the VIPs are available since they are also defined for the backup CARP system (but disabled due to it being secondary.)

I suspect I can use any primary IP. Will do some experiments.

I am looking at this in terms of upgrades:

• during a full reinstall of secondary, CARP is not configured.
• so the question is, what could either be auto configured, or what could the user easily do during the initial setup, to enable internet access.
  • There is a point during pfSense install where the user is given an opportunity to get a shell in single user mode BSD.
  • now that I know these extra tidbits, I will try an experiment to reinstall my secondary, and see if I can enable a gateway through primary from that point.

If this can be done, secondary CARP reinstall would be much smoother: all packages auto reinstalled, etc.

MrPete @netblues
last edited by Mar 8, 2022, 12:38 PM

@netblues I am thinking instead of static route, shouldn't this be doable as a defined gateway, and placed in a gateway group, so it only goes active when secondary?

I thought I had tried that already.

Time for more experiments. At least I know what I am shooting for now 🤠

MrPete @MrPete
last edited by Mar 8, 2022, 8:54 PM

@mrpete @netblues @Cool_Corona

I've updated the OP with results of my first set of experiments.

When I have a chance, I'll redo a full install on secondary CARP and see how that goes.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.