Netgate Discussion Forum
    Single WAN, Secondary CARP Internet access: How to automate this simple solution?

    HA/CARP/VIPs
    • MrPete
      MrPete last edited by MrPete

      [UPDATE: new info makes this potentially simpler.]

      I just learned how to make my secondary CARP have 100% internet access (for package updates and everything else).

      • I wish this were not so obscure
      • How do I make this fully automated?
      • Could this become part of pfSense?

      In my case, I'm using one ISP IP, with a pair of local IPs on the WAN interface (192.168.222.2-3)

      Solution:
      Configure an alternative gateway, and place as Tier 2 in a gateway group:

      • Simplest for me is referencing the primary LAN interface and its CARP address (192.168.1.1 on my LAN)
      • Ensure DNS Resolver is set to also allow accessing "upstream" DNS etc using the same interface. Unusual, but it works.
      • When necessary, I can manually use "route add default 192.168.1.1" whenever pfSense is CARP backup.

      Two problems with this:

      • For some reason, this is broken by XMLRPC updates (I'll write a separate post on this.)
      • This doesn't work during install... at least not automatically.

      a) Add a firewall rule to that interface, allowing the secondary FW to have full Internet access (i.e. ALLOW, source: 192.168.222.3, dest: any)
      b) The hard part I just now found, which does not survive a reboot:

      On secondary, type this into a shell:
      route add default 192.168.222.2
      (i.e. the primary WAN CARP IP)

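To give the "how do I make this fully automated?" question above a concrete shape, here is an added example script. It is not code from this thread or from pfSense. It reads the CARP state of the WAN VIP from ifconfig and puts the secondary's default route on the primary's WAN address only while the node is BACKUP, then hands the route back to the upstream gateway when the node becomes MASTER, which is the failover case MrPete raises further down the thread. The primary WAN address 192.168.222.2 is the one the OP routes to; the interface name em0, vhid 1, the VIP and the ISP gateway value are assumptions for illustration, and the ifconfig output is constructed so the decision logic runs without root or a real CARP interface.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumptions (not stated in the thread): the primary's own WAN address is
# 192.168.222.2, the WAN interface is em0, the WAN CARP VIP uses vhid 1, and
# ISP_GW is a placeholder for the real upstream gateway used when MASTER.

PRIMARY_WAN=192.168.222.2   # primary node's real WAN address (from the OP)
WAN_IF=em0                  # assumed WAN interface name
VHID=1                      # assumed vhid of the WAN CARP VIP
ISP_GW=203.0.113.1          # placeholder (TEST-NET-3) for the real ISP gateway

# Constructed ifconfig(8) output for the two states; the VIP 203.0.113.10
# stands in for the OP's single ISP IP. Used only to exercise the logic.
SAMPLE_BACKUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.222.3 netmask 0xffffff00 broadcast 192.168.222.255
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100'
SAMPLE_MASTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.222.2 netmask 0xffffff00 broadcast 192.168.222.255
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'

# carp_state IFCONFIG_OUTPUT VHID -> prints MASTER, BACKUP, INIT or UNKNOWN
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# default_route_action STATE -> add | restore | none
# BACKUP: the WAN VIP lives on the master, so this node has no way out;
#         send its default route to the primary's real WAN address.
# MASTER: that route would now hand traffic to the node that just lost
#         mastership, so put the default route back on the ISP gateway.
default_route_action() {
    case "$1" in
        BACKUP) echo add ;;
        MASTER) echo restore ;;
        *)      echo none ;;
    esac
}

# current_default_gw -> gateway of the current default route, or empty
current_default_gw() {
    route -n get default 2>/dev/null | awk '$1 == "gateway:" { print $2 }'
}

# apply_route: read the live CARP state and adjust the default route.
# Needs root; only runs when invoked as "sh carp-route.sh apply".
apply_route() {
    state=$(carp_state "$(ifconfig "$WAN_IF")" "$VHID")
    current=$(current_default_gw)
    case "$(default_route_action "$state")" in
        add)
            if [ "$current" != "$PRIMARY_WAN" ]; then
                if [ -n "$current" ]; then
                    route -q change default "$PRIMARY_WAN"
                else
                    route -q add default "$PRIMARY_WAN"
                fi
            fi ;;
        restore)
            # Only touch the route if it is the one this script installed.
            if [ "$current" = "$PRIMARY_WAN" ]; then
                route -q change default "$ISP_GW"
            fi ;;
    esac
}

if [ "${1:-}" = apply ]; then
    apply_route
fi
```

Run it with `sh carp-route.sh apply` from a CARP transition hook or a boot-time shell command; pfSense ships /etc/rc.carpmaster and /etc/rc.carpbackup for those transitions, but check how your version invokes them before relying on that. The firewall rule the OP describes is still needed; this script only manages the route, and because it checks the live CARP state rather than installing a permanent static route, it does not leave the secondary pointing at a dead primary after a failover.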
      • Cool_Corona
        Cool_Corona last edited by

        It's not real CARP. It's just access to the internet from the 2nd node...

        • netblues @MrPete last edited by

          @mrpete said in Single WAN, Secondary CARP Internet access: How to automate this simple solution?:

          b) The hard part I just now found, which does not survive a reboot:

          System, routing, static routes, add
          :)

          • MrPete
            MrPete @Cool_Corona last edited by

            @cool_corona what is "real carp"? I have real HA running, including xmlrpc settings sync, pfsync for states, and CARP failover.

            • MrPete
              MrPete @netblues last edited by

              @netblues is this safe to add as a normal permanent static route? If the secondary CARP goes Primary, not sure what happens to this 😏

              • netblues @MrPete last edited by

                @mrpete You said, it doesn't survive reboots.

                You need to test all this in any case.
                How about routing to the carp vip?

                (haven't tested this, though)

                • Cool_Corona
                  Cool_Corona @MrPete last edited by

                  @mrpete It's a real HA cluster with failover that survives a reboot.

                  Running as master/slave.

                  • MrPete
                    MrPete @netblues last edited by

                    @netblues have to route to something reachable by the backup CARP.
                    Pretty sure none of the VIPs are available since they are also defined for the backup CARP system (but disabled due to it being secondary.)

                    I suspect I can use any primary IP. Will do some experiments.

                    I am looking at this in terms of upgrades:

                    • during a full reinstall of secondary, CARP is not configured.
                    • so the question is, what could either be auto configured, or what could the user easily do during the initial setup, to enable internet access.
                      • There is a point during pfsense install where the user is given an opportunity to get a shell in single user mode BSD.
                      • now that I know these extra tidbits, I will try an experiment to reinstall my secondary, and see if I can enable a gateway through the primary from that point.

                    If this can be done, secondary CARP reinstall would be much smoother: all packages auto reinstalled, etc.

                    • MrPete
                      MrPete @netblues last edited by

                      @netblues I am thinking instead of static route, shouldn't this be doable as a defined gateway, and placed in a gateway group, so it only goes active when secondary?

                      I thought I had tried that already.

                      Time for more experiments. At least I know what I am shooting for now 🤠

                      • MrPete
                        MrPete @MrPete last edited by

                        @mrpete @netblues @Cool_Corona

                        I've updated the OP with results of my first set of experiments.

                        When I have a chance, I'll redo a full install on secondary CARP and see how that goes.
