High Availability port forward to VIP -am i doing this right?
-
I have a server running behind my firewall and when the master FW fails and the slave FW takes over, my server is no longer accessible from the outside world.
If i setup my ISP modem to port forward to my shared VIP, the server is no longer accessible from outside.
It will only work if i port forward to the master FW IP but obviously when the slave FW takes over it has a different IP so this doesnt workIs this a NAT / Rule issue or am i doing something wrong?
Modem:
This works
This is what i've tried to do which doesnt work
-
@digger30 What's the type of VIP you have for 192.168.1.1? It has to be a CARP VIP.
-
@rcoleman-netgate said in High Availability port forward to VIP -am i doing this right?:
e a CARP VIP.
yes it is a CARP VIP
The outgoing internet still works on when the slave FW takes over so i'm just wondering have i made a config error or am i trying the impossible?
-
@digger30 When you do the traffic push, what do you get on a packet capture? I would run it on both systems.
Are they reporting properly as BACKUP and PRIMARY when you load CARP Status?
-
@rcoleman-netgate Yes master FW is showing master status and the slave is showing BACKUP status.
The slave updates correctly to MASTER status when it takes over
-
@rcoleman-netgate said in High Availability port forward to VIP -am i doing this right?:
When you do the traffic push, what do you get on a packet capture? I would run it on both systems.
i'll try this
Just checking am i right in thinking that diagram 2 with the port forward to the shared VIP is the correct way to do this?
-
@digger30 Not shared, really. Only Primary will get it.
-
@rcoleman-netgate Sorry unsure what you mean
Should i put my router port forward to my VIP 192.168.1.1 in order for this to work as below?
-
HA isn't Clustering.
HA means if FW1 goes down FW2 will take over.
https://docs.netgate.com/pfsense/en/latest/highavailability/index.html
-
@rcoleman-netgate yes i dont expect it to cluster, just the Slave FW has a different IP so unsure how to make the modem port foward to it once it takes over? I thought by forward to a VIP which is used by the master, the slave would then take over the VIP when it becomes the master FW?
In the diagram below would you be able to port forward to 198.51.100.200 or would you only be able to port forward to 198.51.100.201 or .202 at one time only meaning HA fails when the master .201 FW goes down?
-
@digger30 Your destination on HA should always be the CARP address, not the destination firewall. If you do the firewall you will never achieve failover.
-
@rcoleman-netgate
All sorted :)thanks for your help
The PFsense internal NAT port forward destination address had to be changed from WAN address to the VIP IP which is now working
-
@digger30 Perfect! Glad I could be of assistance.