Dual pfSense - single WAN IP (DHCP) - MAC spoofing script question
-
Hello pfSensers,
I've been Googling a lot for the past 2 days regarding what I am trying to achieve and I can find some bits of info here and there but nothing that exactly suits my needs.
First: my setup
- 2 pfSense machines connected to a single cable modem that has 4 LAN ports (the modem is in bridge mode)
- Each pfSense machine is able to obtain a different public DHCP IP address from the cable modem (with different MAC addresses)
- LAN CARP is working fine and traffic is routed out through each pfSense machine's WAN interface depending on who is master
What I want to achieve
- I am trying to find a way to trigger a MAC address spoofing on the "CARP master" event and "CARP backup" event.
The goal is that they swap MAC identities facing the cable modem so that the IP follows the master gateway. I've seen some people shutting the WAN interface completely and turning it on when CARP is master because their ISP did not allow more than 1 MAC address. In my case I can connect up to 10 so I don't need to shut the interface. This way they can both have access to the internet all the time.
Simply executing "ifconfig igb0 link xx:xx:xx:xx:xx:xx" in the CLI changes the MAC address for a few seconds, then something else seems to detect the change and overwrite it and remove the spoofed MAC address. The same thing happens on the other box as well.
Any help would be greatly appreciated!
Thanks
-
I'll see if I can help here, use plenty of HA setups in prod, but I would first ask what your goal here is. Like is this actually a critical environment where a firewall failure would be a huge deal, or maybe just keeping a cold spare is an easier solution?
Firewall failures aren't super common, so if you kept an up to date (including config) cold spare of the same firewall, replacement should be a super quick thing.
HA and CARP are great and all, but it definitely makes a lot of things in an environment more complex so normally my recommendation is to avoid it if at all possible (but like I said I've done it many times in places where it was definitely needed or in lab environments).
Anyway, your goal here is to have the same IP be used by both firewalls in the event of a failover, is that correct?
Maybe I'm not fully understanding the goal here, but normally no MAC spoofing is necessary in this kind of setup. Really what is needed is 3 public IPs to be used on a WAN switch (sounds like your gateway may have a switch built in).
-
@planedrop I know what is "usually required" to do it "the right way" but I am using DHCP so I can't use 3 IPs. This is for my home setup, a setup on which I regularly play around and face the wrath of my kids or girlfriend when I cut their dear internet by rebooting the server, or playing on the network. I simply want a failover that will allow me to work on the machine freely.
The goal is to spoof the WAN MAC address so that current communications with servers, games, voice calls, etc. will only have a small hiccup of a few seconds while the DORA happens for the DHCP on the secondary server instead of completely dropping because of an IP change when switching over to the secondary pfSense.
The main pfSense is on a server that is on AC power with a UPS only for the sake of a clean shutdown. The secondary pfSense is powered by a 12v battery and will run for up to 48h in case of power failure.
Here is a quick diagram of my network setup
-
Gotcha gotcha, this helps a lot.
So these are configured with CARP though just not on the WAN side? I'm not aware of a way to configure CARP with a DHCP WAN setup. Sorry if I'm still misunderstanding something.
I'll have to give this some thought to see if I can come up with a good way to get it done, nothing is coming to mind instantly though.
-
@planedrop Yes, the VLANs on the LAN side are all using CARP. That's why I want to add scripts to change the MAC address of the WAN interfaces during the carpmaster and carpbackup events. This way they would "exchange" their public IPs.
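Added example, not code from the thread or from the pfSense project: a small POSIX sh hook that maps the CARP state a box has just entered (MASTER or BACKUP) to the WAN MAC it should present, validates the address, and then either prints the commands it would run (DRY_RUN=1, the default) or applies them with FreeBSD's `ifconfig ... ether` and kicks `dhclient` so DORA happens on the new master. The interface name `igb0`, the two locally administered sample MACs, and the idea of calling it from the scripts pfSense runs on those events (`/etc/rc.carpmaster` and `/etc/rc.carpbackup` on the versions I have seen, which you should verify on yours) are assumptions for illustration. It does not address the behaviour described earlier in the thread where something re-applies the original MAC a few seconds after `ifconfig`; whatever reapplies it will still do so unless the configured MAC itself is changed.

```shell
#!/bin/sh
# Added example (not from the thread): hook to run on a CARP state change.
# Usage: sh carp_wan_mac.sh MASTER   or   sh carp_wan_mac.sh BACKUP
# Everything below is an assumption for illustration: adjust WAN_IF and the
# two MACs to your own boxes before running with DRY_RUN=0.

WAN_IF="${WAN_IF:-igb0}"
# Constructed sample addresses; the 0x02 bit in the first octet marks them
# as locally administered so they cannot collide with a vendor-assigned MAC.
MAC_SHARED="${MAC_SHARED:-02:00:5e:00:00:01}"   # identity that follows the CARP master
MAC_OWN="${MAC_OWN:-02:00:5e:00:00:02}"         # this box's own identity while backup
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = apply them

# Accept only six colon-separated hex octets; refuse anything else so a typo
# in an environment variable never reaches ifconfig.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Map the CARP state handed to the hook to the MAC the WAN should present.
# The master takes the shared identity; backup (and INIT, before the first
# election) fall back to the box's own identity so the two never overlap.
mac_for_state() {
    case "$1" in
        MASTER)      echo "$MAC_SHARED" ;;
        BACKUP|INIT) echo "$MAC_OWN" ;;
        *)           return 1 ;;
    esac
}

# Set the MAC for the given state and renew the lease.  In DRY_RUN mode the
# commands are printed one per line instead of executed.
apply_wan_mac() {
    state="$1"
    mac=$(mac_for_state "$state") || { echo "unknown CARP state: $state" >&2; return 1; }
    valid_mac "$mac" || { echo "refusing malformed MAC: $mac" >&2; return 1; }
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ifconfig %s ether %s\n' "$WAN_IF" "$mac"
        printf 'dhclient %s\n' "$WAN_IF"
    else
        ifconfig "$WAN_IF" ether "$mac" && dhclient "$WAN_IF"
    fi
}

# When invoked with a state on the command line, act on it.
case "${1:-}" in
    MASTER|BACKUP|INIT) apply_wan_mac "$1" ;;
esac
```

Run it on both boxes from the respective event scripts: the box that becomes master calls it with MASTER, the one that drops to backup calls it with BACKUP, so the shared MAC is only ever claimed by one side at a time. With DRY_RUN=1 (the default) nothing on the interface is touched, which is the mode to test the mapping in first.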
-
@vizi0n Gotcha, so the goal is to spoof the MAC address on a CARP event so that the ISP router, which is handing IPs out via DHCP, gives the new primary the same IP as the previous (or ideally no DHCP even has to happen again).
Not sure if there is a way to do this, nothing is immediately coming to mind, definitely not a "supported" config but I'm sure you knew that haha.
Of course pfSense does support spoofing the MAC on an interface, but I don't know of a good way without doing a LOT of custom work to program it to do so based on a CARP event trigger.
Sorry, since saying IDK isn't really that helpful lol.
P.S. sorry for late reply, was on a work trip so didn't really have time to check forum stuff.