Using HAproxy on a CARP/HA firewall cluster
-
Hi,
Configured HAproxy on the firewall cluster with Nextcloud as backend. When I bring either the primary or the secondary firewall down, everything works. As soon as I enable both firewalls, download and upload to Nextcloud fail immediately. Where exactly would the issue be?
-
@Pavan-1
The CARP status is fine, one is master, the other one backup? Does it work if you bypass HAproxy by forwarding the traffic directly to the backend server?
-
Hi, I can confirm that when I bypass pfSense everything works; CARP also functions well. Tested this by bringing down the master: the slave comes up, and the configuration syncs.
The issue comes when both firewalls are UP, and in the PCAP I see TCP out-of-order packets.
-
@Pavan-1
So I suspect that you are missing the CARP setting in HAproxy.
-
I have used the CARP IP for HAproxy. Additionally, we have used a single interface for LAN and SYNC; could it cause any issues?
Regards,
Pavan.
-
@Pavan-1
What does a single interface mean? Non-CARP? I was referring to this setting: Services > HAproxy > Settings > Carp monitor
If this is set properly, the HAproxy service should be stopped when the node is in backup state.
-
@viragomann said in Using HAproxy on a CARP/HA firewall cluster:
What does a single interface mean? Non-CARP?
We don't have a dedicated interface for SYNC; we have used a single interface for all traffic and SYNC.
@viragomann said in Using HAproxy on a CARP/HA firewall cluster:
I was referring to this setting: Services > HAproxy > Settings > Carp monitor
Yes, when the primary is active, the secondary pfSense has the HAproxy service disabled.
-
@Pavan-1 said in Using HAproxy on a CARP/HA firewall cluster:
We don't have a dedicated interface for SYNC; we have used a single interface for all traffic and SYNC.
This shouldn't matter.
Is HAproxy running in transparent mode?
If it isn't, to narrow it down, enable logging on the involved firewall rules as well as on the default deny rule (Status > System Logs > Settings > Log firewall default blocks).
Then run your firewall in HA mode and reproduce the error. Check the logs for relevant entries and post them here if possible.
-
What exactly does transparent mode do, and how do I enable it?
Thanks, I will log the default blocks, reproduce the issue and update.
Regards,
-
@Pavan-1
Transparent mode is a bad hack. You shouldn't enable it if there isn't a very good reason to do so.
-
So all the connections are made directly to the backend servers instead of pfSense?
TCP out-of-order is what I'm seeing in the PCAP; does it suggest any misconfiguration?
-
@Pavan-1 said in Using HAproxy on a CARP/HA firewall cluster:
So all the connections are made directly to backend servers instead of pfSense?
In transparent mode, pfSense uses the original source IP when accessing the backend.
There are some odd (hidden) firewall rules necessary to make this work.
@Pavan-1 said in Using HAproxy on a CARP/HA firewall cluster:
TCP out-of-order is what I'm seeing in the PCAP; does it suggest any misconfiguration?
This indicates probable asymmetric traffic. Some packets might go to the backup node for whatever reason.
-
@viragomann said in Using HAproxy on a CARP/HA firewall cluster:
This indicates probable asymmetric traffic. Some packets might go to the backup node for whatever reason.
I thought so. Since it's all in VMs, I'm lost in the woods trying to figure out the root cause. But as per CARP, primary and secondary work.
What I will do is check if the traffic is hitting the second pfSense when the primary is UP; I hope it helps. Else, please suggest.
-
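One way to run the check proposed in the post above (is traffic for the VIP hitting the second pfSense while the primary is MASTER, and where do the out-of-order segments appear?), as an added example that is not code from this thread nor from pfSense or HAProxy. It assumes you ran `tcpdump -nnS -i <lan_iface> host <carp_vip>` on both nodes at the same time and saved the text output (`-S` so sequence numbers are absolute); the capture lines embedded below are constructed for the example, not a real capture, and the addresses are placeholders.

```python
"""
Compare tcpdump text captures from a CARP MASTER and BACKUP node.

Added example (not from the forum thread, pfSense or HAProxy). It reports:
  * TCP flows whose packets appear on BOTH nodes. With CARP working, the
    BACKUP node should not see client traffic for the VIP at all, so a flow
    present in both captures is asymmetric traffic.
  * Segments whose sequence number runs backwards within one direction of a
    flow on one node: what Wireshark labels "TCP Out-Of-Order".
Assumes `tcpdump -nnS` output (absolute sequence numbers).
"""
import re

# Constructed sample: master sees the whole session; one data segment
# (seq 1101) arrives after the one that follows it (seq 1201).
MASTER_CAPTURE = """
10:00:00.000100 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
10:00:00.000300 IP 192.0.2.10.443 > 10.0.0.5.51234: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
10:00:00.000400 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [.], ack 5001, win 65535, length 0
10:00:00.001000 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [P.], seq 1001:1101, ack 5001, win 65535, length 100
10:00:00.002000 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [P.], seq 1201:1301, ack 5001, win 65535, length 100
10:00:00.002500 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [P.], seq 1101:1201, ack 5001, win 65535, length 100
10:00:00.003000 IP 10.0.0.5.52000 > 192.0.2.10.443: Flags [S], seq 7000, win 65535, options [mss 1460], length 0
"""

# Constructed sample: the BACKUP node also saw a segment of flow 51234
# (it should have seen none), plus an unrelated SYN only it received.
BACKUP_CAPTURE = """
10:00:00.001500 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [P.], seq 1101:1201, ack 5001, win 65535, length 100
10:00:00.004000 IP 10.0.0.9.40000 > 192.0.2.10.443: Flags [S], seq 9000, win 65535, options [mss 1460], length 0
"""

# One tcpdump -nn line: timestamp, src.port > dst.port, flags, optional seq, length.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r".*?length (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Return a list of packet dicts for every line matching LINE_RE."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or truncated lines are ignored
        d = m.groupdict()
        pkts.append({
            "ts": d["ts"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] is not None else None,
            "len": int(d["len"]),
        })
    return pkts


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a session match."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def flows_on_both_nodes(master_pkts, backup_pkts):
    """Flows present in both captures: the signature of asymmetric traffic."""
    return sorted({flow_key(p) for p in master_pkts} & {flow_key(p) for p in backup_pkts})


def out_of_order(pkts):
    """Per (flow, direction), flag segments whose seq is below the highest
    seq already seen. Pure ACKs (no payload, no SYN/FIN) are skipped since
    they carry no new sequence space."""
    highest, hits = {}, []
    for p in pkts:
        if p["seq"] is None:
            continue
        if p["len"] == 0 and "S" not in p["flags"] and "F" not in p["flags"]:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        prev = highest.get(key)
        if prev is not None and p["seq"] < prev:
            hits.append((p["ts"], key, p["seq"], prev))
        else:
            highest[key] = p["seq"]
    return hits


if __name__ == "__main__":
    master, backup = parse_tcpdump(MASTER_CAPTURE), parse_tcpdump(BACKUP_CAPTURE)
    for flow in flows_on_both_nodes(master, backup):
        print("seen on BOTH nodes (asymmetric):", flow)
    for ts, key, seq, prev in out_of_order(master):
        print(f"master out-of-order at {ts}: {key} seq {seq} after {prev}")
```

Replace the two constructed strings with the real capture files from each node (taken while the primary shows MASTER) and run it; any flow listed under "seen on BOTH nodes" is traffic that reached the backup even though HAproxy is stopped there.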
Observed something weird: if I turn off state synchronisation in System > High availability, the application is working. Any suggestions for this weird behaviour?