CARP Virtual IP failover works, but rules sync does not



  • Hi all,

    I'm trying to use a pair of pfSense boxes to replace an existing m0n0wall to give me some redundancy.

    The setup is a filtering bridge (WAN -> OPT1) with LAN used for VPN termination but not general internet access. I have a cluster of servers sitting behind OPT1. I have told CARP to run on the LAN interface on both boxes, the LAN ports are connected via a simple switch. I'm using PC Engines WRAP boards.

    I have virtual IPs set up on WAN and LAN. As the title explains, the VIP failover works fine (for both addresses) when I pull the power on the master and it also reverts when the master comes back up. All of the VIP functionality seems to be fine.

    However, when I create a firewall rule on the master, it doesn't get pushed over to the backup. On the CARP settings page, I have Synchronize Enabled ticked on both. Both also have the LAN interface selected. There is an allow any -> any rule on the LAN interface on both boxes.

    On the master only, I have all synchronize boxes ticked and the slave IP and password at the bottom. Both boxes are running over HTTP and both have the same username (and password, at present).

    Any ideas what could be the problem here? Unfortunately I don't have enough physical interfaces to give CARP a dedicated sync interface but given that my LAN interfaces will see almost no traffic, I assume this should be OK?

    Any help would be greatly appreciated :)

    Thanks,

    HB

    PS: I have also tested IPSec tunnels and aliases and they fail to sync as well, so it looks like only the core VIP functionality is working for me.



  • Hi,

    Anyone got any suggestions on where to start looking, at least? I have had a look through the forum and haven't spotted anyone else having issues with rules sync etc. Possibly I'm blind but if so, take pity on me and give me a link, please! :)

    HB



  • Are there any relevant errors in the system log? For example, a successful sync would look something like this.

    php: : XMLRPC sync successfully completed with https://192.168.30.2:443.
    php: : Beginning XMLRPC sync to https://192.168.30.2:443.
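As an added example (not code from this thread, from Rezin, or from pfSense itself), here is a small Python checker that reads a syslog excerpt for the two messages quoted above and reports, per sync target, how many syncs began and how many completed. It answers the "where to start looking" question mechanically: a begun sync with no matching completion points at the transfer, and no sync lines at all means the master never attempted a push. The hostnames, timestamps and the second target in the sample log are constructed for the example; only the message format comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt, modelled on the two lines quoted in the post.
# Hostname, timestamps and the second target are made up for this example.
SAMPLE_LOG = """\
Jan  1 10:00:01 fw1 php: : Beginning XMLRPC sync to https://192.168.30.2:443.
Jan  1 10:00:02 fw1 php: : XMLRPC sync successfully completed with https://192.168.30.2:443.
Jan  1 10:05:01 fw1 php: : Beginning XMLRPC sync to https://192.168.30.2:443.
Jan  1 10:10:01 fw1 php: : Beginning XMLRPC sync to http://192.168.30.3:80.
Jan  1 10:10:01 fw1 php: : XMLRPC sync successfully completed with http://192.168.30.3:80.
"""

# The target URL is the last token; the trailing full stop belongs to the log
# sentence, not to the URL, so it is matched outside the capture group.
BEGIN_RE = re.compile(r"Beginning XMLRPC sync to (\S+?)\.?$")
DONE_RE = re.compile(r"XMLRPC sync successfully completed with (\S+?)\.?$")


def sync_status(log_text):
    """Count begun and completed XMLRPC syncs per target URL."""
    status = defaultdict(lambda: {"begun": 0, "completed": 0})
    for line in log_text.splitlines():
        line = line.rstrip()
        m = BEGIN_RE.search(line)
        if m:
            status[m.group(1)]["begun"] += 1
            continue
        m = DONE_RE.search(line)
        if m:
            status[m.group(1)]["completed"] += 1
    return dict(status)


def check_sync(log_text):
    """Return human-readable findings about config sync health."""
    status = sync_status(log_text)
    if not status:
        # No sync entries at all: the master never attempted a push, so the
        # cause lies on the master side (settings, reachability), not the backup.
        return ["no XMLRPC sync attempts logged"]
    findings = []
    for target, counts in sorted(status.items()):
        missing = counts["begun"] - counts["completed"]
        if missing > 0:
            findings.append(f"{missing} sync(s) to {target} did not complete")
        if target.startswith("http://"):
            # The push authenticates with the sync password and carries
            # configuration sections, so a plaintext target is worth flagging
            # even when the sync itself succeeds.
            findings.append(f"sync to {target} uses plaintext HTTP")
    return findings


if __name__ == "__main__":
    for finding in check_sync(SAMPLE_LOG):
        print(finding)
```

Run it against the output of the system log (or a saved copy of it) from the master; the backup's log is not where the "Beginning" lines appear, because the master initiates the push.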
    


  • Hi,

    There weren't, but it doesn't really matter now.

    I've gone back to m0n0wall because it worked reliably. pfSense gave me nothing but issues: this CARP problem, PPTP failing to work as it should and then a really strange one where the firewall would add 1000+ ms of latency for no apparent reason (no traffic shaper, no config changes, no excessive load). Trying to get help on that via this forum looked like it would be a complete waste of time so I just went back to what I know…

    Thanks for your response Rezin, but pfSense is not for me if it's impossible to get support.

    HB



  • @HarryBo:

    Thanks for your response Rezin, but pfSense is not for me if it's impossible to get support.

    Commercial pfSense Support:
    https://portal.pfsense.org/

    Provided by:
    http://www.bsdperimeter.com/ and
    http://centipedenetworks.com/



  • Yup, I looked at that. $600 for 5 hours of support, of which I'd need perhaps 30 minutes? I would have happily paid $100 to resolve this, but $600 is significantly more than both firewalls cost me ;)

    Either way, I've got no real plans to look at pfSense again for this application. It's going to cost me £20 to produce a redundant PSU unit for the firewall. On the off-chance that the WRAP board should fail, I can handle 10 minutes of downtime. I've only ever had PSUs fail though, so I'm not particularly worried.

    CARP was a "nice feature to have" not a "must have", so I'll stick with m0n0wall.

    HB

