Failover not working - need help
I have 2 network ports coming into my cabinet from my datacenter and I am trying to set up Failover. I have 2 NIC's for WAN connections on my pfSense. WAN and WAN2. If I unplug WAN2 my load balancer status show BOTH as down but I can still get on the internet. If I just unplug WAN 1 the load balancer statud shows BOTH as up but I cant get out to the internet. Something must be misconfigured wrong on my end. I have attached some screenshots that should help and to how I have everything set up. Please let me know if you need any other info…this is driving me bonkers :)
Your WAN interfaces are both in the same subnet. Even though you're using separate gateways, the route out of your LAN is still the same. Taking one of the interfaces down will cause the route to be obliterated from your routing table and drama will ensue for the other network interface because, even though its up, there will be no route referring to it. I think this might work in 2.0 because of the changes to the load balancer, but don't quote me on it and I have no idea what other drama you might run into with this kind of setup. Of the top of my head ARP replies on this kind of setup can't be controlled and that might lead to all kinds of drama as well.
would static routes get around this?
Is my only other option to get a 2nd subnet of IPs from my datacenter?
look at my carp.png picture above, specifically the /32…is that wrong? I was just reading section 126.96.36.199 in the book and it seems that they shouldnt be /32...could that be causing the problem?
also looking at 20.5.3 (referenced by rules.png above). Im a little confused here, should it point to WAN Pool or Default Gateway?
Another question after doing some thinking is that since I have redundant lines coming from my datacenter is shoudl I just have 1 WAN on each firewall and just use carp and not multi wan failover on each (2WANs on each). I guess i need some clarification on how carp works.
So if I have single WAN on each PFsense, with a shared Carp public IP, pf1 and pf2, pf 1 is master and pf2 is backup. I would have line1 coming from the datacenter going to pf1 and line 2 going to pf2. if the link goes down on pf1 would it failover to pf2? How does pf1 and pf2 communicate to know when to failover? I dont seem to see in the book exactly how CARP works, just that its redundant.
GruensFroeschli last edited by
You're mixing two kinds of redundancy.
Loadbalancer/Failover: This is for redundancy of the logical links.
CARP: This is the redundancy for the hardware. If one pfSense dies the other takes over. But the two pfSense need to have the same connections to the rest of the network.
Since you have both your gateways in the same subnet, you could do that with a single interface.
See this theard (ignore point 1): http://forum.pfsense.org/index.php/topic,26692.msg138956.html#msg138956
I was at the datacenter this morning and setup the firewalls with 1 WAN connection each and CARP. Everything works great. If I unplug the WAN from the primary firewall (PF1) it fails over to PF2, same thing is I unplug the LAN. It also falls back to PF1 when the connection comes back up. Sweet!