No internet when failing over to second firewall [SOLVED]



  • I have resolved all my prior issues with setting up CARP. I am finally able to NAT out with the CARP IP on the primary firewall. However, when I flop over to the secondary, internet stops working. When I pull the plug on the primary firewall, CARP switches to master on the secondary. I am actually able to resolve DNS via command prompt, but unable to ping anything. I also can get to ftp sites with their domain name. Firewall logs don't show any type of blocking going on. Anybody have any ideas what the problem is?



  • Confirm that your LAN devices are using the shared CARP IP on your LAN IP as their gateway and not the physical IP of the primary firewall.  Beyond that, you'll need to post many more details and perform the basic network troubleshooting tasks necessary to run down a connectivity problem.



  • Did all VIPs switch to the backup Pfsense?

    In my test setup this isn't the case.

    If I unplug the WAN cable from the master, the following happens:

    The WAN VIP switches active on the backup pfSense.
    But on the LAN side the VIP gateway IP stays on the master pfSense.

    Isn't there any kind of CARP group configurable?

    As shown in:
    http://www.openbsd.org/faq/pf/carp.html#forcefail



  • All LAN devices are using the LAN CARP IP which is 10.1.1.250/24. LAN of Primary is 10.1.1.251/24 and LAN of secondary is 10.1.1.252/24.



  • Some further diagnostics. I am able to ping google.com on the WAN interface of both firewalls. I am able to ping google.com on the LAN interface of firewall1, but not firewall2. Could this be the cause of my problems?



  • If you have outbound NAT enabled for all traffic from LAN this is normal.

    The ping source is the CARP WAN IP, which is only active on your master firewall.

    But again, under Status -> CARP, LAN and WAN must be master on the same machine.

    pfSense 1 both master on LAN and WAN, or pfSense 2 both master.

    Are they, if you unplug the pfSense 1 WAN cable?
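    The "LAN and WAN must be master on the same machine" check above can be scripted. This is an added example, not code from the thread or from pfSense: it parses FreeBSD/pfSense `ifconfig` output and reports whether every CARP VIP on the node is in the same state; the interface names, addresses and `ifconfig` text below are constructed samples.

```sh
#!/bin/sh
# Added example: check that every CARP VIP on this node reports the same state,
# so a node that is MASTER on WAN but BACKUP on LAN (the split this thread
# describes) is caught. Parses FreeBSD/pfSense `ifconfig` output; the samples
# below are constructed, not captured from a real firewall.

# Print one "interface vhid STATE" line per CARP VIP found on stdin.
carp_states() {
  awk '
    /^[A-Za-z0-9_.]+:/ { iface = $1; sub(/:$/, "", iface) }   # new interface block
    $1 == "carp:"      { print iface, $4, $2 }                # "carp: MASTER vhid 1 ..."
  '
}

# Print "consistent" when all VIPs share one state, "split" when they differ,
# "none" when no CARP VIP is present.
carp_consistent() {
  carp_states | awk '
    { n++; if (!($3 in seen)) { seen[$3] = 1; distinct++ } }
    END {
      if (n == 0)             print "none"
      else if (distinct == 1) print "consistent"
      else                    print "split"
    }
  '
}

# Constructed sample: WAN VIP (vhid 1) is MASTER, LAN VIP (vhid 2) is still BACKUP.
SAMPLE_SPLIT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.1.252 netmask 0xffffff00 broadcast 10.1.1.255
        inet 10.1.1.250 netmask 0xffffff00 broadcast 10.1.1.255 vhid 2
        carp: BACKUP vhid 2 advbase 1 advskew 100'

# Constructed sample: both VIPs MASTER, as expected on the active node.
SAMPLE_OK=$(printf '%s\n' "$SAMPLE_SPLIT" | sed 's/carp: BACKUP/carp: MASTER/')

printf '%s\n' "$SAMPLE_SPLIT" | carp_consistent   # split
printf '%s\n' "$SAMPLE_OK"    | carp_consistent   # consistent
# On a live pfSense shell: ifconfig | carp_consistent
```

    Run it on both nodes after pulling a cable; "split" on either node means the VIPs did not fail over as a group.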



  • After unplugging the WAN from firewall1, firewall2's CARP status changed to master on all VIPs. Firewall1's status on the WAN changed to INIT and LAN to BACKUP.

    Also while firewall2 is in master mode, I still cannot ping out the LAN.



  • The problem seems to be a NAT issue. When I fail over to the second firewall, if I go into my NAT rules and adjust it to go out of the interface instead of the CARP IP, internet works just fine. However, as soon as I set it to my CARP IP it will stop working. This only happens on the secondary firewall. On the primary it NATs out just fine. Could this also mean that CARP is not failing over properly?



  • After further diagnosis, it appears that my ISP may be the trouble. I am using Comcast with a range of static addresses. As soon as I plugged in my T1 and changed all the addresses, failover worked completely fine. Anyone ever heard of this before? Do you think I need to power-cycle my modem during non-business hours?



  • I have resolved this issue. It appears the Comcast modem just needed to be rebooted.

