Is this possible?
-
I have two T1’s with Public IP addresses; each T1 has its own gateway/IP etc…
E.g. T1 (1) has IP 192.168.9.1/29
T1 (2) has IP 192.178.10.1/29Note: these are not the real IP
I have two Pfsense Box setup and I’m trying to get CARP failover working. How would I set this up when both Boxes will have its own Public IP?
E.g. Pfsense box 1 WAN IP will be 192.168.9.1/29
Pfsense box 2 WAN IP will be 192.178.10.1/29CARP Interface IP:
E.g. Pfsense box 1 CARP IP will be 192.168.100.1/24
Pfsense box 2 CARP IP will be 192.168.100.2/24LAN Interface IP:
E.g. Pfsense box 1 LAN IP will be 192.168.15.2
Pfsense box 2 LAN IP will be 192.168.15.3Virtual IP addresses:
WAN-CARP (I want it to use a public addresses from each T1)
LAN-CARP is set to 192.168.15.1I can the failover to work perfectly if I have both boxes in the same address space on one T1, the only problem is that I have two t1’s and I want to have it failover just incase a T fail.
I guess my question is, is this possible and if so please help! ???
-
have you had a look at http://www.pfsense.com/mirror.php?section=tutorials/carp/carp-cluster-new.htm ?
-
AFAIK, failover on the WAN (not load balanced) is not possible without some manual hacking.
Creating a dual-wan failover setup should be somewhat straightforward, though.
EG- box 1 wan 192.168.9.2 wan2 192.178.10.2
box 2 wan 192.168.9.3 wan2 192.168.10.3carp wan1 192.168.9.4 wan2 192.168.10.4
then point the balancer to the carp ips.I think. Haven't done multi-wan and failover on the same box yet.
Was that was you were asking? -
Dotdash,
corrent I have two t1 routers and I wanted to do a dual wan failover to Outbound NATTED to it's respective Interface Address
Or can I set the VHID Group to 2 on the second pf box?
I know how to do failover with 1 T1 to both pf box, but I have two t1's and wanted to failover that way.
-
Ok, just to clarify- dual wan setup as pure failover, where the first T1 would be used exclusively unless it failed, then the system would switch to the second T1 is not currently implemented. I think here was someone who had hacked up a script or something to do this a while back, but don't remember the details.
Dual-WAN doing outbound load balancing should work on a CARP cluster, but here I am not so useful, having done successful single wan CARP cluster and non-carp dual-wan only. Looking at a test box, it's not immediately obvious how you would setup the load-balance gateway with carp. Perhaps someone who is running a dual-wan carp cluster can shed some light on this one? -
sample drawing of what i'm trying to do –
T1A--------------- (WAN) PFSENSE BOX 1 -------- |----------------------- Clients
| | |
WAN CARP |--------------------|
| LAN CARP |
T1B---------------- (WAN) PFSENSE BOX 2 ------ |--------------------- Clients
|
WAN CARPEXPLAIN---
T1A WAN goes to PFSENSE BOX 1 (WAN IP: 12.44.33.7)
T1B WAN goes to PFSENSE BOX 2 (WAN IP: 69.33.44.87)CARP SYNC IP on PFSENSE BOX 1: 192.168.200.1/24
CARP SYNC IP on PFSENSE BOX 2: 192.168.200.2/24LAN IP ON PFSENSE BOX 1: 192.168.5.2/24
LAN IP ON PFSENSE BOX 2: 192.168.5.3/24CARP LAN IP: 192.168.5.1
Now the hard part---
CARP WAN ON PFSENSE BOX 1: would be (12.44.33.8)
CARP WAN ON PFSENSE BOX 2: would be (69.33.44.88)MY OUTBOUND ADVANCE NAT ON PFSENSE BOX 1 WOULD BE MY CARP INTERFACE (??) This is what i don't understand
How do i set it up to use the WAN interface on the PFBOX? do i forget about creating a WAN CARP IP and only use a LAN CARP IP with a VHID of 1 and Advertise Freq.. of 0?
-
Ok, this is getting a little over my head, but see the attached pic for what I had in mind.
I think you would need two WANs on each pfSense box, so you could have each firewall connected to both T1's. Then you could setup a CARP sync for each WAN, and load balance the WANs (this is where I get fuzzy on the details).
Your diagram does not look workable to me, I don't know how can you setup a CARP IP with the WANs on different subnets…You could set up only the LAN carp, do straight WAN setups to each T1, and just manually failover to the secondary if the primary T fails, but this seems far from optimal…
-
dotdash – You hit it right on target. I will order another network card for my device and have it installed.
I will post my findings here with a writeup how to do this.
Great Job!
Thanks
-
I'm trying the same that jpinder70, but with 2 adsl connections (and later will try to setup a redundant balaced ipsec meshed network).
It seems obvious that each pfsense system must have a wan ip of each of the adsl/t1 connections in order to have a carp address for each connection. I only have 1 public static ip per adsl, and will belong to carp interface, because the traffic must go out with this ip, cos is the only routed to my connection by my isp. That way, as the wan adresses must be in the same subnet as the carp address, i will take 2+2 ip that not really belong to me, and i assume that my natted networks never will get to the real ips (anyway these probably doent have any public service that must be directly accessed by my users).
Actually i only have 3 nic in each pfsense. So i'm trying some setups to see if they work without need of 4rt nic, hope to hear your feedback.
I connected both adsl routers, and both wan of pfsenses to the same ethernet segment.
My pfsense1 sync to pfsense2. I tried also to activate that pfsense2 sync to pfsense1. It seems to work, but there is some delay when apply changes, maybe there is some kind of cyclic action :? i don't know if it's ok that setup.
Actually my wan of pfsense1 have the adsl1 public ip, and wan of pfsense2 have the adsl2 public ip. I setup a carp address for adsl1 subnet in pfsense1, and a carp address for adsl2 suvnet in pfsense2. I was expecting for an error in sync, because pfsense1 doesnt know about adsl2 subnet, and pfsense2 neither of adsl1 net. Pfsense system have sync and now i have the carp adresses in both pfsenses. Maybe is not necessary that both pfsesne to be in both wan subnets ?¿¿ i think that yes it's mandatory, because don't seem to work (no error in frontend anyway).Assuming that both subnets are mandatory, i would like to know if it's possible to setup a wan interface with the two wan ips (1 per each adsl conn). Maybe with proxy arp virtual ip ?? i don't see any aliasing option to assign multiple ip to an interface in the frontend (like in rc.conf _alias method in freebsd). I read somewhere that is not recommended, anyone have any hint with this ? maybe this will be an issue in the way the traffic wil go out ??¿ maybe the balacer will not work properly ?
i keep monitoring this thread to see if the jpinder70 setup works.
Thanks.
