Setting up CARP cluster for LAN and WAN VIPs at the same time

Category: HA/CARP/VIPs
15 Posts, 5 Posters, 6.8k Views
captain kirk
last edited by Feb 26, 2007, 2:26 PM

I'm currently working on a project that would allow remote users and remote store branches to VPN into our corporate network (PPTP for the road warriors and IPsec for the store branches who will be using Netgear's FVS-338 VPN routers), but would like to have them access a VIP on the WAN side. The users that work in the corporate headquarters on the other hand would also need access to the internet.

What I'm looking at is configuring the CARP cluster with a WAN VIP for the VPN and also a LAN VIP for the users working in the headquarters. Would it be possible to have a cluster of 2 pfSense servers that would serve as a redundant gateway which would provide failover for incoming AND outgoing traffic at the same time?

hoba
last edited by Feb 26, 2007, 6:28 PM

Absolutely. Have a look at http://pfsense.com/mirror.php?section=tutorials/carp/carp-cluster-new.htm .
In addition to this you need to set your IPSEC failover settings to use the WAN CARP IP (VPN, IPSEC, failover tab). For PPTP you need to add 2 additional rules for the CARP WAN IP to allow protocol GRE and TCP 1723 to it at firewall>rules, wan tab. I have exactly such a setup running.

sullrich
last edited by Feb 26, 2007, 8:13 PM

http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

captain kirk
last edited by Feb 27, 2007, 5:32 PM

Hi! Thanks so much for your help! The one thing that I'm stuck on, though, is the DHCP settings. When testing it out with only one node in the CARP cluster, DHCP would not assign me any IPs. I've followed the tutorial, but still no go. Statically assigned IPs with the gateway and DNS set to the VIP work fine, though. Is there something I missed? Again, thanks for your help! :D

dotdash
last edited by Feb 28, 2007, 4:37 PM

Check the logs. I had a similar problem with failover DHCP and it turned out to be because time was out of sync on one of the boxes, causing DHCPd to bomb due to the time discrepancy.

sullrich
last edited by Feb 28, 2007, 4:41 PM

Recent snapshots sync the time with ntpdate on bootup. Please upgrade.

heiko
last edited by Mar 1, 2007, 7:40 PM

Hello,

I think I misunderstand something. I also have a CARP cluster with 25 IPsec tunnels and everything works fine without IPsec. The master WAN IP is 217.6.55.4, the backup CARP is 217.6.55.5 and the VIP is 217.6.55.6. On the master I cannot change anything in the tunnel definition, because the remote side is set to 217.6.55.4. In the CARP cluster I synchronize IPsec, so when the master fails, the remote side still has a setting of 217.6.55.4, but the backup member is 217.6.55.5. I can set the IPsec failover on the master to the VIP 217.6.55.6, but I cannot understand this scenario, because the backup member is at WAN 217.6.55.5.....

I think I need a little bit of help to understand the settings.... a little bit confusing?

Greetings from Germany
Heiko

sullrich
last edited by Mar 1, 2007, 7:43 PM

#1. Set up your tunnels to use "IP address" and the VIP CARP member
#2. Visit VPN, IPSEC, Failover IPSEC, define the VIP IP address
#3. Visit the other end of the tunnel, make sure the remote gateway is set as the CARP VIP
#4. There is no step 4. Enjoy your failover IPSEC.

heiko
last edited by Mar 1, 2007, 8:01 PM

Hello,

it's all Greek to me. Scott, I found this with Google, but I don't understand which settings you mean

--> Set up your tunnels to use "IP address" and the VIP CARP member

Do you mean the tunnel settings, my identifier as the IP address?
I think I have lost my way....

Thank you for your help!
Heiko

sullrich
last edited by Mar 1, 2007, 8:31 PM

IP address = CARP public IP

heiko
last edited by Mar 1, 2007, 8:41 PM

Hello Scott,

excuse me...

do you mean the settings in the connection of IPsec or something else...?

I'm stupid

Heiko

hoba
last edited by Mar 1, 2007, 8:50 PM

vpn>ipsec, failover tab. Set your shared CARP IP there.

heiko
last edited by Mar 2, 2007, 1:20 PM

Hello Hoba,
I'll write it once more in German; I'm probably really being thick-headed. Sorry, but I just want to understand it..

If I have two WAN addresses and one WAN VIP, and use this as failover, but the tunnels are mapped to the master's WAN address, how does a failover work then? Or, in a CARP cluster with a VIP configured as IPsec failover, is that VIP always written into racoon.conf and the master's actual WAN address ignored?

Maybe I'll understand it this year?
Regards
Heiko

hoba
last edited by Mar 2, 2007, 2:39 PM

Correct, the address entered in the IPSEC failover tab is then used for the local IPSEC traffic and can therefore also be taken over by the slave.

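Added example, not code from the thread or from pfSense: a small Python model of the failover behaviour that sullrich's four steps and hoba's last reply describe, using the three addresses heiko posted. It shows why a tunnel bound to the master's real WAN address dies when the master fails while one bound to the shared CARP VIP survives, and includes a check for hoba's two extra PPTP rules (GRE and TCP 1723 to the VIP). The classes, function names and the rule dictionary format are all constructed for this example.

```python
from dataclasses import dataclass

# Addresses as heiko posted them; the CARP VIP floats between the two nodes.
MASTER_WAN, BACKUP_WAN, VIP = "217.6.55.4", "217.6.55.5", "217.6.55.6"

@dataclass
class Node:
    name: str
    wan_ip: str
    alive: bool = True

class Cluster:
    """Two pfSense nodes sharing one CARP VIP; the first live node is master."""
    def __init__(self, vip, nodes):
        self.vip, self.nodes = vip, nodes

    def answering_node(self, ip):
        """Node that answers for ip: its own WAN address while it is up, or the
        VIP while it holds the master role. None if nobody answers."""
        for n in self.nodes:
            if n.alive and n.wan_ip == ip:
                return n
        if ip == self.vip:
            return next((n for n in self.nodes if n.alive), None)
        return None

def tunnel_up(cluster, remote_gateway, failover_ip):
    """Tunnel works only if a live node answers the address the remote peer
    dials AND sources its own IPsec traffic from that same address (the
    VPN > IPsec > Failover setting discussed in the thread)."""
    return (cluster.answering_node(remote_gateway) is not None
            and failover_ip == remote_gateway)

def pptp_rules_ok(rules, vip):
    """hoba's extra WAN rules: GRE and TCP/1723 must be passed to the VIP.
    Rule dicts are a constructed format, not pfSense's config.xml."""
    allowed = {(r["proto"], r.get("port")) for r in rules
               if r["action"] == "pass" and r["dst"] == vip}
    return ("gre", None) in allowed and ("tcp", 1723) in allowed

def simulate(remote_gateway, failover_ip):
    """Return (tunnel state before, tunnel state after) the master fails."""
    master, backup = Node("master", MASTER_WAN), Node("backup", BACKUP_WAN)
    cluster = Cluster(VIP, [master, backup])
    before = tunnel_up(cluster, remote_gateway, failover_ip)
    master.alive = False
    return before, tunnel_up(cluster, remote_gateway, failover_ip)
```

`simulate(MASTER_WAN, MASTER_WAN)` is heiko's original setup and returns `(True, False)`; `simulate(VIP, VIP)` is the setup after sullrich's steps and returns `(True, True)`.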
heiko
last edited by Mar 2, 2007, 2:49 PM

thanks, now I've got it
regards
heiko

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.