pfSense Failover inbound
-
Hello
I've clustered 2 pfSenses with a VIP
WAN VIP 192.168.1.200
LAN VIP 192.168.0.1
No issue for the outbound traffic (manual outbound NAT on WAN to translate to VIP 192.168.0.200)
BUT
The WAN is behind my ISP box (NATed); the DMZ is set to the real IP of the first pfSense, not the VIP.
As soon as I change the DMZ to 192.168.0.200, I'm unable to access the servers on the LAN.
Do I need to create an inbound rule or something?
Thanks for the help
-
You seem to have the same subnet on WAN and LAN.
Unless you are bridging, this will not work. (And if you bridge, you don't need the VIP anymore.)
-
Oops, sorry, sorry
192.168.1.200
-
You write that as soon as you change the inbound NAT on the ISP-provided box you can't access your server(s) anymore.
You already have a rule in place to forward traffic from your primary IP to your server(s).
Did you adjust the NAT and firewall rules on the pfSense to reflect the change from primary IP to VIP?
-
The master firewall was a standalone one. Everything was fine.
The slave firewall got the same rules propagated from the master.
The master got the "hard" IP 192.168.1.249 (slave 192.168.1.248).
The VIP is 192.168.0.200
When the DMZ is set on 249, everything works for inbound.
When the DMZ is set on 248, everything works for inbound.
When the DMZ is set on 200 (the VIP), no service outside of the LAN.
Is it clearer? :)
-
Okay, what is the subnet mask used on the CARP interface? It should match the real interfaces. It is not like Proxy ARP where you use just a /32. If the WAN IPs are /24, then so should the CARP VIP be. Same for IP Alias.
-
Everything is fine on the subnet front
/24 everywhere
The WAN is /24 end to end
-
Just making sure, because the CARP VIP defaults to /32 and most forget to change that to match the WAN subnet. It still sounds like something is wrong with the CARP VIP setup; can you go into it and screenshot that? Also, I just noticed that the CARP VIP is not in the same subnet as the WAN. This cannot be. It must be in the same subnet as the WAN address. Perhaps a typo?
Also, did you set up manual outbound NAT to use the CARP VIP and not the WAN interface address?
-
Nailed it
I forgot something … the WAN vSwitch in my ESXi wasn't set properly for CARP.
Promiscuous mode: Accept (but it was correctly set for the LAN)
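The two CARP VIP mistakes raised in the thread (a VIP left at the /32 default instead of the interface's mask, and a VIP address outside the interface's subnet) are easy to check mechanically from a config backup. The script below is an added example, not code from the thread or from pfSense itself. It parses an XML fragment constructed here to resemble the `<interfaces>` and `<virtualip>` sections of a pfSense config.xml export (the element layout is assumed from memory; compare it against your own backup) and reports any CARP VIP that does not line up with its parent interface. The addresses in the sample are the ones from the thread.

```python
"""Sanity-check CARP VIP definitions against their parent interface.

Added example, not pfSense's own tooling. Parses a config.xml-like fragment
(layout assumed) and reports CARP VIPs whose mask differs from the interface
mask or whose address lies outside the interface subnet.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml export (assumed layout).
# The third VIP reproduces the typo discussed in the thread.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>vmx0</if><ipaddr>192.168.1.249</ipaddr><subnet>24</subnet></wan>
    <lan><enable/><if>vmx1</if><ipaddr>192.168.0.2</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
         <subnet>192.168.1.200</subnet><subnet_bits>32</subnet_bits><descr>WAN VIP</descr></vip>
    <vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid>
         <subnet>192.168.0.1</subnet><subnet_bits>24</subnet_bits><descr>LAN VIP</descr></vip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>3</vhid>
         <subnet>192.168.0.200</subnet><subnet_bits>24</subnet_bits><descr>Typo VIP</descr></vip>
  </virtualip>
</pfsense>
"""


def interface_networks(root):
    """Map interface tag (wan, lan, ...) -> IPv4Interface with its mask."""
    nets = {}
    ifaces = root.find("interfaces")
    if ifaces is None:
        return nets
    for iface in ifaces:
        addr = iface.findtext("ipaddr")
        bits = iface.findtext("subnet")
        if not addr or not bits or addr in ("dhcp", "pppoe"):
            continue  # dynamic WANs carry no static mask to compare against
        nets[iface.tag] = ipaddress.ip_interface(f"{addr}/{bits}")
    return nets


def check_carp_vips(config_xml):
    """Return a list of (descr, problem) tuples for misconfigured CARP VIPs."""
    root = ET.fromstring(config_xml)
    nets = interface_networks(root)
    problems = []
    vips = root.find("virtualip")
    if vips is None:
        return problems
    for vip in vips.findall("vip"):
        if vip.findtext("mode") != "carp":
            continue  # Proxy ARP and IP Alias entries follow different rules
        descr = vip.findtext("descr") or vip.findtext("subnet")
        ifname = vip.findtext("interface")
        if ifname not in nets:
            problems.append((descr, f"interface {ifname!r} has no static address"))
            continue
        parent = nets[ifname]
        vip_addr = ipaddress.ip_interface(
            f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}"
        )
        # CARP VIPs must carry the same mask as the real interface, not /32.
        if vip_addr.network.prefixlen != parent.network.prefixlen:
            problems.append((descr, f"mask /{vip_addr.network.prefixlen} differs "
                                    f"from {ifname} /{parent.network.prefixlen}"))
        # And the VIP must sit inside the interface's subnet.
        if vip_addr.ip not in parent.network:
            problems.append((descr, f"{vip_addr.ip} is outside {ifname} "
                                    f"subnet {parent.network}"))
    return problems


if __name__ == "__main__":
    for descr, problem in check_carp_vips(SAMPLE_CONFIG):
        print(f"{descr}: {problem}")
```

Run it against the `<interfaces>` and `<virtualip>` sections cut from a real backup; an empty result means the VIPs at least agree with their interfaces. It does not detect the vSwitch promiscuous-mode problem that turned out to be the cause here, since that lives on the hypervisor, not in the pfSense config.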