Cannot access to my VIP (Carp + pfsync)
-
Hello,
I've the following problem. I've configured Load Balancing for my web application. Now I can access (with ping) my VIP only from the VPN.
From the DMZ I can't ping 172.16.101.10
From the LAN I can't ping 10.0.0.10
I think that the problem is the Outbound NAT rules or the Load Balancing. I don't know.
Please, if anyone may help to resolve this problem. I've 2 PFServer + CARP + pfsync.
Below there is the configuration.

Server A
WAN --> 178.33.94.33
DMZ --> 172.26.101.1
LAN --> 10.0.0.1
SYNC --> 10.155.0.1

Server B
WAN --> 178.33.94.34
DMZ --> 172.26.101.2
LAN --> 10.0.0.2
SYNC --> 10.155.0.2

VIP
WAN --> 178.33.94.43
DMZ --> 172.26.101.10
LAN --> 10.0.0.10

In the attached picture there are the outbound rules.
Regards.
-
The NAT address should not be * but the ip address of the CARP VIP.
-
Hi,
For me it is unclear.
On which rules must I set the WAN VIP IP? I've inserted it in all rules, but it still does not work.
Regards.
Matteo
-
For all but 127.0.0.1; that one needs to stay with the WAN. What load balancing are you referring to? Your setup does not look like a multi-WAN setup. Did you set up the CARP VIP with a /32 or /24 subnet CIDR?
-
Hello Podillarius,
Sorry if I'm unclear.
I want to implement one active/passive cluster with 2 pfSense nodes.
I don't want to implement a multi-WAN setup.
This cluster must:
1. Publish and balance (balance daemon) a web site with 1 WAN VIP --> 178.33.94.43 on 3 DMZ servers;
2. Internet access and default gateway for DMZ and LAN with 2 VIP;
DMZ --> 172.26.101.10
LAN --> 10.0.0.10
3. Openvpn;
4. IDS;
5. Snort;

Thanks for your help.
Regards.
Matteo
-
Ok. What is the CIDR of your VIPs? The CIDR needs to match the corresponding interface. I would not worry about the other packages until you have the basic config down.
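The two points made in the replies above (outbound NAT must translate to the CARP VIP rather than the interface address, and the VIP's CIDR must match its interface) can be checked mechanically. The script below is an added example, not from this thread or from pfSense; it works on a constructed in-memory model of Server A's addressing instead of parsing config.xml, and the prefix lengths are assumed since the thread does not state them.

```python
import ipaddress

# Constructed model of Server A (not a parsed pfSense config.xml).
# Prefix lengths are assumptions; the thread only gives the addresses.
INTERFACES = {
    "wan": "178.33.94.33/24",
    "dmz": "172.26.101.1/24",
    "lan": "10.0.0.1/24",
}
CARP_VIPS = {
    "wan": "178.33.94.43/32",   # /32 here is the VIP/interface mismatch the reply asks about
    "dmz": "172.26.101.10/24",
    "lan": "10.0.0.10/24",
}
# Outbound NAT rules as (interface, source, translation); "*" = interface address.
OUTBOUND_NAT = [
    ("wan", "127.0.0.0/8", "*"),         # localhost rule: stays on the WAN interface address
    ("wan", "172.26.101.0/24", "*"),     # wrong: should translate to the WAN CARP VIP
    ("wan", "10.0.0.0/24", "178.33.94.43"),
]

def check_vip_cidrs(interfaces, vips):
    """Return VIPs whose prefix length differs from, or that lie outside, their interface's subnet."""
    problems = []
    for ifname, vip in vips.items():
        vnet = ipaddress.ip_interface(vip)
        inet = ipaddress.ip_interface(interfaces[ifname])
        if vnet.network.prefixlen != inet.network.prefixlen:
            problems.append(f"{ifname}: VIP {vip} is /{vnet.network.prefixlen}, "
                            f"interface is /{inet.network.prefixlen}")
        elif vnet.ip not in inet.network:
            problems.append(f"{ifname}: VIP {vip} is outside {inet.network}")
    return problems

def check_outbound_nat(rules, vips):
    """Flag rules that NAT to the interface address ('*') instead of the CARP VIP.
    The loopback (127.0.0.0/8) rule is the exception and must keep the interface address."""
    problems = []
    for ifname, src, translation in rules:
        if ifname not in vips:
            continue  # no CARP VIP on this interface, nothing to enforce
        vip_ip = str(ipaddress.ip_interface(vips[ifname]).ip)
        is_loopback = ipaddress.ip_network(src).subnet_of(ipaddress.ip_network("127.0.0.0/8"))
        if is_loopback:
            if translation != "*":
                problems.append(f"{ifname} {src}: loopback rule should use the interface address")
        elif translation != vip_ip:
            problems.append(f"{ifname} {src}: translation {translation!r}, expected CARP VIP {vip_ip}")
    return problems
```

When a node fails over, traffic NATed to the interface address leaves with the dead node's IP, which is why the VIP must be the translation address on every rule except the loopback one.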
-
Hi,
In the attachment there is the picture with the CIDR.
A few minutes ago, our provider gave me the following information (the pfSense boxes are virtual machines):
1. Promiscuous mode on the vSwitch
2. "MAC Address changes"
3. "Forged transmits"
are disabled on the virtual switch.
Maybe this is the problem?
Regards.
-
Yes, promiscuous mode must be enabled for CARP. Not sure about the others, but change one at a time.
-
Hi,
Our provider cannot modify these settings on the virtual switch.
Now I have lost the CARP configuration.
Now I have 2 pfSense and I want to implement the balancing with DNS.
I want to set up an NS server on our pfSense.
What do you think?
Regards.
Matteo
-
I have never tried it, but I guess you could use XMLRPC sync to only sync DNS. I don't have 2 free machines ATM to test.