VLAN vIP's not working.
-
Hi,
I am experiencing a peculiar problem, the vIP for the physical opt0 interface works perfectly however the vIP for the vLANs do not.
I am setting up 2 pfsense 2.1 firewalls in a CARP failover configuration.
I have created 3 vLANs on the opt0 (LAN) interface
FW01 (master)
LAN - 192.168.2.0/24 : IP - 192.168.2.2
vlan3 - 192.168.3.0/24 : IP - 192.168.3.2
vlan4 - 192.168.4.0/24 : IP - 192.168.4.2
vlan5 - 192.168.5.0/24 : IP - 192.168.5.2FW02 (backup)
LAN - 192.168.2.0/24 : IP - 192.168.2.3
vlan3 - 192.168.3.0/24 : IP - 192.168.3.3
vlan4 - 192.168.4.0/24 : IP - 192.168.4.3
vlan5 - 192.168.5.0/24 : IP - 192.168.5.3vIP configuration
LAN - 192.168.2.1
vlan3 - 192.168.3.1
vlan4 - 192.168.4.1
vlan5 - 192.168.5.1I can ping each interface IP from their respective vLANs however only the LAN vip will respond to ping or will work as a gateway.
I have identical firewall rules for each vLAN.
I have checked for obvious mistakes etc and run through the troubleshooting guide.
Can anyone offer any ideas as to the cause of the problem?
Thanks,
Wyvern
-
Sounds like you have trunk/switch configuration issue. Do you have the same VLAN id's configured on your switch and trunk? What kind of switch do you have?
-
Hi thanks for the reply,
I think you may have misunderstood, the vlans work fine if I use the interface ip as the gateway on the pc's the problem is when I use the vIP.
but just in case im misunderstanding :)
switches are HP 1910.
-
Sorry I think I may be explaining this badly :)
If we take vLAN 3 as an example
vLAN interface IP FW01 192.168.3.2
vLAN interface IP FW01 192.168.3.3
CARP vIP 192.168.3.1If I configure a pc and plug it into a port tagged for vlan3 I can ping 192.168.3.2 but not 192.168.3.1
Also I can use 192.168.3.2 as a gateway to browse the internet etc however 192.168.3.1 does not work.
I have heard of similar issues happening in a virtual environment but this is 100% physical.
Cheers
Wyvern
-
are your firewalls physical or virtual devices?
-
Hi,
They are both HP DL360's the LAN interface is using the onboard NIC's
Switches are HP Procurve 1910-24G
Cheers
-
if you could post the config of your firewalls and switches, that would help a lot.
xml config for firewalls, txt config for switches.
-
What carp status you have on both pfSense's GUI?
Any other device on your network using carps or vrrp?
-
What carp status you have on both pfSense's GUI?
Any other device on your network using carps or vrrp?
Hi,
The status on the primary firewall is active and the secondary firewall has backup. There are no other devices using carp.
I will post the configs shortly.
Cheers,
Wyvern
-
I am about to do the same exact setup. I'll let you know if I run into any troubles. However, keep posting your findings. I've got a project due within 1 week and will need to have working solution.
Thanks,
Daniel
-
Really strange but we went live over the weekend just using the primary server and I tested creating a vIP today and it worked….
No idea what went wrong or how it was resolved sorry. But thank you all for your help.
-
If it worked could you post your configuration please? ty :P
-
I think for CARP on ESX you have to have promiscuous mode turned on.
