PfSense Failover, using VLANs on LAN interface, problems
-
Would you let me know please, I don't know if I have to create a VIP for each VLAN. Also, can you tell me why, or is it ok, to have the LAN VIP as master in the backup when it should be backup…
-
The secondary should never be master unless there is a link problem on the primary. I got busy, but I still plan on setting this up.
-
So, how did it go?
-
Testing on this went very well. Failing back seems problematic, as in the download was interrupted, but it restarted with no problem. It might be fixed already in 2.0.3 .. will try that after a while.
Update:
Second test was fine … download was not interrupted. Could be the systems I am using though .. they are very old PIII machines.
Update again: 3rd test was fine ... so just a fluke on the first. Attribute that to slow systems I guess.
Final Update: Nope, it was storage space on the workstation that was causing the interruption, not the connection.
-
Great, so the configuration works? Could you please tell me how you did it so I can do it here? ty :D
-
WAN:
Master: x.y.z.254
Secondary: x.y.z.253
CARP VIP: x.y.z.2 (.1 is gateway)
vhid: 1
(I was testing with private IPs, as this sits behind another pfSense machine)
LAN:
Master: a.b.c.254
Secondary: a.b.c.253
CARP VIP: a.b.c.1
vhid: 2
Cluster (OPT1):
Master: b.c.d.1
Secondary: b.c.d.2
Standard clustering setup within pfSense thus far. I am not using directed multicast, but direct IP pfsync, though it was just from earlier testing (with and without).
VLAN13 (OPT2):
Master: c.d.e.254
Secondary: c.d.e.253
CARP VIP: c.d.e.1
vhid: 13
VLAN14 (OPT3):
Master: d.e.f.254
Secondary: d.e.f.253
CARP VIP: d.e.f.1
vhid: 14
All are /24 subnets.
Of course I set up advanced outbound NAT rules and firewall rules for each of the subnets. I put a VM behind VLANs 13 and 14 with the CARP VIP as the gateway and started a download. I then rebooted the master FW and watched the secondary take over and then relinquish control back to the primary when it came up. Downloads were not interrupted, nor was the continuous ping.
-
Great, I really need to do this. I have some questions about your configuration:
first:
Cluster (OPT1):
this would be the SYNC interface, right?
second:
VLAN13 (OPT2):
why OPT2? Did you use a real interface? It's a VLAN, so you need to create a VLAN over an interface; on which did you create it? My VLANs are on the LAN interface, all 4 of them. How are your VLANs configured?
third:
same for VLAN14
fourth:
how did you configure your outbound NAT rules?
fifth:
did you configure anything else? Like a DHCP server? Any changes at all?
thank you again :D.
-
first:
opt1 is the cluster interface tied between the 2 FWs via a crossover cable.
second:
Huh? That is how you use VLANs. You create them and then assign them to an interface. In this case it was OPT2. You can rename the interface if you like; I could rename opt2 to vlan13 if I liked, I just didn't. It uses the same physical interface as LAN (LAN technically runs on VLAN1). So basically it maps like:
VLANx -> fxpx -> OPTx. When you assign OPT2, the interface list will show VLAN13 that was just created on top of fxp1. Then you go to the opt2 interface configuration to activate it. Then of course assign an interface address. THEN the CARP IP is created and used as the gateway address for that subnet.
Hope that clarifies it.
third:
see second.
fourth:
Easy, switch from auto to manual, then create 2 entries for each VLAN. One for port 500 with static port and the other for all other traffic. It is best to just copy all but the localhost subnets for each VLAN subnet. For my purposes, I used just the WAN address as the NATted IP. 1:1 and port forward NAT should work with CARP addresses also.
No, I didn't configure DHCP. This would be at a DC for disaster recovery testing, so customers are expected to provide IPs or a DHCP server. I suppose it should be possible. I did use DHCP on LAN during the whole test. This is because it is an internal vswitch and would not interfere with the production DHCP server. But that stayed up as well. Of course I was not looking for problems on DHCP.
I was configuring a test for my setup
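As an added example (not code from this thread or from pfSense), the small Python check below takes an addressing plan laid out like the one above and verifies what the answers rely on: one CARP VIP per VLAN, master, secondary and VIP all inside the same /24, and a unique vhid per interface. It also lists the two manual outbound NAT rules per subnet described above (port 500 with static port, then a catch-all). The addresses are constructed samples, and treating port 500 as UDP is an assumption.

```python
"""Sanity-check a pfSense CARP + VLAN failover plan like the one in this thread."""
import ipaddress
from dataclasses import dataclass


@dataclass
class CarpIface:
    name: str
    master: str       # address on the primary firewall
    secondary: str    # address on the backup firewall
    vip: str          # shared CARP address used as the subnet gateway
    vhid: int


# Constructed plan mirroring the thread's layout (real addresses were redacted there).
PLAN = [
    CarpIface("WAN",    "203.0.113.254", "203.0.113.253", "203.0.113.2", 1),
    CarpIface("LAN",    "10.0.0.254",    "10.0.0.253",    "10.0.0.1",    2),
    CarpIface("VLAN13", "10.0.13.254",   "10.0.13.253",   "10.0.13.1",   13),
    CarpIface("VLAN14", "10.0.14.254",   "10.0.14.253",   "10.0.14.1",   14),
]


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen_vhids = [], {}
    for i in plan:
        net = ipaddress.ip_network(f"{i.master}/24", strict=False)  # all subnets are /24
        for label, addr in (("secondary", i.secondary), ("vip", i.vip)):
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"{i.name}: {label} {addr} is outside {net}")
        if len({i.master, i.secondary, i.vip}) != 3:
            problems.append(f"{i.name}: master, secondary and VIP must be distinct")
        if i.vhid in seen_vhids:  # a duplicate vhid makes two CARP groups fight
            problems.append(f"{i.name}: vhid {i.vhid} already used by {seen_vhids[i.vhid]}")
        seen_vhids.setdefault(i.vhid, i.name)
    return problems


def outbound_nat_rules(plan, wan_name="WAN"):
    """Two manual outbound NAT rules per non-WAN subnet, NATting to the WAN address."""
    rules = []
    for i in plan:
        if i.name == wan_name:
            continue
        src = str(ipaddress.ip_network(f"{i.master}/24", strict=False))
        # ISAKMP first with static port (UDP 500 assumed), then everything else.
        rules.append({"source": src, "proto": "udp", "dst_port": 500, "static_port": True, "nat_address": "WAN address"})
        rules.append({"source": src, "proto": "any", "dst_port": None, "static_port": False, "nat_address": "WAN address"})
    return rules
```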
-
Hi again, and thanks for your help. The thing is that I have 4 VLANs on the LAN interface, and each one of them uses DHCP, so I will try to run some tests later this afternoon and I will post the results.
-
Have to manually set the gateway to CARP address but DHCP seems to work fine.