Problem with CARP VIPs on WAN
-
I've got several zones (WAN, LAN, DMZ, DMZADMIN, and PFSYNC), and everything works great up until I try to add virtual IPs for my public addresses.
Public IP range: x.x.17.0 - x.x.17.127
Gateway: x.x.17.1
Master FW WAN interface: x.x.17.2
Backup FW WAN interface: x.x.17.3

I read several other threads that said you shouldn't use proxy ARP virtual IPs for public addresses while using CARP (unless you disable the virtual IP syncing), and to instead use CARP VIPs. When I set up my first CARP VIP for a public address (x.x.17.4), I get a master/master condition (all the other CARP VIPs show correct master/backup). My objective is to have several public IPs set up with VIPs and then use 1:1 NAT.
I read this typically occurs when there is a VHID conflict or an unreachable IP, and I triple-checked everything I could think of and don't see any problems.
- I can ping both WAN NICs from the LAN and the public internet
- The PFSYNC zone is allowing all traffic
- The public IPs are only being used by the interfaces/VIP I listed above
- The VHID is unique, and I've tried changing it several times just to make sure
I assume the public VIP will never work properly with a master/master, since both firewalls will try to handle its traffic simultaneously?
Please let me know if there is anything stupid I'm overlooking? Or, if I should use a different approach to public NATted IPs.
Thanks
-
Anybody???
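The master/master symptom described in the thread is easiest to confirm by comparing the CARP state of both nodes side by side rather than reading two web GUIs. The script below is an added example, not code from the thread or from pfSense: it parses the `ifconfig` output of each node (the FreeBSD 10+ format that pfSense 2.2 and later print, with a `carp: MASTER vhid N advbase N advskew N` line under each interface) and reports any VHID that is MASTER on both nodes, has no MASTER at all, exists on only one node, or has identical advbase/advskew on both nodes. The sample `ifconfig` text is constructed, with 192.0.2.0/25 standing in for the poster's x.x.17.0/25 and `vtnet0`/`vtnet1` standing in for the WAN and LAN interfaces; it assumes both nodes use the same interface names, which is how pfSense's config sync normally leaves them.

```python
import re

# Assumed input format: FreeBSD 10+ ifconfig output (pfSense 2.2 and later).
IFACE_RE = re.compile(r"^(?P<iface>[A-Za-z][\w.]*):\s+flags=")
CARP_RE = re.compile(
    r"^\s+carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)"
    r"\s+advbase\s+(?P<advbase>\d+)\s+advskew\s+(?P<advskew>\d+)"
)


def parse_carp(ifconfig_text):
    """Map (interface, vhid) -> {state, advbase, advskew} from one node's ifconfig output."""
    carp = {}
    iface = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("iface")  # unindented "name: flags=..." starts a new interface
            continue
        m = CARP_RE.match(line)
        if m and iface is not None:
            carp[(iface, int(m.group("vhid")))] = {
                "state": m.group("state"),
                "advbase": int(m.group("advbase")),
                "advskew": int(m.group("advskew")),
            }
    return carp


def check_cluster(primary, backup):
    """Compare the CARP tables of two nodes; return a list of (severity, message)."""
    findings = []
    for iface, vhid in sorted(set(primary) | set(backup)):
        a, b = primary.get((iface, vhid)), backup.get((iface, vhid))
        if a is None or b is None:
            findings.append(("error", f"{iface} vhid {vhid}: defined on only one node"))
            continue
        states = (a["state"], b["state"])
        if states == ("MASTER", "MASTER"):
            # The poster's symptom: both firewalls claim the VIP at once.
            findings.append(("error", f"{iface} vhid {vhid}: MASTER on both nodes (split brain)"))
        elif "MASTER" not in states:
            findings.append(("error", f"{iface} vhid {vhid}: no MASTER ({states[0]}/{states[1]})"))
        if (a["advbase"], a["advskew"]) == (b["advbase"], b["advskew"]):
            # With equal advertisement timing neither node is preferred; pfSense's
            # config sync normally gives the backup a higher advskew.
            findings.append(("warn", f"{iface} vhid {vhid}: identical advbase/advskew on both nodes"))
    return findings


# Constructed sample output, not captured from a real system. vtnet0 = WAN, vtnet1 = LAN.
PRIMARY_IFCONFIG = """\
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff80 broadcast 192.0.2.127
    inet 192.0.2.4 netmask 0xffffffff broadcast 192.0.2.4 vhid 4
    carp: MASTER vhid 4 advbase 1 advskew 0
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
    inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0
"""

BACKUP_IFCONFIG = """\
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.3 netmask 0xffffff80 broadcast 192.0.2.127
    inet 192.0.2.4 netmask 0xffffffff broadcast 192.0.2.4 vhid 4
    carp: MASTER vhid 4 advbase 1 advskew 100
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
    inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1 vhid 2
    carp: BACKUP vhid 2 advbase 1 advskew 100
"""


def main():
    findings = check_cluster(parse_carp(PRIMARY_IFCONFIG), parse_carp(BACKUP_IFCONFIG))
    for severity, message in findings:
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main()
```

Run `ifconfig` on each node, paste the two outputs into `PRIMARY_IFCONFIG` and `BACKUP_IFCONFIG`, and run the script; on the constructed input it reports only the WAN VHID as MASTER on both nodes, while the LAN VHID shows a clean master/backup pair. A split brain on one VHID with the others healthy points at that VHID's broadcast domain (the WAN segment) rather than at pfsync, since pfsync state is not what decides CARP elections; the election runs over the CARP advertisements on the interface carrying the VIP.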