No reply from BACKUP CARP host



  • I have two pfSense 2.0.2 boxes in CARP, which under normal conditions are:
    PF1 = CARP MASTER
    PF2 = CARP BACKUP

    This is the network configuration:

    WAN: 192.168.10.0 / 24
       CARP1: .26
       CARP2: .27
       CARP3: .28
       PF1:   .29
       PF2:   .30
       GW:    .254
    DMZ: 192.168.0.0 / 24
       CARP1: .1
       PF1:   .251
       PF2:   .252
    LAN: 192.0.0.0 / 24 (oops, I inherited, it is not my fault;-)
       CARP1: .254
       PF1:   .251
       PF2:   .252
    SYNC: 192.168.200.0 / 24
       PF1:   .1
       PF2:   .2

    All interfaces have Gateway = None, and in System->Gateway I put 192.168.10.254 checked as Default Gateway on the WAN.

    The configuration of the OpenVPN server:
    Protocol:      UDP
    Device:        tun
    Interface:     WAN_CARP1
    Port:          1194
    Tunnel:        10.102.128.0 / 24
    Local Network: 192.0.0.0 / 24

    Everything works fine except the ping to the IPs of the host in BACKUP state.

    The Windows client opens the VPN to WAN_CARP1 and is able to ping hosts on the LAN, and the IPs of the MASTER host, including all VIPs, but I do not get any response from IPs of BACKUP host.
    Disconnecting PF1 only from the WAN, after a few seconds I can re-establish the VPN, but I can no longer reach the PF1 IPs, since PF1 has become the BACKUP host.

    Any idea?



  • @lucapsg:

    Everything works fine except the ping to the IPs of the host in BACKUP state.

    The Windows client opens the VPN to WAN_CARP1 and is able to ping hosts on the LAN, and the IPs of the MASTER host, including all VIPs, but I do not get any response from IPs of BACKUP host.
    Disconnecting PF1 only from the WAN, after a few seconds I can re-establish the VPN, but I can no longer reach the PF1 IPs, since PF1 has become the BACKUP host.

    yes… I think I have checked it out, when I tried to configure a site-to-site VPN, that the backup host has the same OpenVPN routes as the master host... so it can't be reached from the other side...

    You can check it by requesting the route:

    on master/backup you can try:

    route -n get <ip of lan client> => on both machines you would get the answer "ovpns1" for instance.

    => perhaps there is a solution with Quagga OSPF which handles the routes dynamically.
        But also here it can be that the static route of the shut down OpenVPN server is already set and therefore Quagga can't help out.



  • Solved!
    As mentioned by jimp (http://forum.pfsense.org/index.php/topic,54537.msg291748.html#msg291748), just add a NAT rule on the MASTER for each IP address of the BACKUP host unreachable from the VPN client.
    Using the above data, here is an example, which also includes a rule for the BACKUP host's IP in the DMZ.

    Interface       Source                  Source  Destination             Destination     NAT Address     NAT     Static  Description
                                           Port                            Port                            Port    Port
    --------------  ----------------------  ------  ----------------------  --------------  --------------  ------  ------  -------------------------------
    LAN             10.102.128.0/24         *       192.0.0.252/32          *               192.0.0.254     *       NO      Enable PF2 reply to VPN clients
    DMZ             10.102.128.0/24         *       192.168.0.252/32        *               192.168.0.1     *       NO      Enable PF2 reply to VPN clients
    --------------  ----------------------  ------  ----------------------  --------------  --------------  ------  ------  -------------------------------

    During the creation of these NAT rules you must check "No XMLRPC Sync".

    Similar rules can also be added to the BACKUP host, useful if the MASTER WAN connection goes down.
    Simply replace the destination IP address and put the IP of the MASTER, eg. 192.0.0.252/32 becomes 192.0.0.251/32.
    Do the same to any other networks.

    If you also add rules on the BACKUP host, I recommend disabling the option CARP -> "Synchronize NAT", because they would be deleted by the first synchronization.

    In 2.0.2 and 2.1 we shut down OpenVPN if it's bound to a CARP VIP in backup mode.

    On my 2.0.2, OpenVPN is still running on the BACKUP host and the routing tables are identical between the two boxes.

    Bye.
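    The two things this thread turns on, the route check from the second reply and the outbound NAT rows from the solved post, as an added shell example that is not part of the thread or of pfSense itself. It assumes FreeBSD's `route -n get` and `ifconfig` output formats; the sample outputs are constructed, not captured from the poster's boxes, and the `LAN`/`DMZ` names in the emitted `nat` rules are placeholders for the real pf interface names (em1 and so on), not what pfSense generates verbatim.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces offline:
#  (1) the check from the second reply: on a node whose CARP VIP is BACKUP,
#      does the route back to the VPN client still leave via an ovpnsN tun?
#  (2) the pf equivalent of one row of the outbound NAT table in the fix.
# Output formats assumed are FreeBSD's `route -n get` and `ifconfig`;
# the samples below are constructed, not captured from the poster's boxes.

# Outgoing interface from the captured output of `route -n get <client ip>`.
route_iface() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2 }'
}

# CARP state (MASTER/BACKUP) of the given vhid from captured `ifconfig` output.
carp_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "carp:" { for (i = 3; i < NF; i++) if ($i == "vhid" && $(i+1) == want) print $2 }'
}

# The failure mode in the thread: a BACKUP node still holds an OpenVPN route
# to the tunnel network, so its replies go into its own (inactive) tunnel
# instead of back through the MASTER, where the client's tunnel terminates.
diagnose() {
    case "$1:$2" in
        BACKUP:ovpns*) echo ASYMMETRIC ;;
        *)             echo OK ;;
    esac
}

# pf syntax equivalent of one outbound NAT row: traffic from the tunnel net
# to the BACKUP host's address is rewritten to come from the CARP VIP on that
# interface, so the BACKUP host answers the VIP (owned by MASTER) and the
# reply follows the live tunnel. Interface names are placeholders.
nat_rule() {
    printf 'nat on %s from %s to %s/32 -> %s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample output as it would look on the BACKUP node (PF2).
SAMPLE_ROUTE='   route to: 10.102.128.5
destination: 10.102.128.0
       mask: 255.255.255.0
    gateway: 10.102.128.2
  interface: ovpns1
      flags: <UP,GATEWAY,DONE,STATIC>'

SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.10.30 netmask 0xffffff00 broadcast 192.168.10.255
    inet 192.168.10.26 netmask 0xffffffff broadcast 192.168.10.26 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100'

# Stand-alone run: diagnose PF2 and print the two NAT rows from the table.
iface=$(route_iface "$SAMPLE_ROUTE")
state=$(carp_state "$SAMPLE_IFCONFIG" 1)
echo "PF2: CARP vhid 1 is $state, route to VPN client leaves via $iface: $(diagnose "$state" "$iface")"
nat_rule LAN 10.102.128.0/24 192.0.0.252 192.0.0.254
nat_rule DMZ 10.102.128.0/24 192.168.0.252 192.168.0.1
```

    On a real box you would feed `route_iface` the output of `route -n get <client ip>` and `carp_state` the output of `ifconfig` for the interface carrying the VIP; `ASYMMETRIC` on the BACKUP node is exactly the condition the NAT rows work around, since after the rewrite the BACKUP host only ever sees the VIP as the source and never needs its own route to the tunnel network.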

