VPN does not connect with CARP address but does with WAN address

bgibson

Hello there,
We have setup two pfsense boxes in full carp failover. We have two WAN's with 5 static IP addresses each. Other locations we have done this at works perfectly. Unfortunately, my setup here does not like the Virtual IP address created for my AT&T connection. When we configure the open VPN address with the carp address, it will not connect. When it's set to the static IP, it works no problem. From what I have read, the issue seems to be with the DSL modem not having "promiscuous" mode enabled, or the VIP does not contain a mac address so it can not authenticate. Can anyone enlighten me on where the issue may reside? I've tried explaining the issue to AT&T but I'm not sure they understand Pfsense or at least the techs I have talked to are not sure. We need this working since this location is not fully redundant. Any input would be great!

bgibson

Below is the openvpn error I get once we set the interface to the carp address.
May 21 15:40:32 openvpn[28266]: SIGUSR1[soft,ping-restart] received, process restarting
May 21 15:40:34 openvpn[28266]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
May 21 15:40:34 openvpn[28266]: Re-using pre-shared static key
May 21 15:40:34 openvpn[28266]: Preserving previous TUN/TAP instance: ovpnc2
May 21 15:40:34 openvpn[28266]: UDPv4 link local (bound): x.x.x.x (carp address for Wan2)
May 21 15:40:34 openvpn[28266]: UDPv4 link remote: x.x.x.x:x
May 21 15:41:34 openvpn[28266]: Inactivity timeout (–ping-restart), restarting

cmb

what type of AT&T service is it? Uverse RGs require stupid config changes before additional IPs will work. That sounds like the IP isn't working at all, which makes me think Uverse and its usual problems.

bgibson

Thanks for the response! I'm going to call now as this is our backup ISP and I'm not 100% sure if it's uverse or not. Is this something they will be able to change and if so, what am I asking them to change?

bgibson

From what AT&T could gather, I do not have a Uverse account. It's a business account, with a dsl connection.

bgibson

Any other possibilities that would cause this?

MLIT

Can you connect another host to the public network on the non-working side? –- Try to connect the two hosts that on the same network with OpenVPN. If it doesn't work, then it is not necessarily a problem with the AT&T modem causing the problem.

If it does work, everything is pointing to the modem. Do other services with CARP work fine?

bgibson

Yes, I can connect the two host using openvpn pointing to the wans static IP address, but when I point it to the Carp address, the VPN goes down and gives us the error listed above. My Time Warner Cable connection works fine, it's only with our ATT connection. TWC is 35x5 with 5 static IP, and our ATT connection is 768x768 dsl with 5 static IP.

MLIT

I think you misunderstood me, but I believe the issue is the DSL modem.

Can you get into your DSL modem? Generally you can change the setting for it by browsing to the IP address that is the default gateway on the WAN for your DSL network.