Configuring CARP with Multiple WAN connections
-
I have 2 PePlinks acting as wan aggregators and then 2 PFsense boxes running 2.1 acting as routing DHCP and VLAN management.
My questions is around the WAN side of the setup. is a WAN VIP required for CARP? I am having trouble configuring what this topology looks like this http://i.imgur.com/dqffEab.png
Do the wan aggregators need to have different subnets? how would a VIP work in this scenario?
Thanks for the input.
-
is a WAN VIP required for CARP?
yes, if you always need to source from the same wan ip.
no if you just need to failover to the secondary firewall. (you still need carp on all lan interfaces) -
no if you just need to failover to the secondary firewall. (you still need carp on all lan interfaces)
I set CARP up on my LAN interface, but under the CARP status page it shows both Firewalls status as MASTER.
Should I be able to ping the carp interface on FW2 from FW1?
For example:
Carpinterface on FW1 is 10.10.10.1
Carpinterface on FW2 is 10.10.10.2Should I be able to ping 10.10.10.2 from the LAN on FW1 ?
-
I set CARP up on my LAN interface, but under the CARP status page it shows both Firewalls status as MASTER.
then your firewalls can't see each other, and they both think they should be master. are they physical or virtual?
-
The firewalls are both physical they are Dell poweredge 2950's.
I added a PASS rule in each FW's carp interface, do I need to add a similar rule on the other interfaces?
How can they sync all the rules/settings if they can't see each other? I am also able to ping the other FW from the ping utility if I select my source interface as the carp interface.
-
It's on the lan interface they can't see each other… Smetimes i have to boot the secondary firewall after the initial carp configuration. Have you tried that?
Can you ping the primary firewalls lan ip from the secondary firewall?
-
Apparently after a night of my rig sitting they are now appearing as "Backup" and "Master" appropriately. I can reach the primary and backup IPs from LAN and if I connect to the VIP it directs to the MASTER fw.
All I have to do now is add a VIP for each of my VLANs right? and then the VLANs should fail over too ? Each FW is connected to it's own WAN aggregator with to a different ISP I don't think I need to create a VIP for the WAN, what is your advice here?
Thanks for all your insight and advice.
-
All I have to do now is add a VIP for each of my VLANs right?
Yep…
Your traffic will source from your firewalls wan ip. If you need it to always source from the same ip, then you need a carp wan ip and manually configure outgoing nat.
-
Any advice on routing?
I am able to ping anything internally but can't reach the internet
A traceroute to www.google.com will show the MASTER FW IP responding twice and then ending like this
1 10.0.0.2 (10.0.0.2) 0.232 ms 0.236 ms 0.219 ms
2 10.0.0.2 (10.0.0.2) 0.234 ms !H 0.231 ms !H 0.238 ms !HMy virtual IP is 10.0.0.1 and the slave ip is 10.0.0.3
I updated the DNS and Gateway in the DHCP server settings to be the virtual IP.
I can also ping what should be the next hop 10.37.7.1 ( the wan aggregator) but as you can see from traceroute the route is not quite right.
Thanks
-
Please post your config or network diagram
-
Here are screen shots of the different screens let me know if you need more info.
http://imgur.com/xSftVxH,PCIPb7i,es257OX,iaHuros,yDaam4d,JWfg73C#0
-
I am able to ping www.google.com from the WAN interface. I can not ping my LAN VIP (10.0.0.1) from the WAN interface, could this be a problem?
-
I figured this out, apparently if you make a gateway from the interfaces tab it can gain priority and cause your routing to break? Probably user error on my end but once I removed the gateway I was able to route traffic again.
Thanks for your help.