CARP + VIP + 1:1 NAT - Outgoing traffic, only one machine works?



  • Hey guys,

    I seem to be having problems with this CARP plus VIP setup I have here. Currently I have two machines running pfSense doing 1:1 NAT with CARP and VIP. I'm not sure if I can even describe the problem because it's so inconsistent/flaky. If the server has 1:1 NAT and ProxyARP entries in the firewall, the server has a problem making outgoing connections.

    By fiddling around with the ProxyARPs, the server manages to establish outgoing connections. Incoming connections are never a problem for some reason.

    However, if I have more than one server with 1:1 and ProxyARP enabled, only one of the two servers is able to make outgoing connections.

    It's a typical CARP/VIP/1:1 NAT. Config is as follows:

    2 x pfSense boxes

    • WAN Interface: Master's WAN IP is x.x.x.1/24, Slave is x.x.x.2/24
    • LAN Interface: 192.168.100.1, Slave 192.168.100.2
    • SYNC Interface: 192.168.50.1, Slave 50.2

    VIP for CARP:

    • WAN: x.x.x.119/24, vhid 1
    • LAN: 192.168.100.10/24, vhid 2

    ProxyARP:

    1. x.x.x.110/24
    2. x.x.x.105/24

    1:1:

    1. x.x.x.110 -> 192.168.100.110
    2. x.x.x.105 -> 192.168.100.100

    Advanced NAT: LAN to CARP VIP .119

    CARP Status shows the master as master and slave as slave. Configs do synchronize perfectly and as such, config is identical for both firewall machines.

    On each of the clients, it's configured to use the LAN VIP as the gateway, DNS and so forth. The funny thing is, this setup was working with one pfSense box but as I tried to add another, this problem started to happen.

    This doesn't happen to regular DHCP clients, so for example, if I connect my laptop to the LAN, I do get the right IP information and am able to connect out to the internet just fine. I use iptools.com to check the current IP I'm connecting with, and with a regular client I do see the master's public WAN IP used as my connecting IP.

    Same for the NAT'd servers: if I somehow manage to open a connection to iptools.com with one of the 1:1 servers, I do get the right IPs (x.110 or x.105).

    Anyone have any ideas? I thought it was my custom kernel (the thread is in the hardware forum) so I switched the master/slave roles around. Same thing. I even tried to disable the CARP on the slave machine, nope.



  • I'm having the same problem.

    Two machines using CARP.

    NAT 1:1: the first rule works perfectly for one server while the second rule does not work at all (the machine loses internet connectivity).

    I have the EXACT same setup…

    I am running 1.2 RC4 on both.

    In the log I get this error on the IP I'm trying to 1:1 NAT that does not work:

    kernel: arp: 00:19:d1:55:ba:95 is using my IP address 128.210.145.38!

    For all the other CARP IPs I get this:

    kernel: arp_rtrequest: bad gateway 128.210.145.246 (!AF_LINK)
    Feb 5 14:45:15 kernel: arp_rtrequest: bad gateway 10.0.0.1 (!AF_LINK)
    Feb 5 14:45:16 kernel: arp_rtrequest: bad gateway 128.210.145.21 (!AF_LINK)
    Feb 5 14:45:17 kernel: arp_rtrequest: bad gateway 128.210.145.38 (!AF_LINK)

    Anyone have any ideas?
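The two kernel messages quoted in this post are the kind of thing worth pulling out of the log mechanically, so as an added example (not from the thread or from pfSense) here is a small Python parser that extracts the MAC/IP pairs from "is using my IP address" lines and the addresses from "arp_rtrequest: bad gateway" lines, then reports which addresses a firewall expects to own are being claimed by another MAC. The sample log is constructed around the messages in the post; the timestamps and the set of expected VIPs are invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the message texts are the ones quoted in the post,
# the timestamps are invented.
SAMPLE_LOG = """\
Feb 5 14:45:14 kernel: arp: 00:19:d1:55:ba:95 is using my IP address 128.210.145.38!
Feb 5 14:45:15 kernel: arp_rtrequest: bad gateway 128.210.145.246 (!AF_LINK)
Feb 5 14:45:15 kernel: arp_rtrequest: bad gateway 10.0.0.1 (!AF_LINK)
Feb 5 14:45:16 kernel: arp_rtrequest: bad gateway 128.210.145.21 (!AF_LINK)
Feb 5 14:45:17 kernel: arp_rtrequest: bad gateway 128.210.145.38 (!AF_LINK)
Feb 5 14:45:20 kernel: arp: 00:19:d1:55:ba:95 is using my IP address 128.210.145.38!
"""

# FreeBSD arp(4) duplicate-address warning: another station answered ARP for one of our IPs.
DUP_RE = re.compile(
    r"arp: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address (?P<ip>[0-9.]+)!",
    re.IGNORECASE,
)
# Route entry whose gateway is not a link-layer address (the !AF_LINK message in the post).
BADGW_RE = re.compile(r"arp_rtrequest: bad gateway (?P<ip>[0-9.]+) \(!AF_LINK\)")


@dataclass(frozen=True)
class ArpEvent:
    kind: str            # "duplicate_ip" or "bad_gateway"
    ip: str
    mac: Optional[str] = None  # only set for duplicate_ip events


def parse_arp_events(text):
    """Turn raw kernel log lines into ArpEvent records; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DUP_RE.search(line)
        if m:
            events.append(ArpEvent("duplicate_ip", m["ip"], m["mac"].lower()))
            continue
        m = BADGW_RE.search(line)
        if m:
            events.append(ArpEvent("bad_gateway", m["ip"]))
    return events


def conflicts(events, expected_vips):
    """Map each expected VIP (CARP or ProxyARP address) to the set of foreign MACs claiming it."""
    claims = {}
    for ev in events:
        if ev.kind == "duplicate_ip" and ev.ip in expected_vips:
            claims.setdefault(ev.ip, set()).add(ev.mac)
    return claims
```

A MAC that shows up here should be matched against the second firewall and the 1:1 NAT'd servers' interfaces before assuming a third party is on the segment.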



  • Found a possible but weird solution; I'm gonna let this run overnight to see if it works.

    In the virtual IP area where you specify CARP, I changed the new 1:1 address group from 4 to 2, which is a group that is already in use with something else, and it seems to work fine.

    Again, I will reply tomorrow to let you know if this worked.

    Btw.. if this does work, why can you not add a new CARP IP and keep increasing the group #?

    What is the VHID?



  • That did not work, it instantly failed.



  • OK, I upgraded to the RC5 2008-Feb-06 10:18:01 build.

    It seems to work but I am going to let it run for two days. If it works after the two days this problem is resolved.

    So see you in 2 days…

