CARP + VIP + 1:1 NAT - Outgoing traffic, only one machine works?
jewps last edited by
I seem to be having problems with this CARP plus VIP setup I have here. Currently I have two machines running pfSense doing 1:1 NAT with CARP and VIP. I'm not sure if I can even describe the problem because its so inconsistent/flaky. If the server have 1:1 NAT and ProxyARP entries in the firewall, the server has a problem making outgoing connections.
By fiddling around with the ProxyARPs, the server manages to establish outgoing connections. Incoming connections are never a problem for some reason.
However, if I have more than one server with 1:1 and ProxyARP enabled, only one of the two servers are able to make outgoing connections.
Its a typical CARP/VIP/1:1 NAT. Config is as followed:
2 x Pfsense boxes
- WAN Interface: Master's WAN IP is x.x.x.1/24, Slave is x.x.x.2/24
- LAN Interface: 192.168.100.1, Slave 192.168.100.2
- SYNC Interface: 192.168.50.1, Slave 50.2
VIP for CARP:
- WAN: x.x.x.119/24, vhid 1
- LAN: 192.168.100.10/24, vhid 2
- 1. x.x.x.110/24
- 2. x.x.x.105/24
- 1. x.x.x.110 -> 192.168.100.110
- 2. x.x.x.105 -> 192.168.100.100
Advance NAT: LAN to CARP VIP .119
CARP Status shows the master as master and slave as slave. Configs do synchronize perfectly and as such, config is identical for both firewall machines.
On each of the clients, its configured to use the LAN VIP as the gateway, DNS and so forth. The funny thing is, this setup was working with one pfsense box but as I tried to add another, this problem started to happen.
This doesn't happen to regular DHCP clients so for example, if I connected my laptop to the LAN, I do get the right IP information and is able to connect out to the internet just fine. I use iptools.com to check the current IP I'm connecting with and with a regular client, I do see the master public wan IP used as my connecting IP.
Same for NAT'd servers so if I somehow managed to open a connection to iptools.com with one of the 1:1 servers, I do get the right IPs (x.110, or x.105)
Anyone have any ideas? I thought it was my custom kernel (the thread is in the hardware forum) so I switched the master/slave roles around. Same thing. I even tried to disable the CARP on the slave machine, nope.
im having the same problem
two machines using carp
NAT 1:1, the first rule works perfectly for one server while the second rule does not work at all (the machine looses internet connectivity)
i have the EXACT same setup…
i am running 1.2 rc4 on both
in the log i get this error on the ip im trying to 1:1 nat that does not work kernel: arp: 00:19:d1:55:ba:95 is using my IP address 126.96.36.199!
for all the other carp ips i get this
kernel: arp_rtrequest: bad gateway 188.8.131.52 (!AF_LINK)
Feb 5 14:45:15 kernel: arp_rtrequest: bad gateway 10.0.0.1 (!AF_LINK)
Feb 5 14:45:16 kernel: arp_rtrequest: bad gateway 184.108.40.206 (!AF_LINK)
Feb 5 14:45:17 kernel: arp_rtrequest: bad gateway 220.127.116.11 (!AF_LINK)
anyone have any ideas?
found a possible but werid solution im gonna let this run ove rnight to see if it works
in the virtual ip area where you specify carp i changed the new 1:1 address group from 4 to 2 which is a group that is already in use with something else and it seems to work fine.
again, i will reply tommorow to let you know if this worked.
Btw.. if this does work, why can you not add a new carp ip and keep increasing the group #?
wut is the VHID?
that did not work it instantly failed
ok, i upgraded to RC 5 2008-Feb-06 10:18:01 build
it seems to work but i am going to let it run for two days. If it works after the two days this problem is resolved
so see u in 2 days…