Carp setup issues
-
You are correct on how I have everything setup.
The CARP state is correct on both systems.
I am unable to ping through the firewall or reach any internet sites from the client. I can ping from the pfSense boxes themselves, but the client cannot, and I have verified the client settings numerous times.
-
Have you set rules to allow outbound traffic from your LAN?
For testing set up this rule on LAN interface:
ID Proto Source Port Destination Port Gateway Queue Schedule
IPv4 * * * * * * none Outbound
Also, for pinging through the firewall you have to set up an additional NAT rule depending on the direction.
pfSense itself responds to ping by default on the LAN real IP and VIP only. If you want to ping the WAN VIP you have to add a corresponding rule on the WAN interface like:
IPv4 ICMP * * * * * none allow ping
Configure all your rules to log for debugging. So the "Default deny rule" (if the packet matches no other rule) will be logged too.
-
Thanks, I verified that the rule is set already on the LAN interface.
I was trying to ping the LAN VIP from the client (10.1.9.160 (client) -> 10.1.9.250 (LAN VIP)) and it did not respond.
I am unable to ping through the firewall from the client also when the gateway is set to the LAN VIP, pinging either yahoo.com or 8.8.8.8. They both ping fine from the CLI of the pfSense boxes.
-
Attaching my current running config to see if it can help shed light on my mess-up.
Thanks,
Ben
-
Oh my god!
You have blocked private IPs on the WAN interface! And your WAN is in a private subnet.
Go to Interfaces > WAN and remove the checks in the private network area. That is only for use on the internet.
Furthermore you have configured a "CARP_WANGW". That is not needed. Delete it please.
I hope it's done by that.
Regards
-
One thing else:
That was the config of your backup, I don't know why. Anyway, here the LAN VIP is 10.1.9.253. You have written that you set it to 250.
The clients have to point at this.
-
Well, drat, that didn't work. I had created that gateway long ago in TS'ing the issue and just didn't delete it yet. Hmmm, I am out of thoughts myself. I had made a brief change on the LAN VIP to that address just to try a theory at that time and have pointed it back to .250.
I didn't have much hope that it would work, as before, if I pointed everything to the firewall directly (.251), it all works fine. But if I point everything to the LAN VIP (.250), nothing gets through.
-
I can't believe it.
:-[ Have you removed the 2 checks in the WAN interface config?
I have taken your config and imported it into a virtual pfSense in a similar environment to yours. I have made the described changes and reconfigured interfaces and IPs to fit my subnets.
I have made it the master, then I had to delete and redefine the CARP IPs and the Outbound NAT, and now it works well! Both browsing websites on the LAN client and pinging public IP addresses work here.
I can't see why it shouldn't in your environment.
-
At least I am not the only one here banging my head then :)
Maybe when I get the hardware in it will magically work then.
Any other thoughts would be most welcome.
-
This is so weird. So I got one of the hardware boxes in and set it up with a basic setup (missing the 3rd NIC, so I just created a VLAN on the LAN network), setting up the VIP 10.1.9.250, setting the NAT rules' destinations to point to the WAN VIP, and the client gateway to 10.1.9.250. And the bloody thing works. Now why it doesn't in my virtual environment, I have no idea.
-
You didn't tell us what kind of hypervisor you are using for your virtual pfSense.
Maybe there are some configuration changes to be made. For instance, the virtual switch the interfaces are connected to has to allow the interface to change its MAC address.
If you use ESX take a look here: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
-
Using Oracle VirtualBox.
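The hypervisor point in the last replies, as an added example that is not from the thread: a small audit script for VirtualBox. A CARP VIP answers from the shared virtual MAC 00:00:5e:00:01:&lt;VHID&gt; rather than the adapter's own MAC, so every attached NIC of the VM needs Promiscuous Mode set to "Allow All" (nicpromiscN="allow-all" in the output of VBoxManage showvminfo --machinereadable); with the VirtualBox default "deny", the interface's real address still answers while the VIP does not, which matches the .251 vs .250 behaviour described above. The VM name, adapter names and the sample output below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag VirtualBox NICs whose promiscuous
# policy would silently drop CARP VIP traffic. Input is the text printed by
#   VBoxManage showvminfo "<vm>" --machinereadable
# which is one key="value" pair per line (nic1="bridged", nicpromisc1="deny", ...).

# carp_nic_problems <showvminfo-output>
# Prints one line per attached NIC that is not set to allow-all, e.g.
# "nic2 bridged deny"; prints nothing when every attached NIC is fine.
carp_nic_problems() {
    printf '%s\n' "$1" | awk -F'=' '
        # nicN="bridged|nat|hostonly|intnet|none": how the adapter is attached
        /^nic[0-9]+=/        { n=$1; sub(/^nic/, "", n); gsub(/"/, "", $2); attach[n]=$2 }
        # nicpromiscN="deny|allow-vms|allow-all": the promiscuous-mode policy
        /^nicpromisc[0-9]+=/ { n=$1; sub(/^nicpromisc/, "", n); gsub(/"/, "", $2); promisc[n]=$2 }
        END {
            for (n in attach) {
                if (attach[n] == "none") continue   # empty adapter slot, nothing to check
                if (promisc[n] != "allow-all")
                    printf "nic%s %s %s\n", n, attach[n], (promisc[n] == "" ? "unset" : promisc[n])
            }
        }' | sort
}

# Constructed sample, not output from the poster's VM: NIC1 is the WAN bridge
# already set to allow-all, NIC2 is the LAN bridge still at the default "deny",
# NIC3 is an unused slot.
SAMPLE_VMINFO='name="pfsense-backup"
nic1="bridged"
bridgeadapter1="em0"
nicpromisc1="allow-all"
nic2="bridged"
bridgeadapter2="em1"
nicpromisc2="deny"
nic3="none"'

# Stand-alone run: reports "nic2 bridged deny" for the sample above.
carp_nic_problems "$SAMPLE_VMINFO"

# To fix a flagged adapter on the real VM (the VM must be powered off for modifyvm):
#   VBoxManage modifyvm "pfsense-backup" --nicpromisc2 allow-all
```

Run it against each CARP node, since both the master and the backup VM need the setting on every interface that carries a VIP.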