Using a CARP IP address for a dedicated Gateway



  • Hi All,

    I have an issue for which I haven't found a solution.

    Here is the setup (two pfSense boxes) :

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    Cluster HA/CARP/pfSync
    LAN1 is the LAN I/F for the first pfSense box
    LAN2 is the LAN I/F for the second pfSense box
    WAN1 is the WAN I/F for the first pfSense box
    WAN2 is the WAN I/F for the second pfSense box

    LAN1 = 192.168.10.254/24 - em1
    LAN2 = 192.168.10.253/24 - em1
    LAN_CARP = 192.168.10.10/24 (vhid 1)

    PFSYNC1 = 10.0.0.254/24 - em2
    PFSYNC2 = 10.0.0.253/24 - em2

    This vhid_1 is the LAN default gateway for network 192.168.10.0/24

    WAN1 = z.x.y.210/29 - em0
    WAN2 = z.x.y.211/29 - em0
    WAN_CARP = z.x.y.213/26 (vhid_2)
    WAN Gateway = z.x.y.214/29

    A second gateway is also defined to reach a different subnet :

    GW250 = 192.168.10.250/24
    Remote network to reach : 192.168.33.0/24
    I/F : LAN

    Here is where the trouble begins (if it is a trouble, I would like to be sure)…

    If I perform a traceroute from a Windows box or Unix box inside 192.168.10.0/24, packets are leaving by the default gateway… A Windows tracert gave me extra details, i.e. packets are using the LAN1 IP address 192.168.10.254.

    So, my question is whether it is possible to bind the gateway (GW250) to the CARP group (192.168.10.10/24) instead of LAN1 or LAN2 (192.168.10.254 or 192.168.10.253 during a failover)?

    Could it be a routing problem? Do I need a dedicated I/F setup to forward traffic from LAN to Remote_LAN 192.168.33.0/24?

    Thanks a lot for your help and your opinions :-)


  • Banned

    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F#CARP

    Must be in the same subnet as an IP address on the interface (real interface IP or IP alias.)



  • Hi,

    I would like some extra explanation; maybe I missed something.

    Below, details about the config.

    Now, some traceroute details :

    A - Traceroute from pfSense to remote LAN2

    [2.1-RELEASE][root@pfsensemaster]/root(1): traceroute 192.168.3.33
    traceroute to 192.168.3.33 (192.168.3.33), 64 hops max, 52 byte packets
    1  192.168.10.250 (192.168.10.250)  0.505 ms  0.777 ms  0.429 ms
    2  10.255.240.1 (10.255.240.1)  7.494 ms  8.246 ms  7.968 ms
    3  10.34.158.2 (10.34.158.2)  19.967 ms  20.303 ms  19.952 ms
    4  192.168.3.33 (192.168.3.33)  19.975 ms  19.805 ms  19.948 ms

    Everything is OK

    Now, a traceroute from a Linux box inside LAN1 to LAN2; the default gateway is 192.168.10.10 of LAN1:

    root@S-Linux: pts/0: 6 files 164Kb # traceroute 192.168.3.33
    traceroute to 192.168.3.33 (192.168.3.33), 30 hops max, 60 byte packets
    1  192.168.10.254 (192.168.10.254)  0.357 ms  0.364 ms  0.335 ms
    2  192.168.10.250 (192.168.10.250)  0.854 ms  0.890 ms  0.873 ms
    3  10.255.240.1 (10.255.240.1)  8.133 ms  8.139 ms  8.112 ms
    4  10.34.158.2 (10.34.158.2)  19.944 ms  21.940 ms  21.913 ms
    5  192.168.3.33 (192.168.3.33)  21.887 ms  21.897 ms  21.868 ms

    Is it normal that the first hop is using 192.168.10.254 instead of 192.168.10.10??? Why are packets first leaving to IP = 192.168.10.254 and then back to 192.168.10.10?

    This is the routing table of the Linux box:

    root@S-Linux: pts/0: 6 files 164Kb # netstat -rn
    Table de routage IP du noyau
    Destination    Passerelle      Genmask        Indic  MSS Fenêtre irtt Iface
    192.168.10.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
    169.254.0.0    0.0.0.0        255.255.0.0    U        0 0          0 eth0
    0.0.0.0        192.168.10.10  0.0.0.0        UG        0 0          0 eth0

    Could it be a reason why I have some routing troubles from LAN2 to LAN1 ???

    I will really appreciate your help about this issue :-)






