CARP with 2 different subnet

Guldil

Hi,

I'm using pfsense 2.1.5 with OVH "Cloud solution" based on Vmware 5.5.

Very important : CARP is working with one subnet. I'm using it since one year.

Now i want to add another IP subnet one but how can i achieve that ?

I have two blocks :

~~> A.B.C.192/29 with gateway A.B.C.254

X.Y.Z.192/29 with gateway X.Y.Z.254~~

A.B.C.192/26 with gateway A.B.C.254
X.Y.Z.192/26 with gateway X.Y.Z.254

My WAN is configured with A.B.C range

If i add X.Y.Z.200 to CARP i get the message "No Interface IP in that subnet"
If i create first an IP ALIAS X.Y.Z.200 then i can create a CARP with X.Y.Z.201 but i can't "ping"

One solution is to create a second "WAN" interface with X.Y.Z range but i get a lot of VRPP announce in my firewall log (CARP advertise from one subnet to the other one…)

What am i doing wrong ?

Thanks

Guldil

viragomann

@Guldil:

If i create first an IP ALIAS X.Y.Z.200 then i can create a CARP with X.Y.Z.201 but i can't "ping"

That's the way it should work.
At first create an Alias IP on each of the CARP partners, then go to the master and create the CARP IP in the same subnet.

Ensure that your ping is routed correctly and that the ruleset allows pinging. You cannot ping X.Y.Z.201 from a host in A.B.C.192/29, cause their ping is directed to the gateway A.B.C.254

Guldil

@viragomann:

Ensure that your ping is routed correctly and that the ruleset allows pinging

how can i verify that ?
i don't have to put a gateway or route somewhere ?

I recreate 2 IP ALIAS (.200, .201), one CARP IP (.202)

With PacketCapture on my master Pfsense, i see
PING_IP > X.Y.Z.202 echo requet …
X.Y.Z.202 > PING_IP echo reply ...

Bug from PING_IP i have no response.

I put a NAT rules to redirect traffic and same result, timeout.

Looks like my CARP IP is up, routed but something is brokern somewhere...

viragomann

@Guldil:

A.B.C.192/29 with gateway A.B.C.254
X.Y.Z.192/29 with gateway X.Y.Z.254

My WAN is configured with A.B.C range

If i add X.Y.Z.200 to CARP i get the message "No Interface IP in that subnet"
If i create first an IP ALIAS X.Y.Z.200 then i can create a CARP with X.Y.Z.201 but i can't "ping"

If the CIDR are correct then your IPs are in different subnets!

The gateway A.B.C.254 is not in  X.Y.Z.192/29! The subnet ist  X.Y.Z.192 -  X.Y.Z.199.
Also X.Y.Z.254, X.Y.Z.200 and X.Y.Z.201 are not in X.Y.Z.192/29.

If you have a subnet X.Y.Z.192/29 the IPs goes from X.Y.Z.192 to X.Y.Z.199. Just 8 IPs.
X.Y.Z.192 is the network address, X.Y.Z.199 is the broadcast address. Never assign these to any interface! These addresses are used for special purposes.

You may change your settings to have larger subnets like /24. So you have 256 IPs.

If your network setting is correct the ping reply should find the way to the source host.

Guldil

i'm sorry i have two /26 subnet not /29.

i know that my subnet are different and to each other. but how can i tell pfsense that ?

one solution i found is to create a second "WAN" interface with my second subnet (and his gateway)
with this configuration, it's working ! CARP are up everywhere (Ping,  NAT & Outbound !)

Only problem, firewall logs is filled with VRRP advertises (CARP announces from range A.B.C.192 /26 on X.Y.Z.192/26 interfaces and CARP announce from range X.Y.Z.192 /26 on A.B.C.192/26 interface).

I really think it's a gateway problem when i create Alias IP, i can't tell him to use a specific gateway…