Gateway Groups w/ VIPs
-
When setting up a gateway group, there's a virtual IP drop down, but it doesn't allow me to pick one of the VIPs I've set up; only "Interface Address" is available. I set up 2 /32 IP Alias VIPs; one for each WAN.
I have 2 WANs and each WAN has 5 static IPs. I think I have IPSec failover working for the primary gateway IPs with dynamic DNS. I need to get another pair of static IPs to fail over. I thought I'd assign the other static IPs to IP Alias VIPs, then set up gateway groups with pairs of VIPs…
I read somewhere that only CARP VIPs could be assigned to gateway groups? I tried changing a VIP from IP Alias to CARP, but it said CARP VIPs couldn't be /32?
I'm using 2.1.5. I should be able to update to 2.2.0 if that would help with this.
Any help would be greatly appreciated.
I also posted this to the CARP/VIPs forum because it seems to touch on both subjects.
-Matt
-
I set up 2 /32 IP Alias VIPs; one for each WAN.
Why would you do this? A /32 is a single IP address, not a network. This is the equivalent of setting the subnet mask to 255.255.255.255 on your computer. It won't be able to access anything directly from that IP. This needs to be the same as the network size. Seeing as you've got 5 usable IPs, I'm guessing this should be set to /29.
but it said CARP VIPs couldn't be /32?
This makes sense. To use CARP between two pfSense boxes, you need 3 IP addresses in the same network (1 for each interface on each box and then a virtual IP). A /32 does not contain 3 IP addresses.
-
Thank you for the reply.
My fiber WAN is a /24 netmask and the cable WAN is a /29 netmask. I updated the 2 IP Alias entries with the correct netmasks. I then tried to select them in the gateway group setup and they still didn't appear.
I don't really want to make the VIPs CARPs, because I don't know what to use for VHID info and advertising settings in this application. I had just come across a posting from a while ago where someone said the code only allowed CARP VIPs to be selected in gateway group setup.
If it helps any, what I'm trying to do is have pfSense update a dynamic DNS provider with which interface is up, like you would for IPSec failover, but our VoIP trunk provider is going to use the DNS to fail over the VoIP if one of our WANs goes down. Because of the port range the VoIP trunk uses, I need it to have its own external IP.
-
I checked it on some test boxes and it doesn't seem to give me the option to use an IP Alias (bug maybe?). We are running CARP on some live boxes and the CARP VIPs show in there when we are using Gateway Groups.
Why do you need to send DDNS the virtual IP? Can't you just send them the IP address on the WAN interfaces? Have you set up failover yet between the two connections? The option you mention is not needed for failover.
One other thing I'm going to warn you about: we have cable in several of our remote offices where they give us a /29. If the default gateway on that interface is the cable modem, you need to look at changing which IP address pfSense monitors to determine whether the gateway is up or down. If it is your WAN's default gateway and you don't change it, the DOCSIS side of your cable modem can go out, but the gateway will show as up because pfSense can still ping your cable modem.
-
Highly doubt it's a bug. There must be sound reasons why the other VIP types can't be used in that capacity. Don't know enough about them to be able to say.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
I would just use CARP VIPs. Just set a random password and use anything for the IDs. I usually use something like the value of the last octet of the IP address. Maybe bump the advertising frequency up higher to minimize the hellos.
I just created a CARP VIP, then a gateway group for it and it was available for selection in Dynamic DNS.
-
Why do you need to send DDNS the virtual IP? Can't you just send them the IP address on the WAN interfaces? Have you set up failover yet between the two connections? The option you mention is not needed for failover.
I need the virtual IPs because our VoIP trunk provider needs the entire 1024 - 65535 port range directed to our VoIP card so it has to use a different WAN IP than the rest of our LAN. The VoIP provider is going to use the dyn DNS host name instead of a static IP for sending our calls. Yes, I did setup failover for the non-virtual WAN IPs, which is everything except the VoIP.
One other thing I'm going to warn you about: we have cable in several of our remote offices where they give us a /29. If the default gateway on that interface is the cable modem, you need to look at changing which IP address pfSense monitors to determine whether the gateway is up or down. If it is your WAN's default gateway and you don't change it, the DOCSIS side of your cable modem can go out, but the gateway will show as up because pfSense can still ping your cable modem.
Thanks. I had already used tracert to a web address and made the cable monitor IP the address of the next hop after the gateway modem. I was thinking of doing more tracerts to different addresses and moving the monitor IP to the last hop that was the same every time. Thoughts?
Thanks for your help.
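The monitor-IP approach discussed in the two posts above (trace to several destinations, then monitor the last hop that is identical in every trace and is not the cable modem itself) can be automated. The following is an added example, not code from the thread or from pfSense: it parses Windows tracert output and returns the deepest hop shared by all traces. The tracert text and all addresses below are constructed (RFC 5737 documentation ranges); the gateway address 192.0.2.1 stands in for the cable modem.

```python
import re
from typing import Dict, List, Optional

# Constructed tracert output for three different destinations (assumed
# sample data, not real hosts). Hop 1 is the cable modem / default gateway.
TRACES: Dict[str, str] = {
    "target-a": """\
Tracing route to target-a.example [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.0.2.1
  2     9 ms     8 ms     9 ms  198.51.100.1
  3    12 ms    11 ms    12 ms  198.51.100.33
  4    18 ms    17 ms    18 ms  198.51.100.77
  5    20 ms    19 ms    20 ms  203.0.113.10

Trace complete.
""",
    "target-b": """\
Tracing route to target-b.example [203.0.113.20]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.0.2.1
  2     9 ms     8 ms     9 ms  198.51.100.1
  3    12 ms    11 ms    12 ms  198.51.100.33
  4     *        *        *     Request timed out.
  5    25 ms    24 ms    25 ms  203.0.113.20
""",
    "target-c": """\
Tracing route to target-c.example [203.0.113.30]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.0.2.1
  2     9 ms     8 ms     9 ms  198.51.100.1
  3    13 ms    12 ms    13 ms  198.51.100.34
  4    19 ms    18 ms    19 ms  203.0.113.30
""",
}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_tracert(text: str) -> List[Optional[str]]:
    """Return the per-hop router addresses from tracert output.

    Hop rows start with the hop number; the last IPv4 literal on the row is the
    responding router. A row of '*' (Request timed out.) yields None.
    """
    hops: List[Optional[str]] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # header, blank line, or "Trace complete." trailer
        hop_no = int(parts[0])
        ips = IPV4_RE.findall(line)
        while len(hops) < hop_no - 1:  # tolerate a skipped hop number
            hops.append(None)
        hops.append(ips[-1] if ips else None)
    return hops


def deepest_common_hop(traces: List[List[Optional[str]]], gateway: str) -> Optional[str]:
    """Pick the farthest hop that every trace passed through at the same position.

    Candidates must have answered in every trace (a silent hop cannot be
    pinged by the gateway monitor) and must not be the gateway itself, since
    pinging the modem says nothing about the link behind it.
    """
    depth = min(len(t) for t in traces)
    best: Optional[str] = None
    for i in range(depth):
        addrs = {t[i] for t in traces}
        if len(addrs) != 1 or None in addrs:
            break  # paths diverge or a hop is silent: the common prefix ends here
        addr = addrs.pop()
        if addr != gateway:
            best = addr
    return best


def pick_monitor_ip(outputs: Dict[str, str], gateway: str) -> Optional[str]:
    """Parse each tracert capture and return the address to use as monitor IP."""
    traces = [parse_tracert(txt) for txt in outputs.values()]
    return deepest_common_hop(traces, gateway)


if __name__ == "__main__":
    # With all three captures the paths split at hop 3, so hop 2 is chosen.
    print(pick_monitor_ip(TRACES, "192.0.2.1"))
```

The result is only as good as the traces: run them at different times of day, because a hop that answers ICMP intermittently will make the monitor flap and trigger failover when the link is actually fine. Whatever address is chosen, confirm it responds to ping steadily before entering it as the monitor IP.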
-
I would just use CARP VIPs. Just set a random password and use anything for the IDs. I usually use something like the value of the last octet of the IP address. Maybe bump the advertising frequency up higher to minimize the hellos.
OK, it does seem to work using CARP VIPs. I picked a random VIP password and VHID group and set the advertising frequency to 254 base and 0 skew for both VIPs. Does this create a security vulnerability, making CARP available on WAN interfaces? Also, I'm now getting notifications that the two CARP VIPs have "resumed the state 'BACKUP'" and then "has resumed the state 'MASTER'." I'm assuming those can be safely ignored?
Thanks for your help.
-
Are those messages happening once or are they repeating?
-
Are those messages happening once or are they repeating?
The Backup ones happened once for each VIP almost immediately after applying the change, 12 minutes later the Master ones happened once for each VIP, and in the 37 minutes since there have been no more notifications.
-
I think they will come up as backup until they don't see hellos for a multiple of the advertising frequency, so your settings might be a little excessive. Just going to 2 seconds cuts the hello traffic in half. Going to 10 cuts it by 90%. In general, as I understand it, YMMV etc.