NAT and internet not working from CARP Secondary Firewall


  • Hi all,

    PFSENSE Ver 2.2

    I have worked with many other firewalls but am new to pfSense. I have been stuck on one issue for the last few days.
    I have two pfSense firewalls installed on two different VM hosts. I have enabled all the required parameters for ESXi, like promiscuous mode and MAC address changes, etc. Everything is working fine on the primary firewall. Even when I shut down the primary firewall, the secondary becomes master, but 1:1 NAT and port forwarding will not work. I have tried many solutions but still have not gotten it resolved.

    I'll explain it in detail here: I have many /29, /28, and /27 WAN IP pools which I am using in 1:1 NAT, and in some cases public IPs are directly assigned to servers. I also have 5 private IP pools, all /24.

    I have three interfaces on both firewalls: one for WAN, one for LAN and one for SYNC.

    Since I have 5 LAN pools and only 1 LAN interface, I have created IP aliases on the LAN interface on both firewalls. I know I cannot use an IP alias with the same IP address on both firewalls, so it goes like this:
    Primary firewall IP alias: 192.168.X.1/24, 192.168.Y.1/24...
    Secondary firewall IP alias: 192.168.X.2/24, 192.168.Y.2/24...
    CARP IPs are 192.168.X.3/24 and 192.168.Y.3/24

    The public IPs which I am using for 1:1 NAT are created on the WAN interface as CARP IPs with proper subnet masks (I have double-checked all subnet masks), and the public IP pool which I am assigning directly to servers is created on the LAN interface as CARP IPs.

    Also, Pure NAT is enabled, with
    1) Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks.
    and
    2) Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.
    because without that I get the firewall page when I try to open the web page of any of my mail servers or other servers. DNS Rebinding is also checked.

    We have our own DNS server, so we are not using any DNS service from the firewall.

    Now, from the primary firewall everything is working fine; I mean I am able to browse and access all my servers and the internet from my PCs. The primary and secondary firewalls are syncing properly. When the primary goes down, the secondary becomes master, but after that I am not able to access any of my servers from inside or outside. I am not even able to ping any websites, and name resolution stops working; nslookup shows request timed out. When I try to open my mail server's page, it opens the firewall's page. Pure NAT is also enabled on the secondary but I still get this page. The configuration of the secondary firewall is 100% the same as the primary, but it is still not working.

    Please help me to resolve this issue.


  • From that description, it sounds like you only have promiscuous enabled on the port group of the primary firewall. The virtual CARP MACs aren't getting to the secondary. That's most always why in ESX environments. You can try to packet capture on WAN of the secondary when it has master status, filtered on one of your WAN CARP IPs. If there is no traffic there, then the problem is the vswitch (or something else on the network) not sending the virtual MACs to the secondary.
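
The check suggested in the reply above, as an added Python example that is not part of the original thread: it reads a classic pcap taken on the secondary's WAN while it is master and separates the node's own CARP advertisements from frames actually addressed to a CARP IP via the group's virtual MAC (`00:00:5e:00:01:<VHID>`). The VHID, the documentation addresses and both sample captures are constructed; untagged Ethernet is assumed.

```python
import socket, struct

CARP_PROTO = 112  # IP protocol number of CARP advertisements

def carp_vmac(vhid):
    """Virtual MAC shared by the CARP group: 00:00:5e:00:01:<VHID>."""
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vhid])

def frames(pcap):
    """Yield Ethernet frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    off = 24                                   # skip global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def vip_traffic(pcap, vip, vhid):
    """Count untagged IPv4 frames: CARP adverts vs. real traffic for the VIP."""
    want_ip, want_mac = socket.inet_aton(vip), carp_vmac(vhid)
    seen = {"to_vmac": 0, "to_other_mac": 0, "carp_adverts": 0}
    for f in frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue                           # not IPv4 (VLAN tags not handled)
        if f[23] == CARP_PROTO:
            seen["carp_adverts"] += 1          # the master's own heartbeats
        elif f[30:34] == want_ip:
            seen["to_vmac" if f[:6] == want_mac else "to_other_mac"] += 1
    return seen

def verdict(seen):
    if seen["to_vmac"]:
        return "VIP traffic reaches this node: look at the firewall config"
    return "no frames for the virtual MAC: check vSwitch/port group/upstream"

# --- constructed sample captures (documentation addresses, VHID 1) ---
def _frame(dst_mac, proto, dst_ip):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton("198.51.100.7"), socket.inet_aton(dst_ip))
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip

def _pcap(frs):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frs)

ADVERT = _frame(bytes.fromhex("01005e000012"), CARP_PROTO, "224.0.0.18")
CAPTURE_BROKEN = _pcap([ADVERT, ADVERT])
CAPTURE_OK = _pcap([ADVERT, _frame(carp_vmac(1), 6, "203.0.113.10")])
```

A capture that contains only advertisements, like `CAPTURE_BROKEN`, shows the node believes it is master while nothing on the network is delivering the virtual MAC to it.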


  • Thanks cmb for your suggestion.

    Currently the primary firewall is in production so I can't check it right now. I will definitely check during night hours and let you know.

    One more thing I want to mention here: I have also created two more firewalls for testing purposes on the same VM hosts on which my primary and secondary firewalls are running. I took two /29 public IP pools and tested 1:1 NAT, direct public IPs to servers, and internet from the primary test F/W and secondary test F/W. Everything worked fine. When the primary goes down, the secondary becomes master within a single ping loss.

    I don't know whether there is an issue with the network, vSwitch or configuration of the production primary and secondary firewalls.


  • Issue resolved.

    Reinstalled both firewalls and now everything's working fine.