    Public IP in LAN with CARP virtual IP

    HA/CARP/VIPs
    • Sander88

      Hi,

      I currently have a setup running with public IPs (for VPS servers) in the LAN network. This works fine based on proxy ARP. I would like to make this setup highly available using CARP.

      This is what I did:

      • Created a CARP IP on the WAN interface with the public IP address of one of the VPS servers, similar to what I did with proxy ARP (only a few more fields like subnet, Virtual IP Password, VHID Group and Advertising Frequency).
      • Created a CARP IP on the LAN interface to be used as the gateway for the VPS servers, which is available no matter which of the 2 firewalls is online.

      NAT is disabled in:

      • Firewall > NAT > Outbound - Set to "Disable Outbound NAT rule generation"
      • Advanced > Firewall and NAT > NAT Reflection mode for port forwards - Set to "Disable"

      I'm running pfSense 2.2.2 x64.

      I already found this topic: https://forum.pfsense.org/index.php?topic=31710.0, but it doesn't work for me.

      This is my result:

      • My VPS can NOT ping the CARP LAN IP.
      • My VPS can NOT ping the LAN IP of firewall 1 (CARP master)
      • My VPS can ping the LAN IP of firewall 2 (CARP backup)

      From outside the network I can ping the VPS, but it's pfSense that's responding to the ping, not the VPS itself. The same when connecting to SSH using the VPS IP: I'm logging into the pfSense SSH server. Somehow pfSense doesn't route the traffic to the VPS but keeps it for itself.

      Any suggestions on how to solve this issue?

      Regards,
      Sander

      • gerdesj

        What hardware platform is pfSense running on or is it a VM?

        Also: what is WAN (PPPoE/Ethernet etc)?

        • Sander88

          All run as a VM on RHEV/oVirt (3.5).

          • viragomann

            Proxy ARP cannot be used with CARP.
            https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

            Use IP Aliases instead.

            • Sander88

              Yes, I know… It's not that I specifically need proxy ARP. I was just testing whether all other parts are working OK so that I can be sure CARP is the issue.

              I have a public IP assigned to a server in the LAN (a different IPv4 range / subnet than the WAN). Using a proxy ARP virtual IP in pfSense, the server in the LAN is accessible from the web using the public IP address; with CARP it is not... I'm not sure if it's even possible.

              A few notes:

              • I updated pfSense to the latest version 2.2.4 x64 (a different version than when I started this thread).
              • I tested with virtio and e1000 interfaces. For virtio I disabled hardware checksum offloading to prevent other network/connectivity issues.

              I guess the suggested solution of IP aliases won't work (I can't try it right now)? As there is no layer 2 (ARP), the traffic won't be sent from my ISP to my pfSense box... Or am I wrong?

              • Sander88

                Any suggestions?

                • Derelict (Netgate)

                  IP aliases respond to ARP.

                  Again: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

                  "I have a public IP assigned to a server in the LAN (a different IPv4 range / subnet than the WAN)."

                  Is this a routed subnet?

                  In that case the HA comes from your ISP routing the subnet to the CARP address on WAN.

                  Then you need three of the public addresses on the inside (but publicly addressed) interface: one for each HA unit and one for CARP. Then the other hosts on the publicly-addressed segment use the CARP IP as their default gateway.

                  I don't see any need for VIPs other than the CARP VIPs.

                  Maybe draw up a diagram if I'm misunderstanding what you're trying to do.

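As an added diagnostic, not part of the thread or of pfSense itself, the check below parses FreeBSD-style `ifconfig` output from both HA units (the format pfSense 2.2 prints, one `carp:` line per VHID) and reports whether each VHID has exactly one MASTER and whether the WAN and LAN CARP VIPs are mastered by the same unit; asymmetric reachability between the two units is one thing this rules in or out. The interface names, addresses and sample output are constructed.

```python
import re

# Constructed sample output, NOT captured from the poster's firewalls.
# pfSense 2.2 (FreeBSD 10) prints "carp: STATE vhid N advbase N advskew N".
FW1_IFCONFIG = """\
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
\tinet 198.51.100.1 netmask 0xffffffff broadcast 198.51.100.1 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.1 netmask 0xffffffff broadcast 203.0.113.1 vhid 2
\tcarp: BACKUP vhid 2 advbase 1 advskew 0
"""
FW2_IFCONFIG = FW1_IFCONFIG.replace("MASTER vhid 1", "BACKUP vhid 1") \
                           .replace("BACKUP vhid 2", "MASTER vhid 2") \
                           .replace("advskew 0", "advskew 100")

IFACE_RE = re.compile(r"^(\w+): flags=")
CARP_RE = re.compile(r"^\s*carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")

def parse_carp(text):
    """Map vhid -> (interface, state, advskew) for one unit's ifconfig output."""
    result, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)          # remember which interface block we are in
            continue
        m = CARP_RE.match(line)
        if m:
            state, vhid, _advbase, advskew = m.groups()
            result[int(vhid)] = (iface, state, int(advskew))
    return result

def check_cluster(nodes):
    """nodes: {unit name: ifconfig text}. Return a list of problems (empty = healthy)."""
    parsed = {name: parse_carp(text) for name, text in nodes.items()}
    problems, masters = [], {}
    for vhid in sorted(set().union(*(p.keys() for p in parsed.values()))):
        states = {n: p[vhid][1] for n, p in parsed.items() if vhid in p}
        if len(states) < len(parsed):          # VHID not configured on every unit
            problems.append(f"vhid {vhid}: missing on {sorted(set(parsed) - set(states))}")
        owners = [n for n, s in states.items() if s == "MASTER"]
        if not owners:
            problems.append(f"vhid {vhid}: no MASTER")
        elif len(owners) > 1:
            problems.append(f"vhid {vhid}: multiple MASTERs {owners} (split brain?)")
        else:
            masters[vhid] = owners[0]
    if len(set(masters.values())) > 1:         # WAN and LAN VIPs owned by different units
        problems.append(f"VIPs mastered by different units: {masters}")
    return problems
```

Run `check_cluster({"fw1": FW1_IFCONFIG, "fw2": FW2_IFCONFIG})` against real output from both units; an empty list means every VHID has one MASTER on the same unit.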