CARP with 2 pfSense boxes and WAN Failover - HELP ;) !
-
Hello
I'm working at a non-profit. I'm not a netadmin / sysadmin, I'm just your regular IT guy. Please bear this fact in mind when reading the following ;-)
I'm having issues setting up CARP between 2 pfSense firewalls.
I made a diagram of our network and attached a jpg to this post. You'll find all the addressing there.
I've tried to follow the explanations in the pfSense guide to the letter:
- WAN addressing
- LAN addressing
- pfsync addressing
- CARP virtual IPs
- Outbound NAT for CARP
- pfsync configuration
- etc.
It might be that things have changed in the new release of pfSense. Or I'm just doing it wrong ;)
What's working:
- Everything on the PRIMARY.
- When a client computer browses the web, the reported IP is the CARP VIP (xxx.xxx.xxx.148)
- Syncing from the PRIMARY to the SECONDARY in real time, with pfsync.
When the trouble starts:
-
We are using pfSense's DHCP server. When I alter the configuration of the DHCP server on the PRIMARY, as described in the pfSense guide (gateway: 172.16.1.52, failover peer: 172.16.1.51 in my case, see attached diagram), DHCP leases are no longer assigned. Clients don't have access to the internet, obviously.
Clients manually configured with fixed IPs still have access to internet.
If I reset the config of the DHCP to the previous state, everything falls back to normal behavior.
-
I had to disable pfsync synchronization for the DHCP server, but this is a result of the previous issue. Two DHCP servers cannot work on the same subnet configured this way.
-
If I manually set a client IP/subnet and use the SECONDARY as a gateway, there is no internet access for this client. But the SECONDARY can access the WAN interfaces and the internet just fine (I can ping from the SECONDARY to any WAN address and check if there are pfSense updates). This might be because CARP does not allow the SECONDARY to serve client requests until the PRIMARY fails?
I understand that you will need more information (screenshots?) to help me. Just let me know what you need.
Thanks !
-
You should have a CARP VIP on your LAN subnet also. This IP should be the default GW for clients. You need one for the WAN2, but you should try to get rid of the double NAT there.
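As an added example (not from this thread and not pfSense's own code): a small Python consistency check for the two-node layout Dotdash describes, verifying that each interface's node addresses and CARP VIP share a subnet, that the DHCP gateway handed to clients is the LAN CARP VIP, and that the DHCP failover peer is the other node's own LAN address. All addresses are constructed; it assumes 172.16.1.52 is the LAN VIP and 172.16.1.51 the secondary's LAN address, matching the DHCP settings quoted above.

```python
import ipaddress

# Constructed description of a two-node pfSense HA pair (not the poster's real diagram).
# LAN values mirror the DHCP settings from the thread under the assumption stated above;
# WAN values use the 203.0.113.0/24 documentation range as placeholders.
HA_PAIR = {
    "lan": {"primary": "172.16.1.50/24", "secondary": "172.16.1.51/24", "carp_vip": "172.16.1.52/24"},
    "wan": {"primary": "203.0.113.146/28", "secondary": "203.0.113.147/28", "carp_vip": "203.0.113.148/28"},
}

# DHCP settings as entered on the primary: gateway should be the LAN VIP,
# failover peer should be the secondary's own LAN address.
DHCP_GOOD = {"gateway": "172.16.1.52", "failover_peer": "172.16.1.51"}
# A common mistake: gateway pointing at a node address and the peer pointing at the VIP.
DHCP_BAD = {"gateway": "172.16.1.50", "failover_peer": "172.16.1.52"}


def check_ha_pair(ha_pair, dhcp, dhcp_node="primary"):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    for name, iface in ha_pair.items():
        prim = ipaddress.ip_interface(iface["primary"])
        sec = ipaddress.ip_interface(iface["secondary"])
        vip = ipaddress.ip_interface(iface["carp_vip"])
        # CARP advertisements only work when both nodes and the VIP sit in one subnet.
        if not (prim.network == sec.network == vip.network):
            findings.append(f"{name}: primary, secondary and CARP VIP must share one subnet")
        if len({prim.ip, sec.ip, vip.ip}) != 3:
            findings.append(f"{name}: node addresses and CARP VIP must all be distinct")

    lan = ha_pair["lan"]
    lan_vip = ipaddress.ip_interface(lan["carp_vip"]).ip
    gw = ipaddress.ip_address(dhcp["gateway"])
    if gw != lan_vip:
        # Clients that point at a node's real address lose their default route on failover.
        findings.append(f"dhcp: gateway {gw} is not the LAN CARP VIP {lan_vip}")

    other = "secondary" if dhcp_node == "primary" else "primary"
    expected_peer = ipaddress.ip_interface(lan[other]).ip
    peer = ipaddress.ip_address(dhcp["failover_peer"])
    if peer != expected_peer:
        # The failover peer is the other node itself, never the shared VIP or the local node.
        findings.append(f"dhcp: failover peer {peer} should be the {other} node's LAN address {expected_peer}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", DHCP_GOOD), ("bad", DHCP_BAD)):
        print(label, check_ha_pair(HA_PAIR, cfg) or "OK")
```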
-
Hello Dotdash,
Thanks for your reply. My diagram was not complete, I already had the VIP setup for all interfaces.
It's working since this morning. I'm not exactly sure what was wrong. I've set up the DHCP servers as I've already done a few times without success, but this time it worked. I let a few days go by before making my final attempt. I read the chapter about configuring CARP (especially the DHCP part) before proceeding. Maybe I needed the break.
Anyway, this issue is solved. Thanks !