DHCP using virtual IP with CARP configuration does not work!

hoba

VIP type Other? It has to be a shared CARP VIP.

V-man

Thanks Hoba for advise.

You are the MAN:)!

Yep, It works now, but I am slightly confused.

If I use for DNS settings on DHCP server set up tab: 4.2.2.1- Public DNS it works fine,
but when I do DNS: 172.16.24.3 (virtual ip) it does not.

I do have DNS servers typed in on "General Setup" page, and Allow DNS server list to be overriden by DHCP/PPP on WAN - unchecked.

I also noticed when I renewing or reacquiring my network connection it always grabs DHCP server from Secondary CARP machine instead of having it from Primary one. Though when Secondary machine is down it grabs it from primary and vise versa. Is this correct pfSense behavior?

Thanks again!

hoba

The pfSens itself need dns servers set at system>general to be able to do lookups. As your WAN is not DHCP (I guess as CARP won't work with DHCP wans) enter them manually there. If you want the pfSense to be the dns for your clients you have to enable the dnsforwarder at services>dns forwarder (which will use the assigned dns servers from system>general). Also make sure you do allow tcp/udp on port 53 to the CARP VIP for the clients (not sure if you have a restricted ruleset for your clients).

Regarding the DHCP-Server you have some odd behaviour here. Are you sure you have entered the failover peer IP correctly and the master/backup state of your CARP is correct?

V-man

DCHP fail over peer ip are Correct. Secondary box is pointing to primary IP 172.16.24.1 and primary to 172.16.24.1. Also i checked states Status> CARP>  on secondary machine it shows backup and primary shows Master on all virtual IP.

I also noticed that not all computes on the network are using secondary as default DHCP server. There are couple that use primary box as DHCP server. Could it possibly be that the root of the problem in dhcp lease times? I went to DHCP leases and it looks like leases table are inconsistent one with each other?

Overall DHCP server with fail over works though, do you think it is safe to use it the way it is now?

Thanks.

hoba

@V-man:

DCHP fail over peer ip are Correct. Secondary box is pointing to primary IP 172.16.24.1 and primary to 172.16.24.1. …

Is that a typo? That the master points at itself?

V-man

Oh, I am sorry! This is a typo it points 172.16.24.2 -Primary points to secondary.

hoba

Do you have a restrictive ruleset at the interfaces where the dhcp servers are talking to each other that could block communication between them in some way?

V-man

I only have rules on LAN that are mentioned in the tutorial to set up load balancing!!! http://doc.pfsense.org/index.php/MultiWanVersion1.2

Firewall: Rules > LAN
Proto Source Port Destination      Port  Gateway
*      LAN net *    WAN2 net        *  172.16.32.1            -DMZ2
*      LAN net *    172.16.34.0/24 *  45.64…..                -DMZ1
*      LAN net *      *                  *  Load Balancing          -Load Balance

hoba

I wonder if that causes the dhcp server communication get redirected to the loadbalancing gateways directly. Can you just for testing change the an to any rule to use the default gateway and see if this makes a difference? If yes, we have to add some special rules but that's the easiest test for now.

V-man

Here is what I found out…

Yesterday night and I am 100% sure of that, DHCP server was pointing to the CARP BOX2.
This morning I ran ipconfig /all and it was pointing to CARP BOX1, then I disabled and enabled network connection to renew DHCP and it was  pointing to BOX2 again. After reading your post I disabled all rules except the one with LOAD BALANCER and changed it to default gateway.

I renewed connection and got routed to BOX1 DHCP server. Then I connected another PC to the network and got routed to DHCP BOX1.
I thought that your solution worked out. I went back to my PC renewed connection and got back on DHCP BOX2. I guess it was not enough for me, so I used another nic in my pc. I unplagued the cable from old nic into the new one and got DHCP BOX1 right away. Renewed connection and still DHCP BOX1, reverted rules to original ones and still DHCP BOX1. It does not matter now how many times I renew connection I still get BOX1.

For the moment I thought that it should work now. I went back to PC that I just connected to network. It was sitting on DHCP BOX1. I renewed connections and it went to DHCP BOX2.

I am guessing that this is not the firewall problem!