Netgate Discussion Forum

    LAN CARP as gateway

    HA/CARP/VIPs
    7 Posts 2 Posters 6.8k Views
    • nian

      Related to this post: http://forum.pfsense.org/index.php/topic,3620.0.html

      I have two pfSense machines I want to run in a load-balanced configuration. It protects a couple of web servers, etc:

      A) pfsense A - 10.1.1.2, gateway 10.1.1.1
      B) pfsense B - 10.1.1.3, gateway 10.1.1.1
      C) CARP virtual IP - 10.1.1.4
      D) web server 1 - 10.1.1.5

      … what configuration do I need on my pfsense machines to get this to work? I set up:

      1. On pfsense A/B, I have CARP virtual IP set up as 10.1.1.4
      2. On web server 1, I have route default added to use the CARP as gateway, but I cannot get it to route. For example, on web 01:
      {{{
      netstat -rn
      route delete default
      route add default 10.1.1.4
      ping www.google.com
      }}}
      ... this is, of course, because pfsense A/B both have routes out to the world, through gateway 10.1.1.1

      Is there a NAT configuration, or a firewall rule I'm missing?

      [edit: Updated configuration description, below]

      • GruensFroeschli

        You kind of mixed a few things up.

        Your gateway is 10.1.1.1
        The webservers are on the same subnet, but they shouldn't be.
        After all you want to route your servers, and for that they have to be on a different subnet.

        -> The CARP VIP will be the gateway for your servers.

        So more something like that:

        Gateway of your ISP: xxx.xxx.xxx.a
        pfSenseA WAN: xxx.xxx.xxx.b
        pfSenseB WAN: xxx.xxx.xxx.c
        CARP IP WAN: xxx.xxx.xxx.d

        pfSenseA LAN: 10.0.0.2
        pfSenseB LAN: 10.0.0.3
        CARP IP LAN : 10.0.0.1
        Server : 10.0.0.m
        Server : 10.0.0.n

        Your servers have as gateway your LAN CARP IP.
        On the WAN side you need at least 3 IPs from your ISP.
        One real IP for each pfSense and the CARP IP which the pfSenses share.
        You can have multiple CARP IPs on WAN.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • nian

          Actually, let me re-clarify then …

          Public network:
          Gateway of ISP: xxx.xxx.xxx.a
          pfSense A WAN: xxx.xxx.xxx.b
          pfSense B WAN: xxx.xxx.xxx.c

          Private network
          Gateway of ISP: 10.0.0.1
          pfSense A LAN: 10.0.0.2
          pfSense B LAN: 10.0.0.3
          CARP IP LAN: 10.0.0.4
          Web Server: 10.0.0.m

          While I do have a CARP IP WAN, it shouldn't factor in this setup; I just want to have the Web Server able to access the Internet (to run updates, for example, or pull from outside sources). I don't really mind if it looks like traffic is coming from pfSense A or B WAN. My test is on the web server, run:
          {{{
          ping www.google.com
          #or http
          telnet www.google.com 80
          }}}
          ... and get a response

          Later I'll set up CARP IP WAN to redirect 80 traffic into the Web server, but for now I just want to make sure the internal gateway is in a failover situation, similar to the related post. I want to set the Web server gateway to 10.0.0.4.

          I tried setting a static route on pfSense, destination 10.0.0.4/32 to 10.0.0.1, but that didn't work. Hopefully my setup is a little clearer now. What am I missing?

          It's interesting that CARP is used as a failover to provide services ... can pfsense be used as a failover gateway, too? That's essentially what I'm trying to do! Am I looking at the wrong documentation?

          • GruensFroeschli

            You miss the point of routing.
            http://en.wikipedia.org/wiki/Subnetwork
            You can only route between different subnets.

            What you're proposing is to have the gateway of the ISP in the same subnet as your local net, which just will not work.

            This would only work with a transparent bridge, but then you don't need CARP.


            • nian
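The two replies above (the proposed WAN/LAN layout and the "you can only route between different subnets" point) boil down to a handful of checks that can be applied to any two-node CARP plan before touching a firewall. The following is an added example, not code from the thread or from pfSense: it uses Python's standard `ipaddress` module to test a layout for the mistakes discussed here, namely a gateway that is not on the host's own subnet, WAN and LAN sharing a prefix, and a server default route that points at a single node instead of the shared LAN VIP. The WAN-side addresses (203.0.113.0/29) and the dictionary keys are assumptions for illustration; the 10.0.0.x and 10.1.1.x values follow the thread.

```python
import ipaddress

# Constructed example layouts. WAN side uses a documentation range (203.0.113.0/29);
# the LAN values mirror the thread. Keys are an assumption of this example.
WORKING_LAYOUT = {
    "wan_prefix": "203.0.113.0/29", "lan_prefix": "10.0.0.0/24",
    "isp_gateway": "203.0.113.1",
    "node_a_wan": "203.0.113.2", "node_b_wan": "203.0.113.3", "carp_wan": "203.0.113.4",
    "node_a_lan": "10.0.0.2", "node_b_lan": "10.0.0.3", "carp_lan": "10.0.0.1",
    "server": "10.0.0.10", "server_gateway": "10.0.0.1",
}
# Second proposal in the thread: the ISP gateway placed inside the private subnet.
ISP_GW_ON_LAN = dict(WORKING_LAYOUT, isp_gateway="10.0.0.1",
                     carp_lan="10.0.0.4", server_gateway="10.0.0.4")
# First proposal in the thread: firewalls, their gateway and the server on one flat subnet.
ONE_FLAT_SUBNET = {
    "wan_prefix": "10.1.1.0/24", "lan_prefix": "10.1.1.0/24",
    "isp_gateway": "10.1.1.1",
    "node_a_wan": "10.1.1.2", "node_b_wan": "10.1.1.3", "carp_wan": "10.1.1.4",
    "node_a_lan": "10.1.1.2", "node_b_lan": "10.1.1.3", "carp_lan": "10.1.1.4",
    "server": "10.1.1.5", "server_gateway": "10.1.1.4",
}


def gateway_is_onlink(host_cidr, gateway):
    """A default gateway is only reachable if it sits inside the host's own subnet."""
    iface = ipaddress.ip_interface(host_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def check_ha_layout(layout):
    """Return a list of problems with a two-node CARP layout; an empty list means OK."""
    problems = []
    wan = ipaddress.ip_network(layout["wan_prefix"])
    lan = ipaddress.ip_network(layout["lan_prefix"])

    # Routing happens between subnets, so the two sides must not overlap.
    if wan.overlaps(lan):
        problems.append(f"WAN {wan} and LAN {lan} overlap; routing needs distinct subnets")

    # The ISP gateway and every WAN-side address must live in the WAN subnet,
    # and every LAN-side address in the LAN subnet.
    for name in ("isp_gateway", "node_a_wan", "node_b_wan", "carp_wan"):
        if ipaddress.ip_address(layout[name]) not in wan:
            problems.append(f"{name} {layout[name]} is not inside WAN subnet {wan}")
    for name in ("node_a_lan", "node_b_lan", "carp_lan", "server"):
        if ipaddress.ip_address(layout[name]) not in lan:
            problems.append(f"{name} {layout[name]} is not inside LAN subnet {lan}")

    # Each node needs its own real address plus the shared CARP address, per side.
    for side in ("wan", "lan"):
        addrs = {layout[f"node_a_{side}"], layout[f"node_b_{side}"], layout[f"carp_{side}"]}
        if len(addrs) != 3:
            problems.append(f"{side.upper()} side needs three distinct addresses (A, B, CARP)")

    # Failover only follows the VIP if the servers point at the LAN CARP address.
    if layout["server_gateway"] != layout["carp_lan"]:
        problems.append("server gateway should be the LAN CARP VIP, not one node or the ISP gateway")
    server_cidr = f"{layout['server']}/{lan.prefixlen}"
    if not gateway_is_onlink(server_cidr, layout["server_gateway"]):
        problems.append(f"server gateway {layout['server_gateway']} is not on {server_cidr}")
    return problems


if __name__ == "__main__":
    for label, layout in (("working", WORKING_LAYOUT),
                          ("isp gateway on LAN", ISP_GW_ON_LAN),
                          ("one flat subnet", ONE_FLAT_SUBNET)):
        print(label, "->", check_ha_layout(layout) or "OK")
```

Run as a script it reports `OK` for the working layout and one finding for each of the thread's two proposals; the function returns the list so it can be used in a pre-change review instead of eyeballing the addresses.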

              @GruensFroeschli:

              You miss the point of routing.
              http://en.wikipedia.org/wiki/Subnetwork
              You can only route between different subnets.

              What you're proposing is to have the gateway of the ISP in the same subnet as your local net, which just will not work.

              This would only work with a transparent bridge, but then you don't need CARP.

              Well, actually, the network is separated into a public and a private network; there is no access at all from the private out to the public, except what is routed. pfsenseA and pfsenseB are the only machines sitting on both the public and the private subnet.

              If I set the gateway of the web server to pfsense A (10.0.0.2), then I can ping out. If I set the gateway of the web server to pfsense B (10.0.0.3), then I can also ping out. The problem is, if either pfsenseA or pfsense B goes out, how can I get it to automatically failover?

              Thanks!

              • GruensFroeschli

                But then the gateway of your ISP cannot be 10.0.0.1

                To get the failover you set the gateway of your servers to the LAN-CARP IP.


                • nian

                  So I figured out that the problem is all about return-path. The real network servers had their own default routes and were basically returning traffic along that path instead of through pfsense.

                  The equivalent of this is LVS-DR, for you Linux Virtual Server types out there. Is there an equivalent of LVS-NAT, where web servers route traffic back to the pfsense load balancers that originally requested it?

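The return-path problem in the last post is worth seeing end to end: a port-forward on the shared WAN VIP is stateful NAT, so the server's reply must leave through the same firewall pair to be un-translated, and it only does so if the server's default route points at the LAN CARP VIP. This is an added example, not code from the thread or from pfSense. It models a minimal stateful DNAT device and a longest-prefix route lookup on the server, then compares the source address the client sees when the server routes replies via the CARP LAN VIP against a server that keeps its own default route elsewhere. All addresses here are constructed (documentation ranges on the public side, the thread's 10.0.0.x on the LAN side).

```python
import ipaddress

# Constructed sample addresses; the public ones are documentation ranges.
CLIENT = "198.51.100.10"
CARP_WAN = "203.0.113.4"   # shared public VIP held by the active pfSense node
CARP_LAN = "10.0.0.4"      # shared LAN VIP the servers should use as their gateway
OTHER_GW = "10.0.0.1"      # a different router on the LAN (the "own default route" case)
SERVER = "10.0.0.5"


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


class NatFirewall:
    """Minimal stateful DNAT: forwards CARP_WAN:80 to SERVER:80 and rewrites the
    source of replies back to CARP_WAN, but only for flows it has state for."""

    def __init__(self):
        # key: (src, sport, dst, dport) of the expected reply -> public address to restore
        self.states = {}

    def inbound(self, pkt):
        if (pkt["dst"], pkt["dport"]) != (CARP_WAN, 80):
            return None  # no forward rule for this destination: dropped
        self.states[(SERVER, 80, pkt["src"], pkt["sport"])] = CARP_WAN
        return dict(pkt, dst=SERVER)

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.states:
            return dict(pkt, src=self.states[key])
        return pkt  # unknown flow: passed untranslated (simplification)


def reply_source_seen_by_client(server_routes):
    """Send one request from CLIENT to CARP_WAN:80 and return the source address
    on the reply as the client receives it, given the server's routing table."""
    fw = NatFirewall()
    request = {"src": CLIENT, "sport": 40000, "dst": CARP_WAN, "dport": 80}
    at_server = fw.inbound(request)
    reply = {"src": at_server["dst"], "sport": 80,
             "dst": at_server["src"], "dport": at_server["sport"]}
    if route_lookup(server_routes, reply["dst"]) == CARP_LAN:
        reply = fw.outbound(reply)  # traverses the firewall: state matched, src restored
    # Any other next hop bypasses the firewall, so the reply leaves untranslated.
    return reply["src"]


def client_accepts(server_routes):
    """A client only matches a reply whose source is the address it talked to."""
    return reply_source_seen_by_client(server_routes) == CARP_WAN


VIA_CARP = [("10.0.0.0/24", "onlink"), ("0.0.0.0/0", CARP_LAN)]
OWN_DEFAULT = [("10.0.0.0/24", "onlink"), ("0.0.0.0/0", OTHER_GW)]

if __name__ == "__main__":
    print("default via CARP LAN VIP :", reply_source_seen_by_client(VIA_CARP))
    print("own default route        :", reply_source_seen_by_client(OWN_DEFAULT))
```

With the default route via the CARP LAN VIP the client sees the reply come from 203.0.113.4 and the connection completes; with the server's own default route elsewhere the reply carries the private 10.0.0.5 source, which the client never contacted, so it is discarded. That asymmetric path is exactly what the thread's "return along that path instead of through pfsense" describes, and pointing the servers' default route at the LAN CARP VIP is the LVS-NAT style fix asked about.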