LAN CARP as gateway
-
Related to this post: http://forum.pfsense.org/index.php/topic,3620.0.html
I have two pfSense machines I want to run in a load-balanced configuration. It protects a couple of web servers, etc:
A) pfsense A - 10.1.1.2, gateway 10.1.1.1
B) pfsense B - 10.1.1.3, gateway 10.1.1.1
C) CARP virtual IP - 10.1.1.4
D) web server 1 - 10.1.1.5
… what configuration do I need on my pfsense machines to get this to work? I set up:
1. On pfsense A/B, I have CARP virtual IP set up as 10.1.1.4
2. On web server 1, I have route default added to use the CARP as gateway, but I cannot get it to route. For example, on web 01:
{{{
netstat -rn                 # show the current routing table
route delete default        # drop the existing default route
route add default 10.1.1.4  # point the default route at the CARP VIP
ping www.google.com         # test reachability through the new gateway
}}}
... this is, of course, because pfsense A/B both have routes out to the world through gateway 10.1.1.1.
Is there a NAT configuration, or a firewall rule, I'm missing?
[edit: Updated configuration description, below]
-
You kind of mixed a few things up.
Your gateway is 10.1.1.1
The webservers are on the same subnet, but they shouldn't be.
After all, you want to route your servers, and for that they have to be on a different subnet.
-> The CARP VIP will be the gateway for your servers.
So more something like that:
Gateway of your ISP: xxx.xxx.xxx.a
pfSenseA WAN: xxx.xxx.xxx.b
pfSenseB WAN: xxx.xxx.xxx.c
CARP IP WAN: xxx.xxx.xxx.d
pfSenseA LAN: 10.0.0.2
pfSenseB LAN: 10.0.0.3
CARP IP LAN : 10.0.0.1
Server : 10.0.0.m
Server : 10.0.0.n
Your servers have as gateway your LAN CARP IP.
On the WAN side you need at least 3 IP's by your ISP.
One real IP for each pfSense and the CARP IP which the pfSenses share.
You can have multiple CARP IPs on WAN.
-
Actually, let me re-clarify then …
Public network:
Gateway of ISP: xxx.xxx.xxx.a
pfSense A WAN: xxx.xxx.xxx.b
pfSense B WAN: xxx.xxx.xxx.c
Private network:
Gateway of ISP: 10.0.0.1
pfSense A LAN: 10.0.0.2
pfSense B LAN: 10.0.0.3
CARP IP LAN: 10.0.0.4
Web Server: 10.0.0.m
While I do have a CARP IP WAN, it shouldn't factor in this setup; I just want to have the Web Server able to access the Internet (to run updates, for example, or pull from outside sources). I don't really mind if it looks like traffic is coming from pfSense A or B WAN. My test is on the web server, run:
{{{
ping www.google.com
#or http
telnet www.google.com 80
}}}
... and get a response.
Later I'll set up CARP IP WAN to redirect 80 traffic into the Web server, but for now I just want to make sure the internal gateway is in a failover situation, similar to the related post. I want to set the Web server gateway to 10.0.0.4.
I tried setting a static route on pfSense, destination 10.0.0.4/32 to 10.0.0.1, but that didn't work. Hopefully my setup is a little clearer now. What am I missing?
It's interesting that CARP is used as a failover to provide services ... can pfsense be used as a failover gateway, too? That's essentially what I'm trying to do! Am I looking at the wrong documentation?
-
You miss the point of routing.
http://en.wikipedia.org/wiki/Subnetwork
You can only route between different subnets.
What you're proposing is to have the gateway of the ISP in the same subnet as your local net, which just will not work.
This would only work with a transparent bridge, but then you don't need CARP.
-
Well, actually, the network is separated into a public and a private network; there is no access at all from the private out to the public, except what is routed. pfsenseA and pfsenseB are the only machines sitting on both the public and the private subnet.
If I set the gateway of the web server to pfsense A (10.0.0.2), then I can ping out. If I set the gateway of the web server to pfsense B (10.0.0.3), then I can also ping out. The problem is if either pfsenseA or pfsense B go out, how can I get it to automatically failover?
Thanks!
-
But then the gateway of your ISP cannot be 10.0.0.1
To get the failover you set the gateway of your servers to the LAN-CARP IP.
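To make the routing argument in this thread concrete, here is an added addressing-plan checker (example code written for this page, not pfSense code and not any poster's own). It encodes the two rules the replies keep coming back to: the ISP gateway has to live on the WAN subnet, not inside the LAN, and the servers' default gateway has to be the LAN CARP VIP rather than one physical pfSense box, otherwise there is no failover. The public addresses use the documentation range 203.0.113.0/24 as a constructed stand-in for the thread's "xxx.xxx.xxx" block; the host addresses are likewise constructed to mirror the layouts posted above.

```python
import ipaddress

# Constructed plan mirroring the second layout in the thread: the ISP gateway
# was placed at 10.0.0.1, inside the LAN subnet. Public addresses are placeholders.
BROKEN_PLAN = {
    "wan_net": "203.0.113.0/24",
    "lan_net": "10.0.0.0/24",
    "isp_gateway": "10.0.0.1",        # the mistake: ISP gateway on the LAN
    "pfsense_a_wan": "203.0.113.2",
    "pfsense_b_wan": "203.0.113.3",
    "pfsense_a_lan": "10.0.0.2",
    "pfsense_b_lan": "10.0.0.3",
    "carp_lan": "10.0.0.4",
    "servers": ["10.0.0.10"],
    "server_gateway": "10.0.0.4",
}

# Constructed plan following the reply's advice: ISP gateway on the WAN link,
# LAN CARP VIP at 10.0.0.1, and the servers pointing their default route at it.
FIXED_PLAN = {
    **BROKEN_PLAN,
    "isp_gateway": "203.0.113.1",
    "carp_lan": "10.0.0.1",
    "server_gateway": "10.0.0.1",
}


def check_plan(plan):
    """Return a list of problems; an empty list means the layout routes and fails over."""
    wan = ipaddress.ip_network(plan["wan_net"])
    lan = ipaddress.ip_network(plan["lan_net"])

    def addr(key):
        return ipaddress.ip_address(plan[key])

    problems = []

    # Routing only works between distinct subnets.
    if wan.overlaps(lan):
        problems.append(f"WAN {wan} and LAN {lan} overlap; nothing can be routed between them")

    # The ISP gateway is the WAN next hop, so it must be on the WAN link and never on the LAN.
    if addr("isp_gateway") not in wan:
        problems.append(f"ISP gateway {plan['isp_gateway']} is not in WAN {wan}")
    if addr("isp_gateway") in lan:
        problems.append(f"ISP gateway {plan['isp_gateway']} sits inside LAN {lan}; "
                        "the firewalls would treat it as a local host, not a next hop")

    # Each interface and the CARP VIP must be on the link it is supposed to serve.
    for key in ("pfsense_a_wan", "pfsense_b_wan"):
        if addr(key) not in wan:
            problems.append(f"{key} {plan[key]} is not in WAN {wan}")
    for key in ("pfsense_a_lan", "pfsense_b_lan", "carp_lan"):
        if addr(key) not in lan:
            problems.append(f"{key} {plan[key]} is not in LAN {lan}")
    for server in plan["servers"]:
        if ipaddress.ip_address(server) not in lan:
            problems.append(f"server {server} is not in LAN {lan}")

    # Failover only happens when the servers' gateway is the shared CARP VIP.
    gw = plan["server_gateway"]
    if addr("server_gateway") not in lan:
        problems.append(f"server gateway {gw} is not on LAN {lan}; servers cannot reach it directly")
    elif gw in (plan["pfsense_a_lan"], plan["pfsense_b_lan"]):
        problems.append(f"server gateway {gw} is a physical pfSense address; "
                        f"use the CARP VIP {plan['carp_lan']} so the gateway survives a failure")
    elif gw != plan["carp_lan"]:
        problems.append(f"server gateway {gw} is neither the CARP VIP {plan['carp_lan']} nor a pfSense box")

    # No address may be used twice across the plan.
    used = [plan[k] for k in ("isp_gateway", "pfsense_a_wan", "pfsense_b_wan",
                              "pfsense_a_lan", "pfsense_b_lan", "carp_lan")] + plan["servers"]
    duplicates = sorted({a for a in used if used.count(a) > 1})
    if duplicates:
        problems.append(f"addresses assigned more than once: {', '.join(duplicates)}")

    return problems


if __name__ == "__main__":
    for name, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
        found = check_plan(plan)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Running it reports two problems for the broken plan (the ISP gateway is missing from the WAN subnet and present inside the LAN) and none for the fixed one; pointing the servers at 10.0.0.2 instead of the VIP is flagged as a failover gap rather than a routing error, which is the distinction the thread ends on.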
-
So I figured out that the problem is all about return-path. The real network servers had their own default routes and were basically returning traffic along that path instead of through pfsense.
The equivalent of this is LVS-DR, for you linux virtual server types out there. Is there an equivalent of LVS-NAT, where web servers route traffic back to the pfsense load balancers that originally requested it?