CARP Failover on OVH: no promiscuous mode allowed… what alternative?


  • Hello everyone,
    and happy new year!

    I have an issue with CARP failover.
    OVH (hosting) provides me two ESXi hosts.

    I have done my setup with one pfSense smoothly, and I wanted to go further by doing failover.

    I have successfully set up CARP (on my VLANs: OK, and XMLRPC: OK).

    Problem is, OVH does not allow me to enable promiscuous mode on the WAN interfaces for security reasons.

    So CARP does not work, and I have two MASTERs.

    The OVH team advised me to create a dedicated VLAN, put some interfaces on it to do the WAN CARP, and find a way to make the communication between this CARP and my WAN interface.

    I am a little bit confused here… shall I do 1:1 NAT between my WAN and my CARP? And then a second NAT port forward from the CARP to the webserver?

    Are there other alternatives?

    Any suggestions really appreciated!

    Thanks in advance for your time,

    Olivier


  • Hello everyone!

    I have been directed to this tutorial to set up CARP / HA:
    http://www.it-connect.fr/fail-over-pfsense-via-carp-et-pfsync/

    In this setup, the WAN connection is indeed not under CARP.

    I really do not understand the WAN setup here…

    One WAN NIC on each pfSense?
    On each pfSense, a virtual IP of the public IP on each WAN NIC?

    How to map public IPs in such a scenario?

    Has anyone tried such a setup?

    Thanks in advance


  • Interesting setup… they chose to use CARP on the LAN side but not the WAN side in their setup.
    They would work fine for outgoing traffic because it will either be from 10.1.1.1 or 10.1.1.2 (in the original article).
    Incoming traffic would need to be delivered to a virtual IP that would only respond on whichever box is the master.
    Normally running CARP on both LAN and WAN will detect a failure on either one of these and fail over appropriately, but in this diagram, if the WAN interface failed on the MASTER, the BACKUP would have no way of detecting this and would not take over.


  • Thanks for your answer Awebster

    I tested this setup, and the problem is exactly the one you were pointing at: incoming traffic cannot correctly be redirected. Outgoing is OK.

    So I'm back to square one: I probably have to use a dedicated VLAN for my WAN CARP, on which VLAN I will be able to turn on promiscuous mode.

    But now I have to redirect all traffic from my WAN interface to the CARP on the VLAN, and then find a way to redirect from the CARP to the frontal web server.

    I thought I should use 1:1 NAT between the WAN interface and the CARP on the VLAN, and a NAT port forward between the CARP VLAN and the LAN IP of the frontal.
    Is this even possible?

    I spent days around this, and it never worked properly…

    Any suggestions?

    Thanks in advance


  • I'm not familiar with OVH; if you can run promiscuous mode on a VLAN that would be the way to do it.
    But as you pointed out, you need to connect the VLAN onto the WAN. Not sure how this would work.

    As far as redirecting incoming traffic, you would need to create either port forwarding on the CARP VIP, e.g. port 80 goes to internal host 192.168.1.100 port 80,
    or create several additional VIP external addresses if you can get more than 1 WAN IP and either port forward or 1:1 NAT them.


  • Thanks for this!

    I successfully NATted 1:1 incoming traffic to the CARP on the VLAN.
    I tried two things then: NATting 1:1 the CARP to the internal host, or port forwarding from the CARP to the host.

    Neither worked; it seems the traffic stops at the CARP on the VLAN and does not seem to reach the internal host…

    Theoretically, a solution with two successive NATs would have worked?

    I used the default NAT options... maybe there is one I missed?


  • You need NAT + rules. What rules do you have in place to allow the traffic?
    Please post screenshots of both.


  • Yes of course,
    I watched the firewall logs, nothing gets stuck.
    I built rules matching the NATs, and outbound too.

    I will rebuild my setup tomorrow and take screenshots to show you.


  • Hello everyone

    Finally managed to set up the CARP on WAN.

    For anyone having the same issue:

    • OVH has added to ESX vSphere an option to activate CARP
    • In ESX, right click on a VM (you'll have to do this on both VMs) and select at the bottom: Activate CARP
    • Select any interfaces connected to the VM network (WAN / v1000), and accept

    Your interfaces are now in promiscuous mode.

    Have a nice day


  • @aniodon:


    Hey man, what service are you using on OVH? I'm guessing not the dedicated servers?


  • @fattylewis:


    Yeah I was wondering the same thing. We use a number of their services and have had no issues using dedicated servers with VMWare and their 'vRack' with several VLANs. CARP works great. I'm guessing you're using dedicated cloud. We use that as well, but don't have CARP running on it.


  • @robwalker:


    Have you got CARP working on dedicated servers from OVH? I'm currently trying to concept something using CARP. So I'm using 2 pfSense machines on the same ESXi host. The second box becomes master for the CARP IP but no traffic passes. I'm currently thinking it's to do with the stupid virtual MAC addresses. How have you managed to get this working?


  • We use a lot of their dedicated servers.

    If you're just testing it on the same server, I wouldn't have thought there'd be much you'd need to do.

    We only use servers with the vRack option. You have to order a vRack on your account and then add the servers to it. We also add an IP block to the vRack for the WAN.

    Then we install VMware on the server from OVH's template. This sets up the public network card as the management LAN for VMware.

    We then add a virtual switch on the vRack card, and a port group for each VLAN we need with the appropriate VLAN tag. The WAN is untagged. Each port group needs MAC spoofing and promiscuous mode ON.

    With this setup, pfSense CARP works with both VMs on the same host, or on different hosts. The multicast traffic seems to pass over their vRack network with no issues. Amazing considering you can have one node in France and one in Canada on the same Layer 2 network if you wish.


  • Got an answer from OVH that CARP is not possible for their hardware dedicated servers due to network design.

    I've solved this using the OVH Control Panel API - https://api.ovh.com

    1. Buy some OVH failover IPs (one or a subnet block) and assign them to the "master" firewall in the OVH Control Panel.

    2. Create identical "IP alias(es)" for the OVH failover IPs attached to the WAN interfaces on both "master" and "backup" firewalls.
          Yes, create identical IP aliases - no IP conflict will ever happen.

    3. Write a Python script that moves the above OVH failover IPs to the "backup" server in case the "master" firewall stops responding for, let's say, 10 seconds.
          The script can run on the backup server or on any other Linux/Windows server anywhere.

    Works just fine - the API failover IP move takes about 50-55 seconds to finish.
    So, if the script's timeout for your "master" firewall is set to 10 seconds, you are looking at a max 60-65 second outage for your services.

    Boom.
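As an added illustration of the watchdog approach described in the post above (this is not the poster's script), the core of such a monitor can be separated from the OVH API call so the outage timer can be tested offline. It assumes the official `ovh` Python package and the `POST /ip/{ip}/move` endpoint with a `to` destination service; the probed IP, the failover IP and the backup service name are constructed placeholders.

```python
import socket
import time
from typing import Callable, Optional

# Constructed placeholders: replace with your own addresses and OVH service name.
MASTER_WAN_IP = "192.0.2.10"                  # address probed to decide if the master is alive
FAILOVER_IPS = ["198.51.100.5"]               # OVH failover IPs currently routed to the master
BACKUP_SERVICE = "ns0000000.ip-192-0-2.eu"    # hypothetical OVH service name of the backup box
FAIL_AFTER_SECONDS = 10.0                     # the "10 seconds" timeout from the post


def tcp_probe(host: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds (master firewall answering)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class FailoverMonitor:
    """Tracks how long the master has been unreachable and moves the IPs exactly once."""

    def __init__(self, probe: Callable[[], bool], move_ip: Callable[[str, str], None],
                 fail_after: float = FAIL_AFTER_SECONDS):
        self.probe, self.move_ip, self.fail_after = probe, move_ip, fail_after
        self.down_since: Optional[float] = None   # time of first failed probe in this outage
        self.failed_over = False                  # a move takes ~50-55 s; never re-issue it

    def tick(self, now: float) -> bool:
        """Run one probe at time `now`; return True if a failover was triggered this tick."""
        if self.probe():
            self.down_since = None                # master answered: reset the outage clock
            return False
        if self.down_since is None:
            self.down_since = now
        if now - self.down_since >= self.fail_after and not self.failed_over:
            for ip in FAILOVER_IPS:
                self.move_ip(ip, BACKUP_SERVICE)
            self.failed_over = True
            return True
        return False


def ovh_move_ip(ip: str, to_service: str) -> None:
    """Move one OVH failover IP with the 'ovh' client (pip install ovh); credentials come
    from ovh.conf or OVH_* environment variables. Assumes POST /ip/{ip}/move with 'to'."""
    import ovh  # imported lazily so the monitor logic runs without the library installed
    ovh.Client().post(f"/ip/{ip}/move", to=to_service)


if __name__ == "__main__":
    mon = FailoverMonitor(lambda: tcp_probe(MASTER_WAN_IP), ovh_move_ip)
    while True:
        mon.tick(time.monotonic())
        time.sleep(1)
```

Moving the IPs back after the master recovers is left as a manual step, which matches the post's one-way failover.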