    CARP Failover on OVH : no Promiscuous allowed… what alternative

HA/CARP/VIPs
14 Posts 5 Posters 7.9k Views

aniodon

Hello everyone,
and happy new year!

I have an issue with CARP failover.
OVH (hosting) provides me with two ESXi hosts.

I have done my setup with one pfSense smoothly, and I wanted to go further by doing failover.

I have successfully set up CARP (on my VLANs: OK, and XMLRPC: OK).

Problem is, OVH does not allow me to enable promiscuous mode on the WAN interfaces for security reasons.

So CARP does not work, and I have two MASTERs.

The OVH team advised me to create a dedicated VLAN, put some interfaces there to do the WAN CARP, and find a way to make the communication between this CARP and my WAN interface.

I am a little bit confused here… shall I do 1:1 NAT between my WAN and my CARP? And then a second port-forward NAT from the CARP to the webserver?

Is there any other alternative?

Any suggestions really appreciated!

Thanks in advance for your time,

Olivier

aniodon

Hello everyone!

I have been directed to this tutorial to set up CARP / HA:
http://www.it-connect.fr/fail-over-pfsense-via-carp-et-pfsync/

In this setup, the WAN connection is indeed not under CARP.

I really do not understand the WAN setup here…

One WAN NIC on each pfSense?
On each pfSense, a virtual IP of the public IP on each WAN NIC?

How to map public IPs in such a scenario?

Did anyone try such a setup?

Thanks in advance

awebster

Interesting setup… they chose to use CARP on the LAN side but not the WAN side of their setup.
That would work fine for outgoing traffic because it will either be from 10.1.1.1 or 10.1.1.2 (in the original article).
Incoming traffic would need to be delivered to a virtual IP that would only respond on whichever box is the master.
Normally, running CARP on both LAN and WAN will detect a failure on either one of these and fail over appropriately, but in this diagram, if the WAN interface failed on the MASTER, the BACKUP would have no way of detecting this and would not take over.

–A.

aniodon

Thanks for your answer, awebster.

I tested this setup, and the problem is exactly the one you were pointing at: incoming traffic cannot be redirected correctly. Outgoing is OK.

So I'm back to square one: I probably have to use a dedicated VLAN for my WAN CARP, on which I will be able to turn on promiscuous mode.

But now I have to redirect all traffic from my WAN interface to the CARP on the VLAN, and then find a way to redirect from the CARP to the web front end.

I thought I should use 1:1 NAT between the WAN interface and the CARP on the VLAN, and a NAT port forward between the CARP VLAN and the LAN IP of the front end.
Is this even possible?

I spent days on this, and it never worked properly…

Any suggestions?

Thanks in advance

awebster

I'm not familiar with OVH; if you can run promiscuous mode on a VLAN, that would be the way to do it.
But as you pointed out, you need to connect the VLAN onto the WAN. Not sure how this would work.

As far as redirecting incoming traffic goes, you would need to either create port forwarding on the CARP VIP, e.g. port 80 goes to internal host 192.168.1.100 port 80,
or create several additional external VIP addresses if you can get more than one WAN IP, and either port forward or 1:1 NAT them.

–A.

aniodon

Thanks for this!

I successfully NATed 1:1 incoming traffic to the CARP on the VLAN.
I then tried two things: 1:1 NATing the CARP to the internal host, or port forwarding from the CARP to the host.

Neither worked; it seems the traffic stops at the CARP on the VLAN and does not reach the internal host…

Theoretically, would a solution with two successive NATs have worked?

I used the default NAT options... maybe there is one I missed?

awebster

You need NAT + rules. What rules do you have in place to allow the traffic?
Please post screenshots of both.

–A.

aniodon

Yes of course,
I watched the firewall logs; nothing gets stuck.
I built rules matching the NATs, and outbound too.

I will rebuild my setup tomorrow and take screenshots to show you.

aniodon

Hello everyone

Finally managed to set up CARP on the WAN.

For anyone having the same issue:

• OVH has added an option to activate CARP to ESX vSphere.
• In ESX, right-click on a VM (you'll have to do this on both VMs) and select at the bottom: Activate CARP.
• Select any interfaces connected to the vmnetwork (WAN / v1000), and accept.

Your interfaces are now in promiscuous mode.

Have a nice day

fattylewis

@aniodon:

Hello everyone

Finally managed to set up CARP on the WAN.

For anyone having the same issue:

• OVH has added an option to activate CARP to ESX vSphere.
• In ESX, right-click on a VM (you'll have to do this on both VMs) and select at the bottom: Activate CARP.
• Select any interfaces connected to the vmnetwork (WAN / v1000), and accept.

Your interfaces are now in promiscuous mode.

Have a nice day

Hey man, what service are you using on OVH? I'm guessing not the dedicated servers?

robwalker

@fattylewis:

Hey man, what service are you using on OVH? I'm guessing not the dedicated servers?

Yeah, I was wondering the same thing. We use a number of their services and have had no issues using dedicated servers with VMware and their 'vRack' with several VLANs. CARP works great. I'm guessing you're using dedicated cloud. We use that as well, but don't have CARP running on it.

fattylewis

@robwalker:

Yeah, I was wondering the same thing. We use a number of their services and have had no issues using dedicated servers with VMware and their 'vRack' with several VLANs. CARP works great. I'm guessing you're using dedicated cloud. We use that as well, but don't have CARP running on it.

Have you got CARP working on dedicated servers from OVH? I'm currently trying to concept something using CARP. So I'm using 2 pfSense machines on the same ESXi host. The second box becomes master for the CARP IP but no traffic passes. I'm currently thinking it's to do with the stupid virtual MAC addresses. How have you managed to get this working?

robwalker

We use a lot of their dedicated servers.

If you're just testing it on the same server, I wouldn't have thought there'd be much you'd need to do.

We only use servers with the vRack option. You have to order a vRack on your account and then add the servers to it. We also add an IP block to the vRack for the WAN.

Then we install VMware on the server from OVH's template. This sets up the public network card as the management LAN for VMware.

We then add a virtual switch on the vRack card, and a port group for each VLAN we need with the appropriate VLAN tag. The WAN is untagged. Each port group needs MAC spoofing and promiscuous mode ON.

With this setup, pfSense CARP works with both VMs on the same host, or on different hosts. The multicast traffic seems to pass over their vRack network with no issues. Amazing considering you can have one node in France and one in Canada on the same Layer 2 network if you wish.

CapitanBlack

Got an answer from OVH that CARP is not possible on their hardware dedicated servers due to network design.

I've solved this using the OVH Control Panel API - https://api.ovh.com

1. Buy some OVH failover IPs (one or a subnet block) and assign them to the "master" firewall in the OVH Control Panel.

2. Create identical "IP alias(es)" for the OVH failover IPs attached to the WAN interfaces on both the "master" and "backup" firewalls.
      Yes, create identical IP aliases - no IP conflict will ever happen.

3. Write a Python script that moves the above OVH failover IPs to the "backup" server in case the "master" firewall stops responding for, let's say, 10 seconds.
      The script can run on the backup server or on any other Linux/Windows server anywhere.

Works just fine - the API failover IP move takes about 50-55 seconds to finish.
So, if the script's timeout for your "master" firewall is set to 10 seconds, you are looking at a max 60-65 second outage for your services.

Boom.
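The watchdog the post describes, written here as an added example and not CapitanBlack's own script: it probes the master firewall, and once the master has been unreachable for the timeout it moves the failover IPs through an injected callable, so the decision logic (reset on any success, fire once, never flap) can be exercised offline. The `ovh` client library and the `POST /ip/{ip}/move` call in `ovh_move_ip`, the probe flags, and every IP and service name are assumptions or placeholders, not values from the thread.

```python
"""Failover-IP watchdog: move OVH failover IPs to the backup firewall once
the master has not answered probes for `timeout_s` seconds (10 s in the post)."""
import subprocess
import time
from typing import Callable, Iterable
from urllib.parse import quote


class FailoverWatchdog:
    def __init__(self, ips: Iterable[str], backup_service: str,
                 move_ip: Callable[[str, str], None], timeout_s: float = 10.0):
        self.ips = list(ips)
        self.backup_service = backup_service
        self.move_ip = move_ip          # injected: the OVH "move IP" API call
        self.timeout_s = timeout_s
        self.down_since = None          # time of the first failed probe in a run
        self.failed_over = False        # fire once; moving back is a manual step

    def observe(self, master_alive: bool, now: float) -> bool:
        """Record one probe result; return True only when failover is triggered."""
        if master_alive:
            self.down_since = None      # any successful probe resets the clock
            return False
        if self.down_since is None:
            self.down_since = now
        if self.failed_over or now - self.down_since < self.timeout_s:
            return False
        for ip in self.ips:             # each move takes ~50-55 s per the post
            self.move_ip(ip, self.backup_service)
        self.failed_over = True
        return True


def ping(host: str) -> bool:
    """One ICMP probe via the system ping (assumed Linux iputils flags)."""
    r = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def ovh_move_ip(ip: str, service: str) -> None:
    """Assumed wiring to the OVH API with the `ovh` client library
    (pip install ovh; credentials read from ovh.conf)."""
    import ovh
    ovh.Client().post(f"/ip/{quote(ip, safe='')}/move", to=service)


if __name__ == "__main__":              # placeholder IPs / service name below
    wd = FailoverWatchdog(["203.0.113.10/32"], "ns0000.ip-203-0-113.eu", ovh_move_ip)
    while True:
        wd.observe(ping("192.0.2.1"), time.monotonic())   # master's own WAN IP
        time.sleep(1)
```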

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.