
Messages - robwalker

CARP/VIPs / Re: pfSense HA on OVH dedicated servers
« on: January 03, 2018, 11:17:26 am »
We have used CARP on OVH's vRack with no problems. Well, no problems other than OVH being unreliable that is...

I was concerned they might block multicast etc., but it has always worked perfectly well for us. Who told you it wouldn't work? We were able to configure multiple VLANs on the same vRack by adding multiple NICs and setting the VLAN tag in VMware.

No problems with CARP or config Sync.

General Questions / Re: Crash on 2.2.6 - Syncer?
« on: May 10, 2016, 03:09:39 am »
We had another crash this morning. I submitted the report a few minutes ago from the same IP (a few minutes after 9am UTC+1).

I'm not sure the cause is the same.

General Questions / Re: Crash on 2.2.6 - Syncer?
« on: May 04, 2016, 01:32:14 am »
Thanks for the info, that's much appreciated. The storage is local: 2 SSDs in software RAID 1. I'll have a look into it further, but at first glance there were no errors logged at that time in the host OS. I may have missed something though.

The only other thing that comes to mind is possibly the disks going to sleep or 'spinning down'. Not that they actually spin in this case! I'll check the settings.

General Questions / Re: Crash on 2.2.6 - Syncer?
« on: May 03, 2016, 10:56:41 am »
Sorry, the time above is the time of the crash. It will have been submitted between 3 and 5 pm UTC+1 on 3 May 2016 :D

General Questions / Crash on 2.2.6 on Hyper-V
« on: May 03, 2016, 10:42:47 am »
Hi, I just logged in to our master firewall node and saw it had crashed and rebooted. The crash report will have been submitted between midnight and 3AM UTC on 1st May 2016.

There is at least one reference to the syncer process, but I'm really not sure I'm looking at the right thing. pfSense is running as a Hyper-V VM.

We use a lot of their dedicated servers.

If you're just testing it on the same server, I wouldn't have thought there'd be much you'd need to do.

We only use servers with the vRack option. You have to order a vRack on your account and then add the servers to it. We also add an IP block to the vRack for the WAN.

Then we install VMware on the server from OVH's template. This sets up the public network card as the management LAN for VMware.

We then add a virtual switch on the vRack card, and a port group for each VLAN we need with the appropriate VLAN tag. The WAN is untagged. Each port group needs MAC spoofing and promiscuous mode ON.

With this setup, pfSense CARP works with both VMs on the same host or on different hosts. The multicast traffic seems to pass over their vRack network with no issues. Amazing considering you can have one node in France and one in Canada on the same Layer 2 network if you wish.

Hello everyone

Finally managed to set up CARP on WAN.

For anyone having the same issue:
- OVH have added to ESX/vSphere an option to activate CARP
- In ESX, right click on a VM (you'll have to do this on both VMs) and select at the bottom: Activate CARP
- Select any interfaces connected to the VM network (WAN / v1000), and accept

Your interfaces are now in promiscuous mode.

Have a nice day
Hey man, what service are you using on OVH? I'm guessing not the dedicated servers?

Yeah, I was wondering the same thing. We use a number of their services and have had no issues using dedicated servers with VMware and their 'vRack' with several VLANs. CARP works great. I'm guessing you're using dedicated cloud. We use that as well, but don't have CARP running on it.

CARP/VIPs / Re: Adding 250 Virtual IPs
« on: February 03, 2016, 05:11:26 am »
Thanks, I really appreciate your input. It sounds like it's not a great idea. I'll raise it with our provider, but I think we're pushing the boundaries of what they offer. They're a hosting/server provider who deal in bulk rather than bespoke, so anything that deviates from their standard setup is unlikely to be possible.

We may simply add a second pfSense instance to test out these extra IPs. The bulk of them are for one very specific use case which could be diverted through a separate pfSense VM without too much effort.

Thanks again!

CARP/VIPs / Re: Adding 250 Virtual IPs
« on: February 02, 2016, 08:18:56 am »
Thanks for the reply. Yes it certainly would be a management nightmare! The only good thing being that things are very unlikely to change going forward. I shouldn't need to add or remove any more in the future.

Adding them as children of the WAN CARP interface is what I was planning. I definitely don't want that many CARP addresses.

Unfortunately we're limited by our hosting provider. They provide us with a really impressive network and we can use VLAN tags to seamlessly create up to 4000 LANs spanning their datacentres, but in this instance our only real option is to use the IP block directly.

Would you have any concerns from a stability or performance point of view? Or is it just the management nightmare you'd be concerned about?

CARP/VIPs / Re: Adding 250 Virtual IPs
« on: February 02, 2016, 06:47:43 am »
Anyone any thoughts on if ~250 IP Aliases are a good idea on one interface?

CARP/VIPs / Adding 250 Virtual IPs
« on: January 29, 2016, 10:57:53 am »
We've recently moved to pfSense for all our new networks for our SaaS platform. It's working really well for us and gives us a lot more flexibility than the old Juniper SSG units we were using.

For a new environment that we have recently deployed, I need to add most of a /24 as virtual IPs. Looking at the various options, I think they'll have to be IP aliases. We're using CARP for failover, and I don't think the 'other' option will work as these IPs are accessible directly, not routed to a single WAN IP etc.

I've added a handful that we needed before the platform went live, but unfortunately it was rushed into production because of a serious hardware failure in a legacy DC. My colleague has scripted the required XML as there appears to be no way to bulk add IP Aliases. Before we look at testing it and then finally adding the config, does anyone have any experience with this many IP Aliases? This is going to add around 250 addresses to the WAN interface. Would that be of any concern?

A reasonable number of them will be used in an outgoing NAT pool. I assume that should work OK? I can create an alias for the range and then use it in a NAT rule I believe.
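The bulk add described in this post, as an added example that is not the poster's colleague's script and not pfSense project code: a Python generator for the config.xml fragments, one `<vip>` of mode `ipalias` per address in the block and one network-type `<alias>` covering the outbound NAT pool. Assumptions are labelled in the comments: the element names follow what I believe the 2.2.x GUI writes for an IP Alias VIP and an alias (diff the output against one of the handful of VIPs already added by hand before importing anything), `subnet_bits` should be copied from those hand-added entries, the CARP parent's `_vip<uniqid>` interface name and the 203.0.113.0/24 documentation range are constructed stand-ins, and the reserved set (gateway, CARP VIP, each node's own WAN address) is whatever is already in use on the real block.

```python
"""
Bulk IP Alias VIP and NAT-pool alias generator for pfSense config.xml.

Added example, not the forum poster's script or pfSense code.  Element
names are assumed to match what the pfSense 2.2.x GUI exports for a
<vip> of mode ipalias and a network <alias>; verify against one
GUI-created entry before merging the output into a config backup.
"""
import ipaddress
import uuid
import xml.etree.ElementTree as ET


def plan_aliases(block, reserved):
    """Host addresses of `block` that still need an IP Alias VIP.

    `reserved` holds addresses already in use (gateway, the CARP VIP
    itself, each node's own WAN address).  Every entry must lie inside
    `block`; a typo that lands outside it is rejected rather than silently
    ignored, because the generated VIPs would then collide with it.
    """
    net = ipaddress.ip_network(block, strict=True)
    reserved_set = {ipaddress.ip_address(a) for a in reserved}
    outside = sorted(str(a) for a in reserved_set if a not in net)
    if outside:
        raise ValueError("reserved addresses not in %s: %s" % (net, outside))
    return [h for h in net.hosts() if h not in reserved_set]


def _uniqid():
    # Stand-in for PHP uniqid(): pfSense stores a 13-character hex id per VIP.
    return uuid.uuid4().hex[:13]


def build_vips(addrs, parent_iface, subnet_bits, descr_prefix="bulk"):
    """<virtualip> element with one ipalias <vip> per address.

    parent_iface is the pfSense interface name the alias attaches to:
    "wan" for the physical interface, or "_vip<uniqid>" (assumed naming of
    an existing CARP VIP) so the alias fails over together with that VIP.
    subnet_bits should be copied from a VIP already added through the GUI.
    """
    root = ET.Element("virtualip")
    for a in addrs:
        vip = ET.SubElement(root, "vip")
        ET.SubElement(vip, "mode").text = "ipalias"
        ET.SubElement(vip, "interface").text = parent_iface
        ET.SubElement(vip, "uniqid").text = _uniqid()
        ET.SubElement(vip, "descr").text = "%s %s" % (descr_prefix, a)
        ET.SubElement(vip, "type").text = "single"
        ET.SubElement(vip, "subnet_bits").text = str(subnet_bits)
        ET.SubElement(vip, "subnet").text = str(a)
    return root


def duplicate_subnets(virtualip):
    """Addresses that appear in more than one <vip>; must be empty before import."""
    seen, dups = set(), set()
    for vip in virtualip.findall("vip"):
        s = vip.findtext("subnet")
        (dups if s in seen else seen).add(s)
    return dups


def nat_pool_alias(name, first, last, descr="outbound NAT pool"):
    """Network-type <alias> covering first..last as the minimal set of CIDRs.

    pfSense network aliases hold space-separated CIDR entries, so a
    contiguous range is collapsed with summarize_address_range first.
    """
    cidrs = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    alias = ET.Element("alias")
    ET.SubElement(alias, "name").text = name
    ET.SubElement(alias, "type").text = "network"
    ET.SubElement(alias, "address").text = " ".join(str(c) for c in cidrs)
    ET.SubElement(alias, "descr").text = descr
    ET.SubElement(alias, "detail").text = ""
    return alias


def render(elem):
    return ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: a documentation range standing in for the real /24,
    # with .1-.4 reserved for gateway, CARP VIP and the two nodes' own addresses.
    reserved = {"203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"}
    addrs = plan_aliases("203.0.113.0/24", reserved)
    vips = build_vips(addrs, "_vip5a1b2c3d4e5f6", 32)  # illustrative CARP uniqid
    assert not duplicate_subnets(vips)
    print(len(addrs), "IP Alias VIPs generated")
    print(render(vips)[:240], "...")
    print(render(nat_pool_alias("nat_pool", "203.0.113.64", "203.0.113.127")))
```

The output is meant to be pasted into the `<virtualip>` and `<aliases>` sections of a fresh config backup and restored through the GUI, not written to the live config.xml; after the restore, confirm with `ifconfig` on the firewall that the expected number of alias addresses is actually bound to the interface, and check the backup node shows the same set after the config sync.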

