Author Topic: CARP Network Allocation Problem  (Read 175 times)

Offline TheGeek

CARP Network Allocation Problem
« on: October 18, 2017, 07:01:16 am »
My setup is like this:

WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)
LAN: A /23 network 10.10.10.0
DMZ: Bridged with WAN

In order for the 192.10.50.0 to work and route packets, I allocated this network using a ProxyARP on 1 out of 2 pfSenses. (And it works, as it should.)
I have set CARP addresses on both LAN and WAN, and although they sync settings, and CARP is working as it should, I can only access the DMZ and WAN when 1 out of 2 pfSenses is disconnected.
Each one works individually, but not together.

So, I need to resolve 2 problems in order to get a fully redundant firewall.
1) How can I solve the issue with the firewalls not working together?

2) I read this https://forum.pfsense.org/index.php?topic=45209.msg240929#msg240929 but I don't understand how I am supposed to set it up, and which IP I will set as CARP, since I cannot create a CARP network.
 

Offline Derelict

Re: CARP Network Allocation Problem
« Reply #1 on: October 18, 2017, 07:02:36 am »
Bridging is completely incompatible with pfSense CARP/HA. If you choose to go down that path it is incumbent upon you to make sure all of the necessary spanning-tree pieces are in the right place.

Quote
WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)

This is also asking for trouble. Seems it has found you.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline TheGeek

Re: CARP Network Allocation Problem
« Reply #2 on: October 18, 2017, 07:04:35 am »
Unfortunately, it is necessary for me to use a bridge, as the IPs of the devices I have on my DMZ need to match the WAN's IP.
So, bridge and CARP are not gonna work?

Yes, also the situation with 2 networks on one cable cannot change..  :-[

Offline Derelict

Re: CARP Network Allocation Problem
« Reply #3 on: October 18, 2017, 07:07:11 am »
It can work, but it's on you to prevent any loops. I am not going down that rabbit hole. Design your network properly.

Offline TheGeek

Re: CARP Network Allocation Problem
« Reply #4 on: October 18, 2017, 07:08:45 am »
OK, I see.
Trust me, if I could, I would design it properly.
And how could I prevent loops?
Can you give me a link or something to read about it?

Offline Derelict

Re: CARP Network Allocation Problem
« Reply #5 on: October 18, 2017, 07:12:09 am »
I find it humorous that you would be concentrating on HA before fixing such a broken design. If it is worth high-availability it is worth a solid design first.

You prevent layer 2 loops using spanning-tree protocol.

Offline TheGeek

Re: CARP Network Allocation Problem
« Reply #6 on: October 18, 2017, 07:15:40 am »
It is humorous, indeed.
But still, not in my power to change this.
You wouldn't understand.
But thank you very much for your time.
I will try to see if HA can be achieved, otherwise a cloned machine will be standing by, in case of a hardware failure.

Offline Derelict

Re: CARP Network Allocation Problem
« Reply #7 on: October 18, 2017, 07:19:45 am »
I understand perfectly.

It is those who are making you do this who don't understand.

Offline TheGeek

Re: CARP Network Allocation Problem
« Reply #8 on: October 18, 2017, 07:24:57 am »
Quote
It is those who are making you do this who don't understand.

Yep.
I guess I am not the only one.