
Author Topic: Client peer-to-peer tunnels between CARP'd pfsenses  (Read 110 times)


tm7677
Client peer-to-peer tunnels between CARP'd pfsenses
« on: October 20, 2017, 09:52:06 am »
Two pfsenses, CARP'd together just fine.  One - the CARP Master - has a client Peer-to-peer OpenVPN tunnel back to a NOC Server Pfsense. The other - CARP Backup - has an identical tunnel configured, but currently disabled.  Just verified that the settings are identical, and the P2P Client tunnel in question is set up to use the WAN VIP IP/interface.  However, since it is configured on the Master, and the current Backup pfsense's tunnel is disabled, that will kill tunnel connection to the NOC, correct?  (Obvious question, but still, feel I should ask...)

The main point of this post is this: IF I enable the tunnel on the Backup pfsense, which is using the same WAN VIP as the Master's P2P tunnel, will that cause routing issues? Or should the two tunnels use unique WAN interfaces, and not the WAN VIP?


viragomann
Re: Client peer-to-peer tunnels between CARP'd pfsenses
« Reply #1 on: October 20, 2017, 10:17:13 am »
Responses will never reach the backup, since they are directed to the WAN VIP which is used by the master.

Enable XMLRPC sync of "OpenVPN configuration" in System > 'High Availability Sync'. Then the whole OpenVPN configuration is synced to the backup automatically, and in case of a failover the backup will re-establish the tunnel.
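An added check illustrating the point above (example code, not from the thread or from pfSense): it parses FreeBSD `ifconfig` output on one node, maps each CARP VIP to its state, and reports whether a tunnel bound to a given address could receive replies on that node, which is only the case when the address is local or a VIP the node currently holds as MASTER. The `ifconfig` text and addresses are constructed sample data.

```python
import re

# Constructed sample of FreeBSD/pfSense `ifconfig` output for a CARP backup node
# (not captured from a real firewall). 203.0.113.10 is the WAN VIP (vhid 1).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
\tinet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 2
\tcarp: BACKUP vhid 2 advbase 1 advskew 100
"""

# An "inet" line that ends in "vhid N" is a CARP VIP; the "carp:" line gives its state.
VIP_RE = re.compile(r"^\s*inet (\S+) .*\bvhid (\d+)$", re.M)
CARP_RE = re.compile(r"^\s*carp: (MASTER|BACKUP|INIT) vhid (\d+)", re.M)


def carp_vips(ifconfig_text):
    """Return {vip_address: CARP state} for every VIP in the ifconfig output."""
    state_by_vhid = {int(vhid): state for state, vhid in CARP_RE.findall(ifconfig_text)}
    return {ip: state_by_vhid.get(int(vhid), "UNKNOWN")
            for ip, vhid in VIP_RE.findall(ifconfig_text)}


def tunnel_can_receive(ifconfig_text, bind_addr):
    """(ok, reason): can a tunnel bound to bind_addr receive replies on this node?"""
    vips = carp_vips(ifconfig_text)
    if bind_addr not in vips:
        # A plain interface address is always owned by this node.
        return True, f"{bind_addr} is a local (non-CARP) address"
    state = vips[bind_addr]
    # Replies to a VIP only arrive at the node that currently holds it as MASTER.
    return state == "MASTER", f"{bind_addr} is a CARP VIP in state {state} on this node"


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.11"):
        print(addr, tunnel_can_receive(SAMPLE_IFCONFIG, addr))
```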

tm7677
Re: Client peer-to-peer tunnels between CARP'd pfsenses
« Reply #2 on: October 20, 2017, 11:43:31 am »
Thanks for that! I double checked, and OpenVPN is not selected to sync.