Topic: CARP with 1 WAN IP

Offline sagaroth

CARP with 1 WAN IP
« on: January 26, 2018, 07:37:59 am »
Hello everyone!

I'm running into a blockage in my failover pfSense configuration.
My sync works perfectly on the 172.16.1.0 network.
So I wanted to set up a CARP configuration in order to provide HA to my whole internal network, but also to be able to reach my pfSense from outside if one of the two nodes goes down.

The problem is that I only have one public IP, delivered by my service provider (OVH).
I don't know how to configure CARP with only one public IP.


Thank you in advance for your help :)
« Last Edit: January 26, 2018, 07:56:55 am by sagaroth »

Offline dotdash

Re: CARP with 1 WAN IP
« Reply #1 on: January 26, 2018, 09:40:02 am »
I'm pretty sure I've posted this before, but here are some notes:
I say WAN here; if it's not your WAN, then use the correct OPTx interface instead.
Put private IPs on the WAN interfaces of the primary and secondary firewalls.
I used the public IPs with a 10. for the first octet and the correct subnet mask.
If it's a /30 you may have to use .1 and .2 or something. It probably doesn't matter.
Leave the gateway blank for now. Uncheck the block private option.

Make sure you are cabled in correctly; you may want to put the secondary in CARP maintenance mode.

Add a CARP VIP on the interface with the public IP.

Add the gateway.

Add an outbound NAT rule, something like this:
WAN 'this firewall' * * * (CARP IP) * NO

Restart dpinger after adding the rule.

Update the interface with the gateway.

Gateway status should show up on the primary, but will be down on the secondary.

Add port forwards and outbound NAT as usual, using the public CARP VIP.

Offline sagaroth

Re: CARP with 1 WAN IP
« Reply #2 on: February 01, 2018, 04:32:22 am »
Hi, sorry for the slow response, and thank you for your information :)
I applied what you advised, but unfortunately I still don't have Internet with my CARP configuration.

Let me explain:

I made a VLAN dedicated to my SYNC with IP master 172.16.1.2 and slave 172.16.1.3. The sync works perfectly.
Afterwards, I configured my WAN interfaces with IPs 172.17.1.2 (master) and 172.17.1.3 (slave) respectively.

I then added the public IP of my default gateway to each of my nodes.

After that, I added my CARP VIP (which was correctly replicated on my second node).
At this point, my first node has a master CARP status and my second node has a slave CARP status.

Finally, I created my outbound NAT rule like this:

WAN interface, Source Any, Source Port *, Destination *, Destination Port *, NAT Address: my public IP, NAT Port *

I then created a test firewall rule forcing the use of my public gateway for all traffic coming from my WAN interface.

Despite this configuration, I still don't have an Internet connection; could I have missed something in the configuration?

Offline dotdash

Re: CARP with 1 WAN IP
« Reply #3 on: February 01, 2018, 09:20:44 am »
Sounds about right, but I would use more specific NAT rules. Mine are something like-
WAN 'This Firewall' * * * (Public carp VIP) * (no static)
WAN (lan subnet) * * * (Public carp VIP) * (no static)

Offline sagaroth

Re: CARP with 1 WAN IP
« Reply #4 on: February 01, 2018, 10:15:48 am »
I applied this same configuration to my NAT.
My gateway remains offline on my master. I restarted the dpinger service as you advised, but the logs return "no route to host". This gateway is, however, correctly configured and is applied as the default gateway.
(I've enabled promiscuous mode in my vSwitch.)
« Last Edit: February 01, 2018, 10:41:43 am by sagaroth »

Offline dotdash

Re: CARP with 1 WAN IP
« Reply #5 on: February 01, 2018, 12:17:23 pm »

"My gateway remains offline on my master. I restarted the dpinger service as you advised, but the logs return 'no route to host'."
Try, from Diagnostics / Ping, selecting the public CARP VIP as the source address, and pinging the gateway.
Just to verify, is the subnet mask on the CARP VIP correct, and is the gateway reachable from that subnet?

Offline sagaroth

Re: CARP with 1 WAN IP
« Reply #6 on: February 02, 2018, 03:15:56 am »
The ping doesn't work even if I put the CARP VIP as the source.
After checking, the subnet mask of my CARP VIP is correct.
My gateway uses this same mask and is in the same network as my CARP VIP.

Offline sagaroth

Re: CARP with 1 WAN IP
« Reply #7 on: February 02, 2018, 08:45:45 am »
I added my LAN CARP VIP today, which I configured like this:

IP LAN pfSense1: 10.10.10.10.252/24
IP LAN pfSense2: 10.10.10.10.253/24
VIP LAN: 10.10.10.10.254/24

What surprises me is that this CARP VIP is not reachable from my LAN network (a virtual machine at 10.10.10.61).

Offline dotdash

Re: CARP with 1 WAN IP
« Reply #8 on: February 02, 2018, 09:45:20 am »
"(I've enabled promiscuous mode in my vSwitch.)"
Any way you can test with a physical setup to rule out the hypervisor config? Honestly, it sounds like something is up with the vSwitch if you can't ping each box from the VM network...

Offline sagaroth

Re: CARP with 1 WAN IP
« Reply #9 on: February 02, 2018, 10:11:53 am »
I also think there is a problem with the hypervisor, because my WAN connection works perfectly without CARP.
Unfortunately I can't physically test this configuration, because the hypervisor is hosted at OVH.