pfSense English Support > CARP/VIPs

CARP with 1 WAN IP


sagaroth:
Hello everyone!

I have run into a blockage in my pfSense failover configuration.
My Sync works perfectly on the 172.16.1.0 network.
So I wanted to set up a CARP configuration to provide HA for my whole internal network, and also to be able to reach my pfSense from the outside if one of the two nodes goes down.

The problem is that I only have one public IP delivered by my service provider (OVH).
I don't know how to configure CARP with only one public IP.


Thank you in advance for your help:)

dotdash:
I'm pretty sure I've posted this before, but here are some notes:
I say WAN here; if it's not your WAN, then use the correct OPTx interface instead.
Put private IPs on the WAN interfaces of the primary and secondary firewalls.
I used the public IPs with 10. for the first octet and the correct subnet mask.
If it's a /30 you may have to use .1 and .2 or something. It probably doesn't matter.
Leave the gateway blank for now. Uncheck the block private option.

Make sure you are cabled in correctly; you may want to put the secondary in CARP maintenance mode.

Add a CARP VIP on the interface with the public IP.

Add the gateway

Add an outbound NAT rule, something like this:
WAN 'this firewall' * * * (CARP IP) * NO

Restart dpinger after adding the rule.

Update interface with gateway.

Gateway status should show up on primary, but will be down on secondary.

Add port forwards and outbound NAT as usual, using the public CARP VIP.

sagaroth:
Hi, sorry for the late response, and thank you for your information :)
I applied what you advised me, but unfortunately, I still don't have Internet with my CARP configuration.

Let me explain myself:

I made a VLAN dedicated to my SYNC, with master IP 172.16.1.2 and slave IP 172.16.1.3. The Sync works perfectly.
Afterwards, I configured my WAN interfaces with master IP 172.17.1.2 and slave IP 172.17.1.3 respectively.

I then added the public IP of my default gateway to each of my nodes.

After that, I added my CARP VIP (which was correctly replicated to my second node).
At this point, my first node has a master CARP status and my second node has a slave CARP status.

Finally, I created my outbound NAT rule like this:

WAN Interface, Source Any, Source Port *, Destination *, Destination Port *, NAT Address: My public IP, NAT Port *


I then created a test firewall rule forcing all traffic coming from my WAN interface to use my public gateway.

Despite this configuration, I still don't have an Internet connection. Have I missed a configuration step?

dotdash:
Sounds about right, but I would use more specific NAT rules. Mine are something like:
WAN 'This Firewall' * * * (Public carp VIP) * (no static)
WAN (lan subnet) * * * (Public carp VIP) * (no static)

sagaroth:
I applied this same configuration to my NAT.
My gateway remains offline on my master. I restarted the dpinger service as you advised, but the logs return "no route to host". This gateway is, however, correctly configured and is applied as the default gateway.
(I've enabled promiscuous mode in my vswitch.)
