Hi guys, it is too long to write out how you can set up CARP. Well, I wrote an article about CARP, but not in English: it is in my native language, which is Turkish. If you want to see it, you can go to my website, here: https://lifeoverlinux.com/pfsense-2-2-carp-common-address-redundancy-konfigurasyonu/
--
*İbrahim UÇAR*
Blogger | https://lifeoverlinux.com

On Wed, Sep 27, 2017 at 10:43 PM, dayer <day...@gmail.com> wrote:

> 2017-09-27 20:29 GMT+02:00 Steve Yates <st...@teamits.com>:
>
> > I'm not sure if I am following you correctly, but the WAN CARP IP has to be the same on both routers. So router1 has a WAN of a.a.a.a and CARP of a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b. Same thing with the LAN IPs.
> >
> > --
> > Steve Yates
> > ITS, Inc.
> >
> > -----Original Message-----
> >
> > > > If I had to guess: Are you using a CARP address for outbound NAT? If not then the connections *will* break on failover.
> >
> > Thanks for your reply, Jon :)
> >
> > Yes, I'm using CARP addresses from each WAN for outbound NAT:
> > - WLAN1 CARP, for WLAN1
> > - WLAN2 CARP, for WLAN2
> >
> > In addition, when the *new* master unit routes the established traffic, it continues doing the previous NAT according to the state synchronised from the previous master. So it continues doing outbound NAT with the WLAN2 CARP address, but trying to route through WLAN1. This proves that the new master unit has the synchronised states, but it tries to route the established connections according to the routing table and not to the firewall rules.
>
> Hi Steve! Exactly. It doesn't matter, I know this behaviour is somewhat difficult to explain.
>
> In my example, according to the diagram from [1]:
>
> PC:
> - LAN: 192.168.2.1
> - GW: 192.168.2.10
>
> Pfsense1:
> - LAN: 192.168.2.11
> - LAN CARP: 192.168.2.10
> - WAN1: 192.168.56.11
> - WAN1 CARP: 192.168.56.10
> - GW1: 192.168.56.1 (default)
> - WAN2: 192.168.57.11
> - WAN2 CARP: 192.168.57.10
> - GW2: 192.168.57.1
>
> Pfsense2:
> - LAN: 192.168.2.12
> - LAN CARP: 192.168.2.10
> - WAN1: 192.168.56.12
> - WAN1 CARP: 192.168.56.10
> - GW1: 192.168.56.1 (default)
> - WAN2: 192.168.57.12
> - WAN2 CARP: 192.168.57.10
> - GW2: 192.168.57.1
>
> Outbound NAT settings, something like:
> - LAN → WAN1 → WAN1 CARP
> - LAN → WAN2 → WAN2 CARP
>
> Initially (Pfsense1 master; Pfsense2 backup; traffic from LAN is routed through GW2 according to a firewall rule):
> SSH from PC → LAN → WAN2 (NAT with WAN2 CARP) → GW2
>
> If I disable CARP in Pfsense1, Pfsense2 is the new master and:
> - The *established* connections take this path (wrong):
>   PC → LAN → WAN1 (WAN2 CARP) → GW1
> - The *new* connections take this path (right):
>   PC → LAN → WAN2 (WAN2 CARP) → GW2
>
> Regards,
>
> [1]: https://forum.pfsense.org/index.php?topic=136739.msg749477#msg749477
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
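The symptom dayer describes (a synced state still translated to the WAN2 CARP address but leaving via WAN1) can be spotted on the new master by comparing each outbound state's translated source with the CARP VIP of the interface it sits on. The script below is an added example, not code from the thread or from pfSense. It parses lines in the shape FreeBSD/pfSense `pfctl -ss` prints (`<if> <proto> <translated-src> (<orig-src>) -> <dst> <state>` for outbound states, `<dst> <- <src>` for inbound ones), handles IPv4 only, and assumes kernel interface names `em1` = WAN1 and `em2` = WAN2 for the thread's addresses. The sample state lines are constructed to mirror the diagram, not captured from a real box; exactly how the mis-routed state appears in `pfctl -ss` after failover is an assumption.

```python
"""Flag pf states whose outbound NAT source is not the CARP VIP of the
interface they are on (added example; not pfSense's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Interface -> CARP VIP that outbound NAT should use, from the thread's diagram.
# Assumed kernel interface names: em1 = WAN1, em2 = WAN2 (not stated in the thread).
NAT_VIP_BY_IF = {
    "em1": ipaddress.ip_address("192.168.56.10"),   # WAN1 CARP
    "em2": ipaddress.ip_address("192.168.57.10"),   # WAN2 CARP
}

# Constructed `pfctl -ss` lines, not real output. Line 2 is the synced,
# established SSH state leaving WAN1 while still translated to the WAN2 CARP
# address; line 3 is a new connection correctly on WAN2; line 4 is a healthy
# WAN1 state; line 1 is the LAN-side (inbound) half, which we do not check.
SAMPLE_STATES = """\
em0 tcp 203.0.113.5:22 <- 192.168.2.1:50001       ESTABLISHED:ESTABLISHED
em1 tcp 192.168.57.10:50001 (192.168.2.1:50001) -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
em2 tcp 192.168.57.10:50002 (192.168.2.1:50002) -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
em1 udp 192.168.56.10:41000 (192.168.2.1:41000) -> 198.51.100.9:53       MULTIPLE:SINGLE
"""


@dataclass(frozen=True)
class OutState:
    iface: str
    proto: str
    nat_src: ipaddress.IPv4Address
    orig_src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    state: str


def _addr(token: str) -> ipaddress.IPv4Address:
    """'192.168.57.10:50001' -> 192.168.57.10; a bare address (e.g. ICMP) is left as is."""
    host, sep, _port = token.rpartition(":")
    return ipaddress.ip_address(host if sep else token)


def parse_out_state(line: str) -> Optional[OutState]:
    """Parse one `pfctl -ss` line. Returns None for blank lines and for inbound
    ('<-') states, whose parenthesised address is a destination NAT, not the
    source NAT this check is about."""
    tok = line.split()
    if len(tok) < 6 or "->" not in tok:
        return None
    arrow = tok.index("->")
    iface, proto = tok[0], tok[1]
    left = tok[2:arrow]                      # translated src [ (original src) ]
    nat_src = _addr(left[0])
    orig_src = _addr(left[1].strip("()")) if len(left) > 1 else nat_src
    dst = _addr(tok[arrow + 1])
    state = tok[arrow + 2] if len(tok) > arrow + 2 else ""
    return OutState(iface, proto, nat_src, orig_src, dst, state)


def find_nat_egress_mismatches(lines: Iterable[str], vip_by_if) -> List[Tuple[str, str, str]]:
    """Return (iface, translated_src, expected_vip) for every outbound state on a
    WAN interface whose translated source is not that interface's CARP VIP.
    Such a state sends packets out one WAN sourced from the other WAN's address,
    so the upstream replies (if the packets are not dropped as spoofed) come
    back on the wrong link."""
    bad = []
    for line in lines:
        st = parse_out_state(line)
        if st is None or st.iface not in vip_by_if:
            continue                          # LAN-side or unknown interface
        expected = vip_by_if[st.iface]
        if st.nat_src != expected:
            bad.append((st.iface, str(st.nat_src), str(expected)))
    return bad


if __name__ == "__main__":
    # On a real box: `pfctl -ss | python3 this_script.py`, reading sys.stdin
    # instead of SAMPLE_STATES (left as a constructed sample here).
    for iface, got, want in find_nat_egress_mismatches(SAMPLE_STATES.splitlines(), NAT_VIP_BY_IF):
        print(f"{iface}: state translated to {got}, but this interface's CARP VIP is {want}")
```

Run against the constructed sample it reports only the `em1` state carrying the WAN2 CARP address; a clean failover (or a box where policy routing is honoured for synced states) reports nothing. The check is deliberately one-sided: it says nothing about *why* pf chose that egress, only that the NAT address and the egress interface disagree.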