RE: [pfSense Support] CARP and NAT problems
If the port forwards are on the WAN addresses themselves, to my knowledge they will not fail over. My understanding is that all addresses (and port forwards) that you intend to survive a failover must be on CARP addresses.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Justin The Cynical [mailto:cyni...@penguinness.org]
Sent: Sunday, May 30, 2010 10:56 PM
To: support@pfsense.com
Subject: [pfSense Support] CARP and NAT problems

Greetings.

I finally set up a failover box for CARP. And so far, everything seems to be working fine, with one minor detail.

WAN IP range: .65 - .96
.66 - .68 are set up as CARP
.65 and .69 are the WAN interfaces
Port forwards on .65 and .69

The problem:

When this was a single machine, I had port forwards set up on all the IPs, and everything was peachy. However, now with multiple machines, the port forwards on the WAN interfaces will work, depending on the machine that is active.

Take a port forward from .65 to internal address (master)
Take a port forward from .69 to internal address (backup)

The port forward to .65 works, but the .69 does not. If the machines fail over (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.

And since I don't have the WAN addresses as a VIP, this also breaks AON for the mentioned IPs.

Last time I looked, I was told that the WAN addresses were usable for IB/OB NAT, but it appears this is not the case, or I'm missing something.

Any suggestions on where to look or any words of wisdom?

Thank you,
Justin

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] CARP and NAT problems
On Mon, May 31, 2010 at 1:56 AM, Justin The Cynical <cyni...@penguinness.org> wrote:
> Greetings.
>
> I finally set up a failover box for CARP. And so far, everything seems to be working fine, with one minor detail.
>
> WAN IP range: .65 - .96
> .66 - .68 are set up as CARP
> .65 and .69 are the WAN interfaces
> Port forwards on .65 and .69
>
> The problem:
>
> When this was a single machine, I had port forwards set up on all the IPs, and everything was peachy. However, now with multiple machines, the port forwards on the WAN interfaces will work, depending on the machine that is active.
>
> Take a port forward from .65 to internal address (master)
> Take a port forward from .69 to internal address (backup)
>
> The port forward to .65 works, but the .69 does not. If the machines fail over (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.

That's just how it works. WAN addresses are usable, but only when that particular box is the master.
Re: [pfSense Support] CARP and NAT problems
On 5/31/10 1:43 PM, Dimitri Rodis wrote:
> If the port forwards are on the WAN addresses themselves, to my knowledge they will not fail over. My understanding is that all addresses (and port forwards) that you intend to survive a failover must be on CARP addresses.
>
> Dimitri Rodis
> Integrita Systems LLC

Yes, I expected the WAN address forwards to not fail over, and had planned on that. What I did not expect was to have the forwards on the non-active machine not work. Once it became the active machine, they worked, then stopped once the master came back up and took back over.

If it matters, one machine was running pfs 1.2.2 and the other 1.2.3; nothing in what I have found indicates that it does.
Re: [pfSense Support] CARP and NAT problems
On 5/31/10 1:58 PM, Chris Buechler wrote:
> *snip*
>> The port forward to .65 works, but the .69 does not. If the machines fail over (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.
>
> That's just how it works. WAN addresses are usable, but only when that particular box is the master.

Ah, OK, I was given to understand that they were usable all the time as were the CARP addresses, they were just not redundant.

Thank you, that's what I was needing to know.
Re: [pfSense Support] CARP and NAT problems
On Mon, May 31, 2010 at 5:49 PM, Justin The Cynical <cyni...@penguinness.org> wrote:
> On 5/31/10 1:58 PM, Chris Buechler wrote:
>> *snip*
>>> The port forward to .65 works, but the .69 does not. If the machines fail over (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.
>>
>> That's just how it works. WAN addresses are usable, but only when that particular box is the master.
>
> Ah, OK, I was given to understand that they were usable all the time as were the CARP addresses, they were just not redundant.
>
> Thank you, that's what I was needing to know.

With one caveat - if you forward something off the WAN IP of the secondary to an internal host, and set that internal host's default gateway to the LAN IP (not CARP) of the secondary, it will work. The problem with that not working in a normal scenario is because the reply traffic goes to the wrong firewall. You really don't want to do that though, gets to be a real mess.
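A small Python model of the behaviour this thread works out, added here as an illustration and not code from the thread or from pfSense: two firewalls sharing a set of CARP VIPs, each with its own WAN and LAN address, and an internal host whose reply leaves through its default gateway. All addresses, host names and the firewall's state-table logic are constructed for the model; the point it reproduces is that a forward on a non-CARP WAN IP only completes when the reply comes back to the same box that created the NAT state.

```python
from dataclasses import dataclass, field

# Constructed addresses for the model (not the poster's real ranges).
WAN, LAN = "203.0.113.", "192.168.1."
WAN_VIPS = {WAN + "66", WAN + "67", WAN + "68"}   # shared CARP VIPs on WAN
LAN_VIP = LAN + "1"                               # LAN CARP VIP, the hosts' usual gateway

@dataclass
class Firewall:
    name: str
    wan_ip: str                 # this box's own (non-CARP) WAN address
    lan_ip: str                 # this box's own (non-CARP) LAN address
    master: bool = False        # the CARP master currently owns the VIPs
    forwards: dict = field(default_factory=dict)   # public IP -> internal host (synced config)
    states: set = field(default_factory=set)       # pf-style state table: (host, public IP)

    def owns(self, ip):
        if ip in (self.wan_ip, self.lan_ip):
            return True
        return self.master and (ip in WAN_VIPS or ip == LAN_VIP)

def deliver(fws, dst_ip):
    """Which firewall receives a packet addressed to dst_ip (None if nobody owns it)."""
    return next((fw for fw in fws if fw.owns(dst_ip)), None)

def try_forward(fws, public_ip, gateway=LAN_VIP):
    """Inbound SYN to public_ip, then the internal host's reply via its default gateway.
    True only if the reply lands on the firewall that holds the NAT state."""
    fw_in = deliver(fws, public_ip)
    if fw_in is None or public_ip not in fw_in.forwards:
        return False
    host = fw_in.forwards[public_ip]
    fw_in.states.add((host, public_ip))       # state is created on the box that did the NAT
    fw_out = deliver(fws, gateway)            # the reply goes wherever the host's gateway lives
    ok = fw_out is not None and (host, public_ip) in fw_out.states
    fw_in.states.discard((host, public_ip))
    return ok

def results(primary_master=True, gateway=LAN_VIP):
    """Both boxes up; primary_master says which one currently holds the CARP VIPs."""
    primary = Firewall("primary", WAN + "65", LAN + "2", master=primary_master)
    secondary = Firewall("secondary", WAN + "69", LAN + "3", master=not primary_master)
    fwds = {WAN + "65": "host-a", WAN + "69": "host-b", WAN + "66": "host-c"}
    for fw in (primary, secondary):
        fw.forwards = dict(fwds)
    return {ip: try_forward((primary, secondary), ip, gateway) for ip in fwds}
```

Running `results()` with the primary as master gives the symptom from the first post (.65 and the .66 VIP work, .69 does not), flipping the master reverses .65 and .69, and pointing the hosts' gateway at the secondary's LAN IP makes the .69 forward work while breaking everything that enters through the master, which is the mess the last reply warns about.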