On 11/7/2012 1:23 PM, Jim Pingle wrote:
> On 11/7/2012 12:33 PM, [email protected] wrote:
>> The problem is that on the edge boxes I can
>> only get to the primary, the slave is inaccessible.
> In this case, it's likely that your slave box has a route or IPsec phase
> 2 defined that covers your client subnet, so the slave thinks it knows
> the way back to the client directly and the traffic dies because it
> really doesn't.
> Easiest way around it is manual outbound NAT on the LAN interface to
> make traffic going to the secondary appear to originate from the
> primary's LAN IP (on LAN, source = VPN subnet, destination = secondary's
> IP, translated to Interface address -- NOT the CARP VIP)
> If it's OpenVPN, on 2.0.2 and 2.1, binding the VPN to the CARP VIP will
> make the server process stop on the backup unit, so the route wouldn't
> be maintained in this case, so it should work fine there, so long as the
> VPN is bound to a CARP VIP. When the VIP transitions to master it starts
> the VPN processes.
> Jim
Jim,
Thanks for the response. I am using OpenVPN with pfSense
2.0.1-RELEASE (amd64). I have both boxes using public IPs on the WAN.
I VPN into the private address space of the LAN (call it 192.168.0.0/24)
via a public CARP IP, which gets my laptop an address of say 192.168.10.5
and an address of 192.168.0.1 at the OpenVPN end of the tunnel. OpenVPN
is then routing to the 192.168.0.0/24 network at both ends (added all this
just for clarity of my statements). When I open a browser to
192.168.0.1 (LAN IP of the master FW) all is good. When I try to browse
to 192.168.0.2 (LAN IP of the slave FW) I get nothing. I guess I am
being a bit thick here but I do not understand your last paragraph.
When you say "binding the VPN to the CARP VIP will make the server
process stop on the backup unit" are you referring to the OpenVPN server
process? If so, that should not affect my ability to connect to the
192.168.0.2 IP, correct? Unfortunately though I cannot connect to that
IP. I am probably missing something simple but I am at a loss as to
what. The two DB firewalls have their WAN interface in the
192.168.0.0/24 net (i.e. 192.168.0.253 and 192.168.0.254) with a CARP IP
(192.168.0.252) that is used to connect from the LAN servers to the DB
servers. I can get to the web configuration page on both 192.168.0.254
and 192.168.0.253 all the time. I am only having trouble connecting to
the 192.168.0.2 address for the web configuration page of the
backup/slave edge FW unit.
Thanks again for that last response,
JohnM
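The manual outbound NAT rule Jim describes, written out in pf syntax as an added example (this is not from the thread and not a rule either poster provided). It assumes the primary's LAN interface is em1, the OpenVPN tunnel subnet is 192.168.10.0/24, the primary's LAN interface address is 192.168.0.1 and the secondary's LAN address is 192.168.0.2; the interface name and tunnel subnet are assumptions, the two LAN addresses are the ones JohnM gives.

```pf
# Added example, not from the thread. Manual outbound NAT on the primary's
# LAN interface, pf syntax as used by pfSense 2.0.x.
# Assumed: LAN interface em1, OpenVPN tunnel subnet 192.168.10.0/24.
#
# Only VPN clients talking to the secondary unit are matched, and their
# source is rewritten to the primary's real interface address, not the
# CARP VIP. The secondary then replies to an address on its own LAN
# segment instead of sending the reply down the route (or IPsec phase 2)
# it holds for the client subnet, which is where the traffic was dying.
nat on em1 from 192.168.10.0/24 to 192.168.0.2 -> 192.168.0.1
```

In the pfSense GUI this is the same rule entered under Firewall > NAT > Outbound in manual mode: Interface LAN, Source the VPN tunnel subnet, Destination the secondary's LAN IP, Translation "Interface address". Once saved, `pfctl -sn` on the primary should list the rule, and with a browser open to the secondary, `pfctl -ss | grep 192.168.0.2` should show the state with the translated source; the secondary's web configurator then sees connections from 192.168.0.1 rather than from the VPN client.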
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list