2017-09-27 20:29 GMT+02:00 Steve Yates <[email protected]>:
>         I'm not sure if I am following you correctly, but the WAN CARP IP has 
> to be the same on both routers.  So router1 has a WAN of a.a.a.a and CARP of 
> a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b.  Same thing 
> with the LAN IPs.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
>> If I had to guess: Are you using a CARP address for outbound NAT?  If
>> not then the connections *will* break on failover.
>
>
> Thanks for your reply, Jon :)
>
> Yes, I'm using CARP addresses from each WAN for outbound NAT:
> - WLAN1 CARP, for WLAN1
> - WLAN2 CARP, for WLAN2
>
> In addition, when the *new* master unit routes the established
> traffic, it continues doing the previous NAT according to the state
> synchronised from the previous master. So it continues doing outbound
> NAT with the WLAN2 CARP address, but trying to route through WLAN1.
> This proves that the new master unit has the synchronised states, but
> it tries to route the established connections according to the routing
> table and not to the firewall rules.

Hi Steve! Exactly. It doesn't matter, I know this behavior is somewhat
difficult to explain.

In my example, according to the diagram from [1]:

PC:
- LAN: 192.168.2.1
- GW: 192.168.2.10

Pfsense1:
- LAN: 192.168.2.11
- LAN CARP: 192.168.2.10
- WAN1: 192.168.56.11
- WAN1 CARP: 192.168.56.10
- GW1: 192.168.56.1 (default)
- WAN2: 192.168.57.11
- WAN2 CARP: 192.168.57.10
- GW2: 192.168.57.1

Pfsense2:
- LAN: 192.168.2.12
- LAN CARP: 192.168.2.10
- WAN1: 192.168.56.12
- WAN1 CARP: 192.168.56.10
- GW1: 192.168.56.1 (default)
- WAN2: 192.168.57.12
- WAN2 CARP: 192.168.57.10
- GW2: 192.168.57.1

Outbound NAT settings, something like:
- LAN→WAN1→WAN1 CARP
- LAN→WAN2→WAN2 CARP

Initially (Pfsense1 master; Pfsense2 backup; traffic from LAN is
routed through GW2 according to a firewall rule):
SSH from PC → LAN → WAN2 (NAT with WAN2 CARP) → GW2

If I disable CARP in Pfsense1, Pfsense2 is the new master and:
- The *established* connections do this path (wrong):
PC → LAN → WAN1 (WAN2 CARP) → GW1
- The *new* connections do this path (right):
PC → LAN → WAN2 (WAN2 CARP) → GW2


Regards,


[1]: https://forum.pfsense.org/index.php?topic=136739.msg749477#msg749477
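The mismatch described in the message (a synced state still NATed to the WAN2 CARP address but forwarded by the new master's routing table via GW1) can be audited offline from a dump of the state table. The following is an added example, not code from the thread or from pfSense. It uses the addressing from the diagram above, a constructed routing table for the new master (default via GW1, plus one more-specific route via GW2 to show longest-prefix matching), and state lines in an assumed `pfctl -ss`-like shape `<proto> <nat-src>:<port> (<orig-src>:<port>) -> <dst>:<port> <state>`. Policy routing from firewall rules is deliberately not modelled, because the point of the thread is that synced states do not get it. The names `WANS`, `ROUTES`, `SAMPLE_STATES`, `lookup_gateway`, `wan_for_gateway`, `wan_for_nat_source` and `audit_states` are all mine.

```python
import ipaddress
import re

# Addressing taken from the diagram in the thread:
# 192.168.56.0/24 = WAN1 (CARP .10, GW1 .1), 192.168.57.0/24 = WAN2 (CARP .10, GW2 .1).
WANS = {
    "WAN1": {"subnet": ipaddress.ip_network("192.168.56.0/24"),
             "carp": ipaddress.ip_address("192.168.56.10"),
             "gw": ipaddress.ip_address("192.168.56.1")},
    "WAN2": {"subnet": ipaddress.ip_network("192.168.57.0/24"),
             "carp": ipaddress.ip_address("192.168.57.10"),
             "gw": ipaddress.ip_address("192.168.57.1")},
}

# Constructed kernel routing table of the new master: default via GW1, plus one
# more-specific route via GW2. Firewall-rule policy routing is NOT modelled here,
# because per the thread the synced (established) states do not benefit from it.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.56.1")),
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_address("192.168.57.1")),
]

# Constructed state-table lines in an assumed pfctl -ss-like shape:
#   <proto> <nat-src>:<port> (<orig-src>:<port>) -> <dst>:<port> <state>
# The first line is the SSH session from the thread: NATed to the WAN2 CARP VIP.
SAMPLE_STATES = [
    "tcp 192.168.57.10:50123 (192.168.2.1:50123) -> 203.0.113.5:22 ESTABLISHED:ESTABLISHED",
    "tcp 192.168.56.10:50124 (192.168.2.1:50124) -> 203.0.113.7:443 ESTABLISHED:ESTABLISHED",
    "udp 192.168.57.10:50125 (192.168.2.1:50125) -> 198.51.100.9:53 MULTIPLE:MULTIPLE",
]

STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<nat>[\d.]+):\d+\s+\((?P<orig>[\d.]+):\d+\)"
    r"\s+->\s+(?P<dst>[\d.]+):\d+\s+(?P<state>\S+)$"
)


def lookup_gateway(dst, routes):
    """Longest-prefix match over the routing table; returns the next-hop address or None."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def wan_for_gateway(gw):
    """Map a next-hop address to the WAN it sits on."""
    for name, wan in WANS.items():
        if gw == wan["gw"]:
            return name
    return None


def wan_for_nat_source(addr):
    """Map a translated (NAT) source address to the WAN whose CARP VIP / subnet it belongs to."""
    for name, wan in WANS.items():
        if addr == wan["carp"] or addr in wan["subnet"]:
            return name
    return None


def audit_states(lines, routes):
    """Flag states whose NAT source VIP belongs to a different WAN than the one the
    routing table would forward the packet out of (the post-failover symptom)."""
    findings = []
    for line in lines:
        m = STATE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected shape
        nat_wan = wan_for_nat_source(ipaddress.ip_address(m["nat"]))
        route_wan = wan_for_gateway(lookup_gateway(ipaddress.ip_address(m["dst"]), routes))
        findings.append({"line": line, "nat_wan": nat_wan,
                         "route_wan": route_wan, "ok": nat_wan == route_wan})
    return findings


if __name__ == "__main__":
    for f in audit_states(SAMPLE_STATES, ROUTES):
        flag = "OK " if f["ok"] else "BAD"
        print(flag, f["nat_wan"], "->", f["route_wan"], "|", f["line"])
```

Run against a real state dump, the BAD lines are exactly the synced connections that will go out the wrong WAN with the wrong source address after a failover; a clean audit on the backup node is the check to look for before relying on CARP failover for policy-routed traffic.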
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold