> On Sep 27, 2017, at 12:43 PM, dayer <[email protected]> wrote:
>
> 2017-09-27 20:29 GMT+02:00 Steve Yates <[email protected]>:
>> I'm not sure if I am following you correctly, but the WAN CARP IP has
>> to be the same on both routers. So router1 has a WAN of a.a.a.a and CARP of
>> a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b. Same thing
>> with the LAN IPs.
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>> -----Original Message-----
>>> If I had to guess: Are you using a CARP address for outbound NAT? If
>>> not then the connections *will* break on failover.
>>
>>
>> Thanks for your reply, Jon :)
>>
>> Yes, I'm using CARP addresses from each WAN for outbound NAT:
>> - WLAN1 CARP, for WLAN1
>> - WLAN2 CARP, for WLAN2
>>
>> In addition, when the *new* master unit routes the established
>> traffic, it continues doing the previous NAT according to the state
>> synchronised from the previous master. So it continues doing outbound
>> NAT with the WLAN2 CARP address, but trying to route through WLAN1.
>> This proves that the new master unit has the synchronised states, but
>> it tries to route the established connections according to the routing
>> table and not to the firewall rules.
>
> Hi Steve! Exactly. It doesn't matter, I know this behavior is somewhat
> difficult to explain.
>
> In my example, according to the diagram from [1]:
>
> PC:
> - LAN: 192.168.2.1
> - GW: 192.168.2.10
>
> Pfsense1:
> - LAN: 192.168.2.11
> - LAN CARP: 192.168.2.10
> - WAN1: 192.168.56.11
> - WAN1 CARP: 192.168.56.10
> - GW1: 192.168.56.1 (default)
> - WAN2: 192.168.57.11
> - WAN2 CARP: 192.168.57.10
> - GW2: 192.168.57.1
>
> Pfsense2:
> - LAN: 192.168.2.12
> - LAN CARP: 192.168.2.10
> - WAN1: 192.168.56.12
> - WAN1 CARP: 192.168.56.10
> - GW1: 192.168.56.1 (default)
> - WAN2: 192.168.57.12
> - WAN2 CARP: 192.168.57.10
> - GW2: 192.168.57.1
>
> Outbound NAT settings, something like:
> - LAN→WAN1→WAN1 CARP
> - LAN→WAN2→WAN2 CARP
>
> Initially (Pfsense1 master; Pfsense2 backup; traffic from LAN is
> routed through GW2 according to a firewall rule):
> SSH from PC → LAN → WAN2 (NAT with WAN2 CARP) → GW2
>
> If I disable CARP in Pfsense1, Pfsense2 is the new master and:
> - The *established* connections take this path (wrong):
> PC → LAN → WAN1 (WAN2 CARP) → GW1
> - The *new* connections take this path (right):
> PC → LAN → WAN2 (WAN2 CARP) → GW2
What are the physical interface names (igb0, em0_vlan120, lagg2_vlan200, etc.) for all of those interfaces? They must match exactly across nodes for pfsync to work correctly.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
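The two things the thread asks to verify before chasing the failover behaviour further are that the CARP VIPs are identical on both routers (Steve's point) and that each logical interface sits on the same physical device name on both nodes (the pfsync requirement in the reply). The following script is an added example, not code from the thread or from the pfSense project: it parses the `<interfaces>` and `<virtualip>` sections of two pfSense-style `config.xml` exports and reports any drift. The element layout follows pfSense's `config.xml`, but the two configs here are constructed for the example (addresses mirror the diagram above, WAN2 is assumed to be assigned as OPT1, and the device names and VHIDs are invented); node 2 is deliberately given a different NIC and VHID for WAN2 so the output shows what a mismatch looks like.

```python
import xml.etree.ElementTree as ET


def make_config(host_octet, wan2_if, wan2_vhid):
    """Build a constructed pfSense-style config.xml fragment for one node.

    Only <interfaces> and <virtualip> are modelled. The structure follows
    pfSense's config.xml; every device name, address and VHID is invented
    for this example (WAN2 is assumed to be the OPT1 interface).
    """
    return f"""<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN1</descr><ipaddr>192.168.56.{host_octet}</ipaddr></wan>
    <lan><if>em1</if><descr>LAN</descr><ipaddr>192.168.2.{host_octet}</ipaddr></lan>
    <opt1><if>{wan2_if}</if><descr>WAN2</descr><ipaddr>192.168.57.{host_octet}</ipaddr></opt1>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>192.168.56.10</subnet><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.2.10</subnet><vhid>2</vhid></vip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>192.168.57.10</subnet><vhid>{wan2_vhid}</vhid></vip>
  </virtualip>
</pfsense>"""


# Constructed sample nodes: node 1 is the reference; node 2 has WAN2 on a
# different NIC (em3 instead of em2) and a different VHID for the WAN2 CARP
# VIP, which are the two kinds of drift the thread asks to rule out.
NODE1_XML = make_config(11, "em2", 3)
NODE2_XML = make_config(12, "em3", 4)


def parse_config(xml_text):
    """Return ({logical_if: physical_device}, {logical_if: (carp_ip, vhid)})."""
    root = ET.fromstring(xml_text)
    devices = {node.tag: node.findtext("if") for node in root.find("interfaces")}
    vips = {}
    for vip in root.findall("virtualip/vip"):
        if vip.findtext("mode") == "carp":  # ignore IP alias / proxy ARP VIPs
            vips[vip.findtext("interface")] = (vip.findtext("subnet"), vip.findtext("vhid"))
    return devices, vips


def compare_nodes(xml_a, xml_b):
    """List every way two nodes' interface and CARP layouts disagree.

    An empty list means the logical-to-physical interface mapping and the
    CARP VIPs (address and VHID per interface) are identical on both nodes.
    """
    dev_a, vip_a = parse_config(xml_a)
    dev_b, vip_b = parse_config(xml_b)
    problems = []
    for name in sorted(set(dev_a) | set(dev_b)):
        if name not in dev_a or name not in dev_b:
            problems.append(f"interface {name}: defined on only one node")
        elif dev_a[name] != dev_b[name]:
            problems.append(
                f"interface {name}: physical device differs ({dev_a[name]} vs {dev_b[name]})"
            )
    for name in sorted(set(vip_a) | set(vip_b)):
        if name not in vip_a or name not in vip_b:
            problems.append(f"CARP VIP on {name}: defined on only one node")
            continue
        (ip_a, vhid_a), (ip_b, vhid_b) = vip_a[name], vip_b[name]
        if ip_a != ip_b:
            problems.append(f"CARP VIP on {name}: address differs ({ip_a} vs {ip_b})")
        if vhid_a != vhid_b:
            problems.append(f"CARP VIP on {name}: vhid differs ({vhid_a} vs {vhid_b})")
    return problems


if __name__ == "__main__":
    # Against real exports, read the two config.xml files and pass their text.
    for line in compare_nodes(NODE1_XML, NODE2_XML):
        print(line)
```

On the constructed pair the script reports the OPT1 device mismatch (em2 vs em3) and the OPT1 VHID mismatch (3 vs 4); against two real exports it reports nothing when the layouts agree, which is the precondition the reply says pfsync needs before synchronised states can be applied on the new master.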
