2017-09-27 22:33 GMT+02:00 Chris L <[email protected]>:
>
>> On Sep 27, 2017, at 12:43 PM, dayer <[email protected]> wrote:
>>
>> 2017-09-27 20:29 GMT+02:00 Steve Yates <[email protected]>:
>>>        I'm not sure if I am following you correctly, but the WAN CARP IP 
>>> has to be the same on both routers.  So router1 has a WAN of a.a.a.a and 
>>> CARP of a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b.  
>>> Same thing with the LAN IPs.
>>>
>>> --
>>>
>>> Steve Yates
>>> ITS, Inc.
>>>
>>> -----Original Message-----
>>>> If I had to guess: Are you using a CARP address for outbound NAT?  If
>>>> not then the connections *will* break on failover.
>>>
>>>
>>> Thanks for your reply, Jon :)
>>>
>>> Yes, I'm using CARP addresses from each WAN for outbound NAT:
>>> - WLAN1 CARP, for WLAN1
>>> - WLAN2 CARP, for WLAN2
>>>
>>> In addition, when the *new* master unit routes the established
>>> traffic, it continues doing the previous NAT according to the state
>>> synchronised from the previous master. So it continues doing outbound
>>> NAT with the WLAN2 CARP address, but trying to route through WLAN1.
>>> This proves that the new master unit has the synchronised states, but
>>> it tries to route the established connections according to the routing table
>>> and not to the firewall rules.
>>
>> Hi Steve! Exactly. It doesn't matter, I know this behaviour is somewhat
>> difficult to explain.
>>
>> In my example, according to the diagram from [1]:
>>
>> PC:
>> - LAN: 192.168.2.1
>> - GW: 192.168.2.10
>>
>> Pfsense1:
>> - LAN: 192.168.2.11
>> - LAN CARP: 192.168.2.10
>> - WAN1: 192.168.56.11
>> - WAN1 CARP: 192.168.56.10
>> - GW1: 192.168.56.1 (default)
>> - WAN2: 192.168.57.11
>> - WAN2 CARP: 192.168.57.10
>> - GW2: 192.168.57.1
>>
>> Pfsense2:
>> - LAN: 192.168.2.12
>> - LAN CARP: 192.168.2.10
>> - WAN1: 192.168.56.12
>> - WAN1 CARP: 192.168.56.10
>> - GW1: 192.168.56.1 (default)
>> - WAN2: 192.168.57.12
>> - WAN2 CARP: 192.168.57.10
>> - GW2: 192.168.57.1
>>
>> Outbound NAT settings, something like:
>> - LAN→WAN1→WAN1 CARP
>> - LAN→WAN2→WAN2 CARP
>>
>> Initially (Pfsense1 master; Pfsense2 backup; Traffic from LAN is
>> routing through GW2 according to a firewall rule):
>> SSH from PC → LAN → WAN2 (NAT with WAN2 CARP) → GW2
>>
>> If I disable CARP in Pfsense1, Pfsense2 is the new master and:
>> - The *established* connections do this path (wrong):
>> PC → LAN → WAN1 (WAN2 CARP) → GW1
>> - The *new* connections do this path (right):
>> PC → LAN → WAN2 (WAN2 CARP) → GW2
>
> What are the physical interface names (igb0, em0_vlan120, lagg2_vlan200, etc) 
> for all of those interfaces? They must match exactly across nodes for pfsync 
> to work correctly.
>

Thank you for your answers.

Yes, I've dual WAN and CARP. The routing goes very well, except for
this behaviour if I change the master unit while there are established
connections through a non-default gateway.

The physical interface names are the same in both firewalls, and the
firewalls run over the same computer with the same NICs.

However, to rule out a problem related to LACP I've also reproduced
the behaviour in two virtual machines with pfSense and one virtual
machine with CentOS as a user LAN.
I've put the firewalls config files and a few screenshots about a
demonstration in the forum[1] (I don't know if I can attach here
several files).


Regards,

[1]: https://forum.pfsense.org/index.php?topic=136739.msg750616#msg750616
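As an added example (not code from the thread or from the pfSense project), a small parity check of the kind Chris's interface-name question calls for: it compares the two node layouts listed above and reports anything that would break pfsync or CARP failover. The physical NIC names em0, em1 and em2 are assumed; the addresses are the ones from the message, and the renamed-NIC case is constructed to show a mismatch being caught.

```python
# Added example: parity check for two pfSense HA nodes. pfsync needs identical
# physical interface names on both nodes, and each shared interface needs one
# common CARP VIP, distinct real addresses and the same gateway.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Iface:
    name: str                  # logical name: LAN, WAN1, WAN2
    phys: str                  # physical NIC name; must be identical on both nodes (assumed)
    addr: str                  # this node's own address
    carp: str                  # shared CARP VIP for the interface
    gw: Optional[str] = None   # upstream gateway, for WAN interfaces

def parity_issues(node_a: List[Iface], node_b: List[Iface]) -> List[str]:
    a_by, b_by = {i.name: i for i in node_a}, {i.name: i for i in node_b}
    issues = []
    for name in sorted(set(a_by) | set(b_by)):
        a, b = a_by.get(name), b_by.get(name)
        if a is None or b is None:
            issues.append(f"{name}: defined on only one node")
            continue
        if a.phys != b.phys:
            issues.append(f"{name}: physical interface differs ({a.phys} vs {b.phys})")
        if a.carp != b.carp:
            issues.append(f"{name}: CARP VIP differs ({a.carp} vs {b.carp})")
        if a.addr == b.addr:
            issues.append(f"{name}: both nodes use the same real address {a.addr}")
        if a.carp in (a.addr, b.addr):
            issues.append(f"{name}: CARP VIP {a.carp} collides with a real address")
        if a.gw != b.gw:
            issues.append(f"{name}: gateway differs ({a.gw} vs {b.gw})")
    return issues

PFSENSE1 = [
    Iface("LAN",  "em0", "192.168.2.11",  "192.168.2.10"),
    Iface("WAN1", "em1", "192.168.56.11", "192.168.56.10", "192.168.56.1"),
    Iface("WAN2", "em2", "192.168.57.11", "192.168.57.10", "192.168.57.1"),
]
PFSENSE2 = [
    Iface("LAN",  "em0", "192.168.2.12",  "192.168.2.10"),
    Iface("WAN1", "em1", "192.168.56.12", "192.168.56.10", "192.168.56.1"),
    Iface("WAN2", "em2", "192.168.57.12", "192.168.57.10", "192.168.57.1"),
]
# Constructed negative case: WAN2 sits on a differently named NIC on node 2.
PFSENSE2_RENAMED = PFSENSE2[:2] + [
    Iface("WAN2", "em3", "192.168.57.12", "192.168.57.10", "192.168.57.1"),
]
```

`parity_issues(PFSENSE1, PFSENSE2)` returns an empty list for the layout in the message, while the renamed-NIC variant yields a single "physical interface differs" entry.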
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
