pfSense HA with 2 LAN interfaces

Hi,

I have managed to get a working HA for my pfSense using the steps on the video you created here.

When I connect to the LAN, everything works perfectly. However, I have an issue when I create a second LAN on the network.

I created a new VLAN on top of my LAN interface, and from pfSense I can ping the computer on the new LAN, but the computer cannot ping the LAN CARP IP that has been set in the outbound NAT, or google.com.

When I look at the error log, I see
Default deny rule IPv4 (1000000103)
Do I need to add the new LAN IP to the firewall virtual IP list or to the NAT rule?
On the firewall rule, I have an allow * rule for the new LAN so it allows access to the internet.

Thank you in advance

You may take a look at the following on the Netgate forum for assistance.

@rtucker I have seen that link before I posted, but it didn't explain what I need to add to solve my issue.
I think I need to do something with the outbound NAT, but I am not sure what exactly.

The LAN IP addresses (or VLAN) should be CARP virtual addresses.

Hi @LTS_Tom ,
Sorry but I am not following you.
I have a LAN on a physical port and I set a static IP.

and in the LAN DHCP I set the DNS and gateway to the CARP IP.

When I created the VLAN, I selected the LAN as the parent interface.

How do I set the VLAN as the CARP IP?

Sorry if this is a stupid question.
Thank you for your help

Do I need to recreate the steps of adding new virtual IP for the VLAN?
172.16.200.1 on interface pf1
172.16.200.2 on interface pf2
172.16.200.3 as CARP

Yes, I usually do
172.16.200.1 as CARP
172.16.200.2 on interface pf1
172.16.200.3 on interface pf2
Because most people are used to seeing .1 as the gateway.

Yes, makes sense.
Do I need to create another pfsync or will the existing one do?
Also, does it mean that I need to change all my public IP from IP ‘Alias’ to CARP?

Last question: does the CARP subnet matter?
172.16.200.1/28
or
172.16.200.1/24

The CARP subnet has to match. If 172.16.200.3 and 172.16.200.2 are both /24, then the CARP address should be as well.

Do I need to change all my public IP from IP ‘Alias’ to CARP?

Only if you want the HA to work.

I added the new CARP virtual addresses, and I can see on both the primary and the slave firewall that the CARP status is set to 'MASTER' on both. Is that normal?

I am also still unable to ping google.com from my VM centos-net.

In order to ping the outside world, do I need to add the new_lan in the NAT mapping?

I managed to fix it by adding an outbound NAT rule mapping (thank you, Steve).
The CARP master issue was because I didn't set the switch port to trunk, so the 2 pfSense couldn't see each other on VLAN 200.

Hope this helps someone else later.
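Two things in this thread are easy to verify from the command line before touching NAT: the CARP VIP must carry the same mask as the interface addresses on that VLAN, and both nodes reporting MASTER for one vhid means they are not receiving each other's CARP advertisements (the untrunked switch port above). The script below is an added example, not from the thread or from pfSense, that runs both checks over constructed FreeBSD-style ifconfig output from the two nodes; the exact ifconfig layout, the interface name vlan0.200, vhid 200 and the node names pf1/pf2 are assumptions.

```python
import re
from collections import defaultdict

# Constructed ifconfig excerpts in FreeBSD/pfSense style (layout is an assumption), following the
# thread's plan: .1 as CARP, .2 on pf1, .3 on pf2. The CARP mask is a /28 on purpose (mismatch).
PF1 = """\
vlan0.200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.200.2 netmask 0xffffff00 broadcast 172.16.200.255
        inet 172.16.200.1 netmask 0xfffffff0 broadcast 172.16.200.15 vhid 200
        carp: MASTER vhid 200 advbase 1 advskew 0
"""
PF2 = PF1.replace("172.16.200.2 ", "172.16.200.3 ")  # backup node also claims MASTER

ADDR_RE = re.compile(r"^\s+inet (\S+) netmask 0x([0-9a-f]{8})(.*)$")
STATE_RE = re.compile(r"^\s+carp: (\w+) vhid (\d+)")

def parse(text):
    # Map each interface to its real addresses, CARP VIPs (by vhid) and CARP state (by vhid).
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():              # interface header line
            cur = line.split(":")[0]
            ifaces[cur] = {"addrs": [], "vips": {}, "state": {}}
        elif m := ADDR_RE.match(line):
            ip, mask, rest = m.groups()
            plen = bin(int(mask, 16)).count("1")        # hex netmask -> prefix length
            vhid = re.search(r"\bvhid (\d+)", rest)     # present only on CARP VIP lines
            if vhid:
                ifaces[cur]["vips"][int(vhid.group(1))] = (ip, plen)
            else:
                ifaces[cur]["addrs"].append((ip, plen))
        elif m := STATE_RE.match(line):
            ifaces[cur]["state"][int(m.group(2))] = m.group(1)
    return ifaces

def check(nodes):
    # nodes = {node_name: ifconfig text}; returns human-readable findings (empty = healthy).
    findings, masters = [], defaultdict(list)
    for name, text in nodes.items():
        for iface, d in parse(text).items():
            for vhid, st in d["state"].items():
                if st == "MASTER":
                    masters[vhid].append(name)
            for vhid, (vip, vplen) in d["vips"].items():
                for ip, plen in d["addrs"]:          # VIP mask must equal the interface mask
                    if plen != vplen:
                        findings.append(f"{name} {iface}: CARP {vip}/{vplen} (vhid {vhid}) "
                                        f"does not match interface {ip}/{plen}")
    for vhid, names in sorted(masters.items()):      # two MASTERs = nodes cannot hear each other
        if len(names) > 1:
            findings.append(f"vhid {vhid}: MASTER on {' and '.join(sorted(names))}; "
                            "the nodes are not seeing each other's CARP advertisements")
    return findings
```

On a real pair, paste the output of `ifconfig` from each node into the dictionary passed to `check`; an empty list means the masks agree and exactly one node holds MASTER per vhid.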