OPNsense Forum » English Forums » General Discussion » Asymmetric routing after fail over - MultiWAN, but single IP on WAN1
Topic: Asymmetric routing after fail over - MultiWAN, but single IP on WAN1 (Read 2588 times)
iMx (Full Member, Posts: 202, Karma: 15)
Asymmetric routing after fail over - MultiWAN, but single IP on WAN1
« on: March 07, 2019, 01:38:39 pm »
I have the following HA setup, with multi-WAN; I'm hoping one of you clever people might be able to suggest a workaround. Albeit probably a hacky workaround, as I realise this is a hacky setup!
Node A
WAN1: 10.0.0.1/30 (RFC1918)
WAN2: 37.x.x.1/27 (Default GW)
Node B
WAN1: 10.0.0.2/30 (RFC1918)
WAN2: 37.x.x.2/27 (Default GW)
CARP:
WAN1 VIP: 78.x.x.1/30 (Single IP from ISP)
WAN2 VIP: 37.x.x.3/27
IP Aliases:
80.x.x.1/27 - WAN1 (routed by ISP to 78.x.x.1). Gateway set to WAN1 gateway (78.x.x.2/30)
80.x.x.2/27 - WAN1 (routed by ISP to 78.x.x.1). Gateway set to WAN1 gateway (78.x.x.2/30)
80.x.x.3/27 - WAN1 (routed by ISP to 78.x.x.1). Gateway set to WAN1 gateway (78.x.x.2/30)
...
80.x.x.30/27 - WAN1 (routed by ISP to 78.x.x.1). Gateway set to WAN1 gateway (78.x.x.2/30)
Gateways, monitoring disabled for both:
WAN1: 78.x.x.2/30
WAN2: 37.x.x.30/27 (Default GW)
- Single IP from the ISP for WAN1, which is configured as a CARP VIP with RFC1918 on Node A and Node B
- A further /27 subnet is routed to the single CARP IP for WAN1
- IP aliases are set up for the same VHID as WAN1 CARP
- WAN2 has the default gateway, all IP addresses are externally reachable/routable (non-rfc1918)
When I perform a fail over from Node A -> Node B, with state synced, the IP aliases fail over correctly. However, the egress packets for 80.x.x.0/27 IP aliases are routed out of the default WAN2 gateway once failed over to Node B. If I clear the state on the firewall, things then sort themselves out.
Presumably, as there is no routing table entry for the WAN1 CARP gateway, it takes the default route after failover - which is egress via WAN2. When I clear the state, it then routes correctly via pf. If I disable state sync, the failover happens, state is lost, but routing is correct - i.e. in and out of WAN1 for 80.x.x.0/27.
Is the work around to just not sync state? Or is there a way for state to be synced, but for it to route correctly egress via WAN1 for 80.x.x.0/27 immediately after fail over?
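A check a practitioner could run on either node to see where the states for the routed /27 actually sit after a failover, instead of clearing the state table blind. This is an added example, not code from the thread or from OPNsense: it parses the text layout of FreeBSD's `pfctl -vvss` (one header line per state, then indented detail lines, the last of which carries `creatorid:`), flags states on the routed prefix that are bound to an interface other than WAN1, and marks whether each state was created locally or learned from the peer over pfsync. The interface names (vtnet1 for WAN1, vtnet2 for WAN2), the 203.0.113.0/27 prefix standing in for the post's 80.x.x.0/27, the host ids and the sample state records are all constructed stand-ins; the local hostid to compare against is the one `pfctl -vsi` reports on the node.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): audit pf states that
# touch the ISP-routed /27 after a CARP failover, from `pfctl -vvss` output.
# Every name and value below is a constructed stand-in; adjust to your nodes.

ROUTED_PREFIX="203.0.113."   # stands in for the post's 80.x.x.0/27 (assumed)
WAN1_IF="vtnet1"             # assumed interface carrying the WAN1 CARP VIP
LOCAL_HOSTID="3ac4f1e2"      # assumed local pf hostid; see `pfctl -vsi` on the node

# Constructed sample in FreeBSD `pfctl -vvss` layout: a header line per state,
# then indented detail lines, the last of which carries id/creatorid.
# Record 2 models the symptom: an outbound state NATed to a /27 alias but
# bound to WAN2; records 2 and 4 were created by the peer (synced by pfsync).
SAMPLE_STATES='vtnet1 tcp 203.0.113.5:443 <- 198.51.100.20:51000       ESTABLISHED:ESTABLISHED
   [3110540523 + 65535] wscale 7  [2200187 + 65535] wscale 7
   age 00:01:12, expires in 23:58:48, 120:118 pkts, 16000:24000 bytes, rule 42
   id: 5c8100ab00000001 creatorid: 3ac4f1e2
vtnet2 tcp 192.0.2.50:51234 (203.0.113.9:51234) -> 198.51.100.30:443       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 7  [2 + 65535] wscale 7
   age 00:00:30, expires in 23:59:30, 10:9 pkts, 1200:900 bytes
   id: 5c8100ab00000002 creatorid: 9e1d77b0
all tcp 10.0.0.1:22 <- 192.0.2.9:55000       ESTABLISHED:ESTABLISHED
   age 00:10:00, expires in 23:50:00, 500:400 pkts, 60000:50000 bytes, rule 3
   id: 5c8100ab00000003 creatorid: 3ac4f1e2
vtnet1 udp 203.0.113.30:53 <- 198.51.100.40:40001       MULTIPLE:MULTIPLE
   age 00:00:05, expires in 00:00:55, 2:2 pkts, 150:300 bytes, rule 42
   id: 5c8100ab00000004 creatorid: 9e1d77b0'

# Reads pfctl -vvss text on stdin; prints one line per state on the routed /27:
#   iface routed_addr src<->dst creatorid local|peer ok|WRONG_IF
audit_states() {
    awk -v prefix="$ROUTED_PREFIX" -v wan1="$WAN1_IF" -v local_id="$LOCAL_HOSTID" '
    function host(ep) {                       # drop the port: a.b.c.d:port or v6addr[port]
        sub(/\[[0-9]+\]$/, "", ep)
        if (ep !~ /:.*:/) sub(/:[0-9]+$/, "", ep)
        return ep
    }
    function in_routed27(ip,   o) {           # IPv4 prefix match, last octet 0..31
        if (index(ip, prefix) != 1) return 0
        split(ip, o, ".")
        return (o[4] + 0) < 32
    }
    NF == 0 { next }
    /^[^ ]/ {                                 # header: iface proto src [(nat)] <-|-> dst [(nat)] state
        iface = $1; src = ""; dst = ""; routed = ""; arrow = ""
        for (i = 3; i < NF; i++) {
            tok = $i
            if (tok == "->" || tok == "<-") { arrow = tok; continue }
            gsub(/[()]/, "", tok)
            h = host(tok)
            if (routed == "" && in_routed27(h)) routed = h
            if (src == "") src = h
            else if (arrow != "" && dst == "") dst = h
        }
        next
    }
    /creatorid:/ {                            # last detail line of the record
        if (routed == "") next
        creator = $NF
        origin = (creator == local_id) ? "local" : "peer"
        ifok = (iface == wan1) ? "ok" : "WRONG_IF"
        printf "%s %s %s%s%s %s %s %s\n", iface, routed, src, arrow, dst, creator, origin, ifok
    }'
}

# Number of routed-/27 states anchored to an interface other than WAN1.
count_wrong_if() {
    audit_states | awk '/WRONG_IF$/ { n++ } END { print n + 0 }'
}

if [ "${1:-}" = "--live" ]; then
    pfctl -vvss | audit_states               # on the firewall itself
else
    printf '%s\n' "$SAMPLE_STATES" | audit_states
fi
```

With `--live` the script reads the running state table; without arguments it runs over the embedded sample so the parsing can be checked offline. A `peer WRONG_IF` line is the kind of state to look for when egress for the /27 is leaving via WAN2 as described in the post: a connection using a routed /27 address whose state was learned from the other node and is anchored to the WAN2 interface. Comparing the two columns before and after a failover, and against `netstat -rn`, shows whether the problem is in the synced states or in the routing table, which the post can only presume.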
iMx (Full Member, Posts: 202, Karma: 15)
Re: Asymmetric routing after fail over - MultiWAN, but single IP on WAN1
« Reply #1 on: March 09, 2019, 10:13:23 am »
I think this may have been a 19.1.x bug somewhere; after upgrading to 19.1.3, I'm no longer able to replicate this - with state sync enabled.
iMx (Full Member, Posts: 202, Karma: 15)
Re: Asymmetric routing after fail over - MultiWAN, but single IP on WAN1
« Reply #2 on: March 09, 2019, 10:36:12 am »
Actually, yes, I can. I still had state sync disabled on the secondary node. With bidirectional state sync re-enabled, the same problem occurs as originally documented.