ESXi, pfSense and failover IP


hitsujitmo
02-11-2016, 12:34
Quote Originally Posted by radioactivshark
I have been working on this also and it's proved a right sod to do.

That config of yours will work fine, but the moment you restart the pfSense box, you will lose that "route add" rule.
Sorry for the late addition but:

To tackle the lack of the route add on restart, create a script /usr/local/sbin/gateway-up.sh

Code:
#!/bin/sh
route add -net XXX.XXX.XXX.254/32 -iface em0
route add default XXX.XXX.XXX.254
Also create the script /usr/local/sbin/gateway-down.sh

Code:
#!/bin/sh
route del default XXX.XXX.XXX.254
route del -net XXX.XXX.XXX.254/32 -iface em0
chmod +x both scripts

Now we just need a hook to execute these scripts when em0 goes up and down. Create the following as /etc/devd/gateway.conf

Code:
notify 1 {
	match "system" "IFNET";
	match "subsystem" "em0";
	match "type" "LINK_UP";
	action "/usr/local/sbin/gateway-up.sh";
};

notify 1 {
	match "system" "IFNET";
	match "subsystem" "em0";
	match "type" "LINK_DOWN";
	action "/usr/local/sbin/gateway-down.sh";
};

You can now safely reboot at any stage.

Makeshift
07-11-2015, 02:53
Hey guys - Apologies if I'm necroing this a little.

I've managed to get it set up, my VMs are working brilliantly with a WAN, LAN and OPT1(the bridge). My pfsense runs on a failover IP and all my VMs on the LAN have their nat managed by pfsense and have internet, it's great.

However, I'm not quite sure how to do port forwarding in this case. I ran a simple webserver on 8000 on an ubuntu vm (on 192.168.1.104), set a firewall rule on WAN where the destination was the webserver host and the destination port was 8000, but I can't seem to get it to resolve. I don't even get any firewall block logs.

Is there something I'm missing? I've tried several different configurations and this seemed the most obvious one to me, though this is one of the weirder setups I've worked with.



Thanks.

harpss1ngh
22-10-2015, 11:50
For all those people like me who still couldn't get internet access even after configuring outbound NAT, you could try going to the DHCP Server settings and setting 192.168.1.1 as the default gateway. By default DHCP uses the interface's gw, but for some reason it didn't work for me so I had to set it anyway. I also set the DNS servers to 192.168.1.1, 8.8.8.8, 8.8.4.4.

That should allow your machines to set the default route, (or you could just manually set it yourself each time you restart I guess, but where's the fun in that?!).

Hope that helps.

Also...
Currently trying to get Cisco ASAv to work in place of pfsense with IPSEC VPN to my Cisco ASA at another site... if I do I'll post a guide on this forum (for me, as I need IPSEC site-to-site VPN, I can't use the ASA's Transparent Mode and will have to use routing mode; however I can't get the normal routing mode to work as the gateway has to be on the same subnet as the outside interface (apparently)). Watch this space.

EDIT: Done! Have a look at my guide I'm about to post in a separate thread

ciacho
07-05-2015, 13:07
Hello,

I've trouble with this setup.

VM (Lubuntu) is connected to LAN (192.168.1.0/24 in pfSense) and can only access lan gw: 192.168.1.1 (ping 8.8.8.8 - 100% packet loss). No internet connection.

pfSense VM: em0 is connected to WAN (IP failover from OVH: 178.XXX.XXX.X34 with virtual MAC: 00:XX:XX:XX:XX:d4 entered in Interfaces/WAN) em1 is connected to LAN

ESXi view:


WAN interface config:


Diagnostic/Routes:


Where can the problem be?


Problem solved via cowboykid!

Quote Originally Posted by cowboykid
http://magiksys.blogspot.be/2012/12/...re-ovh-ip.html

The final step after your* config is to change the Firewall NAT Outbound Rule as demonstrated in section: Attach an IP to the WAN side.

Basically you add a new rule in the pfsense Firewall / NAT section in the outbound tab, and specify the source packets with your LAN subnet.

This will give your VMs internet access on the NAT (LAN) network.

radioactivshark
17-10-2014, 23:28
I have been working on this also and it's proved a right sod to do.

That config of yours will work fine, but the moment you restart the pfSense box, you will lose that "route add" rule.

I phoned up their support also after I received a rather snotty email that my server was sending out "unnecessary arp requests" and I should rectify this immediately. The support agent told me I should be using /32 and not /24 for my subnet and that I had the wrong gateway.

He then seemed rather horrified when I told him and gave him the link to the guide on the OVH howto page that shows the use of /24 and .254 as gateway. So the guide at OVH with its screenshots turned out to be wrong. He said that this would be rectified and that I should correct my server settings accordingly.

Also they seem to suggest that 1 arp request in 20 minutes is "unnecessary" and I don't buy that at all. I do however see that if every server was sending out ARP requests that it could cause issues.

cowboykid
14-10-2014, 11:36
I found the solution following this guide;

http://magiksys.blogspot.be/2012/12/...re-ovh-ip.html


The final step after your* config is to change the Firewall NAT Outbound Rule as demonstrated in section: Attach an IP to the WAN side.

Basically you add a new rule in the pfsense Firewall / NAT section in the outbound tab, and specify the source packets with your LAN subnet.

This will give your VMs internet access on the NAT (LAN) network.

Thought I should post this as I was looking for a solution for 2 days.

cowboykid
12-10-2014, 23:19
Hi Jonlewi5,

I'm having the exact same problem as you where my NAT(lan) can't access the internet but my WAN is connected just fine. Did you ever resolve your issue? Would really help me out!

jonlewi5
22-02-2013, 17:22
This took me all day to get working.. so figured I'd share!

*Create a virtual MAC for the failover IP in OVH Manager*
1) Add an additional switch to VMware
2) Create a VM for pfSense, add 2 NICs, one connected to each switch (I'll call them WAN and LAN)
I'd suggest having nic1 on WAN and nic2 on LAN

3) Install pfSense
4) Add both NICs in pfsense. If you are using the above setup, WAN will be em0 and LAN will be em1
5) Enable DHCP on em1
6) Create a new VM, install or run the live CD of Ubuntu.
7) Log into pfsense from the Ubuntu VM by going to 192.168.1.1
8) Go to "Interfaces" then "WAN"
9) Change type to static, change the MAC address to the one from OVH Manager
10) Set the IP address to failover IP /32
11) Save the configuration.

Now, go back to the pfsense VM and select option 8 (shell)
Let's assume the IP address of my dedicated server (NOT the failover) is 1.2.3.4. In this section I needed to change the last octet to 254, so it would be 1.2.3.254.
So I would type in this...
route add -net 1.2.3.254/32 -iface em0

route add default 1.2.3.254

That's it. That worked for me; I can access the VM over the public address on the failover IP.
Not saying this will work for everyone.. but it works for me.
At the moment, I'm having trouble with the Ubuntu VM being able to get online though, but I'm working on it, likely my pfsense config somewhere.

If anyone knows of a better way to do this, then I'm all ears... really!
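One way to fold the thread's advice into a single checked, idempotent gateway script, added here as an example and not code posted by any participant: it combines jonlewi5's "last octet to 254" gateway convention and route commands, the /32 prefix OVH support recommended in radioactivshark's post, and the devd LINK_UP hook from hitsujitmo's reply (which may fire more than once per boot). The server IP 1.2.3.4 and interface em0 are assumed placeholders.

```shell
#!/bin/sh
# Example script (not from the thread): idempotent gateway-up helper for pfSense/FreeBSD.
# Gateway = dedicated server's main IP with the last octet set to 254 (jonlewi5's
# convention); the failover address must be written as /32 (what OVH support told
# radioactivshark); routes are only added when missing, so the devd LINK_UP hook
# from hitsujitmo's reply can fire repeatedly. IPs and interface names are placeholders.

# Print the gateway for a dedicated-server IP (last octet -> 254); return 1 on bad input.
ovh_gateway() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    printf '%s.%s.%s.254\n' "$1" "$2" "$3"
}

# Accept a failover address only when written as a /32; a /24 here is what
# produced the stray ARP traffic OVH complained about in the thread.
check_failover() {
    case "$1" in */32) ovh_gateway "${1%/32}" >/dev/null ;; *) return 1 ;; esac
}

# Emit the two route commands for an interface, one per line, without running them.
gateway_up_cmds() {
    gw=$(ovh_gateway "$1") || return 1
    printf 'route add -net %s/32 -iface %s\n' "$gw" "$2"
    printf 'route add default %s\n' "$gw"
}

# Apply the routes on FreeBSD, skipping any that already exist. "route -n get"
# prints "destination: default" when only the default route matches, so a host
# route is present only when the destination line names the gateway itself.
gateway_up() {
    gw=$(ovh_gateway "$1") || { echo "bad server IP: $1" >&2; return 1; }
    route -n get "$gw" 2>/dev/null | grep -q "destination: $gw" ||
        route add -net "$gw/32" -iface "$2"
    route -n get default 2>/dev/null | grep -q "gateway: $gw" ||
        route add default "$gw"
}

# Usage from the devd hook: gateway_up 1.2.3.4 em0   (1.2.3.4 = placeholder server IP)
```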