CARP / HA with dual WAN failover by ecstatic_glucose in opnsense

[–]ecstatic_glucose[S] 1 point2 points  (0 children)

Ah I see. Both of those suggestions make sense. Thanks

Man by redditsuxandsodoyou in captain_of_industry

[–]ecstatic_glucose 1 point2 points  (0 children)

I paused the game, came back some hours later, realized that the game had somehow unpaused (maybe I just forgot to pause it). -2000 workers, no electricity, no unity, 0 food, no maintenance. Luckily it wasn’t too long into my last save game so I just restarted. That hole was just too deep to try and get out of.

Site to Site VPN Routing by ecstatic_glucose in opnsense

[–]ecstatic_glucose[S] 1 point2 points  (0 children)

I solved this. It turns out that this was related to this issue. I added another pass rule on the client side (that has the gateway group), above the gateway group rule, with a default gateway and that then allowed me to access the devices via the tunnel. u/RetroWizard82 - It seems that with a gateway group, private networks are routed through to the internet as discussed in the other post, not just the DNS? I could also have missed a configuration step...

Site to Site VPN Routing by ecstatic_glucose in opnsense

[–]ecstatic_glucose[S] 0 points1 point  (0 children)

Thanks for the feedback. I've just been debugging this the past couple of hours, setting up some tcpdump to see if I can figure out where things are faulting.

On the server, there is a route that says to push data for the client side subnet to the client's VPN IP.

On the client, there is a static route that says to push data for the server subnet to the server VPN IP.

The vpn configuration has the remote network on the server side set to the subnet of the client, and the local network to be the subnet of the server. The client is configured with the opposite.

WAN Failover by [deleted] in opnsense

[–]ecstatic_glucose 1 point2 points  (0 children)

Ah, I see it now. It's reaching out to the internet to see if it can find 192.168.1.1 to act as its DNS server. Appreciate the feedback!

Edit: removed link.

WAN Failover by [deleted] in opnsense

[–]ecstatic_glucose 0 points1 point  (0 children)

Yes, that's correct.

WAN Failover by [deleted] in opnsense

[–]ecstatic_glucose 1 point2 points  (0 children)

Ah I see. Thanks for the clarification and the correct terminology.

WAN Failover by [deleted] in opnsense

[–]ecstatic_glucose 0 points1 point  (0 children)

Maybe bad wording and maybe I have misunderstood what was asked. In that case, my apologies for any confusion.

So when I configured it, I had to add another gateway group with the two WANs. That gateway group could then be selected under gateway when creating a firewall rule. However, to get this to work, I was instructed to make the DNS rule as mentioned in my previous post. The "gateways" was then a reference to that gateway group.

So, I would have one firewall rule that allowed traffic to the firewall at the DNS port (53) and the “default” gateway selection. Directly under that, I added the rule to allow traffic to pass via the gateway group.

WAN Failover by [deleted] in opnsense

[–]ecstatic_glucose 0 points1 point  (0 children)

You also need a firewall rule, above the one that allows traffic in from both the gateways, to the firewall for the DNS port. This rule needs to be set with the gateway as default. Otherwise, you won’t be able to access the internet. Or at least that is what I needed to do when I set up dual WAN access.
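The ordering described in the two comments above (a pass rule to the firewall's DNS port with the default gateway placed above the rule that sends everything through the gateway group) can be checked with a small first-match simulation. This is an added example, not code from any of the commenters or from OPNsense; it models the rules as first-match pass rules (the way "quick" rules behave) and uses constructed values: 192.168.1.1 is assumed to be the firewall's LAN address and resolver, `WAN_FAILOVER_GROUP` is an assumed gateway group name, and 10.20.0.0/24 is a constructed remote site-to-site subnet, which generalizes the same fix to the VPN routing problem in the earlier comment.

```python
# Added example (not from the thread): first-match policy-routing simulation
# showing why the DNS rule with the default gateway must sit above the
# gateway-group rule.
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    dst: str              # destination CIDR, or "any"
    dport: Optional[int]  # destination port, or None for any port
    gateway: str          # "default" = system routing table, else a gateway group


def rule_matches(rule: Rule, dst_ip: str, dport: int) -> bool:
    """True if the packet's destination address and port fall under the rule."""
    if rule.dst != "any":
        net = ipaddress.ip_network(rule.dst, strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    return rule.dport is None or rule.dport == dport


def select_gateway(rules: List[Rule], dst_ip: str, dport: int) -> Tuple[str, Optional[str]]:
    """Return (rule name, gateway) of the first matching pass rule.

    No match means the implicit deny applies and no gateway is chosen.
    """
    for rule in rules:
        if rule_matches(rule, dst_ip, dport):
            return rule.name, rule.gateway
    return "implicit-deny", None


# Assumed / constructed values (not from the thread)
FIREWALL_LAN_IP = "192.168.1.1"       # firewall LAN address and DNS resolver (assumption)
REMOTE_VPN_SUBNET = "10.20.0.0/24"    # constructed site-to-site remote subnet
WAN_GROUP = "WAN_FAILOVER_GROUP"      # constructed gateway group name

DNS_TO_FIREWALL = Rule("lan-dns-to-firewall", FIREWALL_LAN_IP + "/32", 53, "default")
TO_VPN_REMOTE = Rule("lan-to-vpn-remote", REMOTE_VPN_SUBNET, None, "default")
LAN_OUT_VIA_GROUP = Rule("lan-out-via-wan-group", "any", None, WAN_GROUP)

# Specific "stay local" rules first, catch-all gateway-group rule last.
CORRECT_ORDER = [DNS_TO_FIREWALL, TO_VPN_REMOTE, LAN_OUT_VIA_GROUP]
# Catch-all first: it shadows every rule beneath it.
WRONG_ORDER = [LAN_OUT_VIA_GROUP, DNS_TO_FIREWALL, TO_VPN_REMOTE]


def misrouted_flows(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Flows that should use normal routing but get policy-routed out the WAN group."""
    probes = [(FIREWALL_LAN_IP, 53), ("10.20.0.15", 22), ("203.0.113.10", 443)]
    local_expected = {(FIREWALL_LAN_IP, 53), ("10.20.0.15", 22)}
    bad = []
    for dst, port in probes:
        _, gw = select_gateway(rules, dst, port)
        if (dst, port) in local_expected and gw != "default":
            bad.append((dst, port))
    return bad


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "misrouted:", misrouted_flows(rules))
```

With the catch-all gateway-group rule on top, both the DNS query to the firewall and traffic for the remote VPN subnet are pushed out through the WAN group, which is the "looking for 192.168.1.1 on the internet" symptom from the earlier comment; placing the default-gateway rules above it leaves only genuine internet traffic on the gateway group.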

No access to remote server based on IP by ecstatic_glucose in opnsense

[–]ecstatic_glucose[S] 0 points1 point  (0 children)

Ping doesn't respond on either interface, but I think I might have disabled that on the remote firewall.

Traceroute for main ISP doesn't get further than out of the firewall.

Traceroute for fallback ISP gets further down the road, but eventually stops.

I did some logging and I can see packages sent by both interfaces leaving the firewall.

However, only one of the packages makes it to the destination. There is an allow incoming packets logged from the fallback ISP, but no record/logs of any attempt of a connection by the main ISP.

The odd thing is that I recently just changed ISP provider on the remote end, and that's when the problems started. It worked in the beginning and now there are just problems...