• MOVED: Secondary Pfsense Crash after CARP Configuration

    Locked
    1
    0 Votes
    1 Posts
    343 Views
    No one has replied
  • Outbound NAT Simplification

    4
    0 Votes
    4 Posts
    799 Views
    DerelictD
    They need to be enabled and set to use the CARP VIP.
  • CARP and partial failure

    4
    0 Votes
    4 Posts
    1k Views
    E
    Hi, So the simplest question is: in a carp setup what can I do to be sure that also slave can reach internet? In your MASTER, Firewall/NAT/Outbound, make your Mappings similar to the attached pic, 2nd entry. In your case all references to WAN1 should just be WAN. If as you say your CARP is properly configured, the MASTER settings should replicate to the SLAVE via the SYNC interfaces. You do have SYNC interfaces, properly configured & connected, right? What does this 2nd entry do? It ensures that internet access for the pfSense machines (MASTER/SLAVE) themselves (127.0.0.0/8), goes thru their respective WAN IP addresses. As for your "several" LANs, LAN2 in particular, create rule(s) similar to the 4th entry. This ensures the allowed LAN machines can access the internet via the designated WAN CARP VIP. Anyway if you followed the CARP setup docs, all those entries should have been more or less taken care of already. Cheers. Edwin [image: pfs-nat-outbound.jpg]
  • NAT VIP how to with diagram

    1
    0 Votes
    1 Posts
    514 Views
    No one has replied
  • WAN CARP not working/seems like ISP issue

    4
    0 Votes
    4 Posts
    1k Views
    DerelictD
    Like I said, you will probably need to pcap to see what is really going on. Are you using your own switch or the ISP device?
  • GRE through Virtual IP

    2
    0 Votes
    2 Posts
    1k Views
    C
    Same here. I'm using WAN CARP as "GRE Remote Address" on two pfSense boxes but it doesn't work. If I change to WAN addresses, all is OK.
  • CARP Master manual switch introduces packet loss

    1
    1 Votes
    1 Posts
    1k Views
    No one has replied
  • Backup CARP router unable to access internet

    7
    0 Votes
    7 Posts
    2k Views
    E
    Hi, in my case (v 2.4.2-RELEASE (amd64)), I solved it with the following settings: Outbound NAT Mode = Hybrid Outbound NAT rule generation. Putting below as the 1st rule in Firewall/NAT/Outbound (in primary, will replicate to backup), see pic below: Iface=WAN - src=This Firewall - dst=* - NAT=WAN Address. P.S. been using pfSense since 2006 but this is my 1st post. edit: oops my 2nd post actually, the 1st was way back 2015 :D so I beg your tolerance if I woke up a sleeping thread or broke some forum rules, just wanted to help. Ed
  • NAT Trouble with CARP VIP in WAN

    2
    0 Votes
    2 Posts
    1k Views
    T
    Found my answer.  Of course it took an entire post to go back and ask myself "did you check the fundamentals".. I'm running on ESXi 6.5 .. While I had enabled the LAN vSwitch for promiscuous/forged/mac, I had not done the same for the WAN vSwitch. Once I made that change, this worked.  Let that be a lesson.  It's not always the firewall, but it's almost always the user.  :)
  • Testing High Availability

    13
    0 Votes
    13 Posts
    2k Views
    DerelictD
    Yes. Me. I have tried to duplicate several of these reports and the only case I can find where there might be a problem is described here: https://redmine.pfsense.org/issues/8100
  • Bug? Using CARP IP as WAN IP in console and fw rules

    11
    0 Votes
    11 Posts
    2k Views
    N
    Yeah, kinda weird. It's the only box where we have a vip on the WAN interface, so it slipped through the cracks when we tested it on another box.
  • Reinstall one node in a cluster?

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • WAN takes VIP as address after outage.

    1
    0 Votes
    1 Posts
    436 Views
    No one has replied
  • Fully redundant network setup

    6
    0 Votes
    6 Posts
    2k Views
    T
    Hi, you might take a look into a lagg. This is what I have done. Two interfaces going to two switches. These are bound in a failover. On top of this you can setup carp. This eliminates the bridging and the problem that brings it in.
  • PfSense load balancing not work, in a weirdest way

    2
    0 Votes
    2 Posts
    554 Views
    T
    Anyone, please?
  • VIPs and 2 LANs

    2
    0 Votes
    2 Posts
    706 Views
    jimpJ
    So you just want the traffic from each LAN to appear to exit from a different VIP when it leaves WAN? You can do that easily with outbound NAT. 1. Add the VIPs if you haven't already, and make sure they work. 2. Firewall > NAT, Outbound tab, set it to Hybrid mode and save. 3. Add a rule on that page for the WAN interface, match a source of the first LAN subnet, translation address is your first VIP. 4. Copy that rule, change the source to your second LAN, and set the translation address to your second VIP. If you only have one VIP and want to use the WAN address for one of those, you can do that too, just set the translation addresses to be whatever you need/want. Anything beyond that (like stopping the networks from reaching each other) is up to your local rules on their interfaces, the outbound NAT only controls what happens when their traffic exits WAN.
  • CARP/HA working on WAN without any rules on interface

    2
    0 Votes
    2 Posts
    531 Views
    jimpJ
    Yes, the CARP traffic is allowed automatically. It is far too easy for user rules to break CARP unintentionally, and since it is multicast and thus only found in the local L2 segment, it is not a significant risk to allow the traffic. The automatic CARP rules also exempt CARP traffic from NAT.
  • TCP Problems like unsymetric routing with CARP

    1
    0 Votes
    1 Posts
    488 Views
    No one has replied
  • XMLRPC method errors

    2
    0 Votes
    2 Posts
    444 Views
    J
    This issue is resolved
  • XMLRPC Sync and additional services

    2
    0 Votes
    2 Posts
    559 Views
    V
    You can select what to be synced in System > High Availability Sync. pfBlockerNG and Suricata have options to enable sync of all settings, other packages may also have sync options.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.