Netgate Discussion Forum

    HA + VIP + MultiWAN Issue (no internet on slave)

    HA/CARP/VIPs
marama

      Hi.
      I've followed the tutorials for setting MultiWAN HA, and everything seems to be working fine, except the fact there is no internet on slave/secondary as long as it doesn't become master.
      In documentation it says:

      "If there is an outbound NAT rule on the WAN with a Source of any, it can cause problems with traffic on the firewall, including monitoring traffic, because that will also NAT traffic from the firewall itself. This can be especially problematic if the source address is changed to a CARP VIP. Fix the outbound NAT."

      I do have outbound NAT for CARP VIP, but I don't know what it means to "fix it".
      Any idea how to fix this?

      (my test scenario is pinging 8.8.8.8)


keyser @marama

        @marama said in HA + VIP + MultiWAN Issue (no internet on slave):

        Hi.
        I've followed the tutorials for setting MultiWAN HA, and everything seems to be working fine, except the fact there is no internet on slave/secondary as long as it doesn't become master.
        In documentation it says:

        "If there is an outbound NAT rule on the WAN with a Source of any, it can cause problems with traffic on the firewall, including monitoring traffic, because that will also NAT traffic from the firewall itself. This can be especially problematic if the source address is changed to a CARP VIP. Fix the outbound NAT."

        I do have outbound NAT for CARP VIP, but I don't know what it means to "fix it".
        Any idea how to fix this?

        (my test scenario is pinging 8.8.8.8)

Yeah, you need the rule not to use ANY as source, because that rule will have the firewall’s own internet-destined traffic use the NAT rule (which includes traffic originating from its non-HA/VIP/CARP WAN address).
        So instead of ANY as source, use the private networks on your LAN/DMZ side in either an alias group, or use the “LAN Network, DMZ network” built-in groups.

        Love the no fuss of using the official appliances :-)


marama @keyser

          @keyser , seems to be working!!! Thank you.
          So I've removed "any" for both of our WAN outbound NAT settings, and I've made the change on slave. Or should I have done it on master and have it synced to slave? On master I've ticked all the boxes on XMLRPC Sync page (HA Sync), so I guess NAT will get overwritten.
Would the correct move be to set up an alias on master, include all our private networks in the alias on master, set "any" to "alias network", and have everything synced to slave?

          EDIT: the Gateways on slave are still showing 100% loss (offline), but I can ping them, probably another issue.


keyser @marama

            @marama Yep, do it on master and have it synced to the slave.

            Love the no fuss of using the official appliances :-)


marama @keyser

              @keyser ok, will do.
I'm a bit afraid of removing the "any", since I need to be sure to include all the relevant networks in the alias. Do I also have to include the IPsec and OpenVPN networks, translation/mapping networks... ?
              Is there a way to leave "any", but then have explicit NAT rule handle the firewall traffic?


keyser @marama

                @marama said in HA + VIP + MultiWAN Issue (no internet on slave):

                @keyser ok, will do.
I'm a bit afraid of removing the "any", since I need to be sure to include all the relevant networks in the alias. Do I also have to include the IPsec and OpenVPN networks, translation/mapping networks... ?
                Is there a way to leave "any", but then have explicit NAT rule handle the firewall traffic?

Yes, you need to have VPN networks and such in the alias as well.
I normally always make an alias called "private networks" that I use for stuff like that.
                It contains:

                192.168.0.0/16
                172.16.0.0/12
                10.0.0.0/8

That way any private (internal) thing, including future uses, is covered, but not the FW and its public addresses.
Btw, that same alias is very good in internet access allow rules instead of ANY. Use it as destination with the NOT (!) feature.

                Love the no fuss of using the official appliances :-)

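The following Python script is an added example, not code from this thread or from pfSense. It models the two outbound NAT rules discussed above (source "any" versus source restricted to keyser's RFC 1918 "private networks" alias) and evaluates which packets each rule rewrites to the CARP VIP. All addresses are constructed (RFC 5737 documentation space for the public side, a made-up LAN host and OpenVPN client for the private side); the rule names and helper functions are this example's own. It also goes one step beyond the thread by modelling the "destination NOT private_networks" allow rule keyser mentions at the end.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

# Constructed alias: the same three RFC 1918 blocks keyser's "private networks" alias holds.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed addresses from RFC 5737 documentation space; not taken from the thread.
CARP_VIP = "203.0.113.10"    # shared WAN VIP, owned by whichever node is currently master
MASTER_WAN = "203.0.113.11"  # master's own WAN interface address
BACKUP_WAN = "203.0.113.12"  # backup's own WAN interface address


@dataclass
class OutboundNatRule:
    name: str
    # "any", or the alias (a list of networks) the packet's source must fall in
    source: Union[str, List[ipaddress.IPv4Network]]
    translate_to: str  # address the packet's source is rewritten to


def source_matches(rule: OutboundNatRule, src: str) -> bool:
    """True if this rule's source selector covers src."""
    if rule.source == "any":
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in rule.source)


def egress_source(rules: List[OutboundNatRule], src: str) -> str:
    """Source address a packet from src leaves WAN with. Outbound NAT is
    evaluated top-down and the first match wins; no match means no NAT."""
    for rule in rules:
        if source_matches(rule, src):
            return rule.translate_to
    return src


def rules_that_nat_firewall_traffic(rules: List[OutboundNatRule],
                                    node_wan_addrs: List[str]) -> List[str]:
    """Names of rules that also rewrite traffic the firewall itself originates
    from its own WAN address, the pitfall the quoted documentation warns about."""
    return [r.name for r in rules
            if any(source_matches(r, a) for a in node_wan_addrs)]


def backup_node_has_working_egress(rules: List[OutboundNatRule],
                                   backup_wan: str = BACKUP_WAN,
                                   vip: str = CARP_VIP) -> bool:
    """The backup does not own the VIP. If its own packets leave with the VIP as
    source, replies are delivered to the master and the backup's sessions never
    complete, which is why the secondary has no internet while it is not master."""
    return egress_source(rules, backup_wan) != vip


def internet_access_allowed(dst: str) -> bool:
    """Pass rule with destination '! private_networks': permits traffic to anything
    outside the alias, i.e. internet only, without listing the internet as ANY."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in PRIVATE_NETWORKS)


# The rule as marama first had it, and the rule keyser recommends instead.
ANY_TO_VIP = OutboundNatRule("wan-any-to-vip", "any", CARP_VIP)
PRIVATE_TO_VIP = OutboundNatRule("wan-private-to-vip", PRIVATE_NETWORKS, CARP_VIP)

if __name__ == "__main__":
    samples = (("LAN host", "192.168.1.50"),
               ("OpenVPN client", "10.8.0.6"),
               ("backup node itself", BACKUP_WAN))
    for label, ruleset in (("source any", [ANY_TO_VIP]),
                           ("source private_networks", [PRIVATE_TO_VIP])):
        print(f"--- outbound NAT with {label} ---")
        for who, src in samples:
            print(f"{who:20} {src:15} -> {egress_source(ruleset, src)}")
        print("rules NATing the firewall's own traffic:",
              rules_that_nat_firewall_traffic(ruleset, [MASTER_WAN, BACKUP_WAN]))
        print("backup node egress usable:", backup_node_has_working_egress(ruleset))
    for dst in ("8.8.8.8", "192.168.2.10"):
        print(f"pass to {dst} under 'dest ! private_networks':",
              internet_access_allowed(dst))
```

Running it shows the LAN host and the VPN client translated to the VIP under both rules, while the backup node's own WAN address is rewritten only under the "any" rule; that rule is the one the audit function flags, and it is the only ruleset for which the backup's egress check fails.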
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.