Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Accessing the slave from remote networks

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    3
    6
    1.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bakisho
      last edited by

      Hello
      I work with PF-Sense for a few years and I use HA.
      I have a problem that I never understood how to solve...
      I can't access the slave server from remote networks.
      I know it can be solved using a NAT rule, but never understood how to implement it.

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @bakisho
        last edited by

        @bakisho If you’re using a NAT forward it’s probably
        https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        DerelictD 1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate @SteveITS
          last edited by Derelict

          @steveits https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          B 1 Reply Last reply Reply Quote 1
          • B
            bakisho @Derelict
            last edited by

            @derelict
            Thanks, this is what I was looking for.
            But, The implementation is not clear (to me).
            I don't understand "destination being an alias that contains both the primary and secondary node LAN IPs"

            for example,
            my LAN is 192.168.0.0/24
            my master is 192.168.0.2
            my slave is 192.168.0.3
            Carp IP is 192.168.0.1
            VPN is 172.18.80.0/24

            So I need to create an outbound NAT rule on the Master .
            Interface: LAN
            Source: VPN 172.18.80.0/24
            Destination: LAN 192.168.0.0/24
            Address: Interface Address

            What am I missing ???

            DerelictD 1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate @bakisho
              last edited by

              @bakisho You probably don't want it to be so wide because you might not want to NAT to everything on the LAN, just to the other node.

              Make a host alias containing:

              192.168.0.2 and 192.168.0.3

              Use that alias as the destination.

              You make the alias using both so it will match the traffic when run on the primary and when synced to the secondary.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              B 1 Reply Last reply Reply Quote 0
              • B
                bakisho @Derelict
                last edited by

                @derelict
                IT WORKS!
                Thank you

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post