Outbound NAT Pool for Carp

Wherewolf · Sep 15, 2022, 1:14 PM

Just trying to understand and confirm.
I've been using a single outbound NAT address for a rather large user base.
pfsense 2.6.0 in HA - 202.101.203.170 (carp) with .171 and .172 being the interface addresses for the pfsense's.
I want to add an outbount NAT pool of 5 additional addresses .173 - .177

I've figured out how to add the additional Firewall-> Virtual IP Aliases under the single carp address, what I'm trying to confirm is that I ALSO have to add an Firewall->"Alias" to include .170 (original carp) and .173-.177 Virtual Ip Aliases so I can use THAT alias in the outbound NAT assignment? Do I NOT need the VIP alias attached to the CARP address? or do I?

Alias for Aliases?...... Just trying to make sure I'm doing this correctly.
I've spent several hours searching and haven't really bottomed out on an example of what I'm trying to do.

Thanks for any insight!

viragomann · Sep 15, 2022, 1:14 PM

@wherewolf said in Outbound NAT Pool for Carp:

what I'm trying to confirm is that I ALSO have to add an Firewall->"Alias" to include .170 (original carp) and .173-.177 Virtual Ip Aliases so I can use THAT alias in the outbound NAT assignment?

Sure, that is necessary as you cannot express the desired IPs with a network + mask.

Do I NOT need the VIP alias attached to the CARP address?

That's needed though. Otherwise the WAN interface cannot use it.

Alias for Aliases?

I would put all IPs in a single alias. You can use only one in the NAT rule.

Wherewolf · Sep 15, 2022, 1:50 PM

Thanks for the feedback

Firewall / Virtual IPs
202.101.203.170/24 (vhid: 10) IPV4WANOUTSIDE CARP IPV4 WAN OUTSIDE CARP <<<<--- original CARP address
202.101.203.173/32 202.101.203.170 (IPV4 WAN OUTSIDE CARP) IP Alias Additional Nat
202.101.203.174/32 202.101.203.170 (IPV4 WAN OUTSIDE CARP) IP Alias Additional Nat
202.101.203.175/32 202.101.203.170 (IPV4 WAN OUTSIDE CARP) IP Alias Additional Nat
202.101.203.176/32 202.101.203.170 (IPV4 WAN OUTSIDE CARP) IP Alias Additional Nat
202.101.203.177/32 202.101.203.170 (IPV4 WAN OUTSIDE CARP) IP Alias Additional Nat

Firewall / Aliases / Edit
Name OUTSIDE_NAT_IPV4
Description .170 & .173-.177
IP or FQDN
202.101.203.170 Main CARP <<<---- included as it was the "original"
202.101.203.173 Additional
202.101.203.174 Additional
202.101.203.175 Additional
202.101.203.176 Additional
202.101.203.177 Additional

Then on the NAT Rule, select "OUTSIDE_NAT_IPV4" as the translation and set it for round robin?

I think I understand - For outbound NAT pooling , I need the Firewall Alias, but in order to have CARP failover, I ALSO need the Virtual IP Aliases. It's just confusing listing the same addresses in two different "alias" places.

viragomann · Sep 15, 2022, 2:06 PM

@wherewolf
Virtual IPs and Aliases are basically different things at all.

Virtual IPs can be assigned to interfaces as additional IPs. In your case type "IP alias" is the best to be to use here, but also others would be possible, e.g. CARP.
If they are not CARP themself, they have to be hooked up on the primary CARP VIP for the failover to work.

Aliases of type IP in this case is an independent array of IP addresses. It doesn't matter if these are assigned to an interface or not. They can be used in firewall or NAT rules.