Netgate Discussion Forum

    Outbound NAT Pool for Carp

    4 Posts 2 Posters 591 Views
    • Wherewolf

      Just trying to understand and confirm.
      I've been using a single outbound NAT address for a rather large user base.
      pfsense 2.6.0 in HA - 202.101.203.170 (carp) with .171 and .172 being the interface addresses for the pfsense's.
      I want to add an outbount NAT pool of 5 additional addresses .173 - .177

      I've figured out how to add the additional Firewall-> Virtual IP Aliases under the single carp address, what I'm trying to confirm is that I ALSO have to add an Firewall->"Alias" to include .170 (original carp) and .173-.177 Virtual Ip Aliases so I can use THAT alias in the outbound NAT assignment? Do I NOT need the VIP alias attached to the CARP address? or do I?

      Alias for Aliases?...... Just trying to make sure I'm doing this correctly.
      I've spent several hours searching and haven't really bottomed out on an example of what I'm trying to do.

      Thanks for any insight!

      • viragomann @Wherewolf

        @wherewolf said in Outbound NAT Pool for Carp:

        > what I'm trying to confirm is that I ALSO have to add an Firewall->"Alias" to include .170 (original carp) and .173-.177 Virtual Ip Aliases so I can use THAT alias in the outbound NAT assignment?

        Sure, that is necessary as you cannot express the desired IPs with a network + mask.

        > Do I NOT need the VIP alias attached to the CARP address?

        That's needed though. Otherwise the WAN interface cannot use it.

        > Alias for Aliases?

        I would put all IPs in a single alias. You can use only one in the NAT rule.

        • Wherewolf

          Thanks for the feedback.

          Firewall / Virtual IPs
          Virtual IP Address | Interface | Type | Description
          202.101.203.170/24 (vhid: 10) | IPV4WANOUTSIDE | CARP | IPV4 WAN OUTSIDE CARP   <<<<--- original CARP address
          202.101.203.173/32 | 202.101.203.170 (IPV4 WAN OUTSIDE CARP) | IP Alias | Additional Nat
          202.101.203.174/32 | 202.101.203.170 (IPV4 WAN OUTSIDE CARP) | IP Alias | Additional Nat
          202.101.203.175/32 | 202.101.203.170 (IPV4 WAN OUTSIDE CARP) | IP Alias | Additional Nat
          202.101.203.176/32 | 202.101.203.170 (IPV4 WAN OUTSIDE CARP) | IP Alias | Additional Nat
          202.101.203.177/32 | 202.101.203.170 (IPV4 WAN OUTSIDE CARP) | IP Alias | Additional Nat

          Firewall / Aliases / Edit
          Name: OUTSIDE_NAT_IPV4
          Description: .170 & .173-.177
          IP or FQDN | Description
          202.101.203.170 | Main CARP   <<<---- included as it was the "original"
          202.101.203.173 | Additional
          202.101.203.174 | Additional
          202.101.203.175 | Additional
          202.101.203.176 | Additional
          202.101.203.177 | Additional

          Then on the NAT rule, select "OUTSIDE_NAT_IPV4" as the translation and set it to round robin?

          I think I understand: for outbound NAT pooling, I need the Firewall Alias, but in order to have CARP failover, I ALSO need the Virtual IP Aliases. It's just confusing listing the same addresses in two different "alias" places.

          • viragomann @Wherewolf

            @wherewolf
            Virtual IPs and Aliases are entirely different things.

            Virtual IPs can be assigned to interfaces as additional IPs. In your case the type "IP Alias" is the best to use here, but others would also be possible, e.g. CARP.
            If they are not CARP themselves, they have to be hooked up to the primary CARP VIP for the failover to work.

            Aliases of type IP are in this case an independent array of IP addresses. It doesn't matter whether these are assigned to an interface or not. They can be used in firewall or NAT rules.

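The two screens in the thread (the Virtual IPs table and the OUTSIDE_NAT_IPV4 alias) state a consistency requirement that is easy to break when the same addresses are maintained in two places: every address in the pool alias must be either the CARP VIP itself or an IP Alias VIP hooked to that CARP VIP, otherwise the address does not follow the failover and traffic translated to it is lost on the backup node. The Python script below is an added example, not code from the thread or from pfSense; it reads a constructed, simplified text form of the two tables (one VIP per line as address/prefix, type, parent), flags pool members that violate the rule, and prints an illustrative pf-style round-robin translation rule for the addresses that pass (pfSense generates its own ruleset, so the rule only shows the shape of the pool).

```python
"""Cross-check an outbound NAT pool alias against the Virtual IP table.

Added example (not from the forum thread or pfSense). Inputs are a
constructed text form of the thread's Virtual IPs table and pool alias,
with two deliberate mistakes added to show what the check catches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VirtualIP:
    address: str
    prefix: int
    kind: str               # "CARP" or "IPAlias"
    parent: Optional[str]   # CARP VIP an IP Alias is hooked to, else None


# Constructed sample, one VIP per line: address/prefix type parent-or-dash.
# Mirrors the thread's table; .178 is an IP Alias with no CARP parent.
SAMPLE_VIPS = """\
202.101.203.170/24 CARP -
202.101.203.173/32 IPAlias 202.101.203.170
202.101.203.174/32 IPAlias 202.101.203.170
202.101.203.175/32 IPAlias 202.101.203.170
202.101.203.176/32 IPAlias 202.101.203.170
202.101.203.177/32 IPAlias 202.101.203.170
202.101.203.178/32 IPAlias -
"""

# Constructed pool alias: the thread's six addresses plus two bad entries.
SAMPLE_POOL = [
    "202.101.203.170", "202.101.203.173", "202.101.203.174",
    "202.101.203.175", "202.101.203.176", "202.101.203.177",
    "202.101.203.178",   # VIP exists but is not tied to the CARP VIP
    "202.101.203.179",   # not configured as a VIP at all
]


def parse_vips(text: str) -> dict[str, VirtualIP]:
    """Parse the simplified VIP table into a map keyed by address."""
    vips: dict[str, VirtualIP] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cidr, kind, parent = line.split()
        iface = ipaddress.ip_interface(cidr)
        addr = str(iface.ip)
        vips[addr] = VirtualIP(addr, iface.network.prefixlen, kind,
                               None if parent == "-" else parent)
    return vips


def check_pool(pool: list[str], vips: dict[str, VirtualIP],
               carp: str) -> tuple[list[str], dict[str, str]]:
    """Return (usable addresses, {address: reason}) for a pool alias.

    An address is failover-safe only if it is the CARP VIP itself or an
    IP Alias VIP whose parent is that CARP VIP.
    """
    if carp not in vips or vips[carp].kind != "CARP":
        raise ValueError(f"{carp} is not a CARP VIP")
    usable: list[str] = []
    problems: dict[str, str] = {}
    for addr in pool:
        vip = vips.get(addr)
        if vip is None:
            problems[addr] = "not configured as a Virtual IP"
        elif addr == carp or (vip.kind == "IPAlias" and vip.parent == carp):
            usable.append(addr)
        elif vip.kind == "IPAlias":
            problems[addr] = f"IP Alias not hooked to CARP VIP {carp}"
        else:
            problems[addr] = f"unexpected VIP type {vip.kind}"
    return usable, problems


def pf_nat_rule(interface: str, source: str, pool: list[str]) -> str:
    """Illustrative pf-style round-robin translation rule for the pool.
    Interface and source network are placeholders chosen for the example."""
    return (f"nat on {interface} from {source} to any -> "
            "{ " + ", ".join(pool) + " } round-robin")


if __name__ == "__main__":
    vips = parse_vips(SAMPLE_VIPS)
    usable, problems = check_pool(SAMPLE_POOL, vips, "202.101.203.170")
    for addr, reason in problems.items():
        print(f"PROBLEM {addr}: {reason}")
    print(pf_nat_rule("em0", "10.0.0.0/8", usable))
```

Run against the constructed data, the check reports .178 and .179 as problems and emits the rule for the six addresses the thread lists. Keeping a check like this next to the HA configuration catches the case the thread worries about: a pool member that was added to the Firewall Alias but never created as an IP Alias VIP under the CARP address.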
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.