CARP Backup can't access remote resource over site-to-site OpenVPN
-
We have two sites each using a pair of pfSense firewalls configured for HA. They are connected via a site-to-site OpenVPN setup. I'm aware of the issue and solution described at https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html, and the solution has been implemented on both ends. Our issue is the reverse; the backup firewall is not able to access a resource on the remote network (presumably for the same reason described in the page above), and I'm having a hard time figuring out a good way to overcome it.
So far I've only thought of adding a NAT rule that listens on a CARP VIP on the LAN interface. In experimenting with this, I found that the backup firewall was able to access the resource through the NAT rule, but the master firewall was not able to access the resource this way. This was the case for all three kinds of NAT reflection types. I feel like the solution is another Outbound NAT rule or a static route, but I'm not sure what rule I could make that wouldn't mess up the routing for whatever firewall has the CARP master role...
The master one is able to access the resource directly, so I could set up separate configs for each, but this is part of a config in pfBlockerNG, so I would really like to use a config that works for both firewalls so I don't have to manually copy configs between the two.
-
@caleb-hornbeck
Why does the backup need to access anything on the remote site? -
@viragomann
The pfBlockerNG package pulls a list of IPs that's generated by a server in the remote site. -
@caleb-hornbeck
To route that over the VPN is not trivial, I guess. It might be easier to route it over the WAN and access the server by a public IP. -
@viragomann Or put the pfblocker file on an inside network that both nodes have ready access to. Sync it to a reachable server or something.
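The last suggestion above (mirror the list onto an inside host both nodes can reach) is the approach I would take, and the one thing worth adding to it is a fail-closed check: a block list that a firewall trusts should not be replaced by an empty or truncated download, or by a file that turns out not to be an IP list at all. The script below is an added example for that mirror job; it is not code from the thread, from pfBlockerNG, or from Netgate. The source URL, the publish path and the 50% shrink threshold are assumptions for illustration, and pfBlockerNG on both nodes would then point at the mirrored URL on the inside host instead of the remote-site server.

```python
"""Mirror a pfBlockerNG IP list from the remote-site server onto an inside host.

Added example (not from the thread or pfBlockerNG). SOURCE_URL and PUBLISH_PATH
are hypothetical; replace them with the real list generator and the local web
root that both HA nodes can reach.
"""
import ipaddress
import os
import tempfile
import urllib.request

SOURCE_URL = "http://lists.example.internal/blocklist.txt"  # assumed remote-site generator
PUBLISH_PATH = "/var/www/html/blocklist.txt"                 # assumed local web root


def parse_ip_list(text):
    """Return the IPv4/IPv6 networks in text, ignoring blank lines and '#' comments.

    Any malformed entry raises ValueError, so a corrupted download (HTML error
    page, captive-portal redirect, half-written file) is rejected outright
    rather than silently shrinking the block list.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def should_publish(new_nets, old_nets, max_shrink=0.5):
    """Fail closed: refuse an empty list, or one that lost more than max_shrink
    of the previously published entries (usually a truncated or wrong file)."""
    if not new_nets:
        return False
    if old_nets and len(new_nets) < len(old_nets) * (1 - max_shrink):
        return False
    return True


def fetch(url, timeout=30):
    """Download the list as text (network access; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def publish(nets, path):
    """Write the list atomically so a node fetching mid-update never sees a partial file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".blocklist-")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(n.with_prefixlen for n in nets) + "\n")
    os.replace(tmp, path)


def sync(url=SOURCE_URL, path=PUBLISH_PATH):
    """Fetch, validate against the current file, and publish. Returns True if published."""
    old = []
    if os.path.exists(path):
        with open(path) as f:
            old = parse_ip_list(f.read())
    new = parse_ip_list(fetch(url))
    if not should_publish(new, old):
        return False  # keep the last known-good list in place
    publish(new, path)
    return True


if __name__ == "__main__":
    import sys
    sys.exit(0 if sync() else 1)
```

Run it from cron on the inside host; a non-zero exit means the previous list was kept, which is the right outcome when the remote generator is unreachable or returns garbage. Because the inside host, not the firewall, talks to the remote site, it no longer matters which node holds the CARP master role.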