    [CLOSED] CARP IP as 1:1 NAT

HA/CARP/VIPs · 8 Posts, 2 Posters, 1.5k Views
• nicknack

      Hi everyone,
So I have these 4 spare public IPs that I tried to 1:1 NAT to my internal LAN.
Without CARP/PFSYNC it runs OK (I use IP Alias).

Now I have set up CARP+PFSYNC with 2 firewalls; it runs OK, but ONLY for the clients inside to get outside! (only outbound NAT).

The 1:1 NAT IP that I used is not working on the slave firewall when the master firewall is down,
even though on the slave firewall I see that the backup status has turned to master status for all CARP IP addresses.
Again, I put the CARP IP addresses in the 1:1 NAT web GUI, but it never worked when the master firewall is down.

Any help/pointer is greatly appreciated.

• Derelict (Netgate)

        Is the default gateway of the inside host also a CARP VIP on LAN that is properly swinging over to the secondary?

        You might need to post your actual configuration as what you are describing should work fine.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

• nicknack

          @Derelict:

          Is the default gateway of the inside host also a CARP VIP on LAN that is properly swinging over to the secondary?

          You might need to post your actual configuration as what you are describing should work fine.

Thanks for your time. I will try to include the configs, as I am outside using public Wi-Fi.

I actually use another CARP/HA-sync dual bandwidth shaper behind the firewall, which doesn't have NAT, only routing,
so it's basically like this:

LAN --> Bandwidth shaper (CARP IP) --> FIREWALL (CARP IP) --> ISP Gateway

I've tested the bandwidth shaper's CARP/HA functionality; both work just fine, either as master or slave when the other is turned off.

The bandwidth shaper has the firewall's CARP IP address as its default gateway,
and the firewall has the shaper's CARP IP as the gateway to the LAN.

Let me know which config you need to see; I will get it when I get home.

Thanks!

• Derelict (Netgate)

            1:1 NAT should work fine there. Probably need to see the 1:1 NAT and CARP VIPs on primary and secondary.


• nicknack

Hi,
here are the screenshots I've taken:
.189 is the firewall's float IP facing the ISP gateway,
192.168.1.1 is the float IP facing the shaper's float IP.
I use a darker theme for the slave firewall to avoid confusion.
Thank you very much in advance for looking into this!

![Master Status CARP.jpg](/public/imported_attachments/1/Master Status CARP.jpg)
![Slave Status CARP.jpg](/public/imported_attachments/1/Slave Status CARP.jpg)
![Master Firewall Virtual IPs.jpg](/public/imported_attachments/1/Master Firewall Virtual IPs.jpg)
![Slave Firewall Virtual IPs.jpg](/public/imported_attachments/1/Slave Firewall Virtual IPs.jpg)
![Master Firewall NAT 1 1.jpg](/public/imported_attachments/1/Master Firewall NAT 1 1.jpg)
![Slave Firewall NAT 1 1.jpg](/public/imported_attachments/1/Slave Firewall NAT 1 1.jpg)

• nicknack

I've been trying to capture the packets here.
I tried a tcptraceroute to the slave firewall's CARP IP on port 443, NATed 1:1 to a LAN host.

Packets from outside went to the slave firewall's CARP IP and were NATed OK to the LAN IP:
22:44:59.109168 IP w.x.y.z.59494 > 192.168.10.80.443: tcp 0

On the 1:1 NATed LAN host:

• I can see that packets are coming in, but it just keeps trying to reply without success.
  192.168.10.80.https > w.x.y.z.59494 : Flags [S.], seq 1839487501, ack 2476811853, win 17920, options [mss 8960,nop,nop,sackOK], length 0

• BUT, if from this 1:1 NATed LAN host I do a tcptraceroute / links to wtfismyp.com/text, it can reach it, and the proper CARP IP is shown.

phew...

• Derelict (Netgate)

                  Capture on the LAN address of the secondary pfSense while it is the CARP master. Look at the same traffic. Is that interface receiving the reply traffic? If not, why not?


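The capture Derelict asks for is easiest to read when SYNs and SYN-ACKs are paired mechanically rather than by eye. The following is an added example, not code from this thread or from pfSense: it parses `tcpdump -n` text output and reports every TCP SYN that got no SYN-ACK back on the captured interface, which is the symptom nicknack's LAN host shows (inbound 1:1 NAT unanswered, the host's own outbound flows fine). The capture lines are constructed to mimic the secondary firewall's LAN interface while it holds CARP MASTER; 203.0.113.10, 192.168.10.80 and 198.51.100.20 are documentation addresses standing in for the poster's.

```python
"""Pair TCP SYNs with SYN-ACKs in tcpdump text output to spot one-way flows.

Added example; not from the forum thread or from pfSense. The captures below
are constructed to look like `tcpdump -n` on the secondary firewall's LAN
interface while it is CARP MASTER (documentation addresses, not the poster's).
"""
import re
from collections import OrderedDict

# Without -n tcpdump prints service names instead of port numbers.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "domain": 53}

# <timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], seq N[, ack N], ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[0-9.]+)\.(?P<sport>\w+) > (?P<dst>[0-9.]+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)


def _port(text):
    return int(text) if text.isdigit() else SERVICE_PORTS[text]


def parse(line):
    """Return the TCP header fields of one tcpdump line, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "src": m["src"], "sport": _port(m["sport"]),
        "dst": m["dst"], "dport": _port(m["dport"]),
        "flags": m["flags"],
        "seq": int(m["seq"]) if m["seq"] else None,
        "ack": int(m["ack"]) if m["ack"] else None,
    }


def unanswered_syns(lines):
    """List (src, sport, dst, dport) for every SYN with no SYN-ACK in the capture.

    A SYN-ACK answers a SYN when it travels the reverse 4-tuple and, if both
    sequence numbers were printed, acknowledges the SYN's seq + 1. Retransmitted
    SYNs collapse onto the first one seen.
    """
    syns = OrderedDict()
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            syns.setdefault(key, {"seq": pkt["seq"], "answered": False})
        elif pkt["flags"] == "S.":
            rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            syn = syns.get(rev)
            if syn is None:
                continue
            if syn["seq"] is None or pkt["ack"] is None or pkt["ack"] == syn["seq"] + 1:
                syn["answered"] = True
    return [key for key, st in syns.items() if not st["answered"]]


# Constructed capture, secondary LAN interface as CARP MASTER, before the fix:
# the 1:1-NAT'd inbound SYN is delivered (and retransmitted), the host's SYN-ACK
# never comes back through this interface, yet the host's own outbound flow works.
CAPTURE_BROKEN = [
    "22:44:59.109168 IP 203.0.113.10.59494 > 192.168.10.80.443: Flags [S], seq 2476811852, win 29200, options [mss 1460,sackOK], length 0",
    "22:45:00.112044 IP 203.0.113.10.59494 > 192.168.10.80.443: Flags [S], seq 2476811852, win 29200, options [mss 1460,sackOK], length 0",
    "22:45:03.201011 IP 192.168.10.80.41872 > 198.51.100.20.80: Flags [S], seq 911000001, win 29200, options [mss 1460,sackOK], length 0",
    "22:45:03.215470 IP 198.51.100.20.80 > 192.168.10.80.41872: Flags [S.], seq 553000002, ack 911000002, win 65535, options [mss 1460,sackOK], length 0",
]

# Same interface after the return path is fixed: the SYN-ACK now shows up here.
CAPTURE_FIXED = CAPTURE_BROKEN[:1] + [
    "22:44:59.109500 IP 192.168.10.80.https > 203.0.113.10.59494: Flags [S.], seq 1839487501, ack 2476811853, win 17920, options [mss 8960,nop,nop,sackOK], length 0",
] + CAPTURE_BROKEN[2:]

if __name__ == "__main__":
    for label, cap in (("before fix", CAPTURE_BROKEN), ("after fix", CAPTURE_FIXED)):
        print(label, "unanswered SYNs:", unanswered_syns(cap) or "none")
```

Feed it the output of `tcpdump -ni <lan_if> 'tcp[tcpflags] & tcp-syn != 0'` taken on the secondary while it is master. An inbound 1:1 NAT flow listed as unanswered while the same host's outbound flows are answered means the firewall delivered the SYN and the host's reply took a different path back, so the thing to chase is the host's (or an intermediate router's) return route, not the NAT rule.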
• nicknack

I finally found it!

It's a bit weird though...
It turns out that on both master/slave, in the shaper's System -> Routing -> Gateways list,
I still had the bastion firewall's IP from when it was still a standalone pfSense, but it was already in the DISABLED state!
And I have the new bastion firewall's floating IP set as HA enabled.

Pure luck?
I was out of ideas, so I just deleted the hell out of that old (and disabled) IP...
voilà!

Thank you so much for your patience!!

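The root cause above was a gateway entry left over from the pre-HA standalone firewall, sitting disabled in the shaper's System -> Routing -> Gateways list. Entries like that are easy to overlook in the GUI and easy to find in a config.xml backup. The following is an added example, not code from this thread or from pfSense: it lists every gateway_item in a config.xml, flags entries that are disabled and entries whose address does not lie inside the subnet of the interface they are attached to, so an audit of both HA members before a failover test catches leftovers. The element names (`<gateways>`/`<gateway_item>` with `<interface>`, `<gateway>`, `<name>` and an empty `<disabled/>` when disabled; per-interface `<ipaddr>`/`<subnet>`) follow config.xml as I know it and are an assumption to verify against a real backup; the sample config is constructed, loosely modelled on the shaper in the thread, with RFC 1918 addresses standing in for the poster's.

```python
"""Audit the gateway list in a pfSense config.xml backup for leftover entries.

Added example; not code from the thread or from pfSense. The element names
used here (gateways/gateway_item with interface, gateway, name, and an empty
<disabled/> when the entry is disabled; per-interface ipaddr/subnet) follow
config.xml as I know it and are an assumption to check against a real backup.
The sample config is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment for the shaper: its WAN faces the firewall's
# CARP VIP 192.168.1.1, its LAN is 192.168.10.0/24. FW_OLD is the disabled
# leftover from the standalone firewall; STALE_LAN points outside its subnet.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>192.168.1.3</ipaddr><subnet>24</subnet></wan>
    <lan><if>em1</if><ipaddr>192.168.10.3</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <gateways>
    <gateway_item>
      <interface>wan</interface><gateway>192.168.1.1</gateway>
      <name>FW_CARP</name><descr>bastion firewall CARP VIP</descr>
    </gateway_item>
    <gateway_item>
      <interface>wan</interface><gateway>192.168.1.5</gateway>
      <name>FW_OLD</name><descr>standalone firewall, pre-HA</descr>
      <disabled></disabled>
    </gateway_item>
    <gateway_item>
      <interface>lan</interface><gateway>10.9.9.1</gateway>
      <name>STALE_LAN</name>
    </gateway_item>
  </gateways>
</pfsense>
"""


def interface_subnets(root):
    """Map interface tag (wan, lan, opt1, ...) to its statically configured subnet."""
    subnets = {}
    for iface in root.find("interfaces"):
        ip, plen = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and plen and ip not in ("dhcp", "pppoe", "none"):
            subnets[iface.tag] = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    return subnets


def audit_gateways(xml_text):
    """Return [(name, [issue, ...]), ...] for every gateway_item, in config order."""
    root = ET.fromstring(xml_text)
    subnets = interface_subnets(root)
    report = []
    for gw in root.iter("gateway_item"):
        name, addr, ifname = (gw.findtext(tag) for tag in ("name", "gateway", "interface"))
        issues = []
        if gw.find("disabled") is not None:
            issues.append("disabled: leftover entry, delete it if nothing references it")
        net = subnets.get(ifname)
        if net is None:
            issues.append(f"interface {ifname!r} has no static address to reach it from")
        elif addr != "dynamic" and ipaddress.ip_address(addr) not in net:
            issues.append(f"{addr} is outside the {ifname} subnet {net}")
        report.append((name, issues))
    return report


def stale_gateways(xml_text):
    """Names of gateway entries with at least one finding."""
    return [name for name, issues in audit_gateways(xml_text) if issues]


if __name__ == "__main__":
    for name, issues in audit_gateways(SAMPLE_CONFIG):
        print(f"{name}: {'; '.join(issues) or 'ok'}")
```

Run it against a backup from Diagnostics -> Backup & Restore on each HA member; the two reports should be identical if HA sync is doing its job, and anything flagged on either box is worth removing before the next failover test rather than after.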