Netgate Discussion Forum

    Access to GUI - VPN

      viragomann @MrGamecase

      @MrGamecase
      The solution is described in the docs:
      Troubleshooting VPN Connectivity to a High Availability Secondary Node

        MrGamecase @viragomann

        @viragomann

        Indeed it is, I missed that in their guidance.... Thank you 👍

          MrGamecase

          For example, add a manual outbound NAT rule on the LAN interface - DONE

          source being the VPN subnet, destination being an alias that contains both the primary and secondary node LAN IPs. - DONE

          Translation would be Interface Address (NOT the CARP VIP!). - I'm confused with this bit

            viragomann @MrGamecase

            @MrGamecase
            Why?
            The goal is that response packets from the backup node come back to the master. So interface address is fine. However, CARP VIP should work as well, since it is always owned by the master.

              MrGamecase @viragomann

              @viragomann said in Access to GUI - VPN:

              @MrGamecase
              Why?
              The goal is that response packets from the backup node come back to the master. So interface address is fine. However, CARP VIP should work as well, since it is always owned by the master.

              I'm having a complete DUMB moment, I'm forgetting I'm using VLAN 10 as management access to the systems. I saw LAN and set it up on the LAN interface, which was why I got confused as to why it wasn't working.

              Changing the interfaces to my VLAN 10 interfaces, everything now functions as expected.

              Once again, thank you for your help in resolving another issue I had with CARP

                MrGamecase

                @viragomann

                On a completely random note.... I use MeshCentral as a systems management / remote access software [ self hosted behind firewall ]. How would I get this to work if the primary vPFSense server failed?

                The DNS name runs through Cloudflare, pointing to the primary.

                  viragomann @MrGamecase

                  @MrGamecase said in Access to GUI - VPN:

                  The DNS name runs through Cloudflare, pointing to the primary.

                  Point the host name to the WAN CARP VIP.

                    MrGamecase @viragomann

                    @viragomann said in Access to GUI - VPN:

                    @MrGamecase said in Access to GUI - VPN:

                    The DNS name runs through Cloudflare, pointing to the primary.

                    Point the host name to the WAN CARP VIP.
                    [Image: Screenshot 2024-03-11 at 12.15.04 am.png]

                    Just to confirm: where the red box was pointing to one of the WANs on the vPFSense, I change this to the CARP VIP.

                    Also adjusting the WAN rule for the ports - changing destination to the WAN CARP VIP?

                      viragomann @MrGamecase

                      @MrGamecase
                      Of course. All access should use the CARP VIP. Likewise all internal devices have to use the respective CARP as default gateway to go to the internet or other network segments.

                        MrGamecase @viragomann

                        @viragomann said in Access to GUI - VPN:

                        @MrGamecase
                        Of course. All access should use the CARP VIP. Likewise all internal devices have to use the respective CARP as default gateway to go to the internet or other network segments.

                        I got ya, Slowly understanding CARP😁

                        Thank you for your help this evening, VERY much appreciated
