Netgate Discussion Forum

    CARP NAT rules not working

    Category: HA/CARP/VIPs
    6 Posts 2 Posters 5.2k Views
    jonesr

      Hi all, I'm not sure where this should go but I hope somebody can help.

      I had a setup working fine, using CARP to enable NAT from multiple WAN IPs to a few internal email servers, with a simple dual-homed WAN-LAN system.

      Now I have set up a router-on-a-stick VLAN configuration and no port forwarding rules seem to be working, even on the first WAN address (please correct me if I am wrong, but I understand CARP VIPs are used to listen for second, third etc public IP addresses from the WAN interface, amongst other things, so the 'first' IP address should be a simple WAN->LAN rule?). I have double checked VLAN memberships, IP addresses and deleted/recreated NAT and firewall rules to confirm. A packet capture sees packets arriving on the WAN but nothing on the LAN side.

      Other info:

      There are three internal VLANs, but the servers in question are on the LAN interface
      pfSense 2.0 amd64
      Physical NIC is re0

      Any help is appreciated. I already googled and RTFM'd - an excellent book, BTW. I wasted a day trying to work out VLANs on pfSense, then solved my problem after reading two paragraphs of the manual.

      Thanks in advance.

      pfSense AMD64 VGA - Assume latest version.
      Suricata, pfBlockerNG, SquidGuard, squid3.

      cmb

        If you see it on WAN and not LAN, then either your port forward is wrong, you don't have an associated firewall rule to permit the traffic, you have a block rule that's blocking it, or the internal host isn't reachable.

        jonesr

          Thank you for the advice,

          This is one of my rules for the WAN->LAN (standard, first WAN IP to LAN IP, not one of the additional CARP WAN addresses):

          If: WAN; Proto: TCP; Src. addr: *; Src. ports: *; Dest. addr: LAN address; Dest. ports: 25 (SMTP); NAT IP: 192.168.0.2; NAT Ports: *

          I have recreated the NAT rule, and the firewall rule was automatically created. The only block rules are these:

          The default Private/BOGON rules on the WAN

          The two OPT interfaces I created both have the following rule

              • LAN net * * none

          pfSense can ping the host from the LAN interface.

          If any of that looks wrong to you I would appreciate any help, thanks again.

          cmb

            "LAN address" is almost definitely wrong, that should be the actual public IP.

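The mismatch cmb is pointing at, and the earlier question about what the CARP VIPs are for, as an added example that is not part of the thread and not pfSense's own code: it renders the fields of a "Port Forward" entry into the pf `rdr` rule that pf actually evaluates and checks which inbound packets that rule would translate. A packet arriving on WAN is addressed to the public IP (the "WAN address" for the first IP, a CARP VIP for the second and third), so a rule whose Dest. addr is "LAN address" never matches, which is exactly the "seen on WAN, nothing on LAN" capture. The WAN address 203.0.113.10, the VIPs 203.0.113.11/.12, the LAN address 192.168.0.1 and the second server 192.168.0.3 are assumptions; re0 and 192.168.0.2 come from the thread. The associated firewall rule pfSense auto-creates is not modelled.

```python
"""Added example, not code from the thread or from pfSense: model a pfSense
"Port Forward" entry as the pf 'rdr' rule it becomes, and check which inbound
packets it translates.  Addresses other than re0 and 192.168.0.2 are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional

WAN_IF = "re0"

# Assumed interface addresses.  The GUI aliases "WAN address" and "LAN address"
# resolve to these; each CARP VIP is selectable as its own entry.
WAN_ADDRESS = ip_address("203.0.113.10")
LAN_ADDRESS = ip_address("192.168.0.1")
CARP_VIPS = {"VIP 203.0.113.11": ip_address("203.0.113.11"),
             "VIP 203.0.113.12": ip_address("203.0.113.12")}
ALIASES = {"WAN address": WAN_ADDRESS, "LAN address": LAN_ADDRESS, **CARP_VIPS}

# The only destinations an inbound packet on WAN can carry.
PUBLIC_ON_WAN = {WAN_ADDRESS, *CARP_VIPS.values()}


@dataclass(frozen=True)
class PortForward:
    iface: str                      # If
    proto: str                      # Proto
    dst_addr: str                   # Dest. addr (GUI alias name)
    dst_port: int                   # Dest. ports
    nat_ip: str                     # NAT IP
    nat_port: Optional[int] = None  # NAT Ports (None: same as Dest. ports)

    def dst(self) -> IPv4Address:
        return ALIASES[self.dst_addr]

    def to_pf(self) -> str:
        """pf 'rdr' syntax.  pfSense's generated ruleset is equivalent but not
        byte-for-byte identical (it expands macros and adds options)."""
        port = self.nat_port or self.dst_port
        return (f"rdr on {self.iface} proto {self.proto.lower()} from any "
                f"to {self.dst()} port {self.dst_port} -> {self.nat_ip} port {port}")

    def matches(self, iface: str, proto: str, dst_ip: str, dst_port: int) -> bool:
        """Would this rdr translate a packet with these headers?"""
        return (iface == self.iface and proto.lower() == self.proto.lower()
                and ip_address(dst_ip) == self.dst() and dst_port == self.dst_port)


def translate(rules, iface: str, proto: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """First-match rdr lookup: the internal NAT IP, or None when no rule
    matches (the packet is seen on WAN and never appears on LAN)."""
    for rule in rules:
        if rule.matches(iface, proto, dst_ip, dst_port):
            return rule.nat_ip
    return None


def lint(rule: PortForward) -> List[str]:
    """Flag the mistake from the thread: a port forward on WAN whose
    destination is not the WAN address or a CARP VIP can never match."""
    problems = []
    if rule.iface == WAN_IF and rule.dst() not in PUBLIC_ON_WAN:
        problems.append(
            f"Dest. addr '{rule.dst_addr}' resolves to {rule.dst()}, which is not "
            f"the WAN address or a CARP VIP; inbound packets on {WAN_IF} are "
            f"addressed to a public IP, so this rule never matches")
    return problems


# The rule as posted (Dest. addr = LAN address) beside the corrected forms.
BROKEN = PortForward(WAN_IF, "TCP", "LAN address", 25, "192.168.0.2")
FIXED = PortForward(WAN_IF, "TCP", "WAN address", 25, "192.168.0.2")
# Second public IP via a CARP VIP, forwarded to an assumed second server.
VIP_RULE = PortForward(WAN_IF, "TCP", "VIP 203.0.113.11", 25, "192.168.0.3")

if __name__ == "__main__":
    for r in (BROKEN, FIXED, VIP_RULE):
        print(r.to_pf())
        for p in lint(r):
            print("  PROBLEM:", p)
    print(translate([BROKEN], WAN_IF, "tcp", "203.0.113.10", 25))            # None
    print(translate([FIXED, VIP_RULE], WAN_IF, "tcp", "203.0.113.11", 25))   # 192.168.0.3
```

Running it prints the three rdr rules, a problem line for the posted rule only, `None` for an SMTP packet to the public IP under the broken rule, and the VIP rule's target for a packet to 203.0.113.11. The real check on the box is the same idea: compare the destination in the rdr line of `pfctl -sn` with the destination IP in your WAN packet capture.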
            jonesr

              Really? If it is that simple, I hope you are right. But just to be sure we are on the same page, I'll be more clear about the rule:

              This is from the Firewall: NAT: Port Forward page

              If = WAN
              Proto = TCP
              Src. addr = *
              Src. ports = *
              Dest. addr = LAN Address
              Dest. ports = 25 (SMTP)
              NAT IP = 192.168.0.2
              NAT Ports = *

              If this relates to the WAN interface, I assumed the destination would be the IP of the mail server and the source would simply be WAN.

              Bear with me, I will provide a screenshot when I am on another PC.

              edit: added screenshot (Rules.png)

              jonesr

                cmb,

                I went back to the book and learned quite a bit. I was misunderstanding the options in the rules setup. Thank you for giving me a direction to look in; I have it working now.

                In the end I had a look through the firewall logs and saw the 'easy setup' option to create an allow rule and followed the syntax. I didn't realize the feature was there, I'll remember next time.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.