Netgate Discussion Forum
    How to use Carp IP for outgoing traffic

HA/CARP/VIPs
    8 Posts 3 Posters 3.1k Views
ewuewu:

      Hello all,

I've got two nets from my provider:

      A.A.A.0/29 (Transfer net from Provider)

      and

      B.B.B.0/23 (official net for our use)

and I am using two pfSense boxes in a redundant configuration.

      Both nets are official nets and not private nets. All traffic from the internet is routed to A.A.A.6 by my provider.

      The WAN side of Box 1 has the IP A.A.A.4 – Box2 has A.A.A.5 – The providers gateway is A.A.A.1

      Both Boxes are sharing a carp address A.A.A.6

The B net is divided into two nets: B.B.0.0/24 on the LAN interface and B.B.1.0/24 on the OPT1 interface.

The LAN interface has the IP B.B.0.2 on Box1 and B.B.0.3 on Box2.

Both boxes are sharing a CARP address B.B.0.1 on the LAN interface as the gateway for the LAN net.

      I’ve the same setup on the OPT1 interface with the B.B.1.0 net

      All of the above is configured without NAT

      Currently Box1 is the master.

Unfortunately, outgoing packets from the B.B.x.x nets are using the main IP of the pfSense boxes (A.A.A.4) on the WAN side and not the CARP IP (A.A.A.6).

What did I do wrong?

I won't use NAT because any system in the LAN or OPT1 net should access the Internet with its own IP.

      Where is my mistake?

viragomann:

Go to Firewall > NAT > Outbound. If it is set to "Automatic outbound NAT rule generation", mark "Manual Outbound NAT rule generation" and hit the save button.
Go down and edit the WAN rules to meet your needs, or add additional ones if needed. At Translation, select your CARP VIP.

ewuewu:

Hello viragomann,

maybe I am misunderstanding something, but I would say that if I follow your recommendation, every IP from my LAN would be translated into the IP of the WAN CARP address.

That is the behaviour I'd like to avoid.

          Please correct me.

viragomann:

You can determine by source address (range) which source addresses should be translated to the translation address. If you want to translate packets from particular hosts to another address like B.B.0.1, just select it in the Translation dropdown.

Derelict (LAYER 8, Netgate):

You want to enable manual outbound NAT, then disable/delete the rules that match the LAN networks so NAT is not performed at all for those source IP addresses.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

ewuewu:

Sorry for my bad English. Maybe that's the reason for the misunderstanding.

I'd like to avoid NATting my LAN addresses, but I'd like outgoing connections to be routed over the WAN CARP address.

Currently, if I do a traceroute, all my packets are leaving the pfSense via the physical WAN interface address and are not translated.

If I switch on NAT with the CARP translation address, then they are leaving the pfSense via the CARP interface address, but they are translated into the CARP interface address.

                What I want to obtain is:

LAN addresses should not be translated AND should leave the pfSense via the WAN CARP address.

Any help is appreciated.

Derelict (LAYER 8, Netgate):

Why do you care what the IP address of that hop is? The IP packet will have a source IP address of the host and a destination address somewhere out there. As long as it is routed out the correct interface to the correct next-hop IP address, that is all that matters. CARP is irrelevant.

                  You do want to be sure the upstream is routing your routed subnets to the CARP VIP so failover will work properly.

viragomann:

                    @ewuewu:

                    What I want to obtain is:

LAN addresses should not be translated AND should leave the pfSense via the WAN CARP address.

Packets can't leave pfSense "via the WAN CARP address". That is just a virtual IP address, nothing physical. Packets leave pfSense via an interface or are routed to a gateway. They just have a source and a destination address, and these can be translated or not.

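The two things this thread turns on, Derelict's advice (manual outbound NAT with the routed public subnets exempted, and the provider routing those subnets to the CARP VIP) and viragomann's point that the VIP is only a translation or next-hop address, can be made concrete with a small model of how pf, the packet filter behind pfSense, picks the source address a packet leaves the WAN with. This is an added example, not code from the thread or from pfSense. It assumes the WAN interface is em0, uses documentation-range addresses in place of the thread's placeholders (198.51.100.0/29 for A.A.A.0/29, 203.0.113.0/24 for the B net, split into two /25s for LAN and OPT1), and invents a private 10.10.0.0/24 network purely to show a subnet that does need translation:

```python
"""Model of pf outbound translation on the WAN and the upstream-routing check.

Added example, not code from the thread or from pfSense. Addresses are
documentation-range stand-ins for the thread's A.A.A.x / B.B.x.x placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Addr = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network

WAN_IF = "em0"                                          # assumed interface name
WAN_ADDR = ipaddress.ip_address("198.51.100.4")         # box 1 WAN address (A.A.A.4)
WAN_VIP = ipaddress.ip_address("198.51.100.6")          # shared CARP VIP (A.A.A.6)
B_NET = ipaddress.ip_network("203.0.113.0/24")          # stands in for B.B.0.0/23
LAN_NET = ipaddress.ip_network("203.0.113.0/25")        # stands in for B.B.0.0/24
OPT1_NET = ipaddress.ip_network("203.0.113.128/25")     # stands in for B.B.1.0/24
RFC1918_NET = ipaddress.ip_network("10.10.0.0/24")      # invented private net needing NAT
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    """One outbound NAT rule; translate_to=None is a pfSense 'Do not NAT' rule."""
    iface: str
    source: IPv4Net
    translate_to: Optional[IPv4Addr]


def egress_source(rules: List[NatRule], src: str, out_iface: str = WAN_IF) -> str:
    """Source address a packet from `src` leaves `out_iface` with.

    pf evaluates translation rules first-match (top-down in the pfSense UI), so a
    'Do not NAT' rule only takes effect if it sits above any broader rule that
    would also match the same source.
    """
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.iface == out_iface and src_ip in rule.source:
            return str(src_ip if rule.translate_to is None else rule.translate_to)
    return str(src_ip)  # no rule matched: the packet is routed untranslated


# Derelict's recommendation: manual outbound NAT, routed public subnets exempted,
# only the private network translated (to the CARP VIP so the state survives failover).
MANUAL_RULES = [
    NatRule(WAN_IF, LAN_NET, None),
    NatRule(WAN_IF, OPT1_NET, None),
    NatRule(WAN_IF, RFC1918_NET, WAN_VIP),
]

# Translating every source to the VIP is exactly what the poster wants to avoid.
CATCH_ALL_RULES = [NatRule(WAN_IF, ANY, WAN_VIP)]

# The same 'Do not NAT' rule placed below the catch-all is shadowed and never matches.
SHADOWED_RULES = [NatRule(WAN_IF, ANY, WAN_VIP), NatRule(WAN_IF, LAN_NET, None)]


def next_hop_for(routes: List[Tuple[IPv4Net, IPv4Addr]], net: IPv4Net) -> Optional[IPv4Addr]:
    """Longest-prefix lookup of `net` in a constructed provider-side routing table."""
    best = None
    for prefix, nh in routes:
        if net.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def upstream_failover_ok(routes, routed_nets=(LAN_NET, OPT1_NET), vip=WAN_VIP) -> bool:
    """Derelict's caveat: the provider must point the routed subnets at the CARP VIP,
    not at one box's own WAN address, or inbound traffic dies when the master fails."""
    return all(next_hop_for(routes, net) == vip for net in routed_nets)


# Constructed provider routing tables: the B net handed to the VIP vs. to box 1 directly.
PROVIDER_ROUTES_GOOD = [(B_NET, WAN_VIP)]
PROVIDER_ROUTES_BAD = [(B_NET, WAN_ADDR)]


if __name__ == "__main__":
    for name, rules in (("manual", MANUAL_RULES), ("catch-all", CATCH_ALL_RULES),
                        ("shadowed", SHADOWED_RULES)):
        for host in ("203.0.113.10", "203.0.113.140", "10.10.0.5", str(WAN_ADDR)):
            print(f"{name:9s} {host:15s} leaves WAN as {egress_source(rules, host)}")
    print("failover ok (B net routed to VIP):  ", upstream_failover_ok(PROVIDER_ROUTES_GOOD))
    print("failover ok (B net routed to box 1):", upstream_failover_ok(PROVIDER_ROUTES_BAD))
```

The model shows why the traceroute hop address is a red herring: with the routed subnets exempted, a LAN host's packet keeps its own source address no matter which box is CARP master, and the firewall's own traffic (source A.A.A.4) is untouched because no rule matches it. The ordering cases are the practical trap when editing the WAN rules by hand: a "Do not NAT" rule for B.B.0.0/23 has to sit above any rule whose source covers it. What actually decides whether failover works is the last check, the provider's route for the B net pointing at the VIP rather than at either box's WAN address.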
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.