Netgate Discussion Forum

    2.2.6 to 2.3.2 - pfSense web server serving request for CARP IPs instead of NAT

    Problems Installing or Upgrading pfSense Software
    3 Posts 2 Posters 3.0k Views
    rkelleyrtp

      Greetings all,

      Upgraded from 2.2.6 to 2.3.2 recently and have run into an issue (just like https://forum.pfsense.org/index.php?topic=114201.0).

      I have a pair of pfSense firewalls, each with its own outside (WAN) IP, that share 3 CARP IPs (again, on the WAN side). The pfSense web server is running https on port 8081. The problem: when a server inside the LAN side tries to reach another server (LAN side) using its public IP, the pfSense web server intercepts the traffic (as observed in the /var/log/nginx.log file).

      Example:
      FW1: Public_IP 10.10.10.1
      FW2: Public_IP 10.10.10.2
      CARP-IP-1 10.10.10.5
      CARP-IP-2 10.10.10.6
      CARP-IP-3 10.10.10.7

      Server-1:  Public_IP: 10.10.10.5  (CARP) NAT to Inside_IP 192.168.1.21
      Server-2:  Public_IP: 10.10.10.6  (CARP) NAT to Inside_IP 192.168.1.22

      If Server-1 makes an http request to Server-2 via the inside IP, no problem at all.
      If Server-1 makes an http request to Server-2 via the outside (CARP) IP, the pfSense web server intercepts the traffic.

      Our test tool reports the following error when using the outside (CARP) address:


      <title>301 Moved Permanently</title>
      <center><h1>301 Moved Permanently</h1></center>
      <hr>
      <center>nginx</center>


      As per the other forum thread, pfSense v2.2.6 did not have this problem.  The other thread suggests using Proxy ARP addresses instead of CARP addresses, but I have two firewalls in a cluster and need complete failover capability.

      Is this new behavior expected, or is this a bug?

      NOYB

        HSTS

        https://forum.pfsense.org/index.php?topic=118761.msg657405#msg657405

        Search for HSTS and you'll find some more threads.

        rkelleyrtp

          Thanks for the pointer. While I needed that option set, I also had to enable the checkbox for WebGUI redirect (System -> Advanced).

          BTW - A huge shout-out to the pfSense technical support team.  After struggling with this for a few hours, I opened a ticket and immediately had a couple of great engineers on the phone (maybe 2min wait at most).  Brandon and Chris helped figure out the problem in short order as well as clear up some questions about CARP, NAT, and NAT Reflection.  Thanks guys!

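A small diagnostic for the symptom described in this thread, added here as an example and not code from the poster or the pfSense project: it parses raw HTTP responses received when a LAN host connects to a server's public CARP address and tells a reply from the NAT-reflected backend apart from a reply served by the firewall's own webConfigurator (the 301 to https on port 8081 and the nginx default page seen above), and it flags a Strict-Transport-Security header, which is what makes a browser keep forcing https for that address. The GUI port, the sample responses and the Server header values are constructed from the thread's description.

```python
"""Classify raw HTTP responses seen when a LAN host reaches a server through its
public CARP address: did NAT reflection deliver the request to the real backend,
or did the pfSense webConfigurator (nginx on port 8081 in the thread) answer it?"""
from dataclasses import dataclass
from urllib.parse import urlsplit

GUI_PORT = 8081  # pfSense web server port used in the thread (assumption: unchanged)

@dataclass
class Verdict:
    status: int
    intercepted: bool  # True when the firewall's own nginx answered instead of the backend
    hsts: bool         # True when Strict-Transport-Security is present (browser will force https)
    reason: str

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw: str) -> Verdict:
    status, headers, body = parse_response(raw)
    hsts = "strict-transport-security" in headers
    location = urlsplit(headers.get("location", ""))
    # The webConfigurator redirect rule answers plain http with a 301 to https on its
    # own port, so a 301 whose Location targets that port is the strongest signal.
    if status == 301 and location.scheme == "https" and location.port == GUI_PORT:
        return Verdict(status, True, hsts, f"301 to webConfigurator port {GUI_PORT}")
    # Weaker signal: nginx's stock 301 page with no usable Location (what the test tool printed).
    if status == 301 and "nginx" in headers.get("server", "").lower() and "<center>nginx</center>" in body:
        return Verdict(status, True, hsts, "nginx default 301 page, no Location to check")
    return Verdict(status, False, hsts, "answered by the NAT'd backend")

# Constructed samples for illustration, not captures from the poster's network.
INTERCEPTED = ("HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
               "Location: https://10.10.10.6:8081/\r\nContent-Type: text/html\r\n\r\n"
               "<html><head><title>301 Moved Permanently</title></head><body>"
               "<center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>")
BACKEND = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
           "<html><body>Server-2 application</body></html>")
GUI_TLS = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
           "<html><body>pfSense login</body></html>")

if __name__ == "__main__":
    for name, sample in (("intercepted", INTERCEPTED), ("backend", BACKEND), ("gui_tls", GUI_TLS)):
        print(name, classify(sample))
```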
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.