Netgate Discussion Forum
    Routed subnet / Nat to CARP

    HA/CARP/VIPs
    Lillefjer:

      Hey

      I got an HA setup with 3 ISPs connected.
      Yesterday we did a test failover on the HA part and it didn't go as expected.

      I got a /24 routed from each ISP to a WAN CARP on each ISP.
      Some of those IPs from the /24 are used for a DMZ zone (routed right through) and some are used for NAT port forwards.
      Should all of those IPs from the /24 be added as IP Aliases on the WAN CARP, or just the ones used for NATs?

      Some of the errors from yesterday were that the IPs routed through worked, but not the NATed ones.
      I can't seem to find anything in the handbook about this subject, about IPs used for NATs in this HA setup.

      Thanks in advance.

      Derelict (Netgate):

        It depends on what they are being used for.

        Addresses from a routed subnet on one ISP will not work on any other ISPs unless you are announcing them to all of them via BGP or something - at least inbound. You might be able to get outbound working by using Outbound NAT on the WANs that do not have those addresses natively.

        Going to need a lot more details as to your situation in order to provide more targeted feedback. Use one example of what appeared not to work and give details on that one thing.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Lillefjer:

          Hey.

          I don't mix the /24 subnets from the other ISPs, that I got right :)
          And I also got the outbound NAT working right; the problem/question is about the inbound NAT / port forward.

          The question is, do I need to add the IP addresses I use for NAT as a CARP address?
          My ISP is routing the /24 subnet to the CARP address, so I know the backup node gets the traffic if I fail over, but it didn't work with the NATs.

          Derelict (Netgate):

            Why are you port forwarding and using NAT at all if you have a routed /24?

            If it is routed you do not need a VIP to do a port forward. Just set the Destination to Single host or alias and enter the address on the routed subnet. The traffic will arrive, NAT will be applied, firewall rules will be checked, and the packet forwarded on its way inside. Zero reason that won't work on an HA failover unless they are really not routing to the CARP VIP.


            Lillefjer:

              Hey

              The reason for the NAT is that it's part of a DNS failover.
              I got it working like this:
              WAN1 IP: 1.2.3.4 NAT'ed to 172.10.0.1
              WAN2 IP: 4.3.2.1 NAT'ed to 172.10.0.1

              That way I got a WAN failover to the same server.

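As an added illustration (not part of the thread and not pfSense's own generated ruleset) of what Derelict describes and of Lillefjer's two-WAN layout, here is the equivalent in pf.conf syntax: the ISP routes the /24 to the WAN CARP VIP, the port forward's destination is the routed address itself with no IP Alias, and each WAN's pass rule carries reply-to so replies leave the WAN they came in on. Interface names, ISP next hops, CARP VIPs and the routed 198.51.100.0/24 are assumptions; 172.10.0.1 is the server from the thread.

```pf
# Assumed layout (constructed for this example, not from the thread):
#   em0 = WAN1, ISP1 next hop 203.0.113.1, WAN1 CARP VIP 203.0.113.10
#   em1 = WAN2, ISP2 next hop 192.0.2.1,   WAN2 CARP VIP 192.0.2.10
#   ISP1 routes 198.51.100.0/24 to 203.0.113.10 (the CARP VIP, so the
#   route follows a failover). 198.51.100.5 is the address being forwarded.
#   172.10.0.1 is the internal server from the thread.
wan1 = "em0"
wan2 = "em1"
srv  = "172.10.0.1"

# Destination NAT for an address in the routed /24. The address is not
# configured on the firewall at all (no IP Alias, no CARP VIP); it only
# has to be routed to the node that is currently CARP MASTER. This is what
# "Destination: Single host or alias" in the pfSense port forward form produces.
rdr on $wan1 inet proto tcp from any to 198.51.100.5 port 443 -> $srv port 443

# DNS-failover style from the thread: a second public address on WAN2
# forwards to the same internal server.
rdr on $wan2 inet proto tcp from any to 192.0.2.10 port 443 -> $srv port 443

# Firewall rules are evaluated after rdr, so they match the translated
# destination. reply-to pins the return path to the WAN the SYN arrived on;
# without it, replies to WAN2 clients would leave via the default gateway
# on WAN1 and the connection would fail. pfSense adds reply-to itself on
# rules bound to a WAN that has a gateway.
pass in quick on $wan1 reply-to ( $wan1 203.0.113.1 ) inet proto tcp \
    from any to $srv port 443 flags S/SA keep state
pass in quick on $wan2 reply-to ( $wan2 192.0.2.1 ) inet proto tcp \
    from any to $srv port 443 flags S/SA keep state

# The CARP VIP is an interface address, not a pf rule. pfSense creates it
# from the Virtual IPs page; the equivalent FreeBSD ifconfig on each node is
# (advskew 0 on the primary, a higher value such as 100 on the secondary):
#   ifconfig em0 vhid 1 advskew 0 pass <shared-secret> alias 203.0.113.10/29
```

If a forward to a routed address stops working after failover while the routed DMZ hosts still work, compare the pf states and the rdr rules on the new MASTER before suspecting the ISP's route.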
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.