Netgate Discussion Forum

    HA CARP + NAT 1 to 1 (Virtual IP) - Packet loss (backup server managing response)

    HA/CARP/VIPs
    3 Posts 2 Posters 688 Views
    • jonathanto

      Hi everyone,

      Strange issue here - we have two pfSense configured with CARP - seems to work perfectly fine.

      All our server traffic goes through the pfSense.
      Without a NAT rule, everything works fine - the master pfSense is handling request and response.

      When we add a 1:1 NAT rule to one of our servers in the LAN we have a HUGE problem...

      • pfSense Master does the "echo"
      • pfSense Backup receives the "reply" > we are then losing 1 packet - it seems to have a cache because other packets are OK.
      • It seems that the packet is lost between the WAN and the LAN

      You can see the problem here

      Master server
      (two screenshots, not reproduced)

      Backup server
      (two screenshots, not reproduced)

      Thank you for your help

      • Derelict (Netgate)

        Outline exactly what is where, what is pinging what, and what you think is responding erroneously.

        Be specific about what IP address is what.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • jonathanto

          Hi,

          Didn't you see the screenshots? Everything is explained. Outgoing traffic was done by the master and incoming (reply from server) was going through the backup.

          Finally, after one week of investigation, we've found the problem.

          In the Virtual IP defined (used afterwards in the 1:1 NAT) we had specified the "WAN" interface instead of the WAN CARP interface.

          I think it would be a great idea to put this information in the troubleshooting guide.

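The fix described in the post above comes down to one field: on an HA pair, an IP Alias VIP that is bound directly to the WAN interface is configured on both nodes at once, so the backup also answers for it and return traffic can land on a node that holds no state for the session; an alias bound to the WAN CARP VIP instead follows the CARP MASTER/BACKUP state. The script below is an added example (not code from the thread, Netgate or pfSense) that lints a config export for exactly this mistake: it walks every 1:1 NAT entry and flags external addresses whose VIP is neither a CARP VIP nor an IP Alias riding on one. The element layout (`virtualip/vip` with `mode`, `interface`, `uniqid`, `subnet`; `nat/onetoone` with `external`; the `_vip<uniqid>` interface reference for aliases on CARP) approximates pfSense's config.xml and is an assumption here, as is the embedded sample configuration, which is constructed for the example.

```python
"""Flag 1:1 NAT external addresses whose VIP will not follow CARP failover.

Added example, not from the forum thread or from Netgate/pfSense. The XML
layout mirrors what a pfSense config.xml looks like as far as this author
recalls it; treat element names as an assumption and check them against
your own export before relying on the result.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (not a real export): one CARP VIP on WAN, one IP
# Alias wrongly bound to the plain "wan" interface (the thread's mistake), and
# one IP Alias correctly bound to the CARP VIP through its "_vip<uniqid>" ref.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip>
      <mode>carp</mode>
      <interface>wan</interface>
      <vhid>1</vhid>
      <uniqid>5f1c0a0b1c2d3</uniqid>
      <subnet>203.0.113.2</subnet>
      <subnet_bits>24</subnet_bits>
      <descr>WAN CARP</descr>
    </vip>
    <vip>
      <mode>ipalias</mode>
      <interface>wan</interface>
      <subnet>203.0.113.10</subnet>
      <subnet_bits>32</subnet_bits>
      <descr>srv1 public - bound to WAN, wrong on an HA pair</descr>
    </vip>
    <vip>
      <mode>ipalias</mode>
      <interface>_vip5f1c0a0b1c2d3</interface>
      <subnet>203.0.113.11</subnet>
      <subnet_bits>32</subnet_bits>
      <descr>srv2 public - bound to WAN CARP, correct</descr>
    </vip>
  </virtualip>
  <nat>
    <onetoone>
      <interface>wan</interface>
      <external>203.0.113.10</external>
      <source><address>192.168.1.10</address></source>
      <destination><any/></destination>
    </onetoone>
    <onetoone>
      <interface>wan</interface>
      <external>203.0.113.11</external>
      <source><address>192.168.1.11</address></source>
      <destination><any/></destination>
    </onetoone>
  </nat>
</pfsense>
"""


def load_vips(root):
    """Map each VIP address to (mode, interface, descr)."""
    vips = {}
    for vip in root.findall("./virtualip/vip"):
        addr = vip.findtext("subnet", "").strip()
        vips[addr] = (
            vip.findtext("mode", "").strip(),
            vip.findtext("interface", "").strip(),
            vip.findtext("descr", "").strip(),
        )
    return vips


def carp_uniqids(root):
    """Set of uniqid values belonging to CARP-mode VIPs."""
    return {
        vip.findtext("uniqid", "").strip()
        for vip in root.findall("./virtualip/vip")
        if vip.findtext("mode", "").strip() == "carp"
    }


def find_non_failover_nat_vips(config_xml):
    """Return [(external_ip, reason)] for 1:1 NAT entries whose external
    address is not owned by exactly one HA node at a time."""
    root = ET.fromstring(config_xml)
    vips = load_vips(root)
    carp_ids = carp_uniqids(root)
    findings = []
    for rule in root.findall("./nat/onetoone"):
        ext = rule.findtext("external", "").strip()
        if ext not in vips:
            findings.append((ext, "no Virtual IP defined for this external address"))
            continue
        mode, iface, descr = vips[ext]
        if mode == "carp":
            continue  # the CARP VIP itself: only the MASTER answers for it
        if iface.startswith("_vip") and iface[len("_vip"):] in carp_ids:
            continue  # IP Alias bound to a CARP VIP: follows CARP state
        findings.append(
            (ext, f"{mode} VIP on interface '{iface}' is not bound to a CARP VIP ({descr})")
        )
    return findings


if __name__ == "__main__":
    for ext, reason in find_non_failover_nat_vips(SAMPLE_CONFIG):
        print(f"{ext}: {reason}")
```

Running it against the sample flags only 203.0.113.10, the alias whose `interface` is the bare `wan`. To use it on a live pair, export Diagnostics > Backup & Restore from the primary node and feed the file to `find_non_failover_nat_vips`; anything it reports will produce the asymmetric request/reply path the thread describes, since the backup node also owns that address and will answer for it.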
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.