Netgate Discussion Forum

    Confirm my NAT config

    HA/CARP/VIPs
    7 Posts 3 Posters 837 Views
    • J
      JohnSmith127
      last edited by JohnSmith127

      I know this is related to NAT, but I've lodged it under this section, as it's in relation to my HA setup and the right config with the CARP IP.

      Having some weird comms issues on the backup pfSense, and wondered if someone is able to sanity check my setup and confirm I've done everything right, mainly around the NAT config.

      Our environment has an Edge Router with a public IP on the WAN end and 10.1.1.1 on the internal (LAN) side.
      This is patched into a Cisco Switch (no special config).
      Then both my pfSenses are patched into this switch on their WAN side, with IPs 10.1.1.10 (A) and 10.1.1.11 (B), and I'm using 10.1.1.5 as the Virtual IP (CARP).
      Comms through it work fine, but I've noticed the backup pfSense has slowness logging in, and cannot resolve anything. But it can ping 1.1.1.1 etc.
      I'm assuming the slowness is due to the DNS not resolving.

      Here's my NAT setup. The IP address of the NAT Address is the CARP IP (10.1.1.5) and the automatic rules include ALL the subnets I have on the LAN side.

      PFSense-NAT.PNG

      Thanks

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        You do not want to NAT your interface address to the CARP VIP. It won't be able to connect out unless it is CARP MASTER.

        In your case your RFC1918 alias catches the interface address.

        Put exclusions in for traffic sourced from both 127.0.0.0/8 and 10.1.1.0/24. NO NAT rules above what you have should suffice.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • JeGrJ
          JeGr LAYER 8 Moderator
          last edited by

          I'd go a step further than @Derelict and X the NAT completely.

          • Delete the Hybrid Mappings
          • Switch to manual mode
          • let the generated 127.0.0.1 Sources be done via "WAN address"
          • change the local networks (192.168.x or whatever you blacked out...) to your CARP VIP instead of WAN address. If you want to keep the rules short, you could add the RFC1918 prefix, but I find that a bit "biiig", so just create an alias like "local networks" and add all networks you would NAT outgoing to your VIP.

          Be done :)

          Also switching to manual gives a much finer control of what is actually NATted and where. But that's just IMHO :)

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
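Why the ruleset in the opening post breaks only the backup node, and why both suggested rulesets clear it, can be shown with a small model of pfSense's first-match outbound NAT walk. This is an added example, not code from the thread or from pfSense itself; the 192.168.10.0/24 and 192.168.20.0/24 LAN networks are constructed stand-ins for the ones blacked out in the screenshot, and check_node is a hypothetical helper.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses as given in the opening post (the poster later says the real WAN
# addresses differ; the LAN networks below are constructed stand-ins).
CARP_VIP = "10.1.1.5"
MASTER = {"wan": "10.1.1.10", "holds": {"10.1.1.10", CARP_VIP}}  # MASTER answers for the VIP
BACKUP = {"wan": "10.1.1.11", "holds": {"10.1.1.11"}}            # BACKUP does not
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

@dataclass
class NatRule:
    source: str                   # source network the rule matches
    translate_to: Optional[str]   # an address, "WAN address", or None for NO NAT

def translated_source(rules, src_ip, wan_ip):
    """Outbound NAT as a first-match walk: the first rule whose source
    network contains src_ip decides the translated source address."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in ipaddress.ip_network(r.source):
            if r.translate_to is None:
                return src_ip                       # NO NAT: leave untouched
            return wan_ip if r.translate_to == "WAN address" else r.translate_to
    return src_ip                                   # no rule matched

def check_node(rules, node):
    """Flag firewall-originated traffic that would leave with a source address
    this node does not hold; replies go to whoever holds that address (the
    CARP MASTER), so the node's own DNS lookups never come back."""
    bad = {}
    for src in (node["wan"], "127.0.0.1"):
        out = translated_source(rules, src, node["wan"])
        if out != src and out not in node["holds"]:
            bad[src] = out
    return bad

# Ruleset from the opening post: every RFC1918 source, the firewalls' own WAN
# addresses included, is translated to the CARP VIP.
broken = [NatRule(n, CARP_VIP) for n in RFC1918]
# Derelict's fix: NO NAT exclusions for localhost and the WAN subnet on top.
fixed = [NatRule("127.0.0.0/8", None), NatRule("10.1.1.0/24", None)] + broken
# JeGr's manual ruleset: only the LAN networks go out via the VIP.
manual = [NatRule("127.0.0.0/8", "WAN address"),
          NatRule("192.168.10.0/24", CARP_VIP), NatRule("192.168.20.0/24", CARP_VIP)]

if __name__ == "__main__":
    for name, rules in (("broken", broken), ("fixed", fixed), ("manual", manual)):
        print(name, "master:", check_node(rules, MASTER), "backup:", check_node(rules, BACKUP))
```

With the original ruleset only the backup is flagged (its 10.1.1.11 traffic leaves as 10.1.1.5, which the master answers for), while LAN hosts still reach the VIP under both corrected rulesets.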

          • J
            JohnSmith127
            last edited by

            Thanks for the input folks.

            Derelict, yeah good spot. I actually really confused the matter by changing the actual IP addresses we use in this post, to hide the info. So apologies for that. Our WAN interface address is actually outside the RFC1918 range. Again, apologies for the confusion.

            JeGr, yeah I was thinking of doing that, but wasn't sure if it would work correctly with our setup.
            I have an outage planned tonight, and will try switching back to Manual mode and see how it goes. I'll come back and update the post after that.

            Thanks again

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              All of these details matter.

              I would delete all of the custom rules, switch to Automatic NAT, switch to Manual NAT, then change the resulting NAT rules that actually NAT inside traffic to utilize the CARP VIP.


              • J
                JohnSmith127
                last edited by

                Hi Derelict, yeah I know, and I felt dumb when I realised I'd done that. Apologies again.

                Your plan sounds good, I'll do the change tonight and update the post.

                Thanks for your help.

                • J
                  JohnSmith127
                  last edited by

                  Follow up!

                  Yeah, I basically followed Derelict's info and moved to Manual NAT rules, then changed the IP to my CARP VIP for my WAN.

                  Everything seems happier now.

                  Thanks for your help.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.