Netgate Discussion Forum

    Best Practice: Remote Access to CARP Firewall

    Category: OpenVPN
    4 Posts 3 Posters 574 Views
    • junicast

      Hi,

      When having CARPed firewalls and working from remote, I cannot access the secondary firewall because it is trying to answer on its very own ovpns interface, because its routing table says so.

      Thus I cannot reach my secondary firewall from remote via OpenVPN.

      Is there any best practice for this problem?

      Thank you!

      • viragomann @junicast

        @pmisch
        You can set up an Outbound NAT rule to translate the source address in packets destined to the secondary pfSense into the LAN address. So responses will be directed back to the master's LAN IP and the routing will work.

        Best practice: On the master box add an alias for both pfSense LAN IPs.
        Go to Outbound NAT. Ensure that it's working in hybrid or manual mode.
        Add a rule:
        interface: LAN
        source: OpenVPN tunnel network
        destination: the alias you've added before
        translation: interface address

        The XMLRPC sync will copy that rule to the backup box and the alias ensures that it fits for both. So if the secondary is the master you're also able to access the first one.

        • SteveITS
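As an added illustration (not code from this thread or from pfSense), a small Python model of the asymmetric-routing problem in the question and of the outbound NAT fix in the answer above. All addresses, interface names and the routing table are constructed assumptions.

```python
# Added example: models why the secondary CARP node answers on its own ovpns
# interface, and how source-NATing to the master's LAN IP fixes the reply path.
# All addresses below are constructed lab values, not from the thread.
from ipaddress import ip_address, ip_network

TUNNEL_NET = ip_network("10.8.0.0/24")   # OpenVPN tunnel network on both nodes
MASTER_LAN = ip_address("192.168.1.2")   # master's own LAN IP (not the CARP VIP)
BACKUP_LAN = ip_address("192.168.1.3")   # secondary's own LAN IP
CLIENT = ip_address("10.8.0.6")          # road warrior connected to the master

# Secondary node's routing table: (prefix, egress interface). Both nodes carry
# a route for the tunnel network that points at their *own* ovpns interface.
BACKUP_ROUTES = [
    (ip_network("192.168.1.0/24"), "lan"),
    (TUNNEL_NET, "ovpns1"),
    (ip_network("0.0.0.0/0"), "wan"),
]


def egress_interface(routes, dst):
    """Longest-prefix match, as the kernel's route lookup does."""
    best = max((net for net, _ in routes if dst in net), key=lambda n: n.prefixlen)
    return next(iface for net, iface in routes if net == best)


def outbound_nat(src, dst, nat_targets):
    """Master's outbound NAT rule on LAN: tunnel-net sources going to one of
    the aliased pfSense LAN IPs are rewritten to the LAN interface address."""
    if src in TUNNEL_NET and dst in nat_targets:
        return MASTER_LAN
    return src


def reply_path(client, nat_enabled):
    """Return (interface, reaches_master) for the secondary's reply to the
    client's packet, with or without the outbound NAT rule on the master."""
    alias = {MASTER_LAN, BACKUP_LAN}   # the alias holding both LAN IPs
    seen_src = outbound_nat(client, BACKUP_LAN, alias) if nat_enabled else client
    iface = egress_interface(BACKUP_ROUTES, seen_src)
    # Only a reply sent back across the LAN reaches the master, which then
    # un-NATs it and forwards it down its own tunnel to the client.
    return iface, iface == "lan"


if __name__ == "__main__":
    print("without NAT:", reply_path(CLIENT, False))  # ('ovpns1', False)
    print("with NAT:   ", reply_path(CLIENT, True))   # ('lan', True)
```

Because the alias contains both LAN IPs and the rule is synced to the backup, the same model holds with the roles swapped when the secondary is master.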

          A non-VPN solution would be to allow access to the routers' WAN IPs, port 443, from your IP address. Of course that works if you have a static IP where you are.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • junicast @viragomann

            @viragomann
            Thank you very much.
            What do you think about IPv6? Is NAT also best practice there?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.