    CARP port forward not working correctly on failover

      78firebird

      pfSense 2.3.2

      My 2012 Windows VPN server has outbound NAT access through the WAN interface.

      I have port forwarding (all the VPN ports) setup on a CARP VIP going to my Windows server on a separate WAN IP.

      VPN connectivity from the Internet into my Windows server works when the primary pfSense router is master. (Windows GW set to CARP IP).

      When the primary pfSense router is shut down, the secondary shows Master on all ports.

      When my default gateway is the local interface VIP 10.0.0.1, my Windows VPN shows retransmits and TTL exceeded when attempting to establish a VPN connection.

      If I set my Windows default gateway to the secondary pfSense router 10.0.0.3 bypassing the CARP IP, VPN connectivity works.

      Is there a setting in the outbound NAT for carp failover needed for port forwards?

        Derelict LAYER 8 Netgate

        Outbound NAT and port forwards are pretty much distinct from each other. Outbound NAT translates source addresses when connections leave an interface. Port forwards translate destination addresses when connections arrive on an interface.

        It is unclear from your description what the problem might be. Are you talking about inbound connections to the VPN server or outbound VPN connections?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

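The distinction in the reply above, shown as an added illustration in raw pf.conf syntax (pfSense generates equivalent rules from its GUI; this is not the poster's or Netgate's configuration). Interface names, addresses and the VPN ports are assumptions chosen for the example.

```pf
# Added example: outbound NAT vs. port forward on a CARP VIP in pf.conf syntax.
# Interface names, addresses and VPN ports below are assumptions, not the
# poster's real values.
wan = "em0"
lan = "em1"
wan_carp_vip = "203.0.113.10"          # WAN CARP VIP shared by both nodes (assumed)
vpn_srv      = "10.0.0.10"             # Windows RRAS server on the LAN (assumed)
vpn_udp      = "{ 500, 4500, 1701 }"   # IKEv2/L2TP ports assumed for illustration

# Outbound NAT: rewrites the SOURCE address of connections leaving $wan.
# Translate to the CARP VIP rather than the node's own interface address: a
# state built on the interface address is tied to one node and is useless
# after failover, even if pfsync copied it.
nat on $wan from $lan:network to any -> $wan_carp_vip

# Port forward: rewrites the DESTINATION address of connections arriving on
# $wan. The match is on the CARP VIP, so the same rule is valid on whichever
# node currently holds MASTER for that VIP.
rdr on $wan inet proto udp from any to $wan_carp_vip port $vpn_udp -> $vpn_srv

# The forwarded traffic still has to be allowed in; match the post-rdr
# destination, not the VIP.
pass in quick on $wan inet proto udp from any to $vpn_srv port $vpn_udp keep state
```

In the pfSense 2.3 GUI the equivalents are Firewall > NAT > Port Forward with the Destination set to the WAN CARP VIP, and Firewall > NAT > Outbound in Hybrid or Manual mode with the Translation address set to that same VIP. Neither rule refers to the other; if inbound forwards break only on the backup node, the outbound NAT table is the wrong place to look, and the next checks are CARP status, pfsync, and the layer 2 path between the backup node and the server.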
          78firebird

          I'm working with the inbound PF to the VPN server. I've narrowed it down to the VMware itself even though the network settings are the same between the two hardware servers. I'm going through resetting the network settings to see if I can get it working.

            78firebird

            Fixed.

            I had dual connections active/active from VMware to the 3750 switch. I had to set up a channel group on the switch and set the vSwitch to "Route based on IP hash" on top of the security settings. Not sure why it was working with the similar setup on the Primary server, but both are now set up with the correct load balance settings.

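The switch side of the fix described in the last post, as an added example that is not the poster's own configuration. Port numbers, the channel-group number and the descriptions are assumptions. The relevant constraint is that a standard vSwitch cannot negotiate LACP, so the bundle must be a static EtherChannel (`mode on`), and the vSwitch teaming policy "Route based on IP hash" is only valid when such a bundle exists on the switch. With IP hash and no channel group, the same VM MAC is learned alternately on two access ports and the switch's MAC table flaps; with "Route based on originating virtual port" each vNIC is pinned to one uplink, which can work without a channel group and is one way a "similar" host can behave differently.

```cisco
! Added example for a Catalyst 3750 facing an ESXi host with two uplinks.
! Port numbers, channel-group number and descriptions are assumptions.
! "mode on" = static EtherChannel; a standard vSwitch does not speak LACP,
! and "Route based on IP hash" on the vSwitch requires this bundle.
interface Port-channel1
 description ESXi-host-uplinks (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface range GigabitEthernet1/0/1 - 2
 description ESXi vmnic0 / vmnic1 (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
end
```

On the ESXi host the matching policy can be set from the shell with `esxcli network vswitch standard policy failover set -v vSwitch0 -l iphash -f link` (vSwitch name assumed); failure detection must stay on link status, since beacon probing is not supported together with IP hash. After the change, `show etherchannel summary` on the 3750 should list both ports in the bundle as `(P)`, and `show mac address-table` should show the VM and CARP MACs only on the Port-channel, never flapping between the physical ports.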