CARP port forward not working correctly on failover



  • pfSense 2.3.2

    My 2012 Windows VPN server has outbound NAT access through the WAN interface.

    I have port forwarding (all the VPN ports) set up on a CARP VIP going to my Windows server on a separate WAN IP.

    VPN connectivity from the Internet into my Windows server works when the primary pfSense router is master (Windows GW set to the CARP IP).

    When the primary pfSense router is shut down, the secondary shows Master on all ports.

    When my default gateway is the local interface VIP 10.0.0.1, my Windows VPN shows retransmits and TTL exceeded when attempting to establish a VPN connection.

    If I set my Windows default gateway to the secondary pfSense router 10.0.0.3, bypassing the CARP IP, VPN connectivity works.

    Is there a setting in the outbound NAT for CARP failover needed for port forwards?


  • LAYER 8 Netgate

    Outbound NAT and port forwards are pretty much distinct from each other. Outbound NAT translates source addresses when connections leave an interface. Port forwards translate destination addresses when connections arrive on an interface.

    It is unclear from your description what the problem might be. Are you talking about inbound connections to the VPN server or outbound VPN connections?
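The distinction above, written out as a pf.conf fragment. This is an added illustration, not configuration from the thread or from pfSense itself; it uses the classic FreeBSD pf syntax that pfSense 2.3.x generates under the hood. The interface name, addresses and the VPN port list are assumed placeholders (the thread never states which "VPN ports" were forwarded).

```pf
# Added example (not from the thread). Interface, addresses and ports are assumed.
ext_if     = "em0"             # WAN interface (assumed)
lan_net    = "10.0.0.0/24"     # LAN, matching the 10.0.0.x gateway addresses in the thread
carp_vip   = "203.0.113.10"    # shared WAN CARP VIP (assumed, RFC 5737 documentation range)
vpn_server = "10.0.0.50"       # Windows VPN server on the LAN (assumed)

# Outbound NAT: rewrites the SOURCE address of LAN traffic leaving WAN.
# Using the CARP VIP (not the node's own WAN address) means replies still
# arrive at whichever node currently holds the VIP after a failover.
nat on $ext_if from $lan_net to any -> $carp_vip

# Port forward: rewrites the DESTINATION address of traffic arriving on WAN
# for the CARP VIP and sends it to the VPN server. Ports shown are the usual
# PPTP (1723/tcp) and L2TP/IPsec (500, 1701, 4500/udp) ports, assumed here.
rdr on $ext_if proto tcp from any to $carp_vip port 1723 -> $vpn_server
rdr on $ext_if proto udp from any to $carp_vip port { 500, 1701, 4500 } -> $vpn_server

# rdr only translates; a filter rule must still admit the translated packets.
pass in on $ext_if proto tcp from any to $vpn_server port 1723 keep state
pass in on $ext_if proto udp from any to $vpn_server port { 500, 1701, 4500 } keep state
```

Neither rule references the other: the nat line governs connections the server initiates outward, the rdr lines govern connections arriving from the Internet. What ties them to failover is the state table, so when checking a setup like the one in the thread, confirm that the VIP is on the node that is master (`ifconfig` shows the carp status) and that pfsync is replicating states, and that the server's reply packets leave through that same node, since a reply leaving via the other node has no matching state and is dropped.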



  • I'm working with the inbound PF to the VPN server.  I've narrowed it down to the VMware itself, even though the network settings are the same between the two hardware servers.  I'm going through resetting the network settings to see if I can get it working.



  • Fixed.

    I had dual connections active/active from VMware to the 3750 switch.  I had to set up a channel group on the switch and set the vSwitch to "Route based on IP hash" on top of the security settings.  Not sure why it was working with the similar setup on the primary server, but both are now set up with the correct load balance settings.
