2.2.6 to 2.3.2 - pfSense web server serving request for CARP IPs instead of NAT



  • Greetings all,

    Upgraded from 2.2.6 to 2.3.2 recently and have run into an issue (just like https://forum.pfsense.org/index.php?topic=114201.0).

    I have a pair of pfSense firewalls, each with their own outside (WAN) IP, that share 3 CARP IPs (again, on the WAN side). The pfSense web server is running https on port 8081. The problem: when a server inside the LAN side tries to reach another server (LAN side) using their public IP, the pfSense web server intercepts the traffic (as observed in the /var/log/nginx.log file).

    Example:
    FW1: Public_IP 10.10.10.1
    FW2: Public_IP 10.10.10.2
    CARP-IP-1 10.10.10.5
    CARP-IP-2 10.10.10.6
    CARP-IP-3 10.10.10.7

    Server-1:  Public_IP: 10.10.10.5  (CARP) NAT to Inside_IP 192.168.1.21
    Server-2:  Public_IP: 10.10.10.6  (CARP) NAT to Inside_IP 192.168.1.22

    If Server-1 makes an http request to Server-2 via inside IP, no problem at all.
    If Server-1 makes an http request to Server-2 via outside (CARP) IP, the pfSense web server intercepts the traffic.

    Our test tool reports the following error when using the outside (CARP) address:

    <title>301 Moved Permanently</title>
    <center><h1>301 Moved Permanently</h1></center>
    <hr>
    <center>nginx</center>

    As per the other forum thread, pfSense v2.2.6 did not have this problem.  The other thread suggests using Proxy ARP addresses instead of CARP addresses, but I have two firewalls in a cluster and need complete failover capability.

    Is this new behavior expected, or is this a bug?



  • HSTS

    https://forum.pfsense.org/index.php?topic=118761.msg657405#msg657405

    Search for HSTS and you'll find some more threads.



  • Thanks for the pointer. While I needed that option set, I also had to enable the checkbox for WebGUI redirect (System > Advanced).

    BTW - A huge shout-out to the pfSense technical support team.  After struggling with this for a few hours, I opened a ticket and immediately had a couple of great engineers on the phone (maybe 2min wait at most).  Brandon and Chris helped figure out the problem in short order as well as clear up some questions about CARP, NAT, and NAT Reflection.  Thanks guys!
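    To tell which side is answering a request sent to a CARP VIP (the firewall's webConfigurator redirect or the NAT'd server behind it), here is an added shell example that is not from this thread or from pfSense; it assumes curl is available and uses the GUI port 8081 and the addresses from the first post as sample values:

    ```shell
    #!/bin/sh
    # Added example, not from the thread: tell whether a request to a CARP VIP was
    # answered by the pfSense webConfigurator redirect (a 301 from nginx pointing at
    # the GUI's HTTPS port, 8081 in the post above) or reached the NAT'd backend.
    GUI_PORT="${GUI_PORT:-8081}"

    # classify_headers HEADERS -> webgui-redirect | other-redirect | backend
    classify_headers() {
        hdrs=$(printf '%s\n' "$1" | tr -d '\r')
        status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
        server=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ss]erver: *//p')
        location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p')
        case "$status" in
            301|302)
                # nginx redirecting to https://<vip>:<GUI_PORT>/ is the firewall, not the server
                case "$server:$location" in
                    nginx*:https://*:"$GUI_PORT"*) echo webgui-redirect ;;
                    *) echo other-redirect ;;
                esac ;;
            *) echo backend ;;
        esac
    }

    # probe_vip IP PORT -> fetch only the response headers from the VIP and classify them
    probe_vip() {
        hdrs=$(curl -sS -m 5 -o /dev/null -D - "http://$1:$2/" 2>/dev/null) \
            || { echo unreachable; return 1; }
        classify_headers "$hdrs"
    }

    # With a target given (e.g. ./probe.sh 10.10.10.6 80) run a live probe; otherwise
    # classify a constructed sample shaped like the error the test tool reported.
    if [ "$#" -ge 2 ]; then
        probe_vip "$1" "$2"
    else
        SAMPLE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://10.10.10.6:8081/\r\n')
        echo "sample (constructed): $(classify_headers "$SAMPLE")"
    fi
    ```

    A webgui-redirect result on port 80 means the firewall's own redirect rule, not the NAT rule, picked up the connection to the VIP.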

