2.2.6 to 2.3.2 - pfSense web server serving request for CARP IPs instead of NAT

  • Greetings all,

    Upgraded from 2.2.6 to 2.3.2 recently and have run into an issue (just like https://forum.pfsense.org/index.php?topic=114201.0).

    I have a pair of pfSense firewalls, each with their own outside (WAN) IP, that share 3 CARP IPs (again, on the WAN side). The pfSense web server is running https on port 8081. The problem: when a server inside the LAN side tries to reach another server (LAN side) using its public IP, the pfSense web server intercepts the traffic (as observed in the /var/log/nginx.log file).

    FW1: Public_IP
    FW2: Public_IP

    Server-1:  Public_IP:  (CARP) NAT to Inside_IP
    Server-2:  Public_IP:  (CARP) NAT to Inside_IP

    If Server-1 makes an http request to Server-2 via inside IP, no problem at all.
    If Server-1 makes an http request to Server-2 via outside (CARP) IP, the pfSense web server intercepts the traffic

    Our test tool reports the following error when using the outside (CARP) address:

    <title>301 Moved Permanently</title>
    301 Moved Permanently

    As per the other forum thread, pfSense v2.2.6 did not have this problem.  The other thread suggests using Proxy ARP addresses instead of CARP addresses, but I have two firewalls in a cluster and need complete failover capability.

    Is this new behavior expected, or is this a bug?

  • HSTS

    Search for HSTS and you'll find some more threads.

  • Thanks for the pointer. While I needed that option set, I also had to enable the checkbox for WebGUI redirect (System –> Advanced).

    BTW - A huge shout-out to the pfSense technical support team.  After struggling with this for a few hours, I opened a ticket and immediately had a couple of great engineers on the phone (maybe 2min wait at most).  Brandon and Chris helped figure out the problem in short order as well as clear up some questions about CARP, NAT, and NAT Reflection.  Thanks guys!
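As an added diagnostic (not code from this thread, the poster, or the pfSense project), the script below tells you from a LAN host whether http://<CARP VIP>/ is being answered by the firewall's own webConfigurator nginx (a 301 to https on the GUI port, with a Strict-Transport-Security header when HSTS is enabled) or by the NAT'd server behind it. The GUI port 8081 follows the post; the three sample responses are constructed for illustration, not captured from the poster's firewalls, and 203.0.113.10 is a documentation address standing in for a CARP VIP.

```shell
#!/bin/sh
# Added diagnostic for the situation described in this thread (not code from
# the thread or from pfSense). Given the response headers a LAN host receives
# for http://<CARP VIP>/, decide whether the webConfigurator's nginx answered
# with its http->https redirect or whether the NAT'd backend server answered.
# Assumption: the webConfigurator listens on port 8081 as in the post.

GUI_PORT="${GUI_PORT:-8081}"

# http_status <headers> -> prints the 3-digit code from the status line
http_status() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# location_header <headers> -> prints the first Location value (CR stripped)
location_header() {
    printf '%s\n' "$1" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r' | head -n 1
}

# has_hsts <headers> -> exit 0 when a Strict-Transport-Security header is present
has_hsts() {
    printf '%s\n' "$1" | grep -qi '^strict-transport-security:'
}

# classify_response <headers>
#   pfsense-redirect : 3xx whose Location points at https://<host>:GUI_PORT
#   other-redirect   : any other 3xx (an application redirect from the backend)
#   backend          : 2xx/4xx/5xx, i.e. a real server behind the NAT answered
#   unknown          : status line not parseable
classify_response() {
    status=$(http_status "$1")
    location=$(location_header "$1")
    case "$status" in
        3[0-9][0-9])
            case "$location" in
                https://*:"$GUI_PORT"/*|https://*:"$GUI_PORT") echo pfsense-redirect ;;
                *) echo other-redirect ;;
            esac ;;
        [245][0-9][0-9]) echo backend ;;
        *) echo unknown ;;
    esac
}

# probe <ip> [port] -> classify what actually answers (needs network and curl)
probe() {
    hdrs=$(curl -sS -m 5 -o /dev/null -D - "http://$1:${2:-80}/") || { echo unknown; return; }
    classify_response "$hdrs"
}

# Constructed sample responses (not captured from the poster's firewalls).
SAMPLE_PFSENSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://203.0.113.10:8081/
Strict-Transport-Security: max-age=31536000'

SAMPLE_BACKEND='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

SAMPLE_APP_REDIRECT='HTTP/1.1 302 Found
Server: Apache
Location: https://www.example.com/login'

# demo -> show the classification of each constructed sample
demo() {
    printf 'CARP VIP answered by pfSense nginx: %s\n' "$(classify_response "$SAMPLE_PFSENSE")"
    printf 'NAT backend answered:               %s\n' "$(classify_response "$SAMPLE_BACKEND")"
    printf 'Backend application redirect:       %s\n' "$(classify_response "$SAMPLE_APP_REDIRECT")"
}
demo
```

Usage: source the script on a LAN host and run `probe <CARP VIP>`; `pfsense-redirect` means the request never reached the NAT'd server and the webConfigurator redirect and HSTS settings under System –> Advanced are the place to look, while `backend` means NAT is handling the hairpinned request. Re-run after each settings change to confirm which side is answering.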
