Access to web-configurator and ssh via CARP IPs



  • First, I like the good work of the pfSense team.

    I have an issue, which I think arises if I do NAT via CARP IPs.
    Maybe this is a misconfiguration or a misunderstanding of how the system works.

    System: 2.3.2-p1, redundant CARP configuration.

    For NAT I use CARP IPs (often public IPs), but if I do so,
    you can access the web configurator using
    <carp-ip>:443 or SSH via <carp-ip>:22

    This occurs even if I do outbound NAT on CARP IPs.

    The alternative would be to use IPs of type Other.

    Therefore the following questions arise:

    • How do I forward 443 or 22 using a CARP IP?
    • Is there a recommended way to restrict SSH and the web interface (GUI) to listen only on one or two IPs, e.g. only the LAN interface?
    • For a redundant configuration with NAT, does the IP type Other work flawlessly on failover?

    One workaround is to use floating rules which block access to IPs and services, but I think this does not help for port 22 or 443.

    If you have further questions or need an example, let me know.
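An added check, not part of the original post: the script below parses `sockstat -4 -l` style output from the FreeBSD/pfSense box and reports which management ports (22 and 443 by default) would answer on a given CARP VIP. A wildcard bind (`*:PORT`) answers on every address the firewall owns, including a CARP VIP once the node is MASTER, which is why the GUI and SSH become reachable there. The sockstat sample, the VIP addresses and the process names are constructed for the example.

```sh
#!/bin/sh
# Added example (not pfSense project code). Reports management listeners that
# would answer on a CARP VIP, based on `sockstat -4 -l` output read from stdin.

# Constructed sample resembling `sockstat -4 -l` on a pfSense node; not a real capture.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      4321  6  tcp4   *:443                 *:*
root     sshd       1234  4  tcp4   *:22                  *:*
root     sshd       1235  5  tcp4   192.0.2.1:22          *:*
unbound  unbound    2222  5  udp4   192.0.2.1:53          *:*
root     ntpd       3333  20 udp4   203.0.113.10:123      *:*'

# mgmt_listeners VIP [PORT ...]
# Reads sockstat output on stdin and prints "PORT COMMAND LOCAL-ADDRESS" for
# every TCP socket on a management port that answers at VIP: either a wildcard
# bind (*:PORT) or a bind to the VIP address itself. Defaults to ports 22 and 443.
mgmt_listeners() {
    vip=$1; shift
    ports=${*:-22 443}
    while read -r user cmd pid fd proto laddr faddr; do
        # Only TCP listeners matter for SSH and the web configurator;
        # the header line and UDP sockets are skipped here.
        case "$proto" in tcp4) ;; *) continue ;; esac
        addr=${laddr%:*}
        port=${laddr##*:}
        for p in $ports; do
            [ "$port" = "$p" ] || continue
            if [ "$addr" = "*" ] || [ "$addr" = "$vip" ]; then
                echo "$port $cmd $laddr"
            fi
        done
    done
    return 0
}

# Stand-alone demo against the constructed sample for a (constructed) CARP VIP.
# Expected lines: "443 nginx *:443" and "22 sshd *:22"; the sshd bound only
# to 192.0.2.1 does not answer on 203.0.113.5 and is not listed.
printf '%s\n' "$SAMPLE_SOCKSTAT" | mgmt_listeners 203.0.113.5
```

On a live node, run `sockstat -4 -l | mgmt_listeners <carp-vip>`; each reported line is a service that needs a firewall rule on the interface carrying that VIP if it must not be reachable there.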