Netgate Discussion Forum
    VPN routing in high availability setup

    General pfSense Questions
Sander88

      Hi,

      I have a high availability setup of PFSense (version 2.3.2). This setup has a site2site VPN to another PFSense box.

This site2site VPN itself works fine, but there is one issue I'm trying to solve.

      • The master PFSense node can ping a remote IP (through the VPN connection).
      • The backup PFSense node can NOT ping the remote IP (through the VPN connection).

I guess this is caused by the backup node thinking it can route to this IP range itself. That only makes sense when the node itself is the master; if not, it should route it through the actual master node.

      How can I fix this? I was thinking about using an outbound NAT rule, but I can't get it to work.

      Regards,
      Sander

Sander88

        I didn't figure out how to fix this yet.

        Currently it's fixed in one direction (by using outbound NAT):

        • I can reach both PFSense hosts from the remote site through the site2site VPN.
• I can only reach the network of the remote site (= VPN client) from the PFSense host running as CARP master.

        Any suggestions?

jimp Rebel Alliance Developer Netgate

          The secondary node cannot route anything via the master node. What you're after isn't logically possible in a proper setup.

Once you set up HA, the two nodes cease to be individual units for most purposes.

          What is the purpose for attempting to have a live VPN connection outbound on the secondary?

Sander88

The purpose is monitoring. We are using Zabbix and the Zabbix server is on the other side of the VPN.

Zabbix uses 2 types of connections:

            • Server -> Client/Agent (these checks work fine).
            • Client/Agent -> Server (these checks fail to report back on the CARP slave).
Sander88

Solved it by putting a Zabbix proxy in the LAN. This server monitors both firewalls and reports back through the VPN tunnel.

bbrendon

This documentation discusses it, but if you have two clusters, that's 4 firewalls. Which do you apply the outbound NAT rule on?

                https://www.netgate.com/docs/pfsense/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html

stephenw10 Netgate Administrator

All of them if you need communication all ways. The rules should be very specific though, to avoid catching traffic incorrectly, and since they apply per node they would often have 'do not sync' set.
This thread is 2 years old though; please open a new thread if you have questions about a similar setup.

                  Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.