VPN routing in high availability setup

  • Hi,

    I have a high availability setup of PFSense (version 2.3.2). This setup has a site2site VPN to another PFSense box.

    This site2site VPN itself works fine, but here is one issue I'm trying to solve.

    • The master PFSense node can ping a remote IP (through the VPN connection).
    • The backup PFSense node can NOT ping the remote IP (through the VPN connection).

    I guess this is caused by the backup node thinking it can route to this IP-range itself. That only makes sense when the node itself is the master; if not, it should route it through the actual master node.

    How can I fix this? I was thinking about using an outbound NAT rule, but I can't get it to work.


  • I didn't figure out how to fix this yet.

    Currently it's fixed in one direction (by using outbound NAT):

    • I can reach both PFSense hosts from the remote site through the site2site VPN.
    • Can only reach the network of the remote site (= VPN client) from the PFSense host running as CARP master.

    Any suggestions?

  • Rebel Alliance Developer Netgate

    The secondary node cannot route anything via the master node. What you're after isn't logically possible in a proper setup.

    Once you set up HA, the two nodes cease to be individual units for most purposes.

    What is the purpose for attempting to have a live VPN connection outbound on the secondary?

  • The purpose is monitoring. We are using Zabbix and the Zabbix server is on the other side of the VPN.

    Zabbix uses 2 types of connections:

    • Server -> Client/Agent (these checks work fine).
    • Client/Agent -> Server (these checks fail to report back on the CARP slave).

  • Solved it by putting a Zabbix proxy in the LAN, this server monitors both firewalls and reports back through the VPN tunnel.

  • This documentation discusses it, but if you have two clusters, that's 4 firewalls. Which do you apply the outbound NAT rule on?


  • Netgate Administrator

    All of them if you need communication all ways. The rules should be very specific though, to avoid catching traffic incorrectly, and since they apply per node they would often have 'do not sync' set.
    This thread is 2 years old though, please open a new thread if you have questions about a similar setup.
