CARP VIP pings, but nothing else



  • I am really struggling to get anywhere with a new CARP config with Dual WAN. I have been searching for the past three days for an answer but cannot find anything.  I am sure it is somewhere, I just cannot find it.

    I am only trying one WAN link atm as I want to keep the other one untouched until I can get this working properly then I will replicate the settings and hopefully it will work (I am also waiting on a public IP block from my ISP which is being very obstructive about getting these, so it might take some time)

    Basically I have set up the following
    pf01 : 172.16.1.1
    pf02 : 172.16.1.2
    CARP VIP : 172.16.1.3

    HA : 172.16.8.1 and 172.16.8.2 (syncing perfectly)

    WAN (connected to a modem which means having to double NAT for now, my ISP is being stupid about issuing a public IP block, so I have a new private subnet set as a WAN block and then NAT that at the modem)
    pf01 - 172.16.3.1
    pf02 - 172.16.3.2
    CARP VIP - 172.16.3.3

    I have set up a number of ports mapped to 172.16.3.3 (i.e. the WAN CARP VIP) and am using the 443 map for testing.  At the modem there is a static route for anything aimed at 172.16.1.0/24 to go through 172.16.3.3 (i.e. the WAN VIP)

    Using a laptop connected to the 172.16.3 subnet (i.e. WAN simulation) I can ping all the IPs on both LAN and WAN successfully, but as soon as I try to connect to the https server, it times out.  If I change the port mapping to the WAN IP of the master (172.16.3.1) the page is promptly displayed, so the problem is clearly CARP related.  If I use my mobile data connection and aim it at the public IP of the modem, the same results pertain re the WAN IP port settings, i.e. if it's 172.16.3.1 I get the page but not if it's aimed at the CARP VIP.

    The WAN IP interface has the modem's IP address (172.16.3.254, not the public one) as the gateway IP.  Outbound rules have been set using the 172.16.3.3 LAN CARP VIP as the translation address.  The 'WAN' interface is blocking bogons but not private IPs.

    DHCP has both Gateway and DNS servers set to the LAN CARP VIP (172.16.1.3)

    I hope I have given enough information for someone to be able to help sort this because it is driving me nuts.  Why is the LAN CARP not being shared?  Everything else seems to be working fine.  The CARP failover switches master and slave perfectly fine, syncing is being performed well … it seems to be JUST the sharing of the LAN CARP VIP that is not being used by the gateway for some reason.  What am I missing?  Really confused ...  thank you for your help.



  • In case anyone else needs an answer to a similar problem, while searching for something entirely unrelated, I came across this link
    https://forum.pfsense.org/index.php?topic=42532.0

    In the final post was the solution to my problem which I have cut and pasted from there to here for ease of reference and added some notes of my own relating to the key points.

    The following also pertained to my situation…
    "The router had already been in production for a while and had some NAT port forwards configured"
    "I assumed those rules would carry right over to the CARP setup because the destination was WAN."

    The following is what got me on the right track ....
    "I went to make a new rule for some reason or another and noticed that there was a new destination choice called WAN CARP (what I had named that VIP).  When I realized the firewall was discriminating between real IPs and virtual IPs, I had my answer."

    This bit summed up my situation perfectly too ...
    "I guess I just assumed that my rules were all per-interface, but they're actually more granular than that.  Changed all my regular stuff to the CARP destination"

    When I did the above, it worked.  As the original poster said, it is worth noting that the NAT rules are quite that granular ...
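    To make the difference concrete, here is an added example (not from the thread or from pfSense itself) of the pf rules behind the port forward described above, written in pf.conf syntax: first with the destination set to the WAN interface address, then corrected to the WAN CARP VIP. The interface name (em0) and the internal web server address (172.16.1.10) are assumed for illustration; the 172.16.3.x addresses are the ones from the posts.

    ```pf
    # Added example, not the thread's own rules. em0 and 172.16.1.10 are assumed.

    # --- As first configured: destination = WAN interface address of pf01 ---
    # This rdr only matches packets addressed to 172.16.3.1. A packet aimed at the
    # CARP VIP 172.16.3.3 never matches it, is never translated, and the connection
    # times out, exactly the symptom seen in the first post.
    rdr pass on em0 inet proto tcp from any to 172.16.3.1 port 443 -> 172.16.1.10 port 443

    # --- Corrected: destination = WAN CARP VIP ("WAN CARP" in the NAT destination list) ---
    # Matches on whichever node currently holds the VIP, so the forward keeps
    # working after a failover instead of being tied to one node's address.
    rdr pass on em0 inet proto tcp from any to 172.16.3.3 port 443 -> 172.16.1.10 port 443

    # Outbound NAT bound to the VIP as well (as the first post already had it), so
    # replies from the LAN leave with the shared address rather than 172.16.3.1/.2.
    nat on em0 inet from 172.16.1.0/24 to any -> 172.16.3.3
    ```

    On the firewall, `pfctl -s nat` lists the NAT rules actually loaded, which is a quick way to confirm which destination address a forward matches before blaming CARP.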
