Netgate Discussion Forum
Routing problem in secondary CARP node (HA/CARP/VIPs)

rubenc

      Hi,

      Regular CARP setup, 2.3.2 on both nodes.

      The problem is the secondary (inactive) node has no internet access, despite having the routing setup exactly as the primary (active) node.

      Primary fw WAN is 77.X.X.2, secondary fw WAN is 77.X.X.3, and gateway for both of them is 77.X.X.1

      After reviewing stuff, I don't know what I'm missing. Any ideas?

      Thanks a lot,

      Rubén.

      Hardware: SC1935 | WAN: em (PCIe) | LAN: bge (onboard) | RAM: 2Gb
      2.0-RC2-IPv6 (i386)
      built on Sat May 21 21:38:32 EDT 2011

viragomann

        What are your outbound NAT rules?

rubenc

AON with the "any" rule using a specific public IP (77.X.X.4) bound to the primary firewall as NAT Address.

Ok so. In fact the "any" rule was missing in the slave (I suppose it wasn't automatically created because 77.X.X.4 is not active in the secondary), so I created one using the WAN's Interface Address (77.X.X.3) as NAT Address, as I understand I can't use 77.X.X.4 on the secondary node since it's only active in the primary. In this way, Internet connectivity works.

          But then I guess in the event of a failover I'll have to manually change the outgoing IP from 77.X.X.3 to 77.X.X.4 right?

          Thanks!


viragomann

The outbound traffic from all devices other than pfSense should use the CARP VIP. Only the traffic from the pfSense box itself (127.0.0.0/8) should use the WAN address.
That is valid for both boxes and can be synced from one to the other.

A failover is no problem with these settings.

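The rule layout viragomann describes, as an added checker that is not from this thread or from pfSense: it models a node's manual outbound NAT rules and flags the ones that only work on one node or change the public address on failover. The NatRule and Node classes are hypothetical, and the 203.0.113.x addresses are constructed stand-ins for the thread's 77.X.X.x.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCALHOST = ip_network("127.0.0.0/8")
IFACE_ADDR = "WAN address"  # stands in for pfSense's "Interface Address" choice, resolved per node


@dataclass(frozen=True)
class NatRule:  # hypothetical model of one manual (AON) outbound NAT rule
    interface: str    # interface the rule applies to, e.g. "WAN"
    source: str       # source network in CIDR; "0.0.0.0/0" for the 'any' rule
    nat_address: str  # literal IP, or IFACE_ADDR for the node's own interface address


@dataclass(frozen=True)
class Node:  # hypothetical model of one CARP cluster member
    name: str
    wan_if: str
    wan_address: str      # this node's own WAN address
    carp_vips: frozenset  # CARP VIPs shared by the cluster


def check_outbound_nat(node: Node, rules: list[NatRule]) -> list[str]:
    """Return findings for rules that fail on the backup node or change address on failover."""
    findings, has_self_rule = [], False
    for r in rules:
        if r.interface != node.wan_if:
            continue
        src = ip_network(r.source)
        nat = node.wan_address if r.nat_address == IFACE_ADDR else str(ip_address(r.nat_address))
        if src == LOCALHOST:  # the firewall's own traffic must leave from this node's address
            has_self_rule = True
            if nat != node.wan_address:
                findings.append(f"{node.name}: own traffic NATs to {nat}, not this node's WAN address")
        elif nat == node.wan_address:  # forwarded traffic pinned to one node's address
            findings.append(f"{node.name}: {src} NATs to node address {nat}; address changes on failover")
        elif nat not in node.carp_vips:
            findings.append(f"{node.name}: {src} NATs to {nat}, neither a CARP VIP nor this node")
    if not has_self_rule:
        findings.append(f"{node.name}: no 127.0.0.0/8 rule for the box's own traffic")
    return findings


# Constructed stand-ins for the thread's 77.X.X.x addresses (203.0.113.0/24 is a documentation range).
VIP = "203.0.113.4"
PRIMARY = Node("primary", "WAN", "203.0.113.2", frozenset({VIP}))
SECONDARY = Node("secondary", "WAN", "203.0.113.3", frozenset({VIP}))
INTERIM = [NatRule("WAN", "0.0.0.0/0", "203.0.113.3")]  # the interim 'any' rule from the thread
RECOMMENDED = [NatRule("WAN", "127.0.0.0/8", IFACE_ADDR), NatRule("WAN", "0.0.0.0/0", VIP)]
```

Running `check_outbound_nat` with RECOMMENDED returns no findings on either node, which is why the same rule set can be synced unchanged; INTERIM is flagged on both.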
rubenc

              Thanks viragomann  ;)
