[CLOSED] CARP IP as 1:1 NAT



  • Hi everyone,
    So i have these 4 spare public IP, that i tried to to 1:1 NAT to my internal LAN.
    Without CARP/PFSYNC, it runs OK ( I use IP Alias ).

    Now I set up CARP+PFSYNC with 2 Firewall, it runs OK, ONLY for the clients inside to get outside ! ( only outbound NAT ).

    The 1:1 NAT ip that I used is not working on the slave firewall, when master firewall is down,
    even though on the slave firewall i see that the backup status has turn to master status for all CARP IP Addresses.
    Again, I put the CARP(s) IP address on 1:1 NAT web gui. but it never worked when master firewall is down.

    Any help/point is greatly appreciated..


  • LAYER 8 Netgate

    Is the default gateway of the inside host also a CARP VIP on LAN that is properly swinging over to the secondary?

    You might need to post your actual configuration as what you are describing should work fine.



  • @Derelict:

    Is the default gateway of the inside host also a CARP VIP on LAN that is properly swinging over to the secondary?

    You might need to post your actual configuration as what you are describing should work fine.

    Thanks for your time, I will try to include the configs, as i am outside using public wifi.

    I actually use another CARP/HA-Sync dual bandwidth shaper behind the Firewall, which doesnt have NAT, only routing,
    so it's basically like this :

    LAN –> Bandwidth shaper ( CARP IP ) --> FIREWALL ( CARP IP ) --> ISP Gateway.

    I've tested the Bandwidth shaper CARP/HA functionality, they both worked just fine, either master or slave when the other is turned off.

    Bandwidth Shaper has Firewall's CARP IP address as default gateway,
    and Firewall has Shaper's CARP IP as gateway to LAN

    Let me know which config you need to see, i will get it when i got home.

    Thanks !


  • LAYER 8 Netgate

    1:1 NAT should work fine there. Probably need to see the 1:1 NAT and CARP VIPs on primary and secondary.



  • Hi..
    here are the screenshot i've taken:
    .189 is the Firewall's Float IP facing ISP Gateway,
    192.168.1.1 is the Float IP facing the Shaper's Float IP.
    I use darker theme for slave firewall to avoid confusion
    Thanks you very much in advance for looking in to this !

    ![Master Status CARP.jpg](/public/imported_attachments/1/Master Status CARP.jpg)
    ![Master Status CARP.jpg_thumb](/public/imported_attachments/1/Master Status CARP.jpg_thumb)
    ![Slave Status CARP.jpg](/public/imported_attachments/1/Slave Status CARP.jpg)
    ![Slave Status CARP.jpg_thumb](/public/imported_attachments/1/Slave Status CARP.jpg_thumb)
    ![Master Firewall Virtual IPs.jpg](/public/imported_attachments/1/Master Firewall Virtual IPs.jpg)
    ![Master Firewall Virtual IPs.jpg_thumb](/public/imported_attachments/1/Master Firewall Virtual IPs.jpg_thumb)
    ![Slave Firewall Virtual IPs.jpg](/public/imported_attachments/1/Slave Firewall Virtual IPs.jpg)
    ![Slave Firewall Virtual IPs.jpg_thumb](/public/imported_attachments/1/Slave Firewall Virtual IPs.jpg_thumb)
    ![Master Firewall NAT 1 1.jpg](/public/imported_attachments/1/Master Firewall NAT 1 1.jpg)
    ![Master Firewall NAT 1 1.jpg_thumb](/public/imported_attachments/1/Master Firewall NAT 1 1.jpg_thumb)
    ![Slave Firewall NAT 1 1.jpg](/public/imported_attachments/1/Slave Firewall NAT 1 1.jpg)
    ![Slave Firewall NAT 1 1.jpg_thumb](/public/imported_attachments/1/Slave Firewall NAT 1 1.jpg_thumb)



  • I've been trying to capture the packets here,
    I tried to tcptraceroute to Slave Firewall's CARP IP port 443 NATed 1:1 to LAN Host,

    Packets from outside went to slave firewall's CARP IP, NATed ok to LAN IP.
    22:44:59.109168 IP w.x.y.z.59494 > 192.168.10.80.443: tcp 0

    On the 1:1 NATed  LAN host,

    • i can see that packets are coming in, but it just keeps trying to reply without success.
      192.168.10.80.https > w.x.y.z.59494 : Flags [S.], seq 1839487501, ack 2476811853, win 17920, options [mss 8960,nop,nop,sackOK], length 0

    • BUT, if from this 1:1 NATed LAN host, I do tcptraceroute / links to any wtfismyp.com/text, it can reach it, and have proper CARP IP shown.

    phew…


  • LAYER 8 Netgate

    Capture on the LAN address of the secondary pfSense while it is the CARP master. Look at the same traffic. Is that interface receiving the reply traffic? If not, why not?



  • I finally found it !

    It's a bit weird though..
    It turns out that on both master/slave,  of Shaper's –> System -> Routing - Gateways list,
    I still have the bastion firewall's IP when it was still a standalone pfsense, but it's already in DISABLED state !
    and i have the new Bastion Firewall's Floating IP as HA enabled.

    Pure luck ?
    I was out of idea then just delete the hell out of that old ( and disabled ) IP...
    voila !

    Thank you so much for you patience !!


Log in to reply