CARP - NAT



  • The CARP docs state to use Manual Outbound NAT and warn against NAT rules for "WAN/Public IP addresses of the cluster". Does that include any public IP configured as a CARP IP on WAN? Any issues using Hybrid NAT?

    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#Setup_Manual_Outbound_NAT


  • Netgate

    You just need to make sure that all outbound NAT (and inbound connections/port forwards, VPN bindings, etc) are on addresses that will swing between the nodes in a CARP event.

    These can be CARP VIPs or IP Aliases riding on CARP VIPs. If you have a subnet routed to one of those, that will also work.

    If you terminate connections on the interface address, that address will only exist on one node, not the other, so if there is a failover event, the pfsynced state on the other node will be invalid and the connection will die.



  • Makes sense!  Thanks!  I read that to say that Hybrid NAT will not work since it auto-creates rules.  My CARP backup node has been crashing (unresponsive), I suspect this is the culprit.


  • Netgate

    You can use Hybrid if you want, but you still have to override all of the auto rules. It makes sense to get all of your interfaces configured, then switch to manual NAT so all the rules are automatically generated for you. Then just flip them all to an appropriate VIP.
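    The two Netgate replies above come down to one check: every outbound NAT rule must translate to a CARP VIP (or an IP alias riding on one), never to the interface address, or the pfsynced state is useless on the other node after a failover. The script below is an added example, not part of this thread and not Netgate's or pfSense's own tooling. It reads lines in the shape of `pfctl -sn` output and flags rules whose translation target is not in a list of known CARP VIPs. The sample rules, the VIP list and the `em0` interface name are constructed for the example; pfSense's real generated rules may differ in detail, so only the token after `->` is inspected.

```shell
#!/bin/sh
# Constructed sample in the style of `pfctl -sn` (not captured from a real pfSense box).
# Line 2 translates to the interface address "(em0)" and line 3 to a non-VIP address:
# both would break on CARP failover because only the CARP VIP moves between nodes.
SAMPLE_NAT_RULES='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.2.0/24 to any -> (em0) port 1024:65535
nat on em0 inet from 10.0.0.0/8 to any -> 203.0.113.2 port 1024:65535'

# CARP VIPs (or IP aliases on CARP VIPs) that float between the cluster nodes. Constructed.
CARP_VIPS="203.0.113.10 203.0.113.11"

# Succeed (exit 0) when $1 is one of the CARP VIPs.
is_carp_vip() {
  for vip in $CARP_VIPS; do
    if [ "$1" = "$vip" ]; then
      return 0
    fi
  done
  return 1
}

# Print the translation target of one nat rule: the token after "->", minus any /32 suffix.
nat_target() {
  printf '%s\n' "$1" | sed -n 's/.*-> *\([^ ]*\).*/\1/p' | sed 's#/32$##'
}

# Print every nat rule in $1 whose translation target is not a CARP VIP.
find_non_vip_nat() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      nat\ *) ;;          # only outbound nat rules are of interest here
      *) continue ;;
    esac
    target=$(nat_target "$line")
    if [ -z "$target" ]; then
      continue
    fi
    if ! is_carp_vip "$target"; then
      printf 'NOT a CARP VIP: %s\n' "$line"
    fi
  done
}

# Number of offending rules in $1 (0 means every rule uses a floating VIP).
count_non_vip_nat() {
  find_non_vip_nat "$1" | wc -l | tr -d ' '
}

# Usage: run against the constructed sample; on a live node you would feed `pfctl -sn` instead.
find_non_vip_nat "$SAMPLE_NAT_RULES"
```

    On the sample above the script reports the `(em0)` rule and the `203.0.113.2` rule; the rule translating to `203.0.113.10` passes because that address is in the VIP list. The same comparison applies to port forwards and VPN bindings, which the replies say must also terminate on a floating address.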



  • @Derelict:

    You can use Hybrid if you want, but you still have to override all of the auto rules. It makes sense to get all of your interfaces configured, then switch to manual NAT so all the rules are automatically generated for you. Then just flip them all to an appropriate VIP.

    If I set my pfSense into Hybrid NAT using CARP, the machine freezes and has to be hard reset!
    I also suffer strange behaviour using CARP and NATing
    -> https://forum.pfsense.org/index.php?topic=137984.0


  • Netgate

    Then you are doing it wrong somehow.