Netgate Discussion Forum
    NAT Trouble with CARP

    HA/CARP/VIPs
    4 Posts 2 Posters 821 Views
    • oeawallis

      Hello everybody!

      We are facing strange behavior with our pfSense HA cluster:

      Outbound-NAT on the Master (which is replicated to the slave as well), is set to Manual (AON).
      We configured for each vlan:

      | Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port |
      |---|---|---|---|---|---|---|---|
      | WAN | 192.168.100.0/24 | * | * | * | CARP-VIP (193.x.y.z) | * | randomize port |
      | WAN | 192.168.100.0/24 | * | * | 500 | CARP-VIP (193.x.y.z) | * | static port |

      Now, when I apply these settings to pfSense (latest version 2.4.0-RELEASE) and then go to one of my VLAN clients, I get crazy DL/UL values.
      Our machines (NEMONIX servers) are equipped with 10GB copper cards. We also have gigabit uplinks connected to them.
      We do not use any limiters or traffic shaping.

      Using the AON (manual) config I get

      BUT when I switch to Automatic NAT (which does not use our outbound NAT VIP for sure) I get:

      (download is limited by some network hardware seemingly haha)

      Can anybody explain to me WHY?
      If you need to see any further config, let me know.

      Thanks, and have yourselves a nice day!

      • Derelict (LAYER 8, Netgate)

        Probably something to do with your upstream and that other IP/MAC address. pfSense does not care.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • oeawallis

          @Derelict:

          Probably something to do with your upstream and that other IP/MAC address. pfSense does not care.

          What would the upstream have to do with the other IP/MAC? Sorry, but I don't get what you mean. ??? :-\

          • Derelict (LAYER 8, Netgate)

            Hard to say. But if the only difference is the CARP address being used for NAT that is where I would look.

            ISPs do crazy things.

            Also, you want to move that static port 500 NAT rule above the rule since, if left like that, it will never be matched. Unrelated to your speed issue. Just sayin'.


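The rule-ordering point in the last reply, as an added example (not code from the thread or from pfSense/Netgate): pfSense evaluates outbound NAT rules top-down and the first match wins, so a "destination port 500, static port" rule placed below an "any destination port" rule for the same source network can never be reached. The simulation below reproduces the two rules from the table, shows which rule an IKE (UDP/500) packet hits in each ordering, and includes a small shadow check an operator can run over a rule list before applying it. The CARP VIP address (192.0.2.1), the remote addresses and the packets are constructed stand-ins; the rule names are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    source: str                # source network in CIDR notation
    dst_port: Optional[int]    # None means "*" (any destination port)
    nat_address: str           # translated source address (the CARP VIP here)
    static_port: bool          # True: keep the original source port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _matches(rule: NatRule, pkt: Packet) -> bool:
    in_source = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source)
    port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    return in_source and port_ok


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Top-down, first-match evaluation, as pfSense does for outbound NAT."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule
    return None


def translate(rules: List[NatRule], pkt: Packet) -> Optional[Tuple[str, str, object]]:
    """Return (rule name, NAT address, translated source port) or None if no rule matches."""
    rule = first_match(rules, pkt)
    if rule is None:
        return None
    src_port = pkt.src_port if rule.static_port else "random"
    return (rule.name, rule.nat_address, src_port)


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers the same
    source network with any destination port (the situation in the thread's table)."""
    result = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            same_or_wider = ipaddress.ip_network(rule.source).subnet_of(
                ipaddress.ip_network(earlier.source))
            if same_or_wider and earlier.dst_port is None:
                result.append(rule.name)
                break
    return result


# Constructed stand-in for the CARP VIP shown as 193.x.y.z in the thread.
CARP_VIP = "192.0.2.1"

ANY_PORT = NatRule("any-port", "192.168.100.0/24", None, CARP_VIP, static_port=False)
IKE_STATIC = NatRule("ike-static", "192.168.100.0/24", 500, CARP_VIP, static_port=True)

AS_POSTED = [ANY_PORT, IKE_STATIC]   # order from the table in the first post
REORDERED = [IKE_STATIC, ANY_PORT]   # the order Derelict recommends

# Constructed packets: an IKE exchange and an ordinary HTTPS connection.
IKE_PKT = Packet("192.168.100.10", 500, "198.51.100.7", 500)
WEB_PKT = Packet("192.168.100.10", 51234, "198.51.100.7", 443)


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, "IKE ->", translate(rules, IKE_PKT))
        print(label, "HTTPS ->", translate(rules, WEB_PKT))
        print(label, "shadowed:", shadowed_rules(rules))
```

With the rules as posted, the IKE packet is caught by the any-port rule and its source port is randomized, which is what the static-port rule was meant to prevent; moving the port-500 rule above the general rule makes it reachable while the HTTPS traffic is unaffected either way.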