Netgate Discussion Forum

    CARP + OpenVPN - slave not reachable over VPN

    HA/CARP/VIPs
    3 Posts 2 Posters 1.2k Views
    Polderdijk

      Hi,

      I set up a nice CARP setup and OpenVPN on 2 pfSense boxes in a datacenter. Everything works as expected, but there is one tiny problem I can't fix.

      I can't access the slave pfSense box with the internal IP on the 'other side over VPN'.

      Sure, this is expected because the OpenVPN is down on the slave, so I need to add some route/NAT to fix it.

      I see a FAQ on https://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN

      But I can't figure out how to interpret all the words in 'For example, add a manual outbound NAT rule on the LAN interface, source being the VPN subnet, destination being an alias that contains both the primary and secondary node LAN IPs. Translation would be Interface Address (NOT the CARP VIP!).'

      I try every combination, without luck.

      So I break it into pieces. As I understand it, I need to add this on the 'datacenter side'?

      • add a manual outbound NAT rule on the LAN interface
      • I got it! In Firewall / NAT / Outbound > Add > Interface == LAN :-)
      • source being the VPN subnet:
      • Mmmm. The 'private' VPN subnet? As in VPN / OpenVPN / IPv4 Tunnel Network? Or the 'datacenter side' LAN subnet? I don't know!
      • destination being an alias that contains both the primary and secondary node LAN IPs
      • Yehh, I add a new VIP: Firewall / Aliases > add both LAN IPs (Interface > LAN > IPv4). I hope this is the way!
      • Translation would be Interface Address (NOT the CARP VIP!).
      • I got Firewall / NAT / Outbound / Translation set to 'Interface Address'

      Save but no luck :(

        viragomann

        @Polderdijk:

        • source being the VPN subnet:

        The VPN tunnel network.

        @Polderdijk:

        • destination being an alias that contains both the primary and secondary node LAN IPs
        • Yehh, I add a new VIP: Firewall / Aliases > add both LAN IPs (Interface > LAN > IPv4). I hope this is the way!

        Ok.

        @Polderdijk:

        • Translation would be Interface Address (NOT the CARP VIP!).
        • I got Firewall / NAT / Outbound / Translation set to 'Interface Address'

        Ok.

        Maybe you have to restart pfSense.

          Polderdijk

          Ahh, after re-reading, re-reading and re-reading I found the solution!

          With 'The VPN tunnel network' they mean the subnet from the 'remote side' of the VPN tunnel.

          After the change it works :)

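The whole thread turns on one question: which subnet is the "source" of the outbound NAT rule. The following is an added illustration, not code from the thread or from pfSense itself: a small Python model of that manual outbound NAT rule (source network, destination alias with both node LAN IPs, translation to the primary's interface address), applied to a packet that a host on the remote side sends to the secondary node. All addresses are constructed for the example. It shows the two readings side by side: with the OpenVPN tunnel network as source, a packet from a remote LAN host never matches and reaches the secondary untranslated; with the remote side's LAN subnet as source (the reading that worked in the last post) the packet is rewritten so the secondary sees the primary's own LAN address and replies to it directly on the LAN, where the primary can push the reply back through the tunnel. It also goes one step beyond the thread: a packet whose source really is a tunnel address (a road-warrior client, for instance) does match the tunnel-network rule, so an alias holding both networks covers both kinds of traffic.

```python
"""Model of the pfSense outbound NAT rule for reaching the CARP secondary over OpenVPN.

Constructed addresses (not taken from the thread):
  TUNNEL_NET      10.8.0.0/24     VPN / OpenVPN / IPv4 Tunnel Network
  REMOTE_LAN      10.20.0.0/24    LAN on the 'other side' of the site-to-site tunnel
  DATACENTER_LAN  192.168.1.0/24  LAN where both CARP nodes live
  PRIMARY_LAN_IP  192.168.1.2     primary node's LAN *interface address* (not the CARP VIP)
  SECONDARY_LAN_IP 192.168.1.3    secondary node's LAN interface address
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

TUNNEL_NET = IPv4Network("10.8.0.0/24")
REMOTE_LAN = IPv4Network("10.20.0.0/24")
DATACENTER_LAN = IPv4Network("192.168.1.0/24")
PRIMARY_LAN_IP = IPv4Address("192.168.1.2")
SECONDARY_LAN_IP = IPv4Address("192.168.1.3")

# "destination being an alias that contains both the primary and secondary node LAN IPs"
NODE_LAN_IPS = frozenset({PRIMARY_LAN_IP, SECONDARY_LAN_IP})


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class OutboundNatRule:
    """One manual outbound NAT rule on the LAN interface (source, destination, translation)."""
    source: IPv4Network
    destination: frozenset
    translation: IPv4Address  # "Interface Address", i.e. the primary's own LAN IP

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.source and pkt.dst in self.destination

    def apply(self, pkt: Packet) -> Packet:
        """Rewrite the source address when the rule matches; otherwise pass the packet unchanged."""
        if self.matches(pkt):
            return Packet(self.translation, pkt.dst)
        return pkt


RULES = {
    # Mistaken reading from the first post: "VPN subnet" taken as the OpenVPN tunnel network.
    "tunnel_network_as_source": OutboundNatRule(TUNNEL_NET, NODE_LAN_IPS, PRIMARY_LAN_IP),
    # Reading that worked in the last post: the remote side's LAN subnet.
    "remote_lan_as_source": OutboundNatRule(REMOTE_LAN, NODE_LAN_IPS, PRIMARY_LAN_IP),
}


def translate(rule_name: str, src: str, dst: str) -> tuple:
    """Return (src, dst) as strings after the named rule has been applied."""
    pkt = RULES[rule_name].apply(Packet(IPv4Address(src), IPv4Address(dst)))
    return str(pkt.src), str(pkt.dst)


def secondary_reply_next_hop(translated_src: str) -> str:
    """Where the secondary sends its reply to a packet that arrived with this source address.

    Assumption for the model: the secondary has no route to the remote LAN via the
    primary (the tunnel is only up on the primary), so anything off its own LAN goes
    to its default gateway, while an on-LAN address is answered directly on the LAN.
    """
    if IPv4Address(translated_src) in DATACENTER_LAN:
        return "directly on LAN (to the primary, which owns the tunnel)"
    return "default gateway (never reaches the tunnel)"


if __name__ == "__main__":
    remote_host, tunnel_client = "10.20.0.50", "10.8.0.6"
    for name in RULES:
        for src in (remote_host, tunnel_client):
            new_src, new_dst = translate(name, src, str(SECONDARY_LAN_IP))
            print(f"{name:26} {src:>11} -> {new_dst}: seen by secondary as {new_src:>12}; "
                  f"reply goes {secondary_reply_next_hop(new_src)}")
```

Running the script prints one line per rule and source: only the rule with the remote LAN as source translates the remote host's packet, and only the translated packet produces a reply that stays on the datacenter LAN. The translation address in the model is the primary's interface address, as the linked doc specifies; the model does not cover what happens if the CARP VIP is used instead, since the thread does not say.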
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.