CARP Secondary Unreachable Over VPN

  • I have readed the document, but I don't understand where apply the manual outbound NAT.
    In the primary, secondary or both servers?

    Can someone explain me step by step, how to configure the rule for outbound NAT and where?
    The local address  of the openVPN in the master is

    ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
    options=80000 <linkstate>inet6 fe80::224:81ff:fe7e:43e1%ovpns1 prefixlen 64 scopeid 0xb
    inet –>  netmask 0xffffffff
    nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn
    Opened by PID 42792


    Rafel Amer</performnud,auto_linklocal></linkstate></up,pointopoint,running,multicast>

  • The rule should be active on both, so you can also access FW1 while FW2 is master. However, since you will have activated NAT rule sync in System > High Availability Sync you only need to set it on FW1 and must set up a rule, which can work on both.

    Assuming you want to access your firewall by their LAN IPs:
    First add an alias for both LAN IPs, the master and backup. Firewall > Aliases > IP. Call it e.g. FW1_2_LAN.
    Go to Firewall > NAT > Outbound. If the Outbound NAT Mode is set to Automatic check "Hybrid Outbound NAT rule generation" and hit Save below.
    Then add a new rule:
    Interface: LAN
    Protocol: TCP
    Source: <vpn tunnel="" subnet="">Destination: "Network" and enter "FW1_2_LAN" (the alias you've added first)
    Translation Address: Interface address
    Save the rule.

    Now source addresses of outgoing packets leaving the masters LAN interface destined for the backups LAN are translated to the masters LAN address, so the backup sends its responses back to the master and they are directed back to the VPN client. This also works reverse on the other firewall while it's the master and the vpn client is connected to it.</vpn>

Log in to reply