CARP Secondary Unreachable Over VPN
rafel.amer last edited by
I have readed the document https://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN, but I don't understand where apply the manual outbound NAT.
In the primary, secondary or both servers?
Can someone explain me step by step, how to configure the rule for outbound NAT and where?
The local address of the openVPN in the master is
ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
options=80000 <linkstate>inet6 fe80::224:81ff:fe7e:43e1%ovpns1 prefixlen 64 scopeid 0xb
inet 10.11.8.1 –> 10.11.8.2 netmask 0xffffffff
nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn
Opened by PID 42792
viragomann last edited by
The rule should be active on both, so you can also access FW1 while FW2 is master. However, since you will have activated NAT rule sync in System > High Availability Sync you only need to set it on FW1 and must set up a rule, which can work on both.
Assuming you want to access your firewall by their LAN IPs:
First add an alias for both LAN IPs, the master and backup. Firewall > Aliases > IP. Call it e.g. FW1_2_LAN.
Go to Firewall > NAT > Outbound. If the Outbound NAT Mode is set to Automatic check "Hybrid Outbound NAT rule generation" and hit Save below.
Then add a new rule:
Source: <vpn tunnel="" subnet="">Destination: "Network" and enter "FW1_2_LAN" (the alias you've added first)
Translation Address: Interface address
Save the rule.
Now source addresses of outgoing packets leaving the masters LAN interface destined for the backups LAN are translated to the masters LAN address, so the backup sends its responses back to the master and they are directed back to the VPN client. This also works reverse on the other firewall while it's the master and the vpn client is connected to it.</vpn>