Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP Secondary Unreachable Over VPN

    Routing and Multi WAN
    2
    2
    316
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rafel.amer
      last edited by

      I have readed the document https://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN, but I don't understand where apply the manual outbound NAT.
      In the primary, secondary or both servers?

      Can someone explain me step by step, how to configure the rule for outbound NAT and where?
      The local address  of the openVPN in the master is

      ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
      options=80000 <linkstate>inet6 fe80::224:81ff:fe7e:43e1%ovpns1 prefixlen 64 scopeid 0xb
      inet 10.11.8.1 –> 10.11.8.2  netmask 0xffffffff
      nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn
      Opened by PID 42792

      Thanks

      Rafel Amer</performnud,auto_linklocal></linkstate></up,pointopoint,running,multicast>

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        The rule should be active on both, so you can also access FW1 while FW2 is master. However, since you will have activated NAT rule sync in System > High Availability Sync you only need to set it on FW1 and must set up a rule, which can work on both.

        Assuming you want to access your firewall by their LAN IPs:
        First add an alias for both LAN IPs, the master and backup. Firewall > Aliases > IP. Call it e.g. FW1_2_LAN.
        Go to Firewall > NAT > Outbound. If the Outbound NAT Mode is set to Automatic check "Hybrid Outbound NAT rule generation" and hit Save below.
        Then add a new rule:
        Interface: LAN
        Protocol: TCP
        Source: <vpn tunnel="" subnet="">Destination: "Network" and enter "FW1_2_LAN" (the alias you've added first)
        Translation Address: Interface address
        Save the rule.

        Now source addresses of outgoing packets leaving the masters LAN interface destined for the backups LAN are translated to the masters LAN address, so the backup sends its responses back to the master and they are directed back to the VPN client. This also works reverse on the other firewall while it's the master and the vpn client is connected to it.</vpn>

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.