NAT 1:1 on CARP VIP
-
Hi all,
I have a /28 WAN network and I have a HA cluster with 2 boxes. My NICs are as follows:
for master and backup:
WAN: x.x.x.201/28 and x.x.x.202/28 => VIP x.x.x.203/28
LAN interface that I want to use: y.y.y.1/16 and y.y.y.2/16 ==> VIP y.y.y.3/16
I need to use a public IP x.x.x.200 on a local device y.y.y.8
I added a NAT 1:1 entry with:
interface: WAN
external subnet IP: x.x.x.200
internal IP: network y.y.y.8/32
destination: any
NAT reflection: none
Then I added an IP alias on CARP WAN (x.x.x.203) with x.x.x.200/28
After that, the CARP status shows both IPs 203 and 208 as master on box 1 and backup on box 2. It appears to be OK.
Finally, I added a firewall rule on WAN interface to allow any source/any protocol to x.x.x.200 (just to try)
My local device y.y.y.8 has Internet access and the source IP is OK (y.y.y.200). But when I try to simply ping x.x.x.200 from outside, I can see my requests on the WAN interface, but nothing goes to my local device (firewall disabled on it).
So, it appears I can only use x.x.x.200 from LAN to WAN and not from WAN to LAN.
Can a pfSense guru help me? :-) Where am I wrong?
-
Finally, I added a firewall rule on WAN interface to allow any source/any protocol to x.x.x.200 (just to try)
Firewall rules for inbound traffic are processed after NAT occurs. That rule needs to pass traffic to the real address of the server, y.y.y.8.
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
(I realize you are using 1:1 but almost all of the port forwarding principles still apply in that case.)
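To make the order of operations concrete, here is a small model of how pf handles an inbound packet on WAN with a 1:1 NAT entry: the destination is translated first, and only then are the filter rules evaluated against the translated packet. This is an added illustration, not code from pfSense or from anyone in this thread; the addresses (203.0.113.200 as the public IP, 10.10.0.8 as the internal host) are constructed placeholders standing in for x.x.x.200 and y.y.y.8, and the first-match ("quick") evaluation mirrors the rules pfSense generates.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (RFC 5737 / RFC 1918), not the poster's real ones.
PUBLIC_IP = "203.0.113.200"   # stands in for x.x.x.200 (the IP alias on the CARP VIP)
INTERNAL_IP = "10.10.0.8"     # stands in for y.y.y.8 (the LAN device)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp" or "udp"


@dataclass(frozen=True)
class OneToOneNat:
    """A 1:1 NAT mapping between one public address and one internal address."""
    external: str
    internal: str

    def translate_inbound(self, pkt: Packet) -> Packet:
        # Inbound on WAN: rewrite the public destination to the internal host.
        return replace(pkt, dst=self.internal) if pkt.dst == self.external else pkt

    def translate_outbound(self, pkt: Packet) -> Packet:
        # Outbound on WAN: rewrite the internal source to the public address.
        return replace(pkt, src=self.external) if pkt.src == self.internal else pkt


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # protocol name or "any"


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto))


def filter_inbound(rules: list[Rule], pkt: Packet) -> bool:
    """First matching rule wins (pfSense emits 'quick' rules); default deny on WAN."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action == "pass"
    return False


def process_inbound(nat: OneToOneNat, rules: list[Rule], pkt: Packet) -> tuple[bool, Packet]:
    """pf order of operations: translate first, then filter the translated packet."""
    translated = nat.translate_inbound(pkt)
    return filter_inbound(rules, translated), translated


def demo() -> dict:
    nat = OneToOneNat(external=PUBLIC_IP, internal=INTERNAL_IP)
    # Constructed inbound ping from an arbitrary Internet host to the public IP.
    ping = Packet(src="198.51.100.7", dst=PUBLIC_IP, proto="icmp")

    # The original post's rule: passes traffic to the *public* address.
    wrong_rules = [Rule("pass", "any", PUBLIC_IP + "/32", "any")]
    # The corrected rule: passes traffic to the *post-NAT* internal address.
    fixed_rules = [Rule("pass", "any", INTERNAL_IP + "/32", "any")]

    wrong_ok, seen = process_inbound(nat, wrong_rules, ping)
    fixed_ok, _ = process_inbound(nat, fixed_rules, ping)
    return {
        "destination_seen_by_filter": seen.dst,  # already rewritten to 10.10.0.8
        "rule_to_public_ip_passes": wrong_ok,    # False: filter never sees 203.0.113.200
        "rule_to_internal_ip_passes": fixed_ok,  # True
        "outbound_source": nat.translate_outbound(
            Packet(src=INTERNAL_IP, dst="198.51.100.7", proto="icmp")).src,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows why the original rule let the reply traffic out (the 1:1 entry rewrites the source on the way out) while inbound pings were dropped: by the time the WAN rule set is consulted, the packet is addressed to the internal host, so a rule matching the public address never fires.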
-
Hi Derelict,
thank you for your time!
Ok, so my firewall rule must be: WAN interface, allow any source/any protocol to y.y.y.8 or something like this. I'll try this and come back here. I think I have to disable bogon rules then?
You are saying I can do NAT port forwarding: like all ports to x.x.x.200 forwarded to y.y.y.8? And a specific SNAT rule for y.y.y.8 to x.x.x.200?
-
I just changed my firewall rule and it works!!!! thx!! :)
-
You are saying I can do NAT port forwarding: like all ports to x.x.x.200 forwarded to y.y.y.8? And a specific SNAT rule for y.y.y.8 to x.x.x.200?
1:1 NAT does both. Your problem was the rule wasn't passing the correct destination address because the rule needs to pass the post-NAT address.
-
Thank you mate!!!! Yes, I corrected the firewall rule and it works immediately as expected! :-)