Only master gets software updates



  • Hi everybody,
    I have the following master/slave configuration:

    Master IP: 192.168.1.51
    Slave IP: 192.168.1.52
    Virtual IP: 192.168.1.88

    On the master node, if I check for updates, I receive a correct answer in a few seconds. On the slave, I receive a timeout. Only if I perform a CARP failover (so the slave becomes master) can the slave search for updates.
    By performing a tcpdump on the internet gateway, I noticed that both nodes use the shared IP 192.168.1.88 to connect to the internet; I do not see any connections coming from their private IPs .51 and .52. I suppose this is the cause of the issue: only the node that holds the .88 IP can correctly connect to the internet and receive updates. Is this normal? Or do I have some wrong configuration?


  • Rebel Alliance Developer Netgate

    Your outbound NAT rules must be incorrect. You likely have a source of "any" for the outbound NAT rules which map to your CARP VIP. This also causes traffic from the firewalls themselves to have NAT applied, which is not what you want.

    Change the outbound NAT rules so they have a specific source of your local network(s). Using an alias helps keep those rules simple, even if it's a catch-all RFC1918 alias (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8).



  • Here is the current Outbound NAT configuration, which is set to 'Manual':

    https://imgur.com/a/OxQfV

    Lan is the 192.168.1.0/24 network, and WAN_ is the interface with the 193.x.x.x IP address. With this configuration, I have the problem reported in the first post. Do I need to add an additional rule?



  • You need an additional rule for pfSense itself like this:
    interface: WAN
    source: 127.0.0.0/8
    dest: any
    translation address: WAN address

    Set this rule on the master, so it will be synced to the slave.
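For readers who want to see what the two rule sets above come down to at the packet-filter level, here is an added illustration in raw pf.conf syntax (not pfSense's generated configuration and not from this thread). It assumes the WAN interface is em0, the LAN network is 192.168.1.0/24 and the CARP VIP is 192.168.1.88; pf translation rules are matched first-match-wins, which is why the firewall's own rule must come before the LAN rule.

```pf
# Added illustration only; interface name em0 is an assumption.
ext_if   = "em0"
lan_net  = "192.168.1.0/24"
carp_vip = "192.168.1.88"

# BEFORE (problem): a catch-all source. Packets the firewall itself
# originates (update checks, DNS, NTP) also match and leave with the
# VIP as source. The backup node does not hold the VIP, so its replies
# are delivered to the master and the backup sees only timeouts.
#nat on $ext_if from any to any -> $carp_vip

# AFTER (fix): the firewall's own addresses ("This firewall" in the
# GUI; pf's "self" keyword expands to every address on every interface)
# are translated to the interface's own address, which each node owns
# regardless of CARP state. This rule must come first.
nat on $ext_if from self to any -> ($ext_if)

# Only client traffic from the LAN network uses the shared VIP, so a
# failover keeps client sessions on the same public-facing address.
nat on $ext_if from $lan_net to any -> $carp_vip
```

Verify from the backup node with a tcpdump on the upstream gateway: its own outbound packets should now carry the node's interface address, while LAN client traffic still carries 192.168.1.88.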



  • Thank you for your answers. Everything worked using viragomann's rule; as the source I used "This firewall" instead of 127.0.0.0/8 and it worked anyway.