CARP only on lan - force NAT from WAN via slave



  • Hi,

    currently we do have CARP on our LAN side only.
    At the moment there's no option to get CARP on the WAN side, too.

    The cluster consists of two pfSense.
    All machines in the LAN have the CARP IP as default gateway.
    pfSense01 is currently set as master.

    There is a NAT rule on them to offer access to a terminalserver (which is inside LAN) from WAN.
    My Client is on WAN.

    When using WAN IP of pfSense01 with NAT port I get access to that terminalserver.
    When using WAN IP of pfSense02 with NAT port I do not get access to that terminalserver.

    I thought that this may be a problem of pfSense01 being master and therefore the default gateway of all LAN machines.
    So when using NAT via pfSense02 to a LAN machine I will get a connection to it, but this machine may not be able to respond because its default gateway points to pfSense01 instead.

    Accessing web gui of pfSense02 via WAN IP works fine.

    Any idea what the problem could be and if it is solvable?


  • Netgate

    No, you are trying to game HA.

    It sounds like the port forward on the secondary is working but the target is sending its reply traffic back to its default gateway - the primary.

    You can probably make this sort of work by using outbound NAT on the LAN interface so all traffic appears to come from LAN Address so the replies are same-subnet.

    If you have Multi-WAN I wouldn't do HA at all.

    I would use one node for both WANs and be sure to keep a regular copy of the configuration backed up and keep the other node as a warm or cold spare.

    That or get the proper WAN subnets (/29 or larger) and configure HA correctly.
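The asymmetric-routing failure described in the reply, and the LAN-side outbound NAT workaround, traced in a small model. This is an added example, not code from the thread or from pfSense; the addresses (192.168.1.0/24 LAN, CARP VIP 192.168.1.1, firewall LAN addresses .2 and .3, client 203.0.113.10, target .50 on port 3389) are constructed assumptions.

```python
"""Model of the asymmetric-routing problem from the thread and the LAN-side outbound NAT fix."""
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses (assumptions, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CARP_VIP = "192.168.1.1"          # CARP VIP on LAN, held by the master
CLIENT_IP = "203.0.113.10"        # client on the WAN side
RDP_PORT = 3389                   # terminal server port behind the port forward


@dataclass
class Firewall:
    name: str
    lan_addr: str
    outbound_nat_on_lan: bool = False
    states: set = field(default_factory=set)  # this firewall's state table

    def port_forward(self, src_ip, src_port, target_ip, target_port):
        """Translate an inbound WAN packet to the LAN target, optionally rewriting
        the source to our own LAN address (outbound NAT on the LAN interface)."""
        if self.outbound_nat_on_lan:
            src_ip = self.lan_addr
        self.states.add((src_ip, src_port, target_ip, target_port))
        return {"src": src_ip, "sport": src_port, "dst": target_ip, "dport": target_port}

    def accepts_reply(self, reply):
        """A stateful firewall passes a reply only if it matches a state it created itself."""
        key = (reply["dst"], reply["dport"], reply["src"], reply["sport"])
        return key in self.states


@dataclass
class LanHost:
    addr: str
    default_gw: str = CARP_VIP

    def next_hop(self, dst_ip):
        """Same-subnet destinations are reached directly; everything else goes to the default gateway."""
        if ipaddress.ip_address(dst_ip) in LAN_NET:
            return dst_ip
        return self.default_gw


def simulate(entry_fw, master_fw, peers, target, src_port=50000):
    """Send one client packet through entry_fw's port forward and trace where the
    target's reply ends up. Returns (name of firewall receiving the reply, accepted?)."""
    pkt = entry_fw.port_forward(CLIENT_IP, src_port, target.addr, RDP_PORT)
    reply = {"src": pkt["dst"], "sport": pkt["dport"], "dst": pkt["src"], "dport": pkt["sport"]}
    hop = target.next_hop(reply["dst"])
    # The CARP VIP is answered by the master; any other next hop is a firewall's own LAN address.
    receiver = master_fw if hop == CARP_VIP else next(fw for fw in peers if fw.lan_addr == hop)
    return receiver.name, receiver.accepts_reply(reply)


def run_scenarios():
    """Outcome of the three cases discussed in the thread, keyed by case name."""
    target = LanHost("192.168.1.50")
    results = {}
    # 1. Forward through the master: reply goes to the VIP (the master), which holds the state.
    fw1, fw2 = Firewall("pfSense01", "192.168.1.2"), Firewall("pfSense02", "192.168.1.3")
    results["via master"] = simulate(fw1, fw1, [fw1, fw2], target)
    # 2. Forward through the secondary without outbound NAT: reply still goes to the VIP,
    #    and the master has no state for the flow, so it is dropped.
    fw1, fw2 = Firewall("pfSense01", "192.168.1.2"), Firewall("pfSense02", "192.168.1.3")
    results["via secondary"] = simulate(fw2, fw1, [fw1, fw2], target)
    # 3. Secondary with outbound NAT on LAN: the target sees a same-subnet source and
    #    replies to pfSense02 directly, bypassing its default gateway.
    fw1, fw2 = Firewall("pfSense01", "192.168.1.2"), Firewall("pfSense02", "192.168.1.3", outbound_nat_on_lan=True)
    results["via secondary + outbound NAT"] = simulate(fw2, fw1, [fw1, fw2], target)
    return results


if __name__ == "__main__":
    for case, (fw, ok) in run_scenarios().items():
        print(f"{case:32} reply arrives at {fw}: {'accepted' if ok else 'dropped (no state)'}")
```

The trade-off of the workaround is visible in case 3: once the source is rewritten to the firewall's LAN address, the terminal server no longer sees the real client address, so its own logs and any host-based access rules keyed on client IP lose that information; the firewall's state table and logs become the only record of who connected.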