Netgate Discussion Forum
    CARP only on lan - force NAT from WAN via slave

    HA/CARP/VIPs
      Kaspatoo last edited by

      Hi,

      currently we do have CARP on our LAN side only.
      At the moment there's no option to get CARP on the WAN side, too.

      The cluster consists of two pfSense.
      All machines in LAN do have the CARP IP as default gateway.
      pfSense01 is currently set as master.

      There is a NAT rule on them to offer access to a terminal server (which is inside LAN) from WAN.
      My Client is on WAN.

      When using the WAN IP of pfSense01 with the NAT port I get access to that terminal server.
      When using the WAN IP of pfSense02 with the NAT port I do not get access to that terminal server.

      I thought that this may be a problem of pfSense being master and therefore the default gateway of all LAN machines.
      So when using NAT via pfSense02 to a LAN machine I will get a connection to it, but this machine may not be able to respond because its default gateway points to pfSense01 instead.

      Accessing web gui of pfSense02 via WAN IP works fine.

      Any idea what the problem could be and if it is solvable?

      Derelict LAYER 8 Netgate last edited by

        No, you are trying to game HA.

        It sounds like the port forward on the secondary is working but the target is sending its reply traffic back to its default gateway - the primary.

        You can probably make this sort of work by using outbound NAT on the LAN interface so all traffic appears to come from LAN Address so the replies are same-subnet.

        If you have Multi-WAN I wouldn't do HA at all.

        I would use one node for both WANs and be sure to keep a regular copy of the configuration backed up and keep the other node as a warm or cold spare.

        That or get the proper WAN subnets (/29 or larger) and configure HA correctly.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

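The mechanism in Derelict's reply, written out as pf rules. This is an added illustration, not from the thread, from Netgate or from any pfSense-generated ruleset; the interface names, the terminal server's address and the port are assumptions. The rdr rule is the port forward on the secondary's own WAN address; the nat rule on LAN rewrites the client's source to the secondary's LAN address, so the terminal server's reply is same-subnet and never consults its default gateway (the CARP VIP held by the primary).

```pf
# Added example (not from the thread). Interface names, addresses and
# port are assumptions. pfSense builds equivalent rules from the GUI
# (Firewall > NAT > Port Forward, and Firewall > NAT > Outbound in
# hybrid or manual mode); this is the underlying pf form.
wan_if  = "em0"
lan_if  = "em1"
ts_ip   = "192.168.1.50"   # terminal server inside LAN (assumed)
ts_port = "3389"           # RDP (assumed)

# Outbound NAT on LAN for connections headed to the terminal server:
# the server sees this node's LAN address as the source, so the reply
# returns to the node that forwarded the connection instead of being
# sent to the CARP VIP on the primary (asymmetric routing).
nat on $lan_if proto tcp from any to $ts_ip port $ts_port -> ($lan_if)

# Port forward on this node's WAN address to the terminal server.
rdr on $wan_if proto tcp from any to ($wan_if) port $ts_port -> $ts_ip port $ts_port

# Filtering runs after translation, so the destination seen here is the
# translated LAN address. State is created on the inbound WAN packet and
# the reply matches that state on its way back out.
pass in quick on $wan_if proto tcp from any to $ts_ip port $ts_port keep state
```

Syntax can be checked without loading anything with `pfctl -nf <file>`. The trade-off is visibility: once outbound NAT on LAN is in place, the terminal server's own logs record every remote session as coming from the firewall's LAN address, so client attribution has to come from the firewall's state or log entries rather than from the server.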