Client cant reach internet under HA

    1. gateway is online
    2. physical wan/lan is active
    3. virtual wan/lan is active
    4. Lan not offering dhcp.
    5. client statically assigned ip, gateway is Virtual LAN.
    6. DNS is quad 8s and quad 75s

    Why does getting to the internet from client have to be sooo dang difficult.


  • Have you set the WAN VIP in the outbound NAT?

  • yes.

  • LAYER 8 Netgate

    Well, what is actually failing? Diagnose that and fix it.

  • Here is an idea. If we have a physical public IP of .13 in use and we try using a virtual public IP of .13, will there be a conflict at the modem?

  • LAYER 8 Netgate

    Depends on the modem and the ISP provisioning, bro.

    Proper HA needs at least a /29 and good layer 2 between the two WAN interfaces and the ISP gateway.

  • we have a /28 so no issue there. But we are trying to test this on an already established network where IPs might be in use on another device. .13 is a single firewall(public IP), in use, and we are trying to use .13 as WAN VIP for this HA lab. We are thinking IP conflict at the modem.

  • LAYER 8 Netgate

    Well yeah you can only have one device on .13

    If you set the two interfaces and can ping .13 without making a VIP for it you need to use something else.

  • I have the exact same issue. Tried different public IPs for WAN VIP! Set the clients to use the LAN VIP and set the Outbound NAT but no matter what Clients never connect to the internet.

    Pfsense versions are 2.4.2-RELEASE-p1
    Carp is working well, sync is good and there are no errors in the logs.
    My only issue is clients are not getting internet when I setup Manual Outbound NAT.

  • LAYER 8 Netgate

    This is not a guessing game. You need to know what addresses you have available.

    You need to be able to generate traffic from the CARP VIP on the node that currently holds MASTER and get proper responses to the CARP MAC address from the ISP. This requires them doing the correct thing with both the CARP traffic (adds the CARP MAC address to the CAM table in their layer 2) and ARP (sets their layer 3 gear to send traffic for the CARP VIP address to the CARP MAC).

    Diagnostics > Ping source from the CARP VIP and ping things on the outside like, the ISP gateway, etc.

    If that works then try Diagnostics > Test Port, again source from the CARP VIP, and connect to something you know should respond like 587 on

    If those don't work you need to packet capture and look at everything to see what the ISP is screwing up. Source/Dest MAC addresses, ARP, etc. CARP does not break any rules. Much ISP gear does not play by those rules, however.

    Look at the generated states. Are they NATting to the proper VIP?

  • The IP address I placed I am certain of is available and already tried it with RDP on another server. Pinging to from the WAN VIP is not working but from LAN VIP does.

    Telnet to port 587 didn't work either, I will check the capture of packets to see what's wrong with that it could be the ISP.


  • LAYER 8 Netgate

    It might work fine using an interface address or an IP Alias VIP but not work CARP (using the identical IP address) because of improper handling of the necessary MAC address behavior by something upstream.