Only particular failure - WAN issues

    I have set up two-node CARP. Works fine so far.
    Going on "Status -> CARP (failover)" I can see the current state. Clicking (on the current master) "Enter persistent CARP maintenance mode", it fails over to the second node and there is only a minimal interruption in network connection.

    BUT when I simulate the failure of a single NIC (i.e. by disabling the switch port) the secondary takes control of the failing interface and is now master for just this interface. Sounds good.

    But unfortunately no Internet/WAN connection can be made at this stage. LAN can reach the virtual IP (now at the secondary pfSense) but it cannot go further in the direction of the WAN.

    I assume this has something to do with my NAT configuration. I have created a CARP interface for WAN, too. The virtual IP there is .99. To which IP address do I have to configure my NAT?

    When configuring it for .99 (virtual) it is failsafe. But it does not cover the "single interface failure" I tested above (because it NATs to .99 on both active WAN interfaces).

    When configuring it for the correct address (.201 for master, .202 for backup) connections will be lost during a failover, right?

    So what might be the solution for this scenario?


  LAYER 8 Netgate

    Is the primary node actually seeing the interface go down? That is what is necessary to trigger a failover. It will fail over just fine with an actual interface failure. Even only one of many.

    CARP does not protect against a failure at Layer 2. That is up to you to provide Layer 2 redundancy in addition to Layer 3.

    It has zero to do with NAT.
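An added example, not from either poster, that answers the reply's first question in shell: it parses `ifconfig` output from both nodes to tell whether the primary actually saw carrier drop (a failover CARP can act on) or whether both links are still up, the Layer 2 case CARP cannot detect. Interface name em0, VHID 1 and the 203.0.113.0/24 addresses are assumptions, and the sample ifconfig output is constructed.

```shell
# Added example (not from the thread): classify what a pfSense/FreeBSD node
# sees on an interface by parsing `ifconfig <if>` output. A node only demotes
# its CARP VIP when it sees carrier drop; a fault upstream of the switch port
# leaves "status: active" and CARP stays MASTER, which is what the reply describes.
# Interface name em0, VHID 1 and the 203.0.113.0/24 prefix are assumptions.

# Print LINK_DOWN, MASTER, BACKUP or NO_CARP for one interface's ifconfig output.
carp_state() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*status:/ { link = ($2 == "active") ? "up" : "down" }
        /^[ \t]*carp:/   { carp = $2 }
        END {
            if (link == "down")  print "LINK_DOWN"
            else if (carp != "") print carp
            else                 print "NO_CARP"
        }'
}

# Compare what both nodes see on the same CARP interface and explain the outcome.
# $1: primary node ifconfig output, $2: secondary node ifconfig output.
diagnose() {
    p=$(carp_state "$1"); s=$(carp_state "$2")
    case "$p/$s" in
        LINK_DOWN/MASTER) echo "failover: primary saw carrier loss, secondary is MASTER" ;;
        MASTER/BACKUP)    echo "no failure visible: both links up; an upstream Layer 2 fault would not be detected" ;;
        LINK_DOWN/*)      echo "split: primary lost link but secondary is $s" ;;
        *)                echo "unexpected: primary=$p secondary=$s" ;;
    esac
}

# Constructed sample output (documentation prefix; .201/.202/.99 as in the thread).
PRIMARY_OK='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.201 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.99 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
    status: active'
PRIMARY_DOWN='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.201 netmask 0xffffff00 broadcast 203.0.113.255
    carp: BACKUP vhid 1 advbase 1 advskew 0
    status: no carrier'
SECONDARY_BACKUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.202 netmask 0xffffff00 broadcast 203.0.113.255
    carp: BACKUP vhid 1 advbase 1 advskew 100
    status: active'
SECONDARY_MASTER=$(printf '%s' "$SECONDARY_BACKUP" | sed 's/carp: BACKUP/carp: MASTER/')

diagnose "$PRIMARY_OK" "$SECONDARY_BACKUP"
diagnose "$PRIMARY_DOWN" "$SECONDARY_MASTER"
```

On a live node, feed it the real output of `ifconfig <wan_if>` from each box instead of the constructed strings.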

