Routed subnet / NAT to CARP



  • Hey

    I have an HA setup with 3 ISPs connected.
    Yesterday we did a test failover on the HA part and it didn't go as expected.

    I have a /24 routed from each ISP to a WAN CARP on each ISP.
    Some of those IPs from the /24 are used for a DMZ zone (routed right through) and some are used for NAT port forwards.
    Should all of those IPs from the /24 be added as IP Aliases on the WAN CARP, or just the ones used for NAT?

    One of the errors from yesterday was that the IPs routed through worked but the NAT'ed ones did not.
    I can't seem to find anything in the handbook about IPs used for NAT in this HA setup.

    Thanks in advance.


  • Netgate

    It depends on what they are being used for.

    Addresses from a routed subnet on one ISP will not work on any of the other ISPs unless you are announcing them to all of them via BGP or something - at least inbound. You might be able to get outbound working by using Outbound NAT on the WANs that do not have those addresses natively.

    Going to need a lot more details as to your situation in order to provide more targeted feedback. Use one example of what appeared not to work and give details on that one thing.



  • Hey.

    I don't mix the /24 subnets from the other ISPs, I got that right :)
    I also have outbound NAT working right; the problem/question is about inbound NAT / port forwards.

    The question is, do I need to add the IP addresses I use for NAT as CARP addresses?
    My ISP is routing the /24 subnet to the CARP address, so I know the backup node gets the traffic if I fail over, but it didn't work with the NATs.


  • Netgate

    Why are you port forwarding and using NAT at all if you have a routed /24?

    If it is routed you do not need a VIP to do a port forward. Just set the Destination to Single host or alias and enter the address on the routed subnet. The traffic will arrive, NAT will be applied, firewall rules will be checked, and the packet forwarded on its way inside. Zero reason that won't work on an HA failover unless they are really not routing to the CARP VIP.
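    As an added illustration (not from the original post, and not pfSense's generated ruleset), here is what the port forward described above boils down to in pf terms. 1.2.3.4 stands in for an address inside the routed /24 and 172.10.0.1 for the internal server; both addresses are taken from later in this thread, while the interface name em0 and port 443 are assumptions.

```pf
# Example pf rules for a port forward to an address inside a routed /24.
# Added illustration, not pfSense's own generated rules. Assumptions:
#   em0        = the WAN interface on which the ISP routes the /24
#   1.2.3.4    = an address in the routed /24 (not a CARP VIP or IP Alias)
#   172.10.0.1 = the internal server
# Because the ISP routes the whole /24 to the CARP VIP, packets for
# 1.2.3.4 arrive on whichever node is currently MASTER, so no VIP has
# to be configured for 1.2.3.4 itself: the rdr rule just matches it as
# the destination address.
rdr on em0 proto tcp from any to 1.2.3.4 port 443 -> 172.10.0.1 port 443

# pf evaluates filter rules after translation, so the pass rule matches
# the already-rewritten destination (the internal host), not 1.2.3.4.
pass in quick on em0 proto tcp from any to 172.10.0.1 port 443 keep state
```

    In the pfSense GUI this corresponds to a port forward with Destination set to "Single host or alias" and 1.2.3.4 entered there, rather than picking a CARP VIP or IP Alias from the list.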



  • Hey

    The reason for the NAT is that it's part of a DNS failover.
    I have it working like this:
    WAN1 IP: 1.2.3.4 NAT'ed to 172.10.0.1
    WAN2 IP: 4.3.2.1 NAT'ed to 172.10.0.1

    That way I have a WAN failover to the same server.