NAT Outbound Pool in a High Availability environment?

  • I have attempted this a few times with no luck. Yes, Proxy ARP will work, but not when using HA. Is this even possible?

    Internal RFC1918 network --> NAT --> /25 Public IP Space. The HA part of the question seems to be where I run into problems. How do I make a config that will successfully work with HA?

    Your upstream provider should be routing that /25 to a CARP VIP on your WAN. Then you do not need any VIPs.

    If that /25 is directly on your WAN, then you are stuck making individual CARP VIPs (or IP Alias VIPs on a CARP VIP parent, which is more efficient). If this is the case, you should contact your ISP and request a /29 for your WAN and then have the /25 routed to your VIP in that subnet.

  • So, let's say I have the /25 and an additional /29 routed to my WAN port. What would I do? I am guessing it has something to do with the "Other" type interface...

    Nothing special. You do not need any VIPs. If the block is routed to the firewall, the traffic is already arriving there.

    VIPs in this case would tell the other devices at L2 that this firewall (cluster) accepts traffic for those additional IP addresses. When the block is already routed to the firewall, that is unnecessary.
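    To make the "nothing special" answer concrete, here is an added example (not the poster's configuration) of what the underlying FreeBSD pf rules look like when the public /25 is routed to the CARP VIP in a /29 WAN subnet. The interface name em0, the RFC 5737 addresses, the VHID and the LAN range are assumptions; on pfSense the GUI generates equivalent rules, this is shown as plain pf.conf for clarity.

    ```pf
    # Assumed WAN layout (RFC 5737 documentation addresses):
    #   /29 link subnet from the ISP: 203.0.113.128/29
    #   primary node real address:    203.0.113.130
    #   secondary node real address:  203.0.113.131
    #   CARP VIP shared by the pair:  203.0.113.129 (vhid 1)
    # The CARP VIP is created with ifconfig (not in pf.conf), e.g. on the primary:
    #   ifconfig em0 inet 203.0.113.130/29
    #   ifconfig em0 vhid 1 advskew 0 pass <carp-secret> alias 203.0.113.129/32
    # The ISP routes 203.0.113.0/25 to 203.0.113.129, so whichever node is
    # CARP master receives the whole /25. No VIPs are defined for the /25.

    wan_if   = "em0"
    lan_net  = "10.0.0.0/8"          # internal RFC1918 space (assumed)
    nat_pool = "203.0.113.0/25"      # routed public block used as the outbound pool

    # Outbound NAT: internal hosts are translated to addresses drawn from the
    # routed /25. Because the block is routed to the cluster, no Proxy ARP or
    # IP Alias entries are needed for these addresses; pf simply sources
    # packets from them and the upstream router already knows where to send
    # the return traffic. sticky-address keeps one client on one public IP.
    nat on $wan_if from $lan_net to any -> $nat_pool round-robin sticky-address

    # Allow the translated traffic out of the WAN; state is created on the
    # CARP master and synchronised to the backup by pfsync.
    pass out on $wan_if from $nat_pool to any keep state
    ```

    If the /25 were instead configured directly on the WAN segment (not routed), each address in the pool would need its own IP Alias VIP on the CARP VIP parent so that the L2 neighbours know which node answers for it, which is exactly the situation the answer above recommends avoiding.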

  • OK, that makes sense. Thanks for the quick response.
