CARP/HA Port Forwarding does not work


  • Hello everybody!
    I am struggling with the configuration of a simple port forward in a two-node HA cluster running 2.4.4.
    After a lot of testing I hope to find an answer here in the community.

    I have configured a two-node cluster using the pfSense book.
    The master server has the role "MASTER" in CARP status, the slave has the role "BACKUP" on all interfaces.
    The failover is working great, the IPsec VPN tunnel switches to the slave as well.
    So everything is working as desired.

    The only thing which is not working as desired are normal port forwards over a dedicated CARP VIP.
    These are my settings:

    [screenshot: port forward settings]

    Automatic firewall rule:

    [screenshot: automatic firewall rule]

    Sometimes I get a firewall log entry like this:

    [screenshot: firewall log]

    A tcpdump shows:

    09:02:52.961158 IP 79.239.94.72.57421 > WAN CARP VIP.443: tcp 0

    The port 443 is active on the destination server:

    [screenshot: port 443 listening on the destination server]

    When I try to use "IP Alias" instead of "CARP" the port forwarding fails as well.
    Looks like a general issue with the virtual IPs to me.

    Is there anybody who has an idea how to find a solution for that?
    Best Regards!
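The tcpdump line in the post shows only the inbound SYN to the VIP; whether the forward works hinges on whether a reply ever leaves the VIP. The following is an added example, not code from the post or from pfSense, that groups a WAN-side `tcpdump -nq` capture into client flows and flags the ones that never receive a packet back from the VIP (repeated SYNs with no answer point at the NAT/filter side, while a SYN/ACK followed by silence points at the backend or asymmetric routing). The capture text is constructed for the example; 203.0.113.10 stands in for the redacted "WAN CARP VIP" and 198.51.100.x for remote clients.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump -nq output (not from the original post).
# 203.0.113.10 = WAN CARP VIP placeholder, 198.51.100.7/8 = remote client placeholders.
SAMPLE_CAPTURE = """\
09:02:52.961158 IP 198.51.100.7.57421 > 203.0.113.10.443: tcp 0
09:02:53.961301 IP 198.51.100.7.57421 > 203.0.113.10.443: tcp 0
09:02:55.961655 IP 198.51.100.7.57421 > 203.0.113.10.443: tcp 0
09:03:01.100200 IP 198.51.100.8.40122 > 203.0.113.10.443: tcp 0
09:03:01.100950 IP 203.0.113.10.443 > 198.51.100.8.40122: tcp 0
09:03:01.120000 IP 198.51.100.8.40122 > 203.0.113.10.443: tcp 0
"""

# One tcpdump -nq IPv4 line: "<time> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<proto>\w+)"
)


def parse_capture(text):
    """Yield one dict per parsable tcpdump line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def flow_summary(text, vip, port):
    """Map (client_ip, client_port) -> (packets_to_vip, packets_from_vip) for vip:port."""
    counts = defaultdict(lambda: [0, 0])
    for pkt in parse_capture(text):
        if pkt["dst"] == vip and pkt["dport"] == port:
            counts[(pkt["src"], pkt["sport"])][0] += 1      # inbound toward the forward
        elif pkt["src"] == vip and pkt["sport"] == port:
            counts[(pkt["dst"], pkt["dport"])][1] += 1      # reply leaving the VIP
    return {client: tuple(v) for client, v in counts.items()}


def one_way_flows(text, vip, port):
    """Clients that sent traffic to vip:port and never got a single packet back."""
    summary = flow_summary(text, vip, port)
    return sorted(client for client, (inbound, outbound) in summary.items() if outbound == 0)


if __name__ == "__main__":
    VIP, PORT = "203.0.113.10", 443
    for client, (inbound, outbound) in sorted(flow_summary(SAMPLE_CAPTURE, VIP, PORT).items()):
        state = "NO REPLY" if outbound == 0 else "replied"
        print(f"{client[0]}:{client[1]} -> {VIP}:{PORT}  in={inbound} out={outbound}  {state}")
```

Run it against a real capture with `tcpdump -nq -i <wan_if> host <vip> and port 443` saved to a file and substitute the VIP; a second capture on the LAN interface filtered on the internal server tells you whether the translated packets leave the firewall at all.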

  • LAYER 8 Netgate

    Does it work if you forward WAN Address, not the CARP VIP? Highly doubtful it's an issue with the VIP.

    The first thing I would do is move the webgui off of 443 in System > Advanced.


  • @derelict

    I have reconfigured the CARP VIPs, recreated the nat rule and suddenly it works...
    Have no clue why, but really appreciated your message!

  • LAYER 8 Netgate

    Did you ever see any alerts in the upper right that said anything about failing to load filter rules?


  • @derelict
    Nope, the only warning I got was one from the pfBlockerNG package. There was a faulty URL in an ASN rule I had installed for another purpose...