Netgate Discussion Forum
    CARP/HA Port Forwarding does not work

    HA/CARP/VIPs
    5 Posts 2 Posters 966 Views
    streetsfinest

      Hello everybody!
      I am struggling with the configuration of a simple port forward in a two-node HA cluster running 2.4.4.
      After a lot of testing, I hope to find an answer here in the community.

      I have configured a two-node cluster using the pfSense book.
      The master server has the role "MASTER" in CARP status; the slave has the role "BACKUP" on all interfaces.
      The failover is working great; the IPsec VPN tunnel switches to the slave as well.
      So everything is working as desired.

      The only thing which is not working as desired are normal port forwards over a dedicated CARP VIP.
      These are my settings:

      [screenshot: port forward settings]

      Automatic firewall rule:

      [screenshot: automatic firewall rule]

      Sometimes I got a firewall log like this:

      [screenshot: firewall log]

      A tcpdump shows:

      09:02:52.961158 IP 79.239.94.72.57421 > WAN CARP VIP.443: tcp 0

      The port 443 is active on the destination server:

      [screenshot: port 443 listening on the destination server]

      When I try to use "IP Alias" instead of "CARP", the port forwarding fails as well.
      Looks like a general issue with the virtual IPs to me.

      Is there anybody who has an idea how to find a solution for that?
      Best Regards!

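The tcpdump line above proves the SYN reaches the WAN CARP VIP, but on its own it does not say whether pf redirected it, whether the target answered, or whether the answer made it back out. Capturing on WAN and LAN at the same time and correlating the two by client source port shows where each flow stops. The script below is an added example, not code from the thread or from pfSense; the captures are constructed in `tcpdump -n` line format, and the VIP 203.0.113.10 and target 192.168.1.10 are assumed placeholders.

```python
import re
from collections import namedtuple

# Added example, not from the thread or from pfSense: correlate a WAN-side
# and a LAN-side tcpdump capture to see how far an inbound connection to a
# forwarded port gets. Addresses are assumed placeholders; the captures are
# constructed in `tcpdump -n` line format.
WAN_VIP = "203.0.113.10"      # assumed placeholder for the WAN CARP VIP
LAN_TARGET = "192.168.1.10"   # assumed placeholder for the forward target
FWD_PORT = 443

WAN_CAPTURE = """\
09:02:52.961158 IP 79.239.94.72.57421 > 203.0.113.10.443: tcp 0
09:02:53.961158 IP 79.239.94.72.57421 > 203.0.113.10.443: tcp 0
09:02:55.100000 IP 198.51.100.7.40000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
09:02:55.100500 IP 203.0.113.10.443 > 198.51.100.7.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
09:02:57.000000 IP 192.0.2.33.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
"""

LAN_CAPTURE = """\
09:02:55.100200 IP 198.51.100.7.40000 > 192.168.1.10.443: Flags [S], seq 1, win 64240, length 0
09:02:55.100300 IP 192.168.1.10.443 > 198.51.100.7.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
09:02:57.000200 IP 192.0.2.33.51000 > 192.168.1.10.443: Flags [S], seq 1, win 64240, length 0
"""

Packet = namedtuple("Packet", "ts src sport dst dport")

# Matches both the short `tcp 0` style shown in the post and the default Flags style.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_line(line):
    """Parse one tcpdump line into a Packet, or None if it is not an IPv4 TCP/UDP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def diagnose(wan_text, lan_text, vip=WAN_VIP, target=LAN_TARGET, port=FWD_PORT):
    """Map each client (ip, port) that hit vip:port on WAN to a verdict.

    not-forwarded : SYN seen on WAN but never on LAN with the translated destination
                    (the rdr rule did not fire: check the NAT rule, the VIP, and
                    which node is currently MASTER for it)
    target-silent : translated SYN reached the LAN but the target never answered
                    (service or host firewall on the target)
    reply-lost    : target answered on LAN but no reply left via the VIP on WAN
                    (return path / state problem)
    ok            : full handshake visible on both sides
    """
    wan = [p for p in map(parse_line, wan_text.splitlines()) if p]
    lan = [p for p in map(parse_line, lan_text.splitlines()) if p]
    inbound = {(p.src, p.sport) for p in wan if p.dst == vip and p.dport == port}
    forwarded = {(p.src, p.sport) for p in lan if p.dst == target and p.dport == port}
    target_replied = {(p.dst, p.dport) for p in lan if p.src == target and p.sport == port}
    wan_replied = {(p.dst, p.dport) for p in wan if p.src == vip and p.sport == port}
    report = {}
    for client in sorted(inbound):
        if client not in forwarded:
            report[client] = "not-forwarded"
        elif client not in target_replied:
            report[client] = "target-silent"
        elif client not in wan_replied:
            report[client] = "reply-lost"
        else:
            report[client] = "ok"
    return report


if __name__ == "__main__":
    for (ip, sport), verdict in diagnose(WAN_CAPTURE, LAN_CAPTURE).items():
        print(f"{ip}:{sport} -> {verdict}")
```

On a real box you would feed it two files written by `tcpdump -n -i <wan_if> port 443 -w -` style captures converted to text; the point is that the first client in the sample (the repeated SYN with no LAN counterpart) is exactly the "not-forwarded" symptom the post describes, which is distinct from a target that is reachable but silent.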
        Derelict (Netgate)

        Does it work if you forward WAN Address, not the CARP VIP? Highly doubtful it's an issue with the VIP.

        The first thing I would do is move the webgui off of 443 in System > Advanced.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

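The second suggestion, moving the webGUI off 443, is about the firewall itself binding the same port that a forward is supposed to hand off to an internal host. The function below is an added example, not code from the thread or from pfSense: it lists port forwards whose VIP and port are also held by a local listener, including wildcard binds, using constructed output in the column layout of FreeBSD's `sockstat -4l`. The VIP 203.0.113.10 and the targets are assumed placeholders.

```python
# Added example, not pfSense code: flag port forwards whose destination
# address/port is also bound by a daemon on the firewall itself.
# Listener data is constructed here in the column layout of `sockstat -4l`.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      41567 6  tcp4   *:443                 *:*
root     nginx      41567 7  tcp4   *:80                  *:*
root     sshd       2345  4  tcp4   *:22                  *:*
unbound  unbound    5678  3  udp4   192.168.1.1:53        *:*
"""

# Constructed port forwards: (proto, destination VIP, destination port, target).
# 203.0.113.10 is an assumed placeholder for the WAN CARP VIP.
FORWARDS = [
    ("tcp", "203.0.113.10", 443, "192.168.1.10"),
    ("tcp", "203.0.113.10", 8443, "192.168.1.10"),
    ("udp", "203.0.113.10", 53, "192.168.1.20"),
]


def parse_sockstat(text):
    """Return (command, proto, local_addr, local_port) for each listening socket."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        # "tcp4"/"udp4" -> "tcp"/"udp" so it compares with the forward's proto
        listeners.append((command, proto.rstrip("46"), addr, int(port)))
    return listeners


def find_collisions(forwards, listeners):
    """Forwards whose (proto, VIP, port) a local daemon also binds; '*' binds every address."""
    hits = []
    for proto, vip, port, _target in forwards:
        for command, lproto, addr, lport in listeners:
            if lproto == proto and lport == port and addr in ("*", vip):
                hits.append((vip, port, command))
    return hits


if __name__ == "__main__":
    for vip, port, command in find_collisions(FORWARDS, parse_sockstat(SOCKSTAT_OUTPUT)):
        print(f"forward to {vip}:{port} overlaps local listener '{command}'")
```

In the sample only the 443 forward collides (nginx, the webGUI, bound to `*:443`); the unbound listener on 53 is bound to a LAN address, not the VIP, so the UDP forward is clean. Running the real `sockstat -4l` on each cluster node and diffing the result is a quick way to confirm both nodes present the same set of listeners.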
          streetsfinest @Derelict

          @derelict

          I have reconfigured the CARP VIPs, recreated the NAT rule, and suddenly it works...
          I have no clue why, but I really appreciate your message!

            Derelict (Netgate)

            Did you ever see any alerts in the upper right that said anything about failing to load filter rules?

              streetsfinest @Derelict

              @derelict
              Nope, the only warning I got was one from the pfBlockerNG package. There was a faulty URL in one ASN rule I had installed for another purpose...
