How to do use this NAT?



  • I know carp will use three WAN IP address.Two pfsense wan interface will use two wan IP address.And carp will use one shared IP address.Please see information.
    one primary pfsense use wan ip address is 1.2.3.4
    one backup pfsense use wan ip address is 1.2.3.5
    carp ip use 1.2.3.6
    I set NAT on primary pfsense 1.2.3.4 --> 192.168.0.5:80
    If primary pfsense break.The primary ip address 1.2.3.4 haven't set on backup pfsense.
    This NAT rule should can't run it. Is right?

    Could any solution to setup it on backup pfsense if primary pfsense break?



  • @akong77 said in How to do use this NAT?:

    one primary pfsense use wan ip address is 1.2.3.4
    one backup pfsense use wan ip address is 1.2.3.5
    carp ip use 1.2.3.6

    So 1.2.3.4 can only be used on the primary and 1.2.3.5 can only be used on the backup.
    1.2.3.6 is used by the master (whether it's the primary or the secondary) and is meant for fail-over.


  • LAYER 8 Netgate

    @akong77 said in How to do use this NAT?:

    I set NAT on primary pfsense 1.2.3.4 --> 192.168.0.5:80

    Set the port forward to forward 1.2.3.6 --> 192.168.0.5:80

    That same rule will be synced to the secondary.

    Whatever node happens to be the CARP MASTER will receive the connection and forward it.

    Whatever states already exist to that server should be synced and continue to work.



  • Because these three IP address I has set for some service.
    1.2.3.4 for web service and forward to 192.168.0.5:80
    1.2.3.5 for mail service and forward to 192.168.0.6:25 and 110
    1.2.3.6 for ftp service and forward to 192.168.0.7:21
    If I set 12.3.6 forward to 192.168.0.5:80,I will change my dns mapping ip address. Is it right?
    Could I only set all service on 1.2.3.6 this ip address?


  • LAYER 8 Netgate

    Yes.

    If you expect HA to work you need to port forward connections to the CARP VIP.

    In general, you can forward one protocol:address:port tuple to one inside destination.

    There is no reason you cannot forward these:

    1.2.3.6:80 --> 192.168.0.5:80
    1.2.3.6:25 --> 192.168.0.6:25
    1.2.3.6:110 --> 192.168.0.6:110
    1.2.3.6:21 --> 192.168.0.7:21

    They are all different listening ports so they can be forwarded inbound independently.

    Yes, You would change the A record for these services to 1.2.3.6.



  • So,If I have two web server and use 80 port.Could I use HA CARP?



  • So,If I want building carp service. It's must use three IP address and two IP address not use any service. Is it right?



  • Yes, that’s the way it’s recommended to set up CARP.
    However, there are also ways to set up CARP with three private IPs and hook up the public IPs on the CARP VIP with some drawbacks.
    E. g. you will have to set up a second default route over the master for the backup to reach the internet and draw updates.

    Another way to use to webserver is to run HA proxy on pfSens and let it do the spreadind.



  • If I have three wan ip.
    IP is 1.2.3.4~1.2.3.6 and gateway is 1.2.3.254
    I want use 192.168.13.2~192.168.13.4 these private ip to set it.
    Could you tell me how to do it?
    Thanks a lot.



  • For now, I had only set up something like that for a second WAN, where the backup WAN connection was given by the first WAN.

    This may look like this:
    pfSense 1: 192.168.13.2
    pfSense 2: 192.168.13.3
    CARP VIP: 192.168.13.4

    Then go to Firewall > Virtual IPs and add 1.2.3.4 to the WAN CARP VIP as „IP alias“. Set the correct mask (/24, I guess). Do the same with your other public IPs.
    Go to System > Routing > Gateways and add 1.2.3.254 as a gateway to WAN and set it as default.
    Go to Firewall > NAT > Outbound, switch to manual mode and edit the rules for your internal subnets and for pfSense itself to translate outbound packets to one of your public IPs, e.g. the CARP VIP.

    Now your WAN interface should work in CARP mode and your public addresses should be reachable from the internet. However, the backup will not be able to draw updates.



  • So, I should set 192.168.13.2 to pfsense1 wan interface and 192.168.13.3 to pfsense2 wan interface.
    Then I set 192.168.13.4 to Firewall--Virtual IPs--CARP.
    And 1.2.3.4 this IP set on Firewall--Virtual IPs--IP Aliases. Is it correct?



  • Yes, for 1.2.3.4 and all other public IPs select type "IP Alias" and at interface select "192.168.13.4", which is the CARP VIP.



  • Hello,
    Thank you teach us.
    I want know two question.
    WAN interface I has set 192.168.13.2.The upstream gateway should be set none. Is it correct?
    Outbound NAT the NAT address set should use public ip address e.g. 1.2.3.4. Is it correct?


  • LAYER 8 Netgate

    If it is a WAN and you want it to act like a WAN you should set the upstream gateway on the interface.



  • @viragomann
    WAN interface I has set 192.168.13.2.The upstream gateway should be set none. Is it correct?
    Outbound NAT the NAT address set should use public ip address e.g. 1.2.3.4. Is it correct?



  • @Derelict
    Thanks a lot.
    Because I will set private ip on wan. So I need understand this setup.Thanks a lot.



  • @akong77
    As @Derelict already mentioned, if it is the WAN interfaces facing to your upstream gateway, you should state the gateway here (1.2.3.254).

    Yes the outbound NATs translation address has to be one of your public IPs like 1.2.3.4.



  • @Derelict @viragomann Thanks all friend.
    But it's can't monitor internet ip status if I set private ip on wan. Right?
    I want know if I use multi wan with carp. What do I want to know?



  • You can configure the gateway monitoring to use an alternative (public) IP.
    Edit the gateway settings in System > Routing > Gateways and enter a public IP which responses to ICMP into the "Monitor IP" box.



  • @viragomann I has use alternative (public) IP like 1.1.1.1 this ip address to monitor.I also test diag--ping to test wan. It's can ping to 1.1.1.1 this ip address.But it's always show offline.How to set monitor ip use ICMP?


  • LAYER 8 Netgate

    Monitor pings every half-second by default. This is an ICMP echo request looking for an echo reply. Not sure what you're asking.



  • My Wan is set private ip use 192.168.15.2/24 and set gateway is 61.220.69.254. This gateway ip is true. And I can ping to anywhere. But monitor always show offline.


  • LAYER 8 Netgate

    Then pings to the monitor IP address are not being returned.



  • @Derelict So if I use private ip at WAN interface. The monitor is show offline is normal?


  • LAYER 8 Netgate

    Yes. That is why you need three routable IP addresses to do HA correctly. Else only the node that holds the CARP address can access the internet.

    If it is worth HA it is worth doing correctly.



  • Hello, I have two wan interface. I has set private ip on two wan interface. It's can ping outgoing on pfsense. I has set default gateway. But client pc only go default gateway to internet. If client pc set outbound NAT to none default gateway. It's can't go to internet. How to set up it?


  • LAYER 8 Netgate

    No idea based on that description. Sorry. Please post more details.



  • Sorry.
    WAN1 -- 192.168.15.2/24 and gateway set to 1.2.3.254
    WAN1 have five CARP IPs.
    WAN2 -- 192.168.20.2/24 and gateway set to 5.6.7.254
    WAN2 have file CARP IPs.
    LAN1 -- 192.168.0.0/24
    LAN2 -- 192.168.10.0/24
    Outbound NAT set LAN1 to WAN2 CARP IP. Set LAN2 to WAN1 CARP IP.
    I set default gateway as WAN2.
    It's only LAN1 user can go to internet. LAN2 user can't go to internet.
    If I set default gateway is WAN1.
    It's only LAN2 user can go to internet. LAN1 user can't.
    How to set it?


  • LAYER 8 Netgate

    You do not route traffic with Outbound NAT rules. You route traffic with policy routing rules.

    Set your Outbound NAT for all inside source addresses on both WANs to the proper CARP VIP.

    Policy routing determines what traffic flows out which interface.

    https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html#policy-routing-configuration



  • So in addition to setting the Outbound NAT to the CARP IP, also set the Gateway in LAN1 and LAN2's Rules, right?



  • Hello,
    I has set finish all WAN and LAN setting and success it. But I have another problem. I set openvpn on it and click on redirect ipv4 gateway this option. But when client connect openvpn server. It's can't go to internet. If I click off redirect ipv4 gateway. It's can go to internet. But it's use original IP. I has set firewall rules all allow for OPENVPN tab. Could any loss another setting?


  • LAYER 8 Netgate

    Outbound NAT for the tunnel network source addresses. Again, the NAT address should be the CARP VIP just like for any other inside network.

    You also need to pass all traffic on the OpenVPN firewall rules.



  • Thanks a lot. I have another question. I has set some NAT setting.
    NAT Reflection mode --> PureNAT
    Enable NAT Reflection for 1:1 NAT --> check on.
    Enable automatic outbound NAT for Reflection --> check on.
    But user can't browser intranet web page when this web page resolve IP is CARP IP.Could I miss another setting?


  • LAYER 8 Netgate

    Doesn't sound like it. Split DNS is generally considered a more effective solution.

    But it depends. You'll have to post everything including the firewall rules for the interface the users are sourcing from.



  • I got some pic about firewall rules.
    Please see attachment.
    WAN1.PNG WAN2.PNG LAN1.PNG LAN2.PNG
    I have not set any block rules. Could have any problem?


  • LAYER 8 Netgate

    What, specifically, is not working?


Log in to reply