Confirm my NAT config

  • I know this is related to NAT, but I've lodged it under this section, as it's in relation to my HA setup and the right config with the CARP IP.

    Having some weird comms issues on the backup pfSense, and wondered if someone is able to sanity check my setup, and confirm I've done everything right, mainly around the NAT config.

    Our environment has an Edge Router with public IP on the WAN end and on the internal (LAN) side.
    This is patched into a Cisco Switch (No special config)
    Then both my pfSenses are patched into this switch on their WAN side, with IPs and and I'm using as the VirtualIP (CARP)
    Comms through it work fine, but I've noticed the backup pfSense has slowness logging in, and cannot resolve anything. But can ping etc.
    I'm assuming the slowness is due to the DNS not resolving.

    Here's my NAT setup. The IP address of the NAT Address is the CARP IP ( and the automatic rules includes ALL the subnets I have on the LAN side.



  • LAYER 8 Netgate

    You do not want to NAT your interface address to the CARP VIP. It won't be able to connect out unless it is CARP MASTER.

    In your case your RFC1918 alias catches the interface address.

    Put exclusions in for traffic sourced from both and NO NAT rules above what you have should suffice.

  • LAYER 8 Moderator

    I'd go a step further than @Derelict and X the NAT completely.

    • Delete the Hybrid Mappings
    • Switch to manual mode
    • let the generated Sources be done via "WAN address"
    • change the local networks (192.168.x or whatever you blacked out...) to your CARP VIP instead of WAN address. If you want to keep the rules short, you could add the RFC1918 prefix, but I find that a bit "biiig", so just create an alias like "local networks" and add all networks you would NAT outgoing to your VIP.

    Be done :)

    Also switching to manual gives a much finer control of what is actually NATted and where. But that's just IMHO :)

  • Thanks for the input folks.

    Derelict, yeah good spot, I actually really confused the matter by changing the actual IP addresses we use in this post, to hide the info. So apologies for that. Our WAN interface address is actually outside the RFC1918 range. Again, apologies for confusion.

    JeGr, yeah I was thinking of doing that. But wasn't sure if it would work correctly with our setup.
    I have an outage planned tonight, and will try switching back to Manual mode and see how it goes. I'll come back and update the post after that.

    Thanks again

  • LAYER 8 Netgate

    All of these details matter.

    I would delete all of the custom rules, switch to Automatic NAT, switch to Manual NAT, then change the resulting NAT rules that actually NAT inside traffic to utilize the CARP VIP.

  • Hi Derelict, yeah I know, and I felt dumb when I realised I'd done that. Apologies again.

    Your plan sounds good, I'll do the change tonight and update the post.

    Thanks for your help.

  • Follow up!

    Yeah I basically followed Derelict's info and moved to Manual NAT rules, then changed the IP to my CARP VIP for my WAN.

    Everything seems happier now.

    Thanks for your help.
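
The failure discussed in this thread (a firewall's own WAN address matching an RFC1918 source rule and being translated to the CARP VIP) can be reproduced with a small model of first-match outbound NAT. This is an added example, not code from any poster or from pfSense: every address, the `LOCAL_NETWORKS` alias and the function names are constructed for illustration, and it models rule matching only.

```python
import ipaddress

# Constructed addresses: the thread's real IPs were redacted.
CARP_VIP = "192.168.1.1"
WAN_ADDR = {"primary": "192.168.1.2", "backup": "192.168.1.3"}
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LOCAL_NETWORKS = ["10.10.0.0/16", "10.20.0.0/16"]  # hypothetical alias

def translate(rules, src):
    """Ordered rules, first match wins. Target None means 'do not NAT'."""
    ip = ipaddress.ip_address(src)
    for sources, target in rules:
        if any(ip in ipaddress.ip_network(net) for net in sources):
            return src if target is None else target
    return src  # no rule matched: leaves with its original source

def reply_reaches(node, seen_src, master="primary"):
    """Replies addressed to the CARP VIP are delivered to the master only."""
    if seen_src == CARP_VIP:
        return node == master
    return seen_src == WAN_ADDR[node]

# Three rule sets, each a list of (source networks, translation target).
AS_POSTED = [(RFC1918, CARP_VIP)]
WITH_EXCLUSION = [(list(WAN_ADDR.values()), None), (RFC1918, CARP_VIP)]
MANUAL = [(LOCAL_NETWORKS, CARP_VIP)]

def firewall_gets_replies(rules, node):
    """Can traffic the firewall itself originates (DNS etc.) get answers?"""
    return reply_reaches(node, translate(rules, WAN_ADDR[node]))

if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED),
                        ("with exclusion", WITH_EXCLUSION),
                        ("manual", MANUAL)]:
        print(name,
              "| backup firewall ok:", firewall_gets_replies(rules, "backup"),
              "| LAN client leaves as:", translate(rules, "10.10.0.5"))
```

In all three rule sets the LAN client still leaves as the CARP VIP, so failover behaviour for inside traffic is unchanged; only the firewall's own traffic differs.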
