Port Forwarding not working with VIP (WAN)



  • We have a pair of Netgate SG5100s set up in HA via CARP; we followed all the directions and have the CARP setup working flawlessly. We have a VIP set up for our WAN side, with 3 static IPs: one is for the VIP and one each for each SG5100 WAN interface.

    Our VIP (let's call it .154) was working before with port forwarding and we don't understand how/why it stopped. We have deleted and re-added it and looked at the firewall logs, and we are not seeing anything even coming in, so it sounds like the VIP isn't even passing it. If I create a port forward rule on, say, the primary SG5100 using our .155 WAN address in the destination instead of the VIP (.155 is the WAN static IP for that primary SG5100), it works fine, but that defeats the purpose of the VIP/HA concept if it fails over.

    I've enabled the firewall log to track all packets and am still not seeing anything when I attempt to hit it via .154. I have run a packet capture on the active firewall and am not getting anything when we try to access a web server that we have set up for on the NAT port forward rule.

    Just to make sure, yes, we have the VIP selected in the NAT Port Forward as the "Destination Address" instead of the standard "WAN Address". I have two rules, one for the VIP and one for the WAN address (which, as I mentioned above, is the only one that works; it's here for testing only, since the VIP one refuses to work).

    How can I troubleshoot this further? I'm not getting why I don't see anything in the packet capture or firewall logs.


  • LAYER 8 Netgate

    The rule must match the real (after NAT) address of the server being forwarded to, not the WAN Address or the WAN VIP. The inside local address if you will.

    Have run a packet capture on the active firewall and not getting anything when we try to access a web server that we have set up for on the NAT port forward rule.

    Can you do a simple ping out from the firewall setting the CARP VIP as the source?

    Does whatever is upstream of you even ARP/etc for the CARP VIP?

    All of the port forwarding troubleshooting items here apply to CARP VIPs as well as any other address being forwarded:

    https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html
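    One way to check the "does upstream even ARP for the CARP VIP?" question from the reply above, as an added example that is not from this thread or from Netgate: capture ARP on the WAN interface and classify what is seen. Assumed values: WAN interface igb0, VIP 203.0.113.154 (the thread's ".154" in documentation address space); the sample lines in the usage are constructed, not captured from the poster's firewall.

    ```shell
    #!/bin/sh
    # Added example: classify ARP traffic for a CARP VIP from tcpdump output.
    # Assumptions (placeholders, not from the thread): WAN_IF=igb0, VIP=203.0.113.154.
    WAN_IF="${WAN_IF:-igb0}"
    VIP="${VIP:-203.0.113.154}"

    # Run on the node that is CARP MASTER: capture 20 ARP packets involving the VIP.
    capture_vip_arp() {
        tcpdump -ni "$WAN_IF" -c 20 "arp host $VIP" 2>/dev/null
    }

    # Reads tcpdump ARP lines on stdin and prints one verdict:
    #   no-arp           nothing upstream asks for the VIP (upstream/ISP does not route it here)
    #   unanswered       upstream asks, but no node replies (this node is not MASTER, or VIP misconfigured)
    #   answered         request answered from the CARP/VRRP MAC 00:00:5e:00:01:<VHID>
    #   answered-nonvrrp answered by a non-CARP MAC (some other host owns the address)
    classify_vip_arp() {
        awk -v vip="$1" '
            index($0, "who-has " vip " tell") > 0 { req = 1 }
            index($0, "Reply " vip " is-at ") > 0 {
                rep = 1
                # MAC follows "is-at " and ends at the next comma
                split($0, parts, "is-at "); mac = parts[2]; sub(/,.*/, "", mac)
                if (mac ~ /^00:00:5e:00:01:/) carp = 1
            }
            END {
                if (!req && !rep)  print "no-arp"
                else if (!rep)     print "unanswered"
                else if (carp)     print "answered"
                else               print "answered-nonvrrp"
            }'
    }

    # Invoke as "sh check_vip_arp.sh run" on the firewall to capture and classify live.
    if [ "${1:-}" = "run" ]; then
        capture_vip_arp | classify_vip_arp "$VIP"
    fi
    ```

    A result of no-arp with a working .155 forward is the situation in this thread: the firewall rules are fine, but nothing upstream is sending traffic for the VIP.
    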



  • @Derelict said in Port Forwarding not working with VIP (WAN):

    The rule must match the real (after NAT) address of the server being forwarded to, not the WAN Address or the WAN VIP. The inside local address if you will.

    Have run a packet capture on the active firewall and not getting anything when we try to access a web server that we have set up for on the NAT port forward rule.

    The NAT rule does have the inside server address and port correct. Just to be clear, there is a NAT rule with the Destination Address as the CARP VIP. Destination port is 12443 for me. Then the NAT IP and NAT Port are my actual inside server (in this case 10.31.99.4 and port 443). This is the rule that doesn't work. I have the exact same rule but with the Destination Address only changed to the .155 WAN IP we have (we have 3 static IPs from our ISP: .154 (VIP), .155 (Primary SG5100), .156 (Secondary SG5100)), and that rule works. But if this goes into failover mode, that rule is useless, since the failover is .156 as the WAN.

    Here is a screenshot of those port forwards:
    [screenshot: Screen Shot 2019-09-23 at 4.47.28 PM.png]

    Can you do a simple ping out from the firewall setting the CARP VIP as the source?

    Interesting that this doesn't work. But the WAN IPs (primary or secondary) work fine.



  • Closing this. Thanks for pointing me in the direction of testing the ping on the CARP VIP. That ended up being the issue. Turns out somehow the ISP took back one of our 3 IPs; we got them to put it back on our account and now we are back to normal. Can ping off that CARP VIP, and port forwarding works now using the CARP VIP as Destination Address.

    Thanks again @Derelict

