Route local traffic using Interface IP instead CARP VIP



  • Hi all
    Not sure if I should post this in OpenVPN, MultiWAN or CARP, but here's the thing:

    I have 2 pfSense boxes set up in HA. Each one has its own WAN connection (they are connected to different ISPs).
    The LAN interface is a CARP VIP.
    Everything works fine in this regard. If either the master is down or its gateway doesn't answer pings, the backup takes over without any problem.

    Now, I have an OpenVPN server used on both routers. They are used by remote users to connect to the LAN (remote workers).
    Until now, they all connected through the master. Now, with the current Coronavirus problem, we will have a lot more users connecting, and I'd like to take advantage of my two ISPs to balance the VPN load on the two servers.

    It works almost fine, but clients connecting to the backup pfSense box via OpenVPN don't get any traffic back from the network. My guess is that the packet is coming in through the router, but routed on the LAN using the CARP VIP and not using the LAN IP address. This makes sense in the normal HA scenario, but in my case I'd like, at least temporarily, to force OpenVPN to route this traffic through the real LAN interface and not through the virtual IP of the CARP interface.

    Is that doable?
    Thanks a lot for helping!



  • @thewild said in Route local traffic using Interface IP instead CARP VIP:

    My guess is that the packet is coming in through the router, but routed on the LAN using the CARP VIP and not using the LAN IP address.

    No, the packets use neither the LAN IP nor the CARP VIP by default. The packets go out the LAN interface towards the destination device with their virtual IP out of the OpenVPN tunnel pool. So the LAN devices send responses back to the default gateway, which will be the CARP VIP obviously.

    Basically your setup will not do its job very well. I recommend setting up a real MultiWAN-HA, where you connect each ISP line to each pfSense box, if you have additional interfaces available on the boxes.

    However, there may be 2 ways to achieve what you intend:

    1. Add a static route for the OpenVPN tunnel network of the backup box pointing to the backup's LAN IP to all your LAN devices which should be reachable over the VPN.
    2. Add an outbound NAT rule (S-NAT) to both pfSense boxes translating the source addresses in packets coming from the OpenVPN tunnel into the box's LAN IP.
      Drawback of this solution: you are not able to distinguish the OpenVPN users on the destination device, because all packets from VPN clients are arriving with the LAN IPs of the pfSense boxes.


  • Hi @viragomann , thanks a lot for your help.

    Indeed I was planning to set up a full MultiWAN-HA, but having no additional interface on the pfSense boxes this appeared to be difficult.

    I found a dirty way to achieve this. I simply change the IP configuration of the LAN devices that I want to use the backup box and set their gateway to the backup box's LAN IP.
    This is not perfect at all because the VPN client still can't reach LAN devices other than the ones configured this way (so it can't query internal DNS servers for instance), but since everything is going through remote desktop this issue is mitigated.

    Thanks for helping!



  • @thewild said in Route local traffic using Interface IP instead CARP VIP:

    Indeed I was planning to set up a full MultiWAN-HA, but having no additional interface on the pfSense boxes this appeared to be difficult.

    Get a VLAN-capable switch and put it in front of the pfSense boxes on the WAN side. Set up a different VLAN for each ISP and you will be able to run CARP HA on the WAN.



  • Yes, I have a VLAN-capable switch, but somehow I never managed to set this up correctly. After some time I gave up without knowing exactly what the problem was, but I think maybe one of the cable boxes had trouble managing VLANs. One of the pfSense boxes needs to do a PPPoE dial-up over the VLAN, and this never really worked.



  • @viragomann said in Route local traffic using Interface IP instead CARP VIP:

    Add a static route for the OpenVPN tunnel network of the backup box pointing to the backup's LAN IP to all your LAN devices which should be reachable over the VPN.

    Just wanted to let you know that I finally used your advice and created a static route.
    I now have two OpenVPN servers with distinct virtual IP subnets. The first server is used only on the main (master) box, and the second server on the backup box.
    Each LAN client has a static route to the backup box's LAN IP for the second OpenVPN server's subnet.
    This works well.
    Thanks a lot!
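The following Python model is an added illustration and is not code from the thread or from pfSense. It simulates the routing tables behind viragomann's explanation (the LAN device answers via its default gateway, the CARP VIP, which the master holds) and the two remedies: the per-host static route that thewild finally deployed with two distinct OpenVPN subnets, and the outbound NAT alternative. All addresses (LAN 192.168.1.0/24 with the VIP on .1, master .2, backup .3; tunnel networks 10.8.1.0/24 and 10.8.2.0/24; ISP ranges from the documentation blocks) and node names are constructed for the example, the LAN is modelled as one flat broadcast domain, and pfsync state synchronisation is ignored.

```python
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network


class Node:
    """A host or router: the addresses it owns plus its routing table.

    Routes are (network, next_hop) pairs; next_hop None means the network is
    directly connected and the packet is handed to whichever node owns the
    destination address.
    """

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {IP(a) for a in addrs}
        self.routes = [(NET(n), IP(v) if v else None) for n, v in routes]

    def lookup(self, dst):
        """Longest-prefix match over the routing table (None = no route)."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


def build_topology(lan_static_route=False):
    """Constructed topology (addresses invented for this example):
    LAN 192.168.1.0/24, CARP VIP .1 held by the master (.2), backup is .3.
    Each box has its own ISP and its own OpenVPN tunnel network."""
    lan_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
    if lan_static_route:
        # option 1 from the thread: backup's tunnel net via the backup's LAN IP
        lan_routes.append(("10.8.2.0/24", "192.168.1.3"))
    return [
        Node("lan-host", ["192.168.1.50"], lan_routes),
        Node("pfsense-master", ["192.168.1.1", "192.168.1.2", "10.8.1.1", "203.0.113.10"],
             [("192.168.1.0/24", None), ("10.8.1.0/24", None),
              ("203.0.113.0/24", None), ("0.0.0.0/0", "203.0.113.1")]),
        Node("pfsense-backup", ["192.168.1.3", "10.8.2.1", "198.51.100.10"],
             [("192.168.1.0/24", None), ("10.8.2.0/24", None),
              ("198.51.100.0/24", None), ("0.0.0.0/0", "198.51.100.1")]),
        # ISP gateways know nothing about the private networks: packets die here
        Node("isp-a", ["203.0.113.1"], []),
        Node("isp-b", ["198.51.100.1"], []),
        # one remote worker on each OpenVPN server
        Node("vpn-client-a", ["10.8.1.6"], [("10.8.1.0/24", None), ("0.0.0.0/0", "10.8.1.1")]),
        Node("vpn-client-b", ["10.8.2.6"], [("10.8.2.0/24", None), ("0.0.0.0/0", "10.8.2.1")]),
    ]


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet from node `src` to address `dst` hop by hop.
    Returns (delivered, [node names visited])."""
    dst = IP(dst)
    cur = next(n for n in nodes if n.name == src)
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return True, path
        route = cur.lookup(dst)
        if route is None:
            return False, path          # no route: dropped at this node
        _, via = route
        hop_addr = dst if via is None else via
        nxt = next((n for n in nodes if hop_addr in n.addrs), None)
        if nxt is None:
            return False, path          # nobody owns the next-hop address
        cur = nxt
        path.append(cur.name)
    return False, path


def snat_reply(nodes):
    """Option 2 from the thread: the backup rewrites the VPN client's source
    address to its own LAN IP, so the LAN host replies to 192.168.1.3 and the
    backup, which holds the NAT state, forwards the reply into its tunnel."""
    ok1, p1 = trace(nodes, "lan-host", "192.168.1.3")
    ok2, p2 = trace(nodes, "pfsense-backup", "10.8.2.6")
    return ok1 and ok2, p1 + p2[1:]


if __name__ == "__main__":
    plain = build_topology()
    print("forward via backup  :", trace(plain, "vpn-client-b", "192.168.1.50"))
    print("reply, master client:", trace(plain, "lan-host", "10.8.1.6"))
    print("reply, backup client:", trace(plain, "lan-host", "10.8.2.6"))
    print("with static route   :", trace(build_topology(True), "lan-host", "10.8.2.6"))
    print("with outbound NAT   :", snat_reply(plain))
```

Running it shows the asymmetry directly: the request from the backup's client reaches the LAN host, but the reply follows the host's default route to the VIP, i.e. the master, which has no route for the backup's tunnel network and hands it to its ISP, where it is dropped. The master's own clients work because the same default route lands on the box that terminates their tunnel. Adding the /24 for the backup's tunnel network via the backup's LAN IP on each LAN host, or translating the tunnel sources to the backup's LAN IP, makes the reply path land on the backup.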

