Best Practice: Remote Access to CARP Firewall

    When having CARPed firewalls and working remotely, I cannot access the secondary firewall, because its routing table makes it try to answer on its very own ovpns interface.

    Thus I cannot reach my secondary firewall from remote via OpenVPN.

    Is there any best practice for this problem?

    You can set up an Outbound NAT rule to translate the source address in packets destined to the secondary pfSense into the LAN address. So responses will be directed back to the master's LAN IP and the routing will work.

    Best practice: On the master box add an alias for both pfSense LAN IPs.
    Go to Outbound NAT. Ensure that it's working in hybrid or manual mode.
    Add a rule:
    interface: LAN
    source: OpenVPN tunnel network
    destination: the alias you've added before
    translation: interface address

    The XMLRPC sync will copy that rule to the backup box and the alias ensures that it fits for both. So if the secondary is the master you're also able to access the first one.
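The following is an added example (not from the original thread or the pfSense project) that models why the backup's reply goes out the wrong interface and how the source translation described in the answer above fixes it. It builds a toy longest-prefix-match routing table for both boxes, both of which carry the same synced OpenVPN server route for the tunnel network, and compares the backup's reply egress with and without the outbound NAT rule. All addresses (192.168.1.0/24 for LAN, 10.8.0.0/24 for the tunnel, .2 and .3 for the two boxes, 10.8.0.6 for the client) and the interface names are assumptions chosen for the illustration.

```python
"""Constructed model of the asymmetric-routing problem and the outbound-NAT fix.

Two CARP-synced pfSense boxes share the same OpenVPN server configuration,
so each has a route for the tunnel network pointing at its *own* ovpns
interface. A VPN client's packet reaches the backup through the master's
LAN, but the backup routes its reply out its own tunnel interface, where
no client session exists. Translating the client's source address to the
master's LAN address keeps the reply on the LAN, where the master picks it
up. Addresses and interface names below are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None


@dataclass
class Firewall:
    name: str
    lan_ip: ipaddress.IPv4Address
    routes: List[Route]

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match, the same decision a real routing table makes."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        assert best is not None, "no route (a default route is always present here)"
        return best


# Assumed lab addressing, not taken from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
TUN = ipaddress.ip_network("10.8.0.0/24")          # OpenVPN tunnel network
MASTER_LAN = ipaddress.ip_address("192.168.1.2")
BACKUP_LAN = ipaddress.ip_address("192.168.1.3")
CLIENT = "10.8.0.6"                                 # remote OpenVPN client


def make_fw(name: str, lan_ip: ipaddress.IPv4Address) -> Firewall:
    # Both boxes get the identical synced route for the tunnel net via their
    # own ovpns interface; that is the root of the asymmetric reply path.
    return Firewall(name, lan_ip, [
        Route(LAN, "lan"),
        Route(TUN, "ovpns1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan", "203.0.113.1"),
    ])


def outbound_nat(fw: Firewall, src: str, dst: str,
                 tunnel_net: ipaddress.IPv4Network = TUN,
                 targets: Tuple[ipaddress.IPv4Address, ...] = (MASTER_LAN, BACKUP_LAN)) -> str:
    """The rule from the answer: on LAN, source = tunnel network, destination =
    the alias holding both LAN IPs, translation = interface (LAN) address.
    Returns the source address as seen by the destination box."""
    if ipaddress.ip_address(src) in tunnel_net and ipaddress.ip_address(dst) in targets:
        return str(fw.lan_ip)
    return src


def reply_egress(fw: Firewall, src_seen: str) -> str:
    """Interface the firewall uses to answer a packet whose source it saw as src_seen."""
    return fw.lookup(src_seen).iface


def access(target: str, nat_enabled: bool) -> Tuple[str, str]:
    """The VPN client, connected to the other box, reaches `target`
    ("master" or "backup"). Returns (source the target sees, reply egress)."""
    boxes = {"master": make_fw("master", MASTER_LAN), "backup": make_fw("backup", BACKUP_LAN)}
    via = boxes["backup" if target == "master" else "master"]
    dst = boxes[target]
    src = outbound_nat(via, CLIENT, str(dst.lan_ip)) if nat_enabled else CLIENT
    return src, reply_egress(dst, src)


if __name__ == "__main__":
    for enabled in (False, True):
        src, egress = access("backup", enabled)
        print(f"NAT {'on ' if enabled else 'off'}: backup sees src {src}, replies via {egress}")
```

Without the rule the backup sees the client's 10.8.0.6 and answers via its own ovpns1, so the reply never returns to the master's tunnel; with the rule it sees 192.168.1.2 and answers on LAN. Because the alias lists both LAN IPs, the same synced rule on the backup translates the client's address to 192.168.1.3 when the roles are swapped, which is why the master stays reachable too. On a real box, `pfctl -s nat` on the master shows the generated translation rule and `pfctl -s state` shows the translated state while a connection to the backup is open.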

  • A non-VPN solution would be to allow access to the routers' WAN IPs, port 443, from your IP address. Of course, that works if you have a static IP where you are.

    What do you think about IPv6? Is NAT also best practice there?

