Netgate Discussion Forum
    High Availability in pfSense 2.4.5. Incongruity and BUG?

    General pfSense Questions

    ramses.sevilla:

      Hi everyone,

      • I have found an incongruity in the documentation:

        In this link (Configuring High Availability):

        https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-proxmox.html

        it says to configure the Network Interface Model as VirtIO.

        But in this other link:

        https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html?highlight=high%20availability

        it says to configure the Network Interface Model as E1000.

        Which Network Interface Model should really be configured?

      • I have found a possible BUG:

        In the previous link (Configuring High Availability), in the "Setup Manual Outbound NAT" step, it says to configure Outbound NAT in Manual mode and change the Translation Address to the CARP Virtual IP.

        Well, I have this Outbound NAT:

        NAT-01.png

        I add the WAN CARP IP and change the Translation Address:

        NAT-02-01.png

        NAT-02-02.png

        NAT-02-03.png

        But if I change the WAN CARP IP:

        NAT-03-01.png

        the Translation Address does not change to the new WAN CARP IP, and the Translation Address in the rule is changed to Interface Address:

        NAT-03-02.png

        NAT-03-03.png

        What would happen if:

        • I create a WAN CARP IP.
        • I create a VIP WAN alias with the IP of the WAN CARP IP.
        • I configure the Translation Address to the VIP WAN alias.

        NAT-04-01.png

        NAT-04-02.png

        NAT-04-03.png

        If I later change the WAN CARP IP and the VIP WAN alias, the Translation Address remains the VIP WAN alias.

        Would this configuration work well, or is it a wrong configuration?

      Regards,

      Ramses

      jimp (Rebel Alliance Developer, Netgate):

        That's not a bug. It's a manual outbound NAT rule. As implied by the name, you must change it manually since the address is hardcoded in the rule.

        ramses.sevilla:

          Hi @jimp,

          I know that it is a Manual Outbound NAT rule, but the Translation Address (Interface Address / CARP IP / alias) set in the rule is an object, and I think that if the value of the object changes, the rule should keep the object, shouldn't it?

          Thus, if I have a long list of Manual Outbound NAT rules, for instance various IPsec VPNs with various Phase 2s, each with NAT, and I need to change the WAN CARP IP, I don't have to change the long list of rules and it's a trivial change.

          Another thing: the idea of configuring a VIP WAN alias as the Translation Address instead of the WAN CARP IP, is it a good idea, or is it a wrong configuration that would not work?

          Regards,

          Ramsés

          jimp (Rebel Alliance Developer, Netgate):

            It may have been selected by a drop-down but the value stored in the rule is the IP address -- not any kind of special pointer to a VIP entry which could be identified and updated dynamically.

            As for how you decide the translation address, that's up to you, so long as the alias contains what you expect (e.g. a single IP address) then it would functionally be the same as using the address directly.

            The only part that gets more complex is when you attempt to translate to an alias which contains multiple IP addresses -- that will NAT anything that matches onto one of the entries in a round-robin fashion (or whichever style is chosen in Pool Options when picking an alias).

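Because the outbound rule stores the literal IP address rather than a reference to the VIP, the practical risk after renumbering a CARP VIP is a manual outbound NAT rule that silently keeps translating to an address neither node holds any more. The script below is an added example, not pfSense's own code or tooling: it audits a config.xml backup and reports outbound NAT rules whose Translation Address is a literal IP that no longer matches any configured VIP, or a name that is not a defined alias. The config.xml layout it parses (a `<virtualip>/<vip>/<subnet>` per VIP, `<nat>/<outbound>/<rule>/<target>` per outbound rule with an empty target meaning Interface Address, and `<aliases>/<alias>/<name>` per alias) is my assumption from the conventions of pfSense backups, the embedded XML is a constructed sample that reproduces the thread's 80.80.80.80 to 90.90.90.90 change, and the function names are mine.

```python
"""Audit a pfSense config.xml backup for stale manual outbound NAT targets.

Added example, not pfSense code.  Assumed config.xml layout (verify against a
real backup before relying on this):
  <virtualip><vip><subnet>        address of each VIP (CARP or otherwise)
  <aliases><alias><name>          name of each firewall alias
  <nat><outbound><rule><target>   Translation Address of each outbound rule:
                                  empty = Interface Address, an alias name,
                                  or a literal IP (what the GUI stores for a VIP)
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the CARP VIP was renumbered from 80.80.80.80 to
# 90.90.90.90.  The port forward follows the VIP; one outbound rule still
# carries the old literal address, as described in the thread.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>VIP_WAN</name><type>host</type><address>90.90.90.90</address></alias>
  </aliases>
  <virtualip>
    <vip>
      <mode>carp</mode><interface>wan</interface>
      <subnet>90.90.90.90</subnet><subnet_bits>24</subnet_bits>
      <descr>VIP CARP DEDI_NIC_FO</descr>
    </vip>
  </virtualip>
  <nat>
    <rule>
      <interface>wan</interface>
      <destination><address>90.90.90.90</address><port>443</port></destination>
      <target>10.0.0.5</target><local-port>443</local-port>
      <descr>HTTPS to web server</descr>
    </rule>
    <outbound>
      <mode>advanced</mode>
      <rule><interface>wan</interface><target>80.80.80.80</target><descr>LAN to WAN (stale)</descr></rule>
      <rule><interface>wan</interface><target>90.90.90.90</target><descr>LAN to WAN (current)</descr></rule>
      <rule><interface>wan</interface><target>VIP_WAN</target><descr>LAN to WAN via alias</descr></rule>
      <rule><interface>wan</interface><target></target><descr>Interface Address</descr></rule>
    </outbound>
  </nat>
</pfsense>
"""


def _is_ip(value):
    """True if value parses as a single IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def vip_addresses(root):
    """Addresses of every configured VIP, regardless of type."""
    return {v.findtext("subnet", "").strip() for v in root.iter("vip")} - {""}


def alias_names(root):
    """Names of every firewall alias."""
    return {a.findtext("name", "").strip() for a in root.iter("alias")} - {""}


def audit_outbound_nat(config_xml):
    """Classify each outbound NAT rule by its Translation Address.

    Returns a dict of (descr, target) lists:
      stale_ip      literal IP that no configured VIP carries any more
      unknown_alias non-IP name that is not a defined alias (an "Other Subnet"
                    keyword, if that option is used, would also land here)
      ok            interface address, a current VIP address, or a known alias
    """
    root = ET.fromstring(config_xml)
    vips, aliases = vip_addresses(root), alias_names(root)
    report = {"stale_ip": [], "unknown_alias": [], "ok": []}
    outbound = root.find("./nat/outbound")
    for rule in ([] if outbound is None else outbound.findall("rule")):
        descr = rule.findtext("descr", "")
        target = (rule.findtext("target") or "").strip()
        if not target:
            bucket = "ok"  # Interface Address: follows the interface's own IP
        elif _is_ip(target):
            bucket = "ok" if target in vips else "stale_ip"
        else:
            bucket = "ok" if target in aliases else "unknown_alias"
        report[bucket].append((descr, target))
    return report


if __name__ == "__main__":
    for bucket, rules in audit_outbound_nat(SAMPLE_CONFIG).items():
        for descr, target in rules:
            print(f"{bucket:14} {target or '<interface address>':20} {descr}")
```

Run it against the XML of a real backup (Diagnostics > Backup & Restore) instead of `SAMPLE_CONFIG`; a non-empty `stale_ip` list is exactly the set of rules that must be edited by hand after a VIP change, while alias-based rules show up as `ok` because the alias, not the rule, carries the address.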
            ramses.sevilla:
              Hi @jimp,

              But wouldn't it be better practice that if I select the Translation Address as a VIP CARP, and the value of the VIP CARP changes, the Translation Address selection stays as it was (VIP CARP) and doesn't change to Interface Address?

              For instance:

              • If the Translation Address was Interface Address and the Interface Address is changed, the Translation Address remains as it was.

              • If the Translation Address was an alias (VIP_WAN) and the value of the alias (VIP_WAN) is changed, the Translation Address remains as it was.

              • But if the Translation Address was a VIP CARP and the value of the VIP CARP is changed, the Translation Address changes to Interface Address instead of staying as it was (VIP CARP). Why? I don't understand...

              Sorry for not understanding it...

              Regards,

              Ramsés

              ramses.sevilla:

                @jimp, I'm sorry, but I'm afraid that something is wrong, because in "Firewall > NAT > Port Forward" it works well: when I change the value of the Virtual IP (CARP) in "Firewall > Virtual IP", it updates dynamically in "Firewall > NAT > Port Forward", but not in "Firewall > NAT > Outbound".

                Example:

                Firewall > Virtual IP > VIP CARP DEDI_NIC_FO (Type: CARP) => 80.80.80.80

                Firewall > NAT > Port Forward:

                In the NAT Port Forward rule we select Destination: VIP CARP DEDI_NIC_FO

                01-NAT-PF.png

                In the rule, the correct value of VIP CARP DEDI_NIC_FO appears.

                02-NAT-PF.png

                Firewall > NAT > Outbound:

                In the NAT Outbound rule we select Translation > Address: VIP CARP DEDI_NIC_FO.

                03-NAT-Out.png

                In the rule, the correct value of VIP CARP DEDI_NIC_FO appears.

                04-NAT-Out.png

                We edit and change Firewall > Virtual IP > VIP CARP DEDI_NIC_FO (Type: CARP) => 90.90.90.90

                Firewall > NAT > Port Forward:

                In the rule, the correct value of VIP CARP DEDI_NIC_FO appears. It changed dynamically.

                05-NAT-PF.png

                Firewall > NAT > Outbound:

                In the rule, the old value of VIP CARP DEDI_NIC_FO appears. It did not change dynamically.

                06-NAT-Out.png

                I think that this is not correct.

                Is this the correct way of operating, or should it change dynamically too?

                Regards,

                Ramsés

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.