High Availability in pfSense 2.4.5. Incongruity and BUG?
-
Hi everyone,
- I have found an incongruity in the documentation:
- In this link (Configuring High Availability):
https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-proxmox.html
It says to configure the Network Interface Model as VirtIO.
But in this other link:
https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html?highlight=high%20availability
It says to configure the Network Interface Model as E1000.
Which Network Interface Model should really be configured?
- I have found a possible BUG:
- In the previous link (Configuring High Availability), in the "Setup Manual Outbound NAT" step, it says to configure Outbound NAT in Manual Mode and change the Translation Address to the CARP Virtual IP.
Well, I have Outbound NAT:
I add the WAN CARP IP and change the Translation Address:
But if I change the WAN CARP IP:
The Translation Address does not change to the new WAN CARP IP, and the Translation Address in the rule is changed to Interface Address:
What would happen if:
- I create a WAN CARP IP.
- I create a WAN VIP Alias with the IP of the WAN CARP IP.
- I configure the Translation Address to the WAN VIP Alias.
If I later change the WAN CARP IP and the WAN VIP Alias, the Translation Address remains the WAN VIP Alias.
Will this config work well, or is this a wrong configuration?
Regards,
Ramses
-
That's not a bug. It's a manual outbound NAT rule. As implied by the name, you must change it manually since the address is hardcoded in the rule.
-
Hi @jimp,
I know that it is a Manual Outbound NAT rule, but the Translation Address (Interface Address / CARP IP / Alias) set in the rule is an object, and I think that if the value of the object changes, the rule should keep the object, shouldn't it?
Thus, if I have a long list of Manual Outbound NAT rules, for instance various IPsec VPNs with various Phase 2 entries, each with NAT, and I need to change the WAN CARP IP, I don't have to change the long list of rules and it's a trivial change.
Another thing: the idea of configuring a WAN VIP Alias as Translation Address instead of the WAN CARP IP, is it a good idea, or is it a wrong configuration that would not work?
Regards,
Ramsés
-
It may have been selected by a drop-down but the value stored in the rule is the IP address -- not any kind of special pointer to a VIP entry which could be identified and updated dynamically.
As for how you decide the translation address, that's up to you, so long as the alias contains what you expect (e.g. a single IP address) then it would functionally be the same as using the address directly.
The only part that gets more complex is when you attempt to translate to an alias which contains multiple IP addresses -- that will NAT anything that matches onto one of the entries in a round-robin fashion (or whichever style is chosen in Pool Options when picking an alias).
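The point made above is that a manual outbound NAT rule stores a bare IP address, so after a CARP VIP is renumbered the rule silently keeps the old literal. The following audit script is an added example written for this thread, not code from pfSense or from anyone in the discussion. It parses a constructed excerpt of a config.xml backup (the element names virtualip/vip, aliases/alias and nat/outbound/rule with target are my assumption of the 2.4 layout, not verified against a real backup) and reports, for every manual outbound rule, whether its Translation Address is the interface address, a configured VIP, an alias whose members are configured VIPs, or a literal address that matches no VIP at all.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt of a pfSense config.xml backup (not a real device's
# config). Element names are an assumption about the 2.4 layout: virtualip/vip
# (mode, subnet, descr), aliases/alias (name, address) and nat/outbound/rule
# (target). The CARP VIP has already been changed to 90.90.90.90; the first
# outbound rule still carries the literal old address 80.80.80.80.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
         <subnet>90.90.90.90</subnet><subnet_bits>24</subnet_bits><descr>DEDI_NIC_FO</descr></vip>
  </virtualip>
  <aliases>
    <alias><name>VIP_WAN</name><type>host</type><address>90.90.90.90</address></alias>
  </aliases>
  <nat><outbound><mode>advanced</mode>
    <rule><interface>wan</interface><target>80.80.80.80</target>
          <descr>IPsec phase 2 NAT (literal address, pre-change)</descr></rule>
    <rule><interface>wan</interface><target>90.90.90.90</target>
          <descr>LAN to WAN via CARP VIP</descr></rule>
    <rule><interface>wan</interface><target>VIP_WAN</target>
          <descr>LAN to WAN via alias</descr></rule>
    <rule><interface>wan</interface><target></target>
          <descr>Interface Address</descr></rule>
  </outbound></nat>
</pfsense>
"""


def collect_vips(root):
    """Map every configured virtual IP address to its mode (carp, ipalias, ...)."""
    vips = {}
    for vip in root.findall("./virtualip/vip"):
        addr = vip.findtext("subnet")
        if addr:
            vips[addr.strip()] = vip.findtext("mode", "").strip()
    return vips


def collect_aliases(root):
    """Map alias name -> list of member addresses (stored space separated)."""
    aliases = {}
    for alias in root.findall("./aliases/alias"):
        name = alias.findtext("name", "").strip()
        if name:
            aliases[name] = alias.findtext("address", "").split()
    return aliases


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_target(target, vips, aliases):
    """Describe what a rule's Translation Address value resolves to."""
    if not target:
        return "interface-address"          # empty target = Interface Address
    if is_ip(target):
        return "vip" if target in vips else "not-a-vip"   # literal address
    if target in aliases:
        members = aliases[target]
        if members and all(m in vips for m in members):
            return "alias"
        return "alias-not-a-vip"            # alias members drifted from the VIPs
    return "unknown"


def audit_outbound_nat(xml_text):
    """Return (descr, target, status) for each manual outbound NAT rule."""
    root = ET.fromstring(xml_text)
    vips = collect_vips(root)
    aliases = collect_aliases(root)
    findings = []
    for rule in root.findall("./nat/outbound/rule"):
        target = (rule.findtext("target") or "").strip()
        descr = (rule.findtext("descr") or "").strip()
        findings.append((descr, target, classify_target(target, vips, aliases)))
    return findings


if __name__ == "__main__":
    for descr, target, status in audit_outbound_nat(SAMPLE_CONFIG):
        print(f"{status:18} target={target or '(interface address)':22} {descr}")
```

Against an exported backup, call `audit_outbound_nat(open("config.xml").read())` and review every `not-a-vip` entry after a CARP address change; those are the rules the GUI will not update for you. Rules of the "other subnet" kind and alias members that are hostnames rather than addresses are outside what this check resolves.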
-
Hi @jimp,
But wouldn't it be better practice that, if I select the Translation Address as VIP CARP and the value of the VIP CARP changes, the selection of Translation Address stays as it was (VIP CARP) and does not change to Interface Address? For instance:
- If Translation Address was Interface Address and the Interface Address is changed, the Translation Address remains as it was.
- If Translation Address was an Alias (VIP_WAN) and the value of the Alias (VIP_WAN) is changed, the Translation Address remains as it was.
- But if Translation Address was a VIP CARP and the value of the VIP CARP is changed, the Translation Address changes to Interface Address instead of staying as it was (VIP CARP). Why? I don't understand...
Sorry for not understanding it...
Regards,
Ramsés
-
@jimp, I'm sorry but I'm afraid that something is wrong, because in "Firewall > NAT > Port Forward" it works well: when I change the value of the Virtual IP (CARP) in "Firewall > Virtual IP" it updates dynamically in "Firewall > NAT > Port Forward", but not in "Firewall > NAT > Outbound".
Example:
Firewall > Virtual IP > VIP CARP DEDI_NIC_FO (Type: CARP) => 80.80.80.80
Firewall > NAT > Port Forward:
In the NAT Port Forward rule we select Destination: VIP CARP DEDI_NIC_FO.
The rule shows the correct value of VIP CARP DEDI_NIC_FO.
Firewall > NAT > Outbound:
In the NAT Outbound rule we select Translation > Address: VIP CARP DEDI_NIC_FO.
The rule shows the correct value of VIP CARP DEDI_NIC_FO.
We edit and change Firewall > Virtual IP > VIP CARP DEDI_NIC_FO (Type: CARP) => 90.90.90.90
Firewall > NAT > Port Forward:
The rule shows the correct value of VIP CARP DEDI_NIC_FO. It is changed dynamically.
Firewall > NAT > Outbound:
The rule shows the old value of VIP CARP DEDI_NIC_FO. It is not changed dynamically.
I think that it's not correct.
Is this the correct way of operating, or should it change dynamically too?
Regards,
Ramsés