Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [PFsense 2.4.3] NAT not working on CARP backup instance

    NAT
    2
    7
    420
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AS 0
      last edited by

      Hello,

      i try to update my cluster to PF 2.4.5, i start with the backup server. The update failed... I saw before restore, the WAN Gateway is offline (before update the gateway is online...).
      So, i reinstall the 2.4.3 version with a ISO and i restore my params. The WAN Gateway is always offline contrariwise the master PF is online. The 2 PF is sync with pfsync.

      For example :

      • CARP Public address is : 1.2.3.4
      • PF1 WAN private : 10.0.0.1
      • PF2 WAN private : 10.0.0.2
      • Orange DNS : 194.2.0.20

      When i ping the Orange DNS from PF1, my private address is NAT with my public address and the ping is OK.

      When i ping the Orange DNS from PF2, my private address is not NAT and my Gateway appear offline. If i ping from command line i've 1 ping response and all other pings losts.

      has anyone encountered this concern with NAT?

      Thank you,

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @AS 0
        last edited by

        @as-0
        Do you have only a single public IP used as CARP address?

        A 1 Reply Last reply Reply Quote 0
        • A
          AS 0 @viragomann
          last edited by

          @viragomann Hi, tank you for reply. Yes i use one public IP address on CARP.

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @AS 0
            last edited by

            @as-0
            In this case, the backup node has to go over the masters LAN interface for accessing the internet and the update server, since it has no public IP.
            Did you ever configure that correctly?

            A 1 Reply Last reply Reply Quote 0
            • A
              AS 0 @viragomann
              last edited by

              @viragomann yes it's exactly what i want. I configure NAT to do that, i've other param to set ?

              thank you and happy new year

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @AS 0
                last edited by

                @as-0
                I think, you have to create a gateway group on the secondary node. But first you have to add the masters LAN-IP as gateway in System > Routing > Gateways. Then go to gateway groups and add a new group. Set the WAN-GW as tier 1 and the masters LAN as tier 2, trigger level = member down.
                Set this gateway group as default gateway.
                Possibly you have to disable XMLRPC Sync of "Static Route configuration" to avoid getting overwritten by the master.

                This directs upstream traffic to the masters LAN-IP if the WAN-GW isn't reachable (backup mode).

                Add a outbound NAT rule to LAN for the source 127.0.0.0/8.

                You may do the same on the primary, but using the secondaries LAN IP instead to have internet access while it is slave.

                A 1 Reply Last reply Reply Quote 0
                • A
                  AS 0 @viragomann
                  last edited by

                  @viragomann Thank you, i'll try that quickly. For information, one ping is ok and after nothing but with this comportement i think the conf seems be correct....

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.