Netgate Discussion Forum

    Help understanding outbound NAT for VLANS and CARP Failover

    NAT
    4 Posts 3 Posters 623 Views

    • pomtom44

      Hi all,
      I'm new to pfSense and learning as I go, following tutorials online
      (not new-ish to networking though).

      I'm setting up a CARP failover using online tutorials, and have gotten to the point where I need to change the outbound NAT to use the virtual IP rather than the interface IP.

      (screenshot for reference)
      When watching the tutorial, the guy has 2 rules for his LAN (bottom 2 on the screenshot) and he changes both to use the VIP WAN.

      However, in my setup, since I have a few VLANs, I have a few more rules.
      But I seem to have 4 rules per network:
      one for the Virtual IP and one for the Interface
      (top 4 rules on the screenshot).
      I've been trying to find the difference between the two rules.
      I believe I can change all of them to use the VIP, but I'd like to know what the difference is between them?

      Thanks in advance

      • SteveITS @pomtom44

        @pomtom44 Your top screen cap shows two rules for "Virtual IP (LAN)" and two for "50_IOT"...same subnet though??

        • pomtom44 @SteveITS

          @steveits Yes, that's why I'm a little confused.
          You can see one is auto-created for the VIP (I assume the virtual IP I set for my LAN CARP)
          and one is set for 50_IOT (which is my interface name on the router).

          So I'm assuming it has auto-made one for each, but on another thread (Reddit) I was told I can delete one of them so I only have one per subnet (as the source is the same for both; it's only the comment which is different).

          • viragomann @pomtom44

            @pomtom44
            Yes, you can remove one of the duplicates. Obviously something went wrong with the automatic rule generation.

            The matching parameters of the rules are:
            • Interface
            • Address family
            • Protocol
            • Source address
            • Source port
            • Destination address
            • Destination port

            If all these values are equal, the rules match the same traffic, and hence only the first one is applied while the following ones are ignored.

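To make the first-match behaviour described in the reply above concrete, here is an added example (not code from this thread, from pfSense, or from pf itself): a small Python model that matches packets against outbound NAT rules on exactly the seven parameters listed, and flags rules whose seven matching parameters are identical to an earlier rule. The rules, subnet (192.168.50.0/24 standing in for 50_IOT), and addresses (203.0.113.0/24 documentation space for the WAN interface IP and the CARP VIP) are constructed samples, not anyone's real configuration.

```python
"""Added example, not from the forum thread or from pfSense/pf: a toy model of
pf-style outbound NAT matching. Rules are evaluated top-down and the first
rule whose seven matching parameters accept the packet wins; the translation
address and the description play no part in matching."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# The matching parameters named in the reply. Translation and description are
# deliberately absent: two rules that differ only there collide.
MATCH_FIELDS = ("interface", "family", "protocol", "source", "source_port",
                "destination", "destination_port")


@dataclass(frozen=True)
class NatRule:
    interface: str          # egress interface, e.g. "WAN"
    family: str             # "inet" (IPv4) or "inet6"
    protocol: str           # "any", "tcp", "udp", ...
    source: str             # CIDR or "any"
    source_port: str        # "any" or a port number as a string
    destination: str        # CIDR or "any"
    destination_port: str   # "any" or a port number as a string
    translation: str        # address the source is rewritten to (not matched)
    description: str = ""   # free text (not matched)

    def match_key(self) -> Tuple[str, ...]:
        return tuple(getattr(self, f) for f in MATCH_FIELDS)


@dataclass(frozen=True)
class Packet:
    interface: str
    family: str
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_ok(rule_net: str, addr: str) -> bool:
    return rule_net == "any" or ip_address(addr) in ip_network(rule_net, strict=False)


def _port_ok(rule_port: str, port: int) -> bool:
    return rule_port == "any" or rule_port == str(port)


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """True when every matching parameter of the rule accepts the packet."""
    return (rule.interface == pkt.interface
            and rule.family == pkt.family
            and rule.protocol in ("any", pkt.protocol)
            and _addr_ok(rule.source, pkt.src)
            and _port_ok(rule.source_port, pkt.sport)
            and _addr_ok(rule.destination, pkt.dst)
            and _port_ok(rule.destination_port, pkt.dport))


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[int]:
    """Index of the rule that applies: first match wins, later ones are ignored."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return i
    return None


def shadowed_rules(rules: List[NatRule]) -> List[Tuple[int, int]]:
    """(shadowed_index, winning_index) for every rule whose seven matching
    parameters equal those of an earlier rule. The shadowed rule never fires;
    if its translation (e.g. the CARP VIP) was the intended one, the earlier
    rule is the one to fix or delete, not the later one."""
    seen: Dict[Tuple[str, ...], int] = {}
    out: List[Tuple[int, int]] = []
    for i, rule in enumerate(rules):
        key = rule.match_key()
        if key in seen:
            out.append((i, seen[key]))
        else:
            seen[key] = i
    return out


# Constructed sample rule set mirroring the thread: the same subnet appears
# twice, once translating to the interface IP and once to the CARP VIP.
SAMPLE_RULES = [
    NatRule("WAN", "inet", "udp", "192.168.50.0/24", "any", "any", "500",
            "203.0.113.10", "IKE to the VIP (destination port differs, so not a duplicate)"),
    NatRule("WAN", "inet", "any", "192.168.50.0/24", "any", "any", "any",
            "203.0.113.2", "Auto created rule - 50_IOT to WAN (interface IP)"),
    NatRule("WAN", "inet", "any", "192.168.50.0/24", "any", "any", "any",
            "203.0.113.10", "Auto created rule - Virtual IP (50_IOT) to WAN (CARP VIP)"),
]

if __name__ == "__main__":
    pkt = Packet("WAN", "inet", "tcp", "192.168.50.20", 51000, "198.51.100.7", 443)
    i = first_match(SAMPLE_RULES, pkt)
    print("packet uses rule", i, "->", SAMPLE_RULES[i].translation)
    for shadowed, winner in shadowed_rules(SAMPLE_RULES):
        print(f"rule {shadowed} never fires; rule {winner} matches the same traffic first")
```

Running it shows the point of the reply: ordinary traffic from the subnet is translated by rule 1 (the interface IP), and rule 2 (the VIP) is reported as shadowed even though its description differs. In a CARP setup that ordering is the dangerous one, since the rule that actually fires would NAT to the interface address rather than the shared VIP, so the duplicate to remove (or the rule to edit) is the one that does not translate to the VIP.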
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.