CARP/HA Multi WAN redirect each IP to LAN IP
-
Hello,
I'm new to PFSense and to HA, so please try to be detailed in your response as to the location of settings etc. Thanks in advance.

Setup:
14 WAN IP addresses.
I can log into the Web Configurator using the WAN IP addresses on each of the HA PFSense machines.
I have created 5 Virtual IP addresses as CARP IPs.
What I need to do is route WAN IP 1 to LAN IP 1 (Port 80 to 80), WAN IP 2 to LAN IP 2 (Port 80 to 80), etc.
When I was originally playing with PFSense, I used 1 WAN IP and NAT port 80 to LAN IP port 80.
I cannot seem to get this working. I have read to use NAT, 1:1 NAT, etc. But nothing works. I keep getting a "Site Cant be reached" when I type in the WAN IP Address.
Can anyone suggest anything?
Let me know if you need any more information.
Thanks!!
Joe
-
@joezyz
Yes, you have to do it with NAT port forwarding rules as well.
Firewall > NAT > Port Forward

When you have added multiple WAN IPs as virtual IPs you are able to select them from the destination drop-down. At "Redirect target IP" select "Single host" and enter the respective LAN IP.
If you have the WAN and LAN IPs consecutively and you can embody the internal IPs as a subnet, you can also use 1:1. This effectuates that upstream traffic from the concerned internal IPs gets the respectively assigned external IP when it's going out to WAN.
-
@viragomann
Thank you so much for your reply.

That is exactly how I have it set up right now, and it is not forwarding.
I still must not have my settings correct. The rule is there as a NAT rule, but when I look at the logs, I don't see any denial on port 80.

Should the Virtual IP be a CARP, IP Alias, Proxy ARP, or Other? I currently have it as CARP.
Thanks again for your help on this.
-Joe
-
Also, as a side note: when I put the IP address in the header with port 444 (I'm using that for secure PFSense HTTPS), it does get me to the log-in screen for PFSense.
It just seems it's not routing inside the firewall to the LAN.
-
@joezyz said in CARP/HA Multi WAN redirect each IP to LAN IP:
> That is exactly how I have it set up right now, and it is not forwarding.

What? Port forwarding or 1:1?

> Should the Virtual IP be a CARP, IP Alias, Proxy ARP, or Other? I currently have it as CARP.

Both CARP and IP Alias can be used.
It's not necessary to add all your public IPs as CARP, since this type generates some overhead network traffic.
You need at least one CARP IP; the others can be added as IP Alias and hook up on the CARP IP.

Did you also add a firewall rule to allow the access?
In port forwarding rules you can set associated filter rules or simply "pass" to allow the access. When using 1:1 you have to configure rules by yourself.

Is pfSense the default gateway on the device you've forwarded traffic to?
Maybe you can post screenshots so we can verify the settings.