Pure Nat + CARP + multi wan
-
quick question,
is "pure nat" mandatory if i have a setup with carp and HA configured ?
i have split dns in place but if i disable pure nat nothing works. For example, i have a voip server listening in a dedicated vlan and with pure nat disabled i can't register any client from inside my network or outside my network
WAN = /28 carp ip
LAN 192.168.8.0/24
pfsense1:192.168.8.6
pfsense2: 192.168.8.7
carp(default gw) 192.168.8.5
rules: any/any
VLAN voip 192.168.16.0/24
pfsense1 192.168.16.1
pfsense2 192.168.16.2
carp(default gw) 192.168.16.3
rules: any/any
no registration from lan to voip or from wan to voip
it's not the only service that stops working, i have other stuff in different VLANs with the same behavior
i have moved every web service under haproxy and that is working with or without "pure nat"
services are being resolved from my dns but packets seem to stop at the network interface (LAN) or (WAN), depending on where i start the test. Am i missing something? or is it like it should be?
pure nat on = ok
pure nat disabled = ko
-
@kiokoman said in Pure Nat + CARP + multi wan:
is "pure nat" mandatory if i have a setup with carp and HA configured ?
i have split dns in place but if i disable pure nat nothing works
I assume you're talking about the "pure NAT" reflection mode.
With split DNS configured properly, you don't need any NAT reflection. Moreover, changing NAT reflection options should not have any effect at all.
But if you have split DNS configured, ensure that the devices are requesting your internal server to get the correct private IPs for the public host names.
Consider redirecting any DNS requests to your local DNS server and blocking DoH with pfBlockerNG.
-
@viragomann
yeah, that's what i'm doing. Another strange thing is that even if it is set for the LAN interface, this is actually forwarding all traffic from all interfaces (even the VOIP interface is redirected to 192.168.8.230). i had to add
192.168.16.0/24 to the DNS alias to prevent this from happening.
Also, with packet capture without pure nat >>>> services (voip.domainname.it etc etc) are being resolved from my dns but packets seem to stop at the network interface (LAN) or (WAN)
so request voip.domainname.it -> dns 192.168.8.230 answer -> 192.168.16.180 -> request to 192.168.16.180 -> no answer and nothing on the VOIP interface with packet capture
There must be something stupid i'm missing.
-
@kiokoman said in Pure Nat + CARP + multi wan:
request to 192.168.16.180 -> no answer and nothing on the VOIP interface with packet capture
Ensure that the network settings on the device are correct, especially the mask and gateway, and that it does accept access from the other subnet.
NAT reflection does masquerading in the end. So the device will respond to an IP inside its subnet without the need of a gateway. And access from inside the subnet is often trusted by default, while outside access is blocked by the device's firewall.
-
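To make the reply above concrete, here is an added Python model (not from either poster and not pfSense code) of the return path the VoIP server needs with and without reflection. It assumes that a reflected connection is masqueraded behind the firewall's VOIP-interface address (taken here as pfsense1's 192.168.16.1), that the server is 192.168.16.180/24 with the CARP VIP 192.168.16.3 as gateway, and a host firewall that by default trusts only its own subnet; all of these are assumptions built from the addresses in this thread.

```python
from ipaddress import ip_address, ip_interface

# Constructed from the addressing in this thread: VoIP server in the VOIP
# VLAN, CARP VIP as its default gateway. The masquerade address is an
# assumption (pfsense1's VOIP interface address, not the CARP VIP).
SERVER_IF = ip_interface("192.168.16.180/24")
SERVER_GW = ip_address("192.168.16.3")
FW_VOIP_ADDR = ip_address("192.168.16.1")  # assumed reflection source


def source_seen_by_server(client_ip, reflected):
    """Source address the server sees on a connection to its public name.

    Reflected (pure NAT + automatic outbound NAT for reflection): the
    firewall rewrites the client source to its own address on the server's
    interface. Not reflected: split DNS sends the client straight to the
    private address and the real client source is kept."""
    if reflected:
        return FW_VOIP_ADDR
    return ip_address(client_ip)


def server_can_reply(client_ip, reflected, gateway=SERVER_GW, trust_only_local=True):
    """Decide whether the server's reply can reach the client, and why.

    trust_only_local models a host firewall that accepts traffic only from
    its own subnet, which is the default the reply above describes."""
    src = source_seen_by_server(client_ip, reflected)
    net = SERVER_IF.network
    if src in net:
        return True, "source on the local subnet: direct reply, no gateway needed"
    if gateway is None or gateway not in net:
        return False, "off-subnet source and no usable default gateway"
    if trust_only_local:
        return False, "off-subnet source rejected by the host firewall"
    return True, f"reply routed back through the default gateway {gateway}"


if __name__ == "__main__":
    client = "192.168.8.50"  # constructed LAN client
    for reflected in (True, False):
        ok, why = server_can_reply(client, reflected)
        print(f"client={client} reflected={reflected!s:<5} -> {'ok' if ok else 'ko'}: {why}")
```

The route table posted below already shows a usable default gateway on the server, so in this model the remaining candidate is the host firewall rejecting the off-subnet source.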
[root@centralino ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.16.3    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
192.168.16.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
[root@centralino ~]# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:0d:d2:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.16.176/24 brd 192.168.16.255 scope global dynamic eth0
       valid_lft 4759sec preferred_lft 4759sec
    inet6 fe80::20c:29ff:fe0d:d2c0/64 scope link
       valid_lft forever preferred_lft forever
192.168.16.1 pfsense1
192.168.16.2 pfsense2
192.168.16.3 carp