Netgate Discussion Forum
    High Avail secondary node IPs - How to find it

    General pfSense Questions
    45 Posts 4 Posters 2.3k Views
    michmoor LAYER 8 Rebel Alliance @viragomann

      @viragomann Sorry, I sent a screenshot of my own pfSense not in HA mode, but I wanted to ensure I didn't need to do any SNAT rules here.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      michmoor LAYER 8 Rebel Alliance @stephenw10

        @stephenw10 So you mean for the source address, use the WAN interface?


        stephenw10 Netgate Administrator

          Nope, the source should be the subnet (or subnets) that need to be translated to the VPN address. So whatever internet subnet(s) you're routing over the VPN.

          viragomann @michmoor

            @michmoor said in High Avail secondary node IPs - How to find it:

            @viragomann Sorry, I sent a screenshot of my own pfSense not in HA mode, but I wanted to ensure I didn't need to do any SNAT rules here.

            In a CARP setup you might have an outbound NAT rule in place, NATting the source address to the CARP VIP. Maybe your outbound NAT is also in manual mode, not hybrid.
            In this case you need an additional rule for pfSense itself, as shown in my screenshot above. But it would be sufficient to have the last one of these if you don't need ISAKMP (NAT-T doesn't use it, as far as I know).
            And the NAT-T rule in my screenshot is due to using a specific outbound IP.

            @stephenw10 said in High Avail secondary node IPs - How to find it:

            Nope the source should be the subnet (or subnets) that need to be translated to the VPN address.

            Hint: you can also state an alias here by selecting "Network" and entering the network alias with a /32 mask.

            michmoor LAYER 8 Rebel Alliance @viragomann
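An added illustration, not code from the thread or from pfSense itself: a small Python model of first-match outbound NAT, showing why manual mode needs a separate rule for traffic that the firewall originates (IKE on UDP/500 and NAT-T on UDP/4500 sourced from its own interface address) before the peer sees the CARP VIP instead of the node's own IP. The LAN subnet, WAN addresses, rule sets and sample packets are all constructed assumptions.

```python
import ipaddress

# Constructed addresses (not from the thread): LAN subnet, the node's own WAN
# interface address, and the shared CARP VIP that the VPN peer should see.
LAN_NET = "192.168.10.0/24"
WAN_IF_ADDR = "203.0.113.11"
WAN_CARP_VIP = "203.0.113.10"


def make_rule(src, proto=None, dport=None, nat_to=WAN_CARP_VIP):
    """One outbound NAT rule; src is a network or a single address written as /32."""
    return {"src": ipaddress.ip_network(src), "proto": proto,
            "dport": dport, "nat_to": nat_to}


def matches(rule, pkt):
    """Rule matches when source, protocol (if set) and dest port (if set) agree."""
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    return rule["dport"] is None or rule["dport"] == pkt["dport"]


def translate(rules, pkt):
    """First matching rule wins; return the source address the peer will see.
    No match means the packet leaves untranslated with the node's real address."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["nat_to"]
    return pkt["src"]


# Manual outbound NAT with only the LAN rule: covers hosts behind the firewall,
# but not packets the firewall itself sends from its interface address.
MANUAL_LAN_ONLY = [make_rule(LAN_NET)]

# Extra /32 rules for the firewall itself, one per IKE port (hypothetical set).
WITH_SELF_RULES = MANUAL_LAN_ONLY + [
    make_rule(f"{WAN_IF_ADDR}/32", proto="udp", dport=500),   # ISAKMP
    make_rule(f"{WAN_IF_ADDR}/32", proto="udp", dport=4500),  # NAT-T
]

# Constructed sample packets: a LAN host, and IKE/NAT-T from the firewall itself.
LAN_PKT = {"src": "192.168.10.25", "proto": "tcp", "dport": 443}
ISAKMP_PKT = {"src": WAN_IF_ADDR, "proto": "udp", "dport": 500}
NATT_PKT = {"src": WAN_IF_ADDR, "proto": "udp", "dport": 4500}
```

With only the LAN rule, `translate(MANUAL_LAN_ONLY, ISAKMP_PKT)` returns the node's own WAN address, which is what a peer expecting the VIP will reject; with the /32 rules added, both IKE packets and LAN traffic come out as the CARP VIP.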

              @viragomann @stephenw10

              I appreciate you folks working with me on this thread. I think I ironed out all the issues and/or misunderstandings I was having here.

              Appreciate y'all!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.