CARP NAT rules not working



  • Hi all, I'm not sure where this should go but I hope somebody can help.

    I had a setup working fine, using CARP to enable NAT from multiple WAN IPs to a few internal email servers, with a simple dual-homed WAN-LAN system.

    Now I have set up a router-on-a-stick VLAN configuration and no port forwarding rules seem to be working, even on the first WAN address (please correct me if I am wrong, but I understand CARP VIPs are used to listen for second, third etc public IP addresses from the WAN interface, amongst other things, so the 'first' IP address should be a simple WAN->LAN rule?). I have double checked VLAN memberships, IP addresses and deleted/recreated NAT and firewall rules to confirm. A packet capture sees packets arriving on the WAN but nothing on the LAN side.

    Other info:

    There are three internal VLANs, but the servers in question are on the LAN interface
    pfSense 2.0 amd64
    Physical NIC is re0

    Any help is appreciated. I already googled, and RTFM'd - an excellent book BTW, I wasted a day trying to work out VLANs on pfSense, I solved my problem after reading 2 paragraphs of the manual.

    Thanks in advance.



  • If you see it on WAN and not LAN, then either your port forward is wrong, you don't have an associated firewall rule to permit the traffic, you have a block rule that's blocking it, or the internal host isn't reachable.



  • Thank you for the advice,

    This is one of my rules for the WAN->LAN (standard, first WAN IP to LAN IP, not one of the additional CARP WAN addresses):

    WAN TCP * * LAN address 25 (SMTP) 192.168.0.2 *

    I have recreated the NAT rule, and the firewall rule was automatically created. The only block rules are these:

    The default Private/BOGON rules on the WAN

    The two OPT interfaces I created both have the following rule

        • LAN net * * none

    pfSense can ping the host from the LAN interface.

    If any of that looks wrong to you I would appreciate any help, thanks again.



  • "LAN address" is almost definitely wrong, that should be the actual public IP.
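
    The point above, written out as pf rules so the difference is visible. This is an added illustration, not a post from the thread and not the ruleset pfSense itself generates from the GUI (pfSense builds its own pf rules from the NAT page; the macros and layout here are hand-written). Assumed values: WAN on re0 with public IP 203.0.113.10 (a documentation address), LAN interface address 192.168.0.1, and a CARP VIP 203.0.113.11 for a second server; the mail server 192.168.0.2 and interface re0 come from the thread.

```pf
# Added example, not pfSense's generated ruleset. Assumptions:
#   WAN = re0, public IP 203.0.113.10, LAN interface IP 192.168.0.1,
#   CARP VIP 203.0.113.11 (all constructed). Mail server 192.168.0.2 is from the thread.
ext_if   = "re0"
wan_ip   = "203.0.113.10"
carp_vip = "203.0.113.11"
lan_ip   = "192.168.0.1"
mail_srv = "192.168.0.2"
mail_srv2 = "192.168.0.3"     # constructed: second internal server behind the VIP

# What "Dest. addr = LAN address" on a WAN port forward amounts to.
# This rdr only fires for packets arriving on re0 already addressed to
# 192.168.0.1. Inbound mail from the Internet is addressed to the public IP,
# so the rule never matches: the WAN capture shows the SYN, the LAN capture
# shows nothing, and no state or log entry is produced for the forward.
# (Commented out so the fragment loads cleanly with pfctl -nf.)
# rdr on $ext_if proto tcp from any to $lan_ip port 25 -> $mail_srv port 25

# Corrected forward: match the public address the mail actually arrives on
# ("WAN address" in the GUI for the primary IP).
rdr on $ext_if proto tcp from any to $wan_ip port 25 -> $mail_srv port 25

# Additional public IPs are CARP VIPs; each gets its own rdr whose
# destination is that VIP, not the LAN address.
rdr on $ext_if proto tcp from any to $carp_vip port 25 -> $mail_srv2 port 25

# Filter rules are evaluated after translation, so the associated rule
# (the one pfSense creates alongside the port forward) must permit the
# post-rdr destination, i.e. the internal server, not the public IP.
pass in quick on $ext_if proto tcp from any to $mail_srv  port 25 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $mail_srv2 port 25 flags S/SA keep state
```

    To check what is actually loaded rather than what the GUI shows, `pfctl -sn` on the pfSense shell lists the active rdr rules and `pfctl -sr` the filter rules; if the `to` address on the rdr is 192.168.0.1 rather than the public IP, the forward cannot match inbound traffic. `pfctl -nf <file>` syntax-checks a fragment like the one above without loading it.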



  • Really? If it is that simple I hope you are right. But just to be sure we are on the same page I'll be more clear about the rule:

    This is from the Firewall: NAT: Port Forward page

    If = WAN

    Proto = TCP

    Src. addr = *

    Src. ports = *

    Dest. addr = LAN Address

    Dest. ports = 25 (SMTP)

    NAT IP = 192.168.0.2

    NAT Ports = *

    If this relates to the WAN interface, I assumed the destination would be the IP of the mail server and the source would simply be WAN.

    Bear with me, I will provide a screenshot when I am on another PC.

    edit: added screenshot




  • cmb,

    I went back to the book, and learned quite a bit. I was misunderstanding the options in the rules setup, thank you for giving me a direction to look in, I have it working now.

    In the end I had a look through the firewall logs and saw the 'easy setup' option to create an allow rule and followed the syntax. I didn't realize the feature was there, I'll remember next time.

