Unable to basic NAT traffic from Master WAN IP to LAN?



  • Hello Everyone,

    I have CARP configured and everything seems to be working perfectly, except for a specific NAT scenario.

    Running pfSense 2.0.1 AMD64.

    Let's say this is my IP configuration … but I do in fact have real public IP address space on the WAN.

    CARP:

    WAN Master IP - 10.0.0.7
    LAN Master IP - 192.168.1.1

    Active pfSense Box:

    WAN - 10.0.0.5
    LAN - 192.168.1.2
    CARP IP - 172.16.1.1

    Passive pfSense Box:

    WAN - 10.0.0.6
    LAN - 192.168.2.3
    CARP IP - 172.16.1.2

    If I use a basic NAT/firewall rule to forward a port to the LAN, I must use the WAN IP of the Active pfSense box for the traffic to make it to the LAN server. If I attempt to use the CARP Master WAN IP, the traffic appears to never go anywhere. Thus, if I configure external DNS for the FQDN, I have to use the WAN IP of the Active pfSense box in the DNS record and I cannot achieve fail-over if the Active pfSense box goes offline.

    All the servers on the LAN use 192.168.1.1 as their gateway.

    1:1 NAT works fine when failing back and forth, but there are some things I don't want to dedicate an IP address for, as we have limited public address space.

    Is this expected behavior for a basic NAT port forward and CARP, or is there some additional setup I need to perform for this to work?

    Thanks as always.



  • Sounds like traffic isn't getting to the CARP IP for some reason - the two most common causes would be an IP conflict, or a stale ARP cache upstream from where that IP was previously assigned elsewhere. A packet capture on WAN would confirm or deny that.
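One way to run the check the reply suggests, added here as an example and not part of the thread or of pfSense. It captures new connections (SYNs) to the CARP VIP on WAN and to the LAN server on LAN, counts what arrived on each side, and compares the upstream ARP entry for the VIP against the virtual MAC CARP advertises for its VHID (00:00:5e:00:01:<VHID in hex>). The interface names em0/em1, VHID 1, port 443 and LAN server 192.168.1.10 are assumptions not found in the post; the capture lines embedded in the script are constructed sample output in `tcpdump -n` format, and the ARP check expects FreeBSD `arp -an` line format. On the box itself, run it with `--live` to capture on the real interfaces.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (adjust to your setup):
WAN_IF="em0"                # hypothetical WAN interface name
LAN_IF="em1"                # hypothetical LAN interface name
VIP="10.0.0.7"              # CARP master WAN IP from the post
VHID=1                      # hypothetical VHID of that CARP VIP
PORT=443                    # hypothetical forwarded port
LAN_SERVER="192.168.1.10"   # hypothetical LAN target of the port forward

# CARP's virtual MAC for a VHID is 00:00:5e:00:01:<VHID in two hex digits>.
carp_mac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# Check one FreeBSD 'arp -an' line for the VIP, e.g.
# "? (10.0.0.7) at 00:00:5e:00:01:01 on em0 expires in 1190 seconds [ethernet]",
# against the CARP MAC for the given VHID. Anything else upstream means a stale
# entry from where the IP used to live, or another host answering for it.
check_arp_line() {
    line="$1"; vhid="$2"
    mac=$(printf '%s\n' "$line" | sed -n 's/.* at \([0-9a-f:]*\) .*/\1/p')
    if [ "$mac" = "$(carp_mac "$vhid")" ]; then echo ok; else echo STALE; fi
}

# pcap filter for connection attempts only (SYN set, ACK clear) to host:port.
syn_filter() {
    printf 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst host %s and dst port %s\n' "$1" "$2"
}

# Count SYNs to host:port in 'tcpdump -n' text read from stdin (0 is not an error).
count_syn_to() {
    grep -c "> $1\.$2: Flags \[S\]" || true
}

# Compare what reached the VIP on WAN with what left for the LAN server on LAN.
diagnose() {
    wan_syn=$(printf '%s\n' "$1" | count_syn_to "$VIP" "$PORT")
    lan_syn=$(printf '%s\n' "$2" | count_syn_to "$LAN_SERVER" "$PORT")
    if [ "$wan_syn" -eq 0 ]; then
        echo "no SYNs to $VIP:$PORT seen on WAN: upstream never delivers to the VIP (check ARP/IP conflict)"
    elif [ "$lan_syn" -eq 0 ]; then
        echo "SYNs reach the VIP but nothing leaves LAN: the forward itself is not passing them"
    else
        echo "forwarded: $wan_syn SYNs on WAN, $lan_syn SYNs on LAN"
    fi
}

# Constructed sample of 'tcpdump -ni em0' output: two SYNs from a client do reach the VIP.
WAN_SAMPLE='12:00:01.000000 IP 203.0.113.5.51234 > 10.0.0.7.443: Flags [S], seq 1, win 64240, length 0
12:00:04.000000 IP 203.0.113.5.51234 > 10.0.0.7.443: Flags [S], seq 1, win 64240, length 0'
# Constructed sample of 'tcpdump -ni em1' output: nothing was forwarded to the LAN server.
LAN_SAMPLE=''

if [ "${1:-}" = "--live" ]; then
    # Run on the pfSense box: capture up to 20 connection attempts on each side.
    tcpdump -ni "$WAN_IF" -c 20 "$(syn_filter "$VIP" "$PORT")"
    tcpdump -ni "$LAN_IF" -c 20 "$(syn_filter "$LAN_SERVER" "$PORT")"
else
    diagnose "$WAN_SAMPLE" "$LAN_SAMPLE"
fi
```

If the WAN capture shows no SYNs at all while the same test against the active box's own WAN IP does, the problem is upstream of pfSense, which is the ARP or conflict case the reply describes; comparing the upstream router's ARP entry for the VIP with `carp_mac` of the VHID tells which of the two it is.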

