Unable to basic NAT traffic from Master WAN IP to LAN?
I have CARP configured and everything seems to be working perfectly, except for a specific NAT scenario.
Running pfSense 2.0.1 AMD64.
Let's say this is my IP configuration … but I do in fact have real public IP address space on the WAN.
WAN Master IP - 10.0.0.7
LAN Master IP - 192.168.1.1
Active pfSense Box:
WAN - 10.0.0.5
LAN - 192.168.1.2
CARP IP - 172.16.1.1
Passive pfSense Box:
WAN - 10.0.0.6
LAN - 192.168.2.3
CARP IP - 172.16.1.2
If I use a basic NAT/firewall rule to forward a port to the LAN, I must use the WAN IP of the Active pfSense box for the traffic to make it to the LAN server. If I attempt to use the CARP Master WAN IP, the traffic appears to never go anywhere. Thus, if I configure external DNS for the FQDN, I have to use the WAN IP of the Active pfSense box in the DNS record and I cannot achieve fail-over if the Active pfSense box goes offline.
All the servers on the LAN use 192.168.1.1 as their gateway.
1:1 NAT works fine when failing back and forth, but there are some things I don't want to dedicate an IP address for, as we have limited public address space.
Is this expected behavior for a basic NAT port forward and CARP, or is there some additional setup I need to perform for this to work?
Thanks as always.
Sounds like traffic isn't getting to the CARP IP for some reason - two most common would be an IP conflict, or a stale ARP cache upstream from where that IP was previously assigned elsewhere. Packet capture on WAN would confirm or deny that.