Unable to basic NAT traffic from Master WAN IP to LAN?

  • Hello Everyone,

    I have CARP configured and everything seems to be working perfectly, except for a specific NAT scenario.

    Running pfSense 2.0.1 AMD64.

    Let's say this is my IP configuration … but I do in fact have real public IP address space on the WAN.


    WAN Master IP -
    LAN Master IP -

    Active pfSense Box:

    WAN -
    LAN -
    CARP IP -

    Passive pfSense Box:

    WAN -
    LAN -
    CARP IP -

    If I use a basic NAT/firewall rule to forward a port to the LAN, I must use the WAN IP of the Active pfSense box for the traffic to make it to the LAN server. If I attempt to use the CARP Master WAN IP, the traffic appears to never go anywhere. Thus, if I configure external DNS for the FQDN, I have to use the WAN IP of the Active pfSense box in the DNS record and I cannot achieve fail-over if the Active pfSense box goes offline.

    All the servers on the LAN use as their gateway.

    1:1 NAT works fine when failing back and forth, but there are some things I don't want to dedicate an IP address to, as we have limited public address space.

    Is this expected behavior for a basic NAT port forward and CARP, or is there some additional setup I need to perform for this to work?

    Thanks as always.

  • Sounds like traffic isn't getting to the CARP IP for some reason - the two most common causes would be an IP conflict, or a stale ARP cache upstream from where that IP was previously assigned elsewhere. A packet capture on WAN would confirm or deny that.
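One way to triage the WAN capture the reply suggests, as an added shell example that is not code from the thread; it reads `tcpdump -eni <wan>` output and checks for the two causes named (IP conflict, stale upstream ARP) plus the case where nothing arrives at all. Every IP, MAC, VHID and port below is a constructed placeholder, since the post elides the real addresses.

```sh
#!/bin/sh
# Added example, not from the thread: classify a WAN-side capture of the
# port-forward traffic. CARP answers for a VIP from the virtual MAC
# 00:00:5e:00:01:<VHID>, so frames for the VIP sent to any other MAC mean the
# upstream device resolved the VIP to something else.
CARP_VIP="203.0.113.10"   # placeholder for the CARP Master WAN IP
VHID=1                    # placeholder VHID of that VIP
FWD_PORT=443              # placeholder port being forwarded to the LAN host

carp_mac() { printf '00:00:5e:00:01:%02x' "$1"; }

# Constructed capture: one SYN to the VIP on the CARP MAC, one SYN sent to a
# stale physical MAC, and an ARP reply for the VIP from an unrelated host.
SAMPLE='10:00:01.000001 00:11:22:33:44:55 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 74: 198.51.100.7.51000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
10:00:01.000500 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 198.51.100.8.51001 > 203.0.113.10.443: Flags [S], seq 2, win 65535, length 0
10:00:02.000000 00:50:56:de:ad:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 00:50:56:de:ad:01, length 46'

# Inbound SYNs for VIP:port, whatever MAC they were addressed to.
syn_count() {
  printf '%s\n' "$SAMPLE" | grep -Fc "> $CARP_VIP.$FWD_PORT: Flags [S]"
}

# SYNs for the VIP whose destination MAC ($4, with trailing comma) is not the
# CARP virtual MAC: a stale ARP entry upstream.
stale_arp_count() {
  printf '%s\n' "$SAMPLE" | awk -v vip="$CARP_VIP" -v want="$(carp_mac "$VHID")," \
    'index($0, "> " vip ".") && $4 != want { n++ } END { print n+0 }'
}

# ARP replies claiming the VIP from a MAC other than the CARP one: IP conflict.
conflict_count() {
  printf '%s\n' "$SAMPLE" | awk -v vip="$CARP_VIP" -v want="$(carp_mac "$VHID")," \
    'index($0, "Reply " vip " is-at ") && $0 !~ ("is-at " want) { n++ } END { print n+0 }'
}

# One-word verdict; "reaching-vip" means the fault is on the rule/NAT side instead.
diagnose() {
  if [ "$(syn_count)" -eq 0 ]; then echo "no-traffic"
  elif [ "$(conflict_count)" -gt 0 ]; then echo "ip-conflict"
  elif [ "$(stale_arp_count)" -gt 0 ]; then echo "stale-arp"
  else echo "reaching-vip"; fi
}

diagnose
```

On a live box, replace `SAMPLE` with the output of `tcpdump -eni <wan> "host $CARP_VIP or arp"` taken while a client retries the forwarded port.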

