4. OpenVPN + CARP + MultiWAN

OpenVPN + CARP + MultiWAN

  • B

    Hi, all,

    I had a nice failover setup working with OpenVPN and Multi-WAN, using 'any' binding.  After I added CARP VIP's, this stopped working:

    https://redmine.pfsense.org/issues/2273

    Chris says there, "In some circumstances with multi-WAN you can't use any and that's probably where you're going wrong."

    Question 1:

    Can anybody explain what those circumstances are?  I'd like to offer a patch that would keep users out of that situation.

    Question 2:

    I've tried port forwarding from my WAN CARP address to the LAN CARP address.  This works for TCP OpenVPN connections, but for UDP OpenVPN connections, it doesn't.  If I try logging on the associated filter rule, I never see anything.  If I capture packets on the hardware interface, I see inbound packets.  If I capture on the 'vip' interface, I don't see any packets (should I?).

    Anyway, I suspect somehow TCP's state tracking is helping NAT work here, but I've seen others post that they've got this working with UDP, so I'm wondering what might be different.

    0
  • Rebel Alliance Developer Netgate

    With UDP on multi-WAN, the return traffic will follow the default route when bound to "any", it has nothing to do with CARP.

    The usual fix is to bind the OpenVPN instance to the LAN address and add port forwards from each WAN into the LAN IP on the OpenVPN port. Works just fine that way.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy