    VIP setup for HA

    HA/CARP/VIPs
rpopa:

Hello,

I have a running installation of two pfSense routers with the following configuration:

Router1:
WAN: 1.1.1.2
LAN: 2.2.2.2
SYNC: 3.3.3.1

Router2:
WAN: 1.1.1.3
LAN: 2.2.2.3
SYNC: 3.3.3.2

The VIP for WAN is 1.1.1.1 and for LAN 2.2.2.1. Both LAN and WAN IPs are routable, so I disabled the automatic NAT and removed all created rules except the ones for 127.0.0.1. I can successfully reach the WAN of each router and the VIP WAN of the master from the outside world.

My problem is that when the master initiates traffic towards the internet it does so from the real WAN address (1.1.1.2) and not the VIP WAN (1.1.1.1). In the case of having the LAN on private IP addressing it was easy, because it could be solved by adding a manual NAT rule and having outgoing traffic NAT-ed to the VIP WAN.

But how to do this when both LAN and WAN are routable, please?

Thanks in advance!
djsmiley2k:

Need to set a manual NAT rule to rewrite the origin address...

So set up a CARP IP to float between the boxes and then...

From my own notes:

On the master box - NAT:
    - Select "Manual Nat rules"
    - Save and apply the settings - new rules will appear
    - Each of the rules for the LAN interface must be edited to have the "Outgoing" source address changed from "interface" to "CARP WAN IP".
rpopa:

Sorry, but I think this is valid only when I do NAT, or? In my case I only route the addresses, so no NAT.

Thanks!
marcelloc:

The outbound NAT is the source NAT; if you need to change the source address, you need outbound NAT.

Change it from automatic to manual and assign a rule to use the VIP address.
rpopa:

Ok,

Automatic NAT is disabled already and all rules deleted. How should the rule look, please:

Interface: WAN
Protocol: any
Source: network - WAN real IP address/32
Destination: any
Translation: VIP address of WAN

Is this correct?

And is it safe to have it both on master and slave?

Thanks!
marcelloc:

Source is usually the LAN subnet, but you can use any internal address/network range.
rpopa:

Maybe I was misunderstood: pfSense is doing routing between the block of public IPs we have, which is configured on the LAN interface, and the ISP address, which is configured on the WAN interface. So the goal is to have our block of IPs routed and not NAT-ed. My problem is that on the WAN interface I would like packets to have as outgoing address the VIP of WAN and not the real IP of the WAN, so that in case the master fails and the slave takes over, the receiving party will always "see" the same originating IP address.
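An added example, not from the thread or from pfSense itself: a small Python model of the outbound NAT rule rpopa proposes (source = the node's own WAN address/32, translation = the CARP WAN VIP), used to check which traffic such a rule rewrites. It assumes the thread's addresses, a /24 for the routed LAN block, and that pf applies the first matching outbound NAT rule and leaves unmatched packets untranslated.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses from the thread: WAN VIP 1.1.1.1, master WAN 1.1.1.2,
# backup WAN 1.1.1.3. The routed LAN block is assumed to be 2.2.2.0/24.
WAN_VIP = ipaddress.ip_address("1.1.1.1")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class OutboundNatRule:
    """One manual outbound NAT rule, as pfSense would load it into pf,
    e.g. 'nat on em0 inet from 1.1.1.2 to any -> 1.1.1.1'."""
    interface: str
    source: ipaddress.IPv4Network
    translation: ipaddress.IPv4Address
    destination: ipaddress.IPv4Network = field(default=ANY)


def node_rules(real_wan_ip):
    """Rules for one HA node: only the firewall's own WAN address is rewritten
    to the CARP VIP. The routed public LAN block is deliberately not listed,
    so it is routed, not NAT-ed (the point of the thread)."""
    return [OutboundNatRule("WAN", ipaddress.ip_network(f"{real_wan_ip}/32"), WAN_VIP)]


def translated_source(rules, out_interface, src, dst):
    """Return the source address a packet leaves with. pf uses the first
    matching outbound NAT rule; with no match the packet is left untouched."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.interface == out_interface and src in rule.source and dst in rule.destination:
            return rule.translation
    return src


if __name__ == "__main__":
    master = node_rules("1.1.1.2")
    # Firewall-originated traffic (e.g. DNS, updates) leaves as the VIP.
    print(translated_source(master, "WAN", "1.1.1.2", "8.8.8.8"))   # 1.1.1.1
    # A host in the routed LAN block keeps its own public address.
    print(translated_source(master, "WAN", "2.2.2.50", "8.8.8.8"))  # 2.2.2.50
```

The same rule on the backup node uses its own WAN address (1.1.1.3) as the source; note that while the node is backup the VIP is not active on it, so its own traffic rewritten to 1.1.1.1 would have replies delivered to the master instead.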
