VIP setup for HA

  • Hello,

    I have a running installation of two pfsense routers with the following configuration:

    The VIP for WAN is and for LAN Both LAN and WAN IPs are routable, so I disabled the automatic NAT and removed all created rules except the ones for I can successfully reach from the outside world the WAN of each router and the VIP WAN for the master one.

    My problem is that when the master initiates traffic towards the internet it does it from the real WAN address ( and not the VIP WAN ( In case of having the LAN on private IP addressing it was easy because it could be solved by adding a manual NAT rule and having outgoing traffic NAT-ed on the VIP WAN.

    But how to do this when both LAN and WAN are routable, please?

    Thanks in advance!

  • Need to set a manual NAT rule to rewrite the origin address...

    So setup a CARP IP to float between the boxes and then...

    From my own notes:

    On Master box - NAT
        Select "Manual NAT rules"

    Save and apply the settings - new rules will appear
        Each of the rules for the LAN interface must be edited to have the "Outgoing" source address changed from "interface" to "CARP WAN IP".

  • Sorry, but I think this is valid only when I do NAT, isn't it? In my case I only route the addresses, so no NAT.


  • Outbound NAT is source NAT: if you need to change the source address, you need outbound NAT.

    Change it from automatic to manual and assign a rule to use VIP address.

  • Ok,

    Automatic NAT is disabled already and all rules deleted. How should the rule look, please:

    Interface: WAN
    Source: Network - WAN real IP address/32
    Translation: VIP address of WAN

    Is this correct?

    And is it safe to have it on both master and slave?
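    As an added illustration that is not part of the thread and not pfSense's own generated configuration: the rule proposed in the post above (Interface: WAN, Source: WAN real IP/32, Translation: VIP) and the "CARP WAN IP" edit from the earlier reply, written as the equivalent pf translation rules. Interface names and addresses are placeholders I made up (em0 as WAN, a documentation prefix as the routed LAN block); the real WAN address differs on master and slave, so that macro is per box while the VIP is shared.

    ```pf
    # Constructed example: placeholder interfaces and addresses, not values from the thread.
    wan_if   = "em0"                 # WAN interface
    lan_net  = "198.51.100.0/24"     # routed public block behind the LAN interface
    wan_real = "203.0.113.2"         # this box's own WAN address (differs on master and slave)
    carp_vip = "203.0.113.10"        # shared CARP VIP on WAN

    # Routed block: packets from LAN hosts keep their own public source address,
    # i.e. no translation at all for the LAN side.
    no nat on $wan_if from $lan_net to any

    # Traffic the firewall itself originates from its real WAN address:
    # rewrite the source to the CARP VIP so the remote side always sees the VIP.
    nat on $wan_if from $wan_real to any -> $carp_vip
    ```

    `pfctl -nvf <file>` parses such a fragment without loading it, and on a running box `pfctl -s nat` shows the translation rules the GUI actually generated, which is the quickest way to compare the two.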


  • Source is usually lan subnet but you can use any internal address/network range.

  • Maybe I was misunderstood: pfSense is doing routing between the block of public IPs we have, which is configured on the LAN interface, and the ISP address, which is configured on the WAN interface. So the goal is to have our block of IPs routed and not NAT-ed. My problem is that on the WAN interface I would like packets to have as outgoing address the VIP of WAN and not the real IP of the WAN. So in case master fails and slave takes over, the receiving party will always "see" the same originating IP address.
