Netgate Discussion Forum
Help! Don't understand the NAT instruction in the docs for creating master/slave

HA/CARP/VIPs
5 Posts 2 Posters 2.2k Views
ace:

The CARP setup page http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29 says this:

      Setting up advanced outbound NAT
      Enable advanced outbound NAT in Firewall -> NAT -> Outbound -> Enable advanced outbound NAT. Click save.
      Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the Translation IP address. Give the item a description and click Save.

I don't understand this: why is it required, and what is required exactly? The XOVER interface has a single fixed IP on the master (e.g. 192.168.1.1) and on the slave (e.g. 192.168.1.2). Why would any NAT need to be set up? Surely if we enable the advanced outbound NAT, it disables the automatic NAT generation (whatever that is doing), which presumably will break any auto stuff we need, but is not shown?

If we do break the auto NAT and go advanced, what are we supposed to put in the NAT rule? There are none in the mappings list.

It half works with no NAT set up - all the rules and VIPs etc. are propagated (except the last one only half came through, we have broken it and don't know why…)

      Any help or ideas much appreciated.

podilarius:

        This is required so that traffic will look like it is coming from the CARP and not an interface on the firewall. This way if there is a failure, the second firewall can pick up where the primary left off.

ace:
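To make the point of that answer checkable, here is an added example (not from this thread and not pfSense's own code): a small Python script that reads a constructed pfSense-style config.xml fragment and flags outbound NAT rules whose translation address is not one of the CARP VIPs, i.e. rules that would NAT to an address that does not move on failover. The element names (virtualip/vip with mode and subnet, nat/outbound/rule with target, an empty or missing target meaning "interface address") are my assumption about the config layout, and all addresses are made up.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment (assumed layout, not a real pfSense export).
# 203.0.113.2 is the primary's own WAN address; 203.0.113.10 is a WAN CARP VIP.
CONFIG_XML = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.10</subnet></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.10.1</subnet></vip>
  </virtualip>
  <nat>
    <outbound>
      <mode>advancedoutbound</mode>
      <rule><interface>wan</interface><source><network>192.168.10.0/24</network></source>
            <target>203.0.113.10</target><descr>LAN via CARP VIP</descr></rule>
      <rule><interface>wan</interface><source><network>10.0.2.0/24</network></source>
            <target>203.0.113.2</target><descr>DMZ via interface IP</descr></rule>
      <rule><interface>wan</interface><source><network>10.0.3.0/24</network></source>
            <descr>Guest, no explicit target</descr></rule>
    </outbound>
  </nat>
</pfsense>"""


def carp_vips(root):
    """Collect every address defined as a CARP virtual IP (assumed <vip> layout)."""
    return {vip.findtext("subnet") for vip in root.iter("vip")
            if vip.findtext("mode") == "carp"}


def non_carp_outbound_rules(xml_text):
    """Return the descriptions of outbound NAT rules that do not translate to a CARP VIP.

    A missing or empty <target> is treated as 'interface address' (assumption), which
    is exactly the case the docs warn about: after failover the secondary would NAT
    to its own WAN address, so existing sessions break.
    """
    root = ET.fromstring(xml_text)
    vips = carp_vips(root)
    findings = []
    for rule in root.iterfind("./nat/outbound/rule"):
        target = rule.findtext("target")
        if not target or target not in vips:
            findings.append(rule.findtext("descr"))
    return findings


if __name__ == "__main__":
    for descr in non_carp_outbound_rules(CONFIG_XML):
        print(f"outbound NAT rule not using a CARP VIP: {descr}")
```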

          @podilarius:

          This is required so that traffic will look like it is coming from the CARP and not an interface on the firewall. This way if there is a failure, the second firewall can pick up where the primary left off.

Ah, it's becoming clearer. So the NAT has nothing to do with the dedicated XOVER sync link, but to do with the CARP of the default route?

          There are several CARPed IPs on the WAN, and the single CARPed ip of the LAN which is used for the default route of all the servers on the LAN.

Which of these are supposed to be NATed (LAN, WAN or both?), and what should the NAT rule look like? Could anyone supply an example? I don't want to play with it on the production firewalls until we understand how it works. I've read the book and the web instructions, and it really doesn't give enough information to know how the rule should be set up (or what it's for).

          Thanks for your help!

ace:

OK, I was wrong - the book does explain why this NAT is required and how it should be set up. All is clear now. Many thanks for the help.

            How do I mark this as solved?

podilarius:

Post a reply that it was solved and perhaps change the subject on either the original post or on this one. If that does not work, then a mod will have to do that.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.