Outbound NAT not working with CARP



  • I will start by saying I sure this has been posted before, but I am just not seeing it. I have two pfSense 2.0.1 machines in HA with CARP. Everything works file except Outbound NAT. When I change to "Automatic outbound" machines on the LAN can get out to the big "I" but with "Advanced Outbound NAT" on with the proper (what I believe is correct) settings I cannot get out. I have VIPs for both WAN and LAN, 3 public static IPs for WAN, not hooked into cable modem switch, everything is setup as I would expect it to be. The biggest problem is I just set up two boxes in the same manner and it worked perfectly, no problems what-so-ever. I thought I may have some DOA NICs but they all check out, so I am stumped. Any help would be appreciated.

    Outbound NAT

    WAN  192.168.1.0/24  *  *  *  192.168.2.3  *  NO

    [192.168.2.3 not real WAN IP, but valid IP for subnet given by provider setup as CARP VIP]



  • So basically, you are double nating. okay, so if you use automatic, is it using 2.3? if so, that would be the WAN address. If you are mapping an external address to 2.3 or even let say 2.2 (WAN Address), then the CARP must be setup on that address with the WAN on each FW on lets say 2.12 and 2.13. That is for specific routing only. If it is looser than that, just beware that routing roues are top down first matching like the firewall rules. Also, if you have a new machine, make sure you are not running realtek nics .. they are currently just too unpredictable.



  • podilarius -

    Thanks for your quick response. Maybe I am misunderstanding, but I am only using "Advanced Outbound NAT" at the moment. I toggled back and forth between automatic and advanced to see what difference it would make. All NICS are Intel (4), the machines are SuperMicro 1U Core2Duo 2.93Ghz 4GB ram 16GB SSD. Don't know if any of that makes any difference. I do have the SSD running in ACHI, will that make any difference? I only have the one entry for outbound nat. Do I need to create a route to manage traffic for the VIPs (WAN and LAN)?



  • First, if you are using CARP, manual advanced outbound NAT is the only option. Automatic will only work on the primary. I guess it would work on the secondary (in a failover situation, but states will not be kept thus all connections will be reset and will defeat the purpose of the HA setup). Even the default gateway used on DHCP and every server or manually set IP will need to use the CARP LAN IP you setup. If you are double NATing on multiple CARP then the main router will need entries to route external to internal addresses and ports and then the pfSense will have to do the same only internal (external to pfSense) to internal. You can use 1:1 or port forward to accomplish that. You will also need to turn off block private ips on the WAN interface.



  • I have turned off "Block Private Networks" on WAN, but problem still persists. Pardon my ignorance, but I am not sure what you mean by double NAT'ing. Are you referring to my outbound rule-set?



  • Nope … I am refering to something like

    8.8.8.8 -> <your_external_real_ip_address>-> 10.1.1.1    ->  10.1.1.2              -> 192.168.1.1      -> 192.168.1.2
    Internet      WAN on your router                    Lan on router    WAN on pfsense        Lan on pfsense      Server

    You are having to go through 2 private nets to get to the internet ... this is double nat.
    It is not usually a good idea to double nat. Usually because of the administration headache and over complicating the network setup. Sometimes it is necessary and I would only use it if absolutely needed. You have to make sure that the correct ports are open all the way through your setup.</your_external_real_ip_address>


Locked