Netgate Discussion Forum

    Outbound NAT not working with CARP

    Category: HA/CARP/VIPs
    6 Posts 2 Posters 4.4k Views
    nlevesque

      I will start by saying I am sure this has been posted before, but I am just not seeing it. I have two pfSense 2.0.1 machines in HA with CARP. Everything works fine except Outbound NAT. When I change to "Automatic outbound", machines on the LAN can get out to the big "I", but with "Advanced Outbound NAT" on with the proper (what I believe is correct) settings I cannot get out. I have VIPs for both WAN and LAN, 3 public static IPs for WAN, not hooked into cable modem switch; everything is set up as I would expect it to be. The biggest problem is I just set up two boxes in the same manner and it worked perfectly, no problems whatsoever. I thought I may have some DOA NICs but they all check out, so I am stumped. Any help would be appreciated.

      Outbound NAT

      Interface  Source          Src Port  Destination  Dst Port  NAT Address  NAT Port  Static Port
      WAN        192.168.1.0/24  *         *            *         192.168.2.3  *         NO

      [192.168.2.3 is not the real WAN IP, but a valid IP for the subnet given by the provider, set up as a CARP VIP]

    podilarius

      So basically, you are double NATing. Okay, so if you use automatic, is it using 2.3? If so, that would be the WAN address. If you are mapping an external address to 2.3 or even let's say 2.2 (WAN address), then the CARP must be set up on that address with the WAN on each FW on let's say 2.12 and 2.13. That is for specific routing only. If it is looser than that, just beware that routing rules are top-down, first matching, like the firewall rules. Also, if you have a new machine, make sure you are not running Realtek NICs .. they are currently just too unpredictable.

    nlevesque

      podilarius -

      Thanks for your quick response. Maybe I am misunderstanding, but I am only using "Advanced Outbound NAT" at the moment. I toggled back and forth between automatic and advanced to see what difference it would make. All NICs are Intel (4); the machines are SuperMicro 1U, Core2Duo 2.93GHz, 4GB RAM, 16GB SSD. Don't know if any of that makes any difference. I do have the SSD running in AHCI; will that make any difference? I only have the one entry for outbound NAT. Do I need to create a route to manage traffic for the VIPs (WAN and LAN)?

    podilarius

      First, if you are using CARP, manual advanced outbound NAT is the only option. Automatic will only work on the primary. I guess it would work on the secondary (in a failover situation), but states will not be kept, thus all connections will be reset and will defeat the purpose of the HA setup. Even the default gateway used on DHCP and every server or manually set IP will need to use the CARP LAN IP you set up. If you are double NATing on multiple CARP then the main router will need entries to route external to internal addresses and ports, and then the pfSense will have to do the same, only internal (external to pfSense) to internal. You can use 1:1 or port forward to accomplish that. You will also need to turn off block private IPs on the WAN interface.

    nlevesque
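The point podilarius makes above (with CARP, outbound NAT must be manual/advanced and must translate to the CARP VIP rather than the interface address, or states die on failover) is easy to audit from a config backup. The script below is an added example, not code from the thread or from the pfSense project. It assumes a simplified slice of pfSense's config.xml layout (`<virtualip><vip>` entries with `<mode>carp</mode>`, and `<nat><outbound>` with a `<mode>` and `<rule>` entries whose `<target>` holds the translation address, empty meaning "interface address"); the sample config is constructed and the element names should be checked against your own backup before trusting the result.

```python
"""Audit pfSense outbound NAT rules for CARP-safety (added example).

Assumption: config.xml carries CARP VIPs under <virtualip><vip> and outbound
NAT under <nat><outbound>, with <target> as the translation address and an
empty <target> meaning "use the interface address".
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: two CARP VIPs (WAN 192.168.2.3, LAN 192.168.1.1) and two
# advanced outbound NAT rules. The second rule has an empty target on purpose.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface>
         <subnet>192.168.2.3</subnet><subnet_bits>24</subnet_bits></vip>
    <vip><mode>carp</mode><interface>lan</interface>
         <subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits></vip>
  </virtualip>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule><interface>wan</interface>
            <source><network>192.168.1.0/24</network></source>
            <target>192.168.2.3</target></rule>
      <rule><interface>wan</interface>
            <source><network>10.10.0.0/16</network></source>
            <target></target></rule>
    </outbound>
  </nat>
</pfsense>"""


def carp_vips(root):
    """Map interface name -> set of CARP VIP addresses found in the config."""
    vips = {}
    for vip in root.iter("vip"):
        if vip.findtext("mode") == "carp":
            iface = vip.findtext("interface")
            vips.setdefault(iface, set()).add(vip.findtext("subnet"))
    return vips


def audit_outbound_nat(config_xml):
    """Return a list of findings; an empty list means the NAT config is CARP-safe.

    Checks: outbound NAT mode is advanced (manual), and every rule translates
    to an IP that is a CARP VIP on the rule's interface.
    """
    root = ET.fromstring(config_xml)
    findings = []
    outbound = root.find("nat/outbound")
    if outbound is None:
        return ["no <nat><outbound> section found"]

    mode = outbound.findtext("mode", default="automatic")
    if mode != "advanced":
        findings.append(f"outbound NAT mode is '{mode}'; with CARP it must be "
                        "manual/advanced so rules translate to the VIP")

    vips = carp_vips(root)
    for idx, rule in enumerate(outbound.findall("rule")):
        iface = rule.findtext("interface")
        src = rule.findtext("source/network", default="?")
        target = (rule.findtext("target") or "").strip()
        if not target:
            # Empty target = interface address; on failover the secondary's
            # own WAN address differs, so existing states are lost.
            findings.append(f"rule {idx} ({src} via {iface}): empty target "
                            "uses the interface address, not a CARP VIP")
            continue
        try:
            ipaddress.ip_address(target)
        except ValueError:
            # Alias or other non-literal target: cannot verify offline.
            findings.append(f"rule {idx} ({src} via {iface}): target '{target}' "
                            "is not a literal IP; verify it resolves to a CARP VIP")
            continue
        if target not in vips.get(iface, set()):
            findings.append(f"rule {idx} ({src} via {iface}): target {target} "
                            f"is not a CARP VIP on {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit_outbound_nat(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a real backup with `audit_outbound_nat(open("config.xml").read())`; the sample flags only the second rule, and switching the sample's mode to automatic adds a second finding.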

              I have turned off "Block Private Networks" on WAN, but problem still persists. Pardon my ignorance, but I am not sure what you mean by double NAT'ing. Are you referring to my outbound rule-set?

    podilarius

      Nope … I am referring to something like

      8.8.8.8   -> <your_external_real_ip_address> -> 10.1.1.1      -> 10.1.1.2        -> 192.168.1.1     -> 192.168.1.2
      Internet     WAN on your router                 LAN on router    WAN on pfSense     LAN on pfSense     Server

      You are having to go through 2 private nets to get to the internet ... this is double NAT.
      It is not usually a good idea to double NAT, usually because of the administration headache and over-complicating the network setup. Sometimes it is necessary and I would only use it if absolutely needed. You have to make sure that the correct ports are open all the way through your setup.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.