Help understanding Manual Outbound NAT on Multiwan/lan 2.0.2 rls

HA/CARP/VIPs
Log in to reply
  • V

    Hi,

    I'm trying to get my CARP cluster working fully and I am having trouble understanding outbound NAT.  Accepted wisdom is I need manual outbound NAT but when I switched from automatic to manual and added outbound NAT rules my pfsenses lost all outbound connections (and maybe some other connections, but didn't explore fully as panic set in!)

    My setup:
    2 WANs from 2 different ADSL providers and 2 modem/routers, each modem router doing NAT for specific services to corresponding pfSense VIP.

    WAN1 192.168.2.x
    WAN2 192.168.1.x
    WLAN 192.168.3.x
    LAN 192.168.0.x
    pfSync 192.168.5.x connected using crossover cable

    Each pfsense box has 5 nics, 1 for each WAN, WLAN, LAN and pfSync, consisting of onboard NICs and Intel PROs.  Both running 2.0.2 release, AMDXP 3200+ / AMD64 3400+, 1GB ram each.

    4 vips, WAN1, WAN2, WLAN, LAN
    3 Gateways, GW_WAN, GW_OPT1, GW_OPT2 (WLAN) (none are default)

    GW_WAN and GW_OPT1 are configured in groups to provide failover and are used in LAN outbound firewall rules.

    LAN and WLAN each have about 5 devices attached.  I have a 2 webservers configured as a LoadBalanced cluster on the LAN.

    I have firewall rules set on LAN so that certain services or PCs use specific gateways/groups so I can separate traffic according to type and/or user.  EG. SMTP from a particular server on LAN always goes out of WAN2 via associated VIP, PC1 web traffic goes to failover group OPT1->WAN etc.

    With no Manual Outbound NAT (automatic NAT on) everything works as it should, if I turn off the master, the backup takes over and when the master comes back the master takes over from the backup as expected.

    However, there is a delay of about 10 seconds when the backup kicks in or out and that is enough time to drop any existing connections (eg. IRC or video streaming).  Connections are re-established though.

    So I'm not sure how to get outbound NAT working correctly given I have alot of firewall rules set for LAN or if having outbound NAT would decrease the delay of the switchover.

    So far as I can understand I need a manual outbound NAT rule to allow:
    LAN-WAN1
    LAN-WAN2
    WLAN-LAN
    WLAN-WAN1
    WLAN-WAN2
    plus the loopback rules.

    However, as mentioned if I add those rules in I loose outbound connectivity.  So can anyone please explain if I need manual outbound NAT over automatic and if that will allow faster switchovers, and if my understanding is correct?

    Thank you in advance,

    Vent

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy