Netgate Discussion Forum

    Help understanding Manual Outbound NAT on Multiwan/lan 2.0.2 rls

    HA/CARP/VIPs
    Ventolin

      Hi,

      I'm trying to get my CARP cluster working fully and I am having trouble understanding outbound NAT. Accepted wisdom is I need manual outbound NAT, but when I switched from automatic to manual and added outbound NAT rules my pfSenses lost all outbound connections (and maybe some other connections, but I didn't explore fully as panic set in!).

      My setup:
      2 WANs from 2 different ADSL providers and 2 modem/routers, each modem/router doing NAT for specific services to the corresponding pfSense VIP.

      WAN1 192.168.2.x
      WAN2 192.168.1.x
      WLAN 192.168.3.x
      LAN 192.168.0.x
      pfSync 192.168.5.x connected using crossover cable

      Each pfSense box has 5 NICs, 1 each for WAN1, WAN2, WLAN, LAN and pfSync, consisting of onboard NICs and Intel PROs. Both running 2.0.2 release, AMD XP 3200+ / AMD64 3400+, 1GB RAM each.

      4 VIPs: WAN1, WAN2, WLAN, LAN
      3 Gateways: GW_WAN, GW_OPT1, GW_OPT2 (WLAN) (none are default)

      GW_WAN and GW_OPT1 are configured in groups to provide failover and are used in LAN outbound firewall rules.

      LAN and WLAN each have about 5 devices attached. I have 2 web servers configured as a load-balanced cluster on the LAN.

      I have firewall rules set on LAN so that certain services or PCs use specific gateways/groups, so I can separate traffic according to type and/or user. E.g. SMTP from a particular server on LAN always goes out of WAN2 via the associated VIP, PC1 web traffic goes to the failover group OPT1->WAN, etc.

      With no manual outbound NAT (automatic NAT on) everything works as it should: if I turn off the master, the backup takes over, and when the master comes back the master takes over from the backup as expected.

      However, there is a delay of about 10 seconds when the backup kicks in or out, and that is enough time to drop any existing connections (e.g. IRC or video streaming). Connections are re-established though.

      So I'm not sure how to get outbound NAT working correctly given I have a lot of firewall rules set for LAN, or whether having manual outbound NAT would decrease the delay of the switchover.

      So far as I can understand I need a manual outbound NAT rule to allow:
      LAN-WAN1
      LAN-WAN2
      WLAN-LAN
      WLAN-WAN1
      WLAN-WAN2
      plus the loopback rules.

      However, as mentioned, if I add those rules in I lose outbound connectivity. So can anyone please explain whether I need manual outbound NAT over automatic, whether that will allow faster switchovers, and whether my understanding is correct?

      Thank you in advance,

      Vent
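As an added illustration (not part of the original post or of pfSense itself), a small Python check of a manual outbound NAT rule set against the layout described above: every internal subnet and localhost gets a rule on each WAN, and each rule translates to that WAN's CARP VIP rather than the per-node interface address, which is the usual reason a rule set that works on one node stops working after a failover. The VIP host addresses (.250) and the rule objects are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed topology following the post's addressing; the CARP VIP host
# addresses (.250) are placeholders, not values from the thread.
WAN_VIPS = {"WAN1": "192.168.2.250", "WAN2": "192.168.1.250"}
INTERNAL = {"LAN": "192.168.0.0/24", "WLAN": "192.168.3.0/24"}
LOOPBACK = "127.0.0.0/8"

@dataclass(frozen=True)
class NatRule:
    interface: str     # WAN the rule is bound to
    source: str        # source network (CIDR)
    translate_to: str  # "interface" (per-node address) or a CARP VIP

def check_rules(rules):
    """Return findings for a manual outbound NAT rule set; [] means it passes."""
    findings = []
    for r in rules:
        vip = WAN_VIPS.get(r.interface)
        if vip is None:
            continue  # rules on non-WAN interfaces are out of scope here
        if r.translate_to == "interface":
            findings.append(f"{r.interface} {r.source}: translates to the per-node "
                            "address; synced states are useless to the backup after failover")
        elif r.translate_to != vip:
            findings.append(f"{r.interface} {r.source}: translates to {r.translate_to}, "
                            f"expected the CARP VIP {vip}")
    # Every internal subnet, plus localhost, needs a rule on every WAN.
    for wan in WAN_VIPS:
        present = {ip_network(r.source) for r in rules if r.interface == wan}
        for name, net in list(INTERNAL.items()) + [("loopback", LOOPBACK)]:
            if ip_network(net) not in present:
                findings.append(f"missing rule: {name} ({net}) out {wan}")
    return findings

# Constructed rule sets: BROKEN has one rule translating to the per-node
# address and lacks the WLAN and loopback rules on WAN2; FIXED is the
# full VIP-based matrix the check expects.
BROKEN = [
    NatRule("WAN1", "192.168.0.0/24", "interface"),
    NatRule("WAN2", "192.168.0.0/24", "192.168.1.250"),
    NatRule("WAN1", "192.168.3.0/24", "192.168.2.250"),
    NatRule("WAN1", LOOPBACK, "192.168.2.250"),
]
FIXED = [NatRule(w, s, v) for w, v in WAN_VIPS.items()
         for s in list(INTERNAL.values()) + [LOOPBACK]]
```

Running `check_rules(BROKEN)` yields three findings (the per-node translation plus the two missing WAN2 rules); `check_rules(FIXED)` yields none.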

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.