CARP with single WAN IP - firewall can't ping but LANs can.

  • I have CARP running well with a single WAN address from my ISP. I allocated two (that can't get to the internet) and assigned them to master and backup to make it work. Yes, my subnet is bigger than the one allocated by the ISP, but that's fine, I've been doing similar things for years. Worst case I can't contact another client of the ISP, which is unlikely.

    I think the box(es) have an irritating issue though, as they can't ping out from the WAN interface. I tried changing outbound NAT for the network to the virtual WAN IP instead of "interface," no luck. All docs/posts seem to say not to do that anyway, only for LAN networks.

    All is fine with hosts on two separate LANs, and IPsec is good using the virtual IP. All works perfectly on the inside and outside.

    BUT, the firewall can't ping out from its WAN side, and I think because that doesn't work it can't send notifications or check for updates, and the GUI seems slow on some pages because (possibly) of that and the lack of DNS, regardless of whether I access it from the WAN virtual address or the LAN real/virtual addresses. Of course it can ping and resolve from its LAN interfaces.

    Any ideas how I can avoid buying 2 more IPs from the ISP, which I assume would fix it?

    If I could tell the firewall to access the internet via virtual IP I think that would solve it.

  • Just confirmed the same on some other sets. If I use a "fake" external IP for the WAN address, I can't ping out from the "real" WAN. pfSense also uses this for updates/alerts/who knows what else. It would be great to bypass this, which seems uncomplicated given that all else works perfectly.

    Easy to replicate. Take a box and just assign a virtual CARP IP on its WAN address to a "real" IP. Make sure the real IP works fine and clients connect, change AON, etc. Follow the guides.

    Probably internal DNS would fail, so keep DHCP clients or statics otherwise assigned, like 208.67 or whatever.

    The network is perfect. The IPsec VPN works when you switch the IDs to the virtual IPs.
    Regular NAT works when you change AON as per the guides.

    I'm sure now that I'm not the only one to figure this out. I'd be willing to contribute to a bounty to solve or patch it.

    Anyone else?

    It means being able to CARP perfectly with just one ISP IP.

  • It probably doesn't work on all ISPs; my ISP runs proxy ARP for the whole subnet that I'm in. So you would have to filter that on the device between your firewall and your ISP, I think. Not very clean, if you ask me.

    But besides that, yes, this can work if you can separate out what traffic is sent for CARP and what for the internet, because you would need the traffic going to the multicast IP for CARP to not be coming from the VIP, of course.

    It should be possible with rules like:
    src: dst: uses IP: real IP
    src: dst: ! uses IP: VIP

    (you probably need some more, and I don't think pfSense currently allows this)
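    The split described above, written out as an added example in raw pf.conf syntax (this is not from the thread or from pfSense's generated configuration; the interface name, addresses and VIP are placeholders, and pfSense regenerates its own pf.conf from the GUI, so a hand-edited file like this would not persist on a pfSense box):

```pf
# Added example, not part of the original thread.
# Placeholders: interface and addresses are assumed for illustration.
wan_if   = "em0"
wan_real = "203.0.113.10"   # this node's own (non-routed) WAN address
wan_vip  = "203.0.113.5"    # the single ISP-routed address, held by CARP
lan_net  = "10.0.0.0/24"

# Translation rules are first-match in pf, so the exemption goes first.
# CARP advertisements are IP protocol 112 sent to 224.0.0.18; they must
# keep the node's real address as source or the peer cannot tell the
# nodes apart, so they are excluded from NAT.
no nat on $wan_if proto carp from $wan_real to 224.0.0.18

# Everything else the firewall itself originates on WAN (DNS lookups,
# update checks, notifications, pings) is rewritten to the routed VIP.
nat on $wan_if from $wan_real to any -> $wan_vip

# Hosts behind the firewall are translated to the VIP as usual.
nat on $wan_if from $lan_net to any -> $wan_vip

# Filter rules must still let the CARP multicast through in both
# directions, or the backup never hears the master.
pass out on $wan_if proto carp from $wan_real to 224.0.0.18
pass in  on $wan_if proto carp from any to 224.0.0.18
```

    One caveat this does not remove: the VIP is only active on the current master, so return traffic for the firewall's own connections only reaches whichever node holds the VIP; the backup node still cannot reach the internet from its real address, and the proxy-ARP problem mentioned above is unaffected.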
