Netgate Discussion Forum
    CARP with single WAN IP - firewall can't ping but LANs can.

    HA/CARP/VIPs

    msmith9xr4:

      I have CARP running well with a single WAN address from my ISP. I allocated two (that can't get to internet) assigned to master and backup to make it work. Yes, my subnet is bigger than allocated by ISP but that's fine, been doing similar things for years. Worst case I can't contact another client of ISP, unlikely.

      I think the box(es) have an irritating issue though as they can't ping out from WAN interface. I tried changing outbound NAT for 127.0.0.0/8 network to virtual WAN IP instead of "interface," no luck. All docs/posts seem to say not to do that anyway, only for LAN networks.

      All is fine with hosts on two separate LANs, IPSEC is good using virtual IP. All works perfectly on the inside and outside.

      BUT, the firewall can't ping out from its WAN side, and I think because that doesn't work it can't send notifications or check for updates, and the GUI seems slow on some pages because (possibly) of that and lack of DNS, regardless of whether I access it from the WAN virtual address or the LAN real/virtual addresses. Of course it can ping and resolve from its LAN interfaces.

      Any ideas how I can avoid buying 2 more IPs from the ISP, which I assume would fix it?

      If I could tell the firewall to access the internet via virtual IP I think that would solve it.

        msmith9xr4:

        Just confirmed the same on some other sets. If I use a "fake" external IP for the WAN address, can't ping out from "real" WAN. pfSense also uses this for updates/alerts/who knows what else. It would be great to bypass this which seems uncomplicated given all that works perfectly otherwise.

        Easy to replicate. Take a box and just assign a virtual CARP IP on its WAN address to a "real" IP. Make sure the real IP works fine and clients connect, change AON, etc., following the guides.

        Probably internal DNS would fail so keep DHCP clients or statics otherwise assigned like 208.67 or whatever.

        Network is perfect. IPSEC VPN works when you switch IDs and IPs to virtual.
        Regular NAT works when you change AON as per guides.

        I'm sure now that I'm not alone to figure this out. I'd be willing to contribute to a bounty to solve or patch.

        Anyone else?

        It means being able to perfectly CARP with just one ISP ip.
        ???

          SeventhSon:

          It probably doesn't work on all ISPs; my ISP runs proxy ARP for the whole subnet that I'm in. So you would have to filter that on the device between your firewall and your ISP, I think. Not very clean, if you ask me.

          But besides that, yes this can work if you can separate out what traffic is sent for CARP and the internet, because you would need traffic going to the multicast IP for CARP to not be coming from the VIP, of course.

          It should be possible with rules like:
          src: 127.0.0.0/8 dst: 224.0.0.0/8 uses IP: real IP
          src: 127.0.0.0/8 dst: !224.0.0.0/8 uses IP: VIP

          (you probably need some more, and I don't think pfSense currently allows this)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
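A small model of how a first-match outbound NAT list decides which address the firewall's own traffic leaves with, added here as an illustration and not code from pfSense or from either poster. The addresses are constructed documentation-range samples; the rule set mirrors the two rules proposed above, next to the single catch-all rule the original poster tried, to show why the catch-all also rewrites the CARP multicast traffic.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
REAL_WAN_IP = "203.0.113.10"   # address assigned to this node's own WAN interface
WAN_VIP = "203.0.113.11"       # shared CARP virtual IP
CARP_MCAST = "224.0.0.18"      # destination of CARP advertisements
# The post writes 224.0.0.0/8; the full IPv4 multicast block is 224.0.0.0/4.
MULTICAST = "224.0.0.0/4"


@dataclass
class OutboundNatRule:
    source: str        # CIDR the packet's source must fall in
    destination: str   # CIDR the destination is tested against
    negate_dst: bool   # True for a "!dst" match, as in the post's second rule
    translate_to: str  # address the firewall rewrites the source to

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        dst_in = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination)
        # With negate_dst the rule matches exactly when the destination is outside the CIDR.
        return src_ok and (dst_in != self.negate_dst)


def translation_address(rules, src_ip: str, dst_ip: str):
    """First matching rule wins, as a manual outbound NAT list is evaluated top-down.
    Returns None when nothing matches (the packet keeps its original source)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.translate_to
    return None


# The two rules proposed in the post, in the order given there.
PROPOSED_RULES = [
    OutboundNatRule("127.0.0.0/8", MULTICAST, False, REAL_WAN_IP),
    OutboundNatRule("127.0.0.0/8", MULTICAST, True, WAN_VIP),
]

# What the original poster tried: loopback traffic to anywhere leaves as the VIP.
CATCH_ALL_RULE = [OutboundNatRule("127.0.0.0/8", "0.0.0.0/0", False, WAN_VIP)]

if __name__ == "__main__":
    print("CARP advert, proposed:", translation_address(PROPOSED_RULES, "127.0.0.1", CARP_MCAST))
    print("Internet, proposed:   ", translation_address(PROPOSED_RULES, "127.0.0.1", "198.51.100.53"))
    print("CARP advert, catch-all:", translation_address(CATCH_ALL_RULE, "127.0.0.1", CARP_MCAST))
```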