Netgate Discussion Forum

    Backup Firewall Using CARP Address

      mebdnaconet

      I'm running CARP on two pfSense firewalls.  Everything appeared to be working correctly, but I noticed that pings from the backup firewall to an external gateway were failing.  I ran tcpdump and found that pings leaving the backup firewall are using the CARP virtual IP for that interface, so the replies go to the master.  This is only happening on one of four interfaces.  On the others, packets from the backup firewall are sourced from its real interface IP address as I would expect.

      –Mike

        jimp Rebel Alliance Developer Netgate

        Check your outbound NAT, make sure you don't have any manual outbound NAT rules with a source of "*" (any). Those also apply to traffic from the firewall.

        Properly specify a source and it will stop doing the NAT to the CARP VIP.

          mebdnaconet

          Thank you, Jim.  That was the issue - I needed to tighten up my NAT rule.

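A check for the condition described in the reply above, as an added example that is not part of the thread or Netgate's own code: it scans a pfSense config.xml export for enabled manual outbound NAT rules whose source is "any", since those also translate traffic originating on the firewall itself. The element names and mode values are assumed from the usual config.xml layout, and the sample configuration and addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Modes in which manual outbound NAT rules are evaluated (assumed values).
MANUAL_MODES = ("hybrid", "advanced")

# Constructed sample, not taken from the thread. Element names follow the
# layout assumed for a pfSense config.xml export (<nat><outbound><rule>).
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule>
        <interface>wan</interface>
        <source><network>any</network></source>
        <target>203.0.113.10</target>
      </rule>
      <rule>
        <interface>opt1</interface>
        <source><network>192.168.10.0/24</network></source>
        <target>198.51.100.10</target>
      </rule>
      <rule>
        <interface>opt2</interface>
        <disabled/>
        <source><network>any</network></source>
        <target>192.0.2.10</target>
      </rule>
    </outbound>
  </nat>
</pfsense>"""

def find_any_source_rules(config_xml):
    """Return (interface, target) for each enabled manual outbound NAT rule
    with source 'any'; such rules also match firewall-originated traffic."""
    outbound = ET.fromstring(config_xml).find("./nat/outbound")
    if outbound is None or outbound.findtext("mode", "automatic") not in MANUAL_MODES:
        return []
    hits = []
    for rule in outbound.findall("rule"):
        if rule.find("disabled") is not None:
            continue  # disabled rules are not loaded into the ruleset
        source = (rule.findtext("source/network") or "").strip().lower()
        if source == "any":
            hits.append((rule.findtext("interface"), rule.findtext("target")))
    return hits

if __name__ == "__main__":
    for iface, target in find_any_source_rules(SAMPLE_CONFIG):
        print(f"{iface}: source any is translated to {target}")
```

Running it against a backup of each CARP node shows which interface carries the broad rule; a flagged rule whose target is the CARP VIP matches the symptom in the first post.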
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.