Slave unable to reach out via IPSEC tunnel
chopped_pork last edited by
I have a set of CARP/failover firewalls (with network A behind them). I have set up a tunnel (with the external/WAN CARP IP being the endpoint on this side) to a public/routable subnet (that is, it's a /25 in the public IP space) - network B. I am able to reach everything in network A from network B - I've had issues with the slave but this is now sorted thanks to the outbound NAT rule. I can't reach network B from the firewalls though as they're trying to route the traffic via the Internet rather than over the VPN link. I have managed to solve this for the master firewall by using a LAN source IP. I can't seem to make this work on the slave though.
One solution I have thought of was adding an outbound NAT rule reverse to the one mentioned in the forum thread and wiki article - nat anything coming from either firewall to the vpn subnet to the lan interface. Problem is, this would have to be a WAN rule and the 'Interface address' alias/option from drop down menu is going to resolve in WAN address. I've also thought of creating some ssh tunnels but ideally I would like the solution to be simpler and easier to failover (ie. implement it in a way where no extra scripts have to be written to successfully failover the firewalls apart from the carp/nat/ha sync configuration in pfSense).
Any ideas on how I can make this happen? At the moment I only need this to send some client-side monitoring test results from the slave to the VPN subnet but I imagine there might be some other scenarios where this would be useful.