Netgate Discussion Forum
    NAT issue with secondary node

    MikeX:

      Hello,

      I have an Active/Passive config using CARP in my data center environment.

      When the secondary node is in 'backup' mode, it no longer can route/connect to the internet correctly. I get a number of blocked packets in the firewall logs of both nodes, and it seems that traffic is sourcing from the private WAN interface, and not one of the public interfaces.

      The firewalls are connected to the ISP routers via a private /29… So my feeling is I have to do the following.

      X.X.X.2 is one of the public primary IPs. X.X.X.3 is the secondary public IP.

      I will add a static route on the ISP routers that will look something like this:

      X.X.X.3 255.255.255.255 172.31.255.236 << this is the real WAN-transit interface IP of the secondary host.

      Now how do I create a NAT rule which will force outbound traffic from localhost (secondary) to always SOURCE from X.X.X.3, and not be overwritten by sync?

    MikeX:

        To add further clarification… I'm not running a dynamic routing protocol between the pfSense nodes and the ISP routers. I'm using a static route that points to the CARP VIP on the WAN segment.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.