NAT issue with secondary node

  • Hello,

    I have an Active/Passive config using CARP in my data center environment.

    When the secondary node is in 'backup' mode, it can no longer route/connect to the internet correctly. I get a number of blocked packets in the firewall logs of both nodes, and it seems that traffic is sourcing from the private WAN interface, and not one of the public interfaces.

    The firewalls are connected to the ISP routers via a private /29… So my feeling is I have to do the following.

    X.X.X.2 is one of the public primary IPs. X.X.X.3 is the secondary public IP.

    I will add a static route on the ISP routers that will look something like this:

    X.X.X.3 << this is the real WAN-transit interface IP of the secondary host.

    Now how do I create a NAT rule which will force outbound traffic from localhost (secondary) to always SOURCE from X.X.X.3, and not be overwritten by sync?

  • To add further clarification… I'm not running a dynamic routing protocol between the pfSense nodes and the ISP routers. I'm using a static route that points to the CARP VIP on the WAN segment.
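As an added illustration of the outbound NAT question above (not the poster's configuration, and not a pfSense-generated ruleset), here is a pf.conf fragment showing the shape of a rule that sources the firewall's own traffic from whichever address the local WAN interface holds, so the same rule is valid on both nodes after config sync. The interface name `em0`, the LAN network and the addresses are placeholders; the documentation range 203.0.113.0/24 stands in for the real public addresses.

```pf
# Added example, not the poster's configuration. Interface names, networks
# and addresses below are placeholders.
ext_if   = "em0"              # WAN / ISP transit interface on this node
lan_net  = "192.168.10.0/24"  # internal network behind the cluster
carp_vip = "203.0.113.10"     # shared CARP VIP on the WAN segment

# Weak form: the translation address is pinned to one node's real WAN IP.
# Synced unchanged to the other node, it makes that node source its own
# traffic from an address it does not hold, and the ISP's replies go elsewhere.
# nat on $ext_if inet from ($ext_if) to any -> 203.0.113.3

# Corrected form: translate the firewall's own outbound traffic to whatever
# address this node's WAN interface currently holds. The parentheses make pf
# read the interface address at runtime, so the identical rule is correct on
# primary and secondary alike and is safe to sync. pf evaluates nat rules
# first-match, so this line must come before the VIP rule below.
nat on $ext_if inet from ($ext_if) to any -> ($ext_if)

# Hosts behind the cluster keep sourcing from the shared VIP, so their
# states are valid on whichever node is currently MASTER.
nat on $ext_if inet from $lan_net to any -> $carp_vip
```

In the pfSense GUI the equivalent is an outbound NAT rule (hybrid or manual mode) placed above the VIP rule, with the source set to the WAN interface's own address and the translation address set to "Interface Address" rather than a specific IP; because it refers to the interface rather than to one node's address, it does not need to be excluded from sync. After a failover test, the firewall log on the backup node should no longer show its own outbound packets blocked with the wrong source address.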