CARP routing problem



  • I have two pfsense machines connected to my WAN, each has it's own IP and there's a shared CARP VIP. When packets originate from my LAN the outbound NAT rules take care of rewriting the send address so that it looks like it's coming from my WAN CARP VIP. But when packets are originating from the pfsense box itself NAT isn't used and packets go out with the normal IP, not the CARP IP. Is there any way to make these packets go out using the CARP VIP instead of the normal IP?



  • Hi,

    I might not be an expert on the matter, but here's my two cents:

    If you have activated "Advanced Outbound NAT", there should be a NAT rule regarding traffic from the firewall itself, and by default, it looks like this:

    WAN   	127.0.0.0/8 	* 	* 	* 	WAN address 	1024:65535 	NO 	Auto created rule for localhost to WAN
    

    This rule translates the source address on traffic originating from the firewall, to the WAN address. You might try to change it so that it sets the source IP to your WAN CARP VIP instead.

    A possible problem with this, is your passive pfsense machine. Since the CARP VIP is in BACKUP mode, it probably will not be able to contact the outside world.

    If your two pfsense boxes are in production, you might wanna set up a virtual test environment and experiment with the NAT rules there before you start messing around with the production firewalls.



  • Thanks, you led me in the right direction - sort of ;)

    When the packets are sent from the WAN interface to some other host, on the wire they'll never have a 127.0.0.1 as a source address. They'll have the external IP of the interface. What I needed to do was to add a no NAT for CARP, then add a NAT mapping that translated the WAN net to my WAN CARP address. And of course some more external NAT mappings to cover the RFC1918 internal address ranges.

    I'm not sure why the 127.0.0.0/8 mapping was generated - I don't think it would ever be matched in the real world, CARP or no CARP. It's obviously necessary for a host to place it's own address in the source address field if it wants to be replied to. The only time it would use 127.0.0.1 is if it was sending data to itself.



  • Excellent, glad I could be of some help :)



  • This is also related to hiding everything behind the CARP VIP:

    You don't want to use the CARP VIP to do the gateway pinging, otherwise your CARP BACKUP hosts won't know if they are connected. The pings go out, but with the source address rewritten as the CARP VIP so the ping responses come back to the VIP, not the CARP BACKUP host. So you need to add a NO NAT for these ping packets to make the gateway pinging work properly.


Log in to reply