    I have two firewalls configured with CARP.  They are at my remote colo, and I access the network there via an IPsec VPN.  I noticed recently that I could only access the LAN IP address of the primary firewall, but not the secondary firewall.

    It makes sense: only one of the firewalls will have the IPsec VPN functioning while it's in master mode; the other firewall won't have a clue where to send response packets since there isn't a VPN there at all.  It would need to route through the master firewall.

    Is there a means to install a route that is dependent on the VPN NOT being present?  i.e.: firewall B is in CARP backup mode, thus to access my side of the point-to-point VPN, it would need to route the packets through firewall A.


  • You can set up rules to allow access to the non-CARP addresses of the boxes.  For example I have:
    - Master
    - Slave
    - CARP address

    To access the specific pfSense box, connect to the non-virtual address on the box.

  • I think the solution to this has been mentioned on the forums somewhere. It involves creating Outbound NAT rules, such that when you want to access your secondary firewall through the VPN tunnel on the primary, the secondary firewall will see the primary firewall as the source, and therefore it will not try to send the reply over the VPN tunnel but instead to the primary firewall.

    Edit: It was actually on the wiki:
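    As an added illustration of the Outbound NAT approach described in this answer (example rules written for this thread, not taken from the pfSense wiki or the pfSense code base), here is what the rule looks like in pf syntax as pfSense generates it on the primary firewall. Every interface name and address below is an assumption chosen for the example: `em1` is the LAN interface of primary firewall A, `10.10.0.0/24` is the network on the far side of the IPsec tunnel, `192.168.1.2` is A's own non-CARP LAN address and `192.168.1.3` is secondary firewall B's own non-CARP LAN address.

    ```pf
    # Assumed values for this example (not from the original thread):
    #   em1           LAN interface of firewall A (the CARP master holding the IPsec tunnel)
    #   10.10.0.0/24  remote network reachable only through the IPsec tunnel on A
    #   192.168.1.2   firewall A's own (non-CARP) LAN address
    #   192.168.1.3   firewall B's own (non-CARP) LAN address, B is CARP backup

    # Without this rule: a packet 10.10.0.5 -> 192.168.1.3 is delivered to B over the LAN,
    # but B has no tunnel to 10.10.0.0/24 while in backup mode, so its reply follows
    # B's default route out the WAN and never reaches the VPN client.

    # With this rule: A rewrites the source of traffic it forwards from the tunnel
    # network to B's LAN address, so B sees 192.168.1.2 as the client and answers
    # directly to A on the LAN; A then undoes the translation and sends the reply
    # back through the IPsec tunnel.
    nat on em1 from 10.10.0.0/24 to 192.168.1.3 -> 192.168.1.2
    ```

    In the pfSense web GUI the same rule is created under Firewall > NAT > Outbound, which has to be switched from Automatic to Hybrid or Manual mode before custom rules are accepted; the rule's interface is LAN, the source is the remote tunnel network, the destination is B's LAN address and the translation address is A's LAN address (the interface address of LAN). One caveat worth keeping in mind: after the translation, B's firewall and system logs record A's LAN address rather than the real client on the far side of the tunnel, so anything on B that is meant to be reviewed or audited per remote client should be checked against A's state table or logs instead.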

    This last one solved it for me, but it looked like the previous one had potential...
