Netgate Discussion Forum
    CARP with private WAN

    3 Posts 2 Posters 819 Views
    MikeX

      Hello,

      I have a fairly straightforward CARP deployment with several public networks existing on the PF config, and a private address link between the PF boxes and the internet router.

      The internet router is not performing NAT, this is a dual Tier 1 WAN connection using BGP. I have an issue with how the traffic is sourced on the PF secondary node and only for that node.

      For example, the secondary cannot get any update information, package installs, NTP updates, or any resources that are internet based. I believe this is because of the NAT configuration and the way the routing over private address link is set up.

      Is there any easy fix for this? Any idea how I can resolve without creating publicly routed IP's on the WAN transit link?

      Thanks

      viragomann

        Hi,

        the reason for an unreachable internet on the backup box is mostly a wrong CARP configuration.

        For CARP with two boxes, you need at least 3 IPs in each subnet configured on any interface. One for master, one for backup and the third is the CARP IP.
        If that is set up this way and you have configured a default gateway, the internet should be reachable from both the master and the backup.

        Regards

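The rule of thumb in the reply above (three addresses per subnet: one per node plus the shared CARP VIP, all inside the same subnet) and the situation in the original post (a WAN transit subnet drawn from RFC 1918 space behind a router that does not NAT) can both be turned into a mechanical check. The script below is an added example, not code from the thread or from pfSense; the subnet names and addresses in SAMPLE are constructed for illustration. It reports a subnet whose three addresses are not distinct or not all inside the prefix, and it flags an RFC 1918 transit subnet because any traffic the backup node sources from its own interface address there has no routable source unless something upstream translates it.

```python
"""Sanity-check a two-node CARP layout: three distinct addresses per subnet,
all inside the prefix, and a warning for RFC 1918 WAN transit subnets.
Added example; the layout in SAMPLE is constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass

# Private address space as defined by RFC 1918 (checked explicitly rather than
# via IPv4Network.is_private, which also covers documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class CarpSubnet:
    name: str        # interface / VLAN label (hypothetical)
    prefix: str      # subnet in CIDR form
    master_ip: str   # address owned by the primary node
    backup_ip: str   # address owned by the secondary node
    carp_vip: str    # shared CARP virtual IP, active on whichever node is master


def is_rfc1918(prefix: str) -> bool:
    """True when the whole prefix lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def check_subnet(s: CarpSubnet) -> list[str]:
    """Return findings for one subnet; an empty list means it passes."""
    findings: list[str] = []
    net = ipaddress.ip_network(s.prefix, strict=True)
    roles = {
        "master": ipaddress.ip_address(s.master_ip),
        "backup": ipaddress.ip_address(s.backup_ip),
        "carp_vip": ipaddress.ip_address(s.carp_vip),
    }
    # Every role's address must sit inside the subnet's prefix.
    for role, addr in roles.items():
        if addr not in net:
            findings.append(f"{s.name}: {role} {addr} is not inside {net}")
    # Master, backup and VIP must be three different addresses.
    if len(set(roles.values())) != len(roles):
        findings.append(f"{s.name}: master, backup and CARP VIP must be three distinct addresses")
    # The OP's case: private transit link, no NAT on the upstream router.
    if is_rfc1918(s.prefix):
        findings.append(
            f"{s.name}: {net} is RFC 1918 space; traffic the backup node sources from "
            f"{roles['backup']} has no routable source address unless something upstream translates it"
        )
    return findings


def check_pair(subnets: list[CarpSubnet]) -> dict[str, list[str]]:
    """Run check_subnet over a whole layout; only subnets with findings appear."""
    return {s.name: f for s in subnets if (f := check_subnet(s))}


# Constructed sample layout: a public VLAN (documentation range), a private WAN
# transit link, and a deliberately broken VLAN where the backup reuses the VIP.
SAMPLE = [
    CarpSubnet("PUBLIC_VLAN10", "198.51.100.0/29", "198.51.100.2", "198.51.100.3", "198.51.100.1"),
    CarpSubnet("WAN_TRANSIT", "192.168.255.0/29", "192.168.255.2", "192.168.255.3", "192.168.255.1"),
    CarpSubnet("BAD_VLAN20", "203.0.113.0/29", "203.0.113.2", "203.0.113.1", "203.0.113.1"),
]

if __name__ == "__main__":
    for name, findings in check_pair(SAMPLE).items():
        for line in findings:
            print(line)
```

Run as a script it prints one line per finding; in the sample layout the public VLAN passes, the transit link is flagged as RFC 1918 space, and the broken VLAN is flagged for the duplicated address.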
        MikeX

          The CARP configuration is correct and works as designed. The issue is the private WAN link between the internet router and the CARP pair. The secondary needs to source its address as part of one of the public VLANs which are owned by the Master CARP box. This is causing some kind of forwarding/NAT problem.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.