[SOLVED] CARP Outbound NAT rule in Wiki Docs doesn't work when using Squid/DansG



  • I have been successfully using CARP for a while now; it rocks!

    The only issue I have had is the outbound IP address. I followed the instructions for setting up CARP in the wiki (and elsewhere where the documentation was kind of vague) on this page…

    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

    …but that seems to be wrong; it still uses the WAN NIC's own IP for the outbound traffic (not the CARP WAN IP).

    I only realised I had the problem when I investigated complaints from users whenever I switched pfsense boxes; the main site they use complained about the IP changing and they had to log out and back in.

    I googled about but haven't found much about how to get this working. I have managed to fix it by adding a couple of rules (the ones ringed in red in the attached image) as suggested somewhere on this forum. That's great, but now the secondary box can't check if it has the latest OS. I assume this is because ALL traffic it is sending out is using the CARP IP, and therefore the box's own traffic is returning to the primary server instead. That isn't the end of the world in itself, but it does tell me something isn't set up correctly, and that worries me.

    So....could someone who knows how this is supposed to work tell me what I have wrong? ...and maybe someone could fix the wiki documentation, maybe I will if I can.

    My Outbound NAT rules:

    Red - The ones I added to get the CARP IP used. One rule for each box.
    Green - The rule the wiki documentation said to do
    Yellow - I read that changing this doesn't fix it, because no traffic should be going out from the localhost IP. I think I tried it anyway and it was correct.
    Blue - These are my VPN connections (one for the WAN CARP IP, one for each box's WAN IP)

    The bits that are blacked out are ALL the same from the external IPs. I'm not sure it really matters if someone sees my WAN IPs, but it seems to be the norm to hide them.

    Thanks,
    Colin :o
    ![pfSense2 Outbound NAT.png](/public/imported_attachments/1/pfSense2 Outbound NAT.png)


  • Rebel Alliance Developer Netgate

    The article is correct.

    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#Setup_Manual_Outbound_NAT

    Navigate to Firewall > NAT on the Outbound tab
        Select Manual outbound NAT
        Click save
        Edit the automatically added rule for LAN
            Select a shared CARP virtual IP address on WAN as the Translation address
            Change the Description to refer to the rule's use of the CARP VIP if desired
            Click Save
        Repeat the rule edit for additional rules
        Click Apply changes

    Any outbound NAT rules that reference internal networks should have had the CARP VIP set on the outbound NAT rules.

    You should never have any rules that reference your public IP addresses as a source on NAT rules.

    If you have a package like squid/dansguardian/havp, traffic will exit via the WAN IP because they are not subject to NAT. They may have a separate config item to use a CARP VIP for outbound traffic, but DO NOT use NAT for that.



  • Thank you for the reply. I'm glad I asked, I thought that didn't seem quite right.  :)

    I do indeed have Squid and Dansguardian; now I just have to work out how to fix them correctly.  :o



  • Ok, here's what I should have done in the first place….

    Add the following to the Custom Options field, at the bottom of the General tab, of the Squid (Proxy Server) settings.

    tcp_outgoing_address ???.???.???.???
    

    …where the question marks are your WAN CARP IP address.



  • Thanks again to jimp for putting me on the right path.  :D
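
Added example (not part of the thread, and not pfSense or Squid code): a small Python audit of the two points made above, that outbound NAT rules for internal networks translate to the CARP VIP and never use a public address as source, and that Squid sets tcp_outgoing_address to the VIP. The rule dictionaries are a simplified, constructed representation rather than pfSense's own config format, every address is a documentation-range placeholder, and only IPv4 is handled.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def squid_outgoing_addresses(conf_text):
    """Return the address of every tcp_outgoing_address directive, in order."""
    found = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "tcp_outgoing_address":
            found.append(fields[1])
    return found

def audit(rules, carp_vip, squid_conf):
    """Return (location, problem) pairs; an empty list means nothing to fix."""
    vip = ipaddress.ip_address(carp_vip)
    findings = []
    for i, rule in enumerate(rules):
        src = ipaddress.ip_network(rule["source"])
        if src.is_loopback:
            continue  # the firewall's own localhost rule is not checked here
        if not any(src.subnet_of(net) for net in RFC1918):
            findings.append((i, "public-source"))      # public IP used as NAT source
        elif ipaddress.ip_address(rule["translation"]) != vip:
            findings.append((i, "not-carp-vip"))       # internal net not mapped to VIP
    addrs = squid_outgoing_addresses(squid_conf)
    if not addrs:
        findings.append(("squid", "no-tcp_outgoing_address"))
    elif any(ipaddress.ip_address(a) != vip for a in addrs):
        findings.append(("squid", "not-carp-vip"))
    return findings

# Constructed sample data: VIP .10, the two nodes' own WAN addresses .11 and .12.
CARP_VIP = "198.51.100.10"
SAMPLE_RULES = [
    {"source": "192.168.1.0/24",   "translation": "198.51.100.10"},  # LAN via VIP
    {"source": "198.51.100.11/32", "translation": "198.51.100.10"},  # node 1 WAN IP
    {"source": "198.51.100.12/32", "translation": "198.51.100.10"},  # node 2 WAN IP
    {"source": "127.0.0.0/8",      "translation": "198.51.100.11"},  # localhost
    {"source": "10.8.0.0/24",      "translation": "198.51.100.11"},  # internal, no VIP
]
SQUID_BEFORE = "http_port 3128\n"
SQUID_AFTER = SQUID_BEFORE + "tcp_outgoing_address 198.51.100.10\n"

if __name__ == "__main__":
    for where, problem in audit(SAMPLE_RULES, CARP_VIP, SQUID_BEFORE):
        print(where, problem)
```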

