Netgate Discussion Forum

    [SOLVED] CARP Outbound NAT rule in Wiki Docs doesn't work when using Squid/DansG

    • TheLimey

      I have been successfully using CARP for a while now; it rocks!

      The only issue I have had is the outbound IP address. I followed the instructions for setting up CARP in the wiki (and elsewhere where the documentation was kind of vague) on this page…

      https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

      …but that seems to be wrong; it still uses the WAN NIC's own IP for the outbound traffic (not the CARP WAN IP).

      I only realised I had the problem when I investigated complaints from users whenever I switched pfsense boxes; the main site they use complained about the IP changing and they had to log out and back in.

      I googled about but haven't found much about how to get this working. I have managed to fix it by adding a couple of rules (the ones ringed in red in the attached image) as suggested somewhere on this forum. That's great, but now the secondary box can't check if it has the latest OS. I assume this is because ALL traffic it is sending out is using the CARP IP, and therefore the box's own traffic is returning to the primary server instead. That isn't the end of the world in itself, but it does tell me something isn't set up correctly, and that worries me.

      So....could someone who knows how this is supposed to work tell me what I have wrong? ...and maybe someone could fix the wiki documentation, maybe I will if I can.

      My Outbound NAT rules:

      Red - The ones I added to get the CARP IP used. One rule for each box.
      Green - The rule the wiki documentation said to do
      Yellow - I read that changing this doesn't fix it, because no traffic should be going out from the localhost IP. I think I tried it anyway and it was correct.
      Blue - These are my VPN connections (one for the WAN CARP IP, one for each box's WAN IP)

      The bits that are blacked out are ALL the same from the external IPs. I'm not sure it really matters if someone sees my WAN IPs, but it seems to be the norm to hide them.

      Thanks,
      Colin :o
      ![pfSense2 Outbound NAT.png](/public/imported_attachments/1/pfSense2 Outbound NAT.png)

      Everything is easy when you know how, …and have the right tools, ...and the time, ...and money.

      • jimp (Rebel Alliance Developer, Netgate)

        The article is correct.

        https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29#Setup_Manual_Outbound_NAT

        • Navigate to Firewall > NAT on the Outbound tab
            • Select Manual outbound NAT
            • Click Save
            • Edit the automatically added rule for LAN
                • Select a shared CARP virtual IP address on WAN as the Translation address
                • Change the Description to refer to the rule's use of the CARP VIP if desired
                • Click Save
            • Repeat the rule edit for additional rules
            • Click Apply changes

        Any outbound NAT rules that reference internal networks should have had the CARP VIP set on the outbound NAT rules.

        You should never have any rules that reference your public IP addresses as a source on NAT rules.

        If you have a package like squid/dansguardian/havp, traffic will exit via the WAN IP because they are not subject to NAT. They may have a separate config item to use a CARP VIP for outbound traffic, but DO NOT use NAT for that.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • TheLimey
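The two rules jimp gives above (internal networks translate to the CARP VIP; no rule ever uses a public WAN IP as its source) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it audits a constructed, simplified list of manual outbound NAT rules, and the CARP VIP, WAN NIC addresses and internal networks in it are assumed values from documentation ranges.

```python
import ipaddress

# Constructed sample (not the poster's actual table) of manual outbound NAT
# rules in the shape this thread discusses. CARP_VIP and WAN_IF_IPS are
# assumed values for the shared WAN VIP and each box's own WAN NIC address.
CARP_VIP = "203.0.113.10"
WAN_IF_IPS = {"203.0.113.11", "203.0.113.12"}
INTERNAL_NETS = ["192.168.1.0/24", "10.0.0.0/24"]

SAMPLE_RULES = [
    {"descr": "LAN to WAN (wiki step)",  "source": "192.168.1.0/24", "translation": "203.0.113.10"},
    {"descr": "DMZ to WAN (unedited)",   "source": "10.0.0.0/24",    "translation": "Interface address"},
    {"descr": "box1 WAN IP (red rule)",  "source": "203.0.113.11",   "translation": "203.0.113.10"},
    {"descr": "localhost (yellow rule)", "source": "127.0.0.0/8",    "translation": "Interface address"},
]


def audit_outbound_nat(rules, carp_vip, wan_if_ips, internal_nets):
    """Return (descr, problem) pairs for rules that contradict the advice in the thread."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    wan_ips = {ipaddress.ip_address(a) for a in wan_if_ips}
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        # A rule whose source is one of the firewall's own public addresses is
        # an attempt to NAT the firewall's own traffic. The fix belongs in the
        # package (e.g. Squid's outgoing address), not in outbound NAT.
        if src.prefixlen == src.max_prefixlen and src.network_address in wan_ips:
            findings.append((rule["descr"], "source is a public WAN IP; remove this rule"))
            continue
        # Rules for internal networks must translate to the shared CARP VIP,
        # otherwise client sessions change source IP when the master fails over.
        if any(src.subnet_of(n) for n in internal) and rule["translation"] != carp_vip:
            findings.append((rule["descr"],
                             f"translation is {rule['translation']!r}, expected CARP VIP {carp_vip}"))
    return findings


if __name__ == "__main__":
    for descr, problem in audit_outbound_nat(SAMPLE_RULES, CARP_VIP, WAN_IF_IPS, INTERNAL_NETS):
        print(f"{descr}: {problem}")
```

The localhost rule is deliberately left alone, matching the thread: firewall-originated traffic is not expected to pass through these rules.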

          Thank you for the reply. I'm glad I asked, I thought that didn't seem quite right. :)

          I do indeed have Squid and Dansguardian; now I just have to work out how to fix them correctly.  :o


          • TheLimey

            Ok, here's what I should have done in the first place….

            Add the following to the Custom Options field, at the bottom of the General tab, of the Squid (Proxy Server) settings.

            tcp_outgoing_address ???.???.???.???
            

            …where the question marks are your WAN CARP IP address.


            • TheLimey

              Thanks again to jimp for putting me on the right path.  :D


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.