Netgate Discussion Forum
    HAProxy for HTTP + CARP + MultiWAN with VIPs issue (Outbound NAT?)

    Category: HA/CARP/VIPs
    6 Posts 3 Posters 1.4k Views
      b0rman

      Hi!

      I have two pfSense firewalls with a CARP setup, 2 WANs and HAProxy that points to HTTP servers in my LAN.

      Scheme:
      pfSense server #1
      ISP#1 - Public IP1.1 - pfSense#1 with HAProxy - HTTP
      ISP#2 - Public IP1.2 - ISP#2 Local IP1 - pfSense#1 with HAProxy - HTTP
      LAN vIP - pfSense as Gateway (Master)

      pfSense server #2
      ISP#1 - Public IP2.1 - pfSense#2 with HAProxy - HTTP
      ISP#2 - Public IP2.2 - ISP#2 Local IP2 - pfSense#2 with HAProxy - HTTP

      All LAN servers and PCs GW set as LAN vIP that migrates via CARP.

      Problem:
      When I'm trying to access HTTP servers via IPs:
      Public IP1.1 -> OK
      Public IP1.2 -> OK
      Public IP2.1 -> OK
      ISP#2 Local IP1 -> OK
      ISP#2 Local IP2 -> OK
      Public IP2.2 -> FAILED

      How can I get Public IP2.2 accessible?

      I think it's some kind of outbound NAT issue, but I can't figure out how to set it up. Need help :)

        PiBa

        Check that reply-to is written in the pass firewall rules for this traffic in /tmp/rules.debug. If it's not there, check that the opt1 interface edit page for ISP2 has the gateway configured properly.

          b0rman
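The check PiBa describes, as an added example that is not part of the thread: a small read-only script that lists the "pass in" rules for one WAN interface in a pfSense /tmp/rules.debug that carry no reply-to. Without reply-to, replies to connections that arrived on the second WAN leave through the default gateway, which matches the symptom of one public IP failing only on the non-default WAN. The interface token is matched literally as it appears after "on" in the file (a pfSense macro such as $OPT1, or a raw name such as igb1). The sample rules, macro names, addresses and tracker ids below are constructed for the example; the functions, file name and usage form are the example's own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report "pass in" rules for a WAN interface
# in a pfSense rules.debug that lack reply-to. Read-only; it edits nothing.

# Constructed sample in the style of rules.debug; macros, addresses and tracker
# ids are made up for this example.
SAMPLE_RULES='WAN = "{ igb0 }"
OPT1 = "{ igb1 }"
pass  in  quick  on $WAN reply-to ( igb0 203.0.113.1 ) inet proto tcp  from any to 203.0.113.10 port 80 tracker 1000000101 keep state  label "USER_RULE: HAProxy WAN1"
pass  in  quick  on $OPT1 inet proto tcp  from any to 198.51.100.20 port 80 tracker 1000000102 keep state  label "USER_RULE: HAProxy WAN2"
pass  in  quick  on $OPT1 reply-to ( igb1 198.51.100.1 ) inet proto tcp  from any to 198.51.100.21 port 443 tracker 1000000103 keep state  label "USER_RULE: HAProxy WAN2 TLS"
block  in  log  quick  on $OPT1 inet from any to any tracker 1000000104 label "Default deny rule IPv4"'

# Print every "pass in" rule on interface token $2 that has no reply-to.
# $1 is the rules text (contents of rules.debug), $2 the token after "on"
# (e.g. '$OPT1'). Matching is literal on the " on <token> " substring, so
# a token never matches a longer one by prefix.
missing_reply_to() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "pass" && $2 == "in" &&
        index($0, " on " ifc " ") > 0 &&
        index($0, "reply-to") == 0 { print }'
}

# Number of such rules. 0 means every pass-in rule on that interface has
# reply-to, so return traffic for HAProxy connections arriving there is sent
# back through that WAN's gateway rather than the default route.
count_missing_reply_to() {
    missing_reply_to "$1" "$2" | awk 'END { print NR }'
}

# On a pfSense box (as root):  sh check_reply_to.sh /tmp/rules.debug '$OPT1'
# With no arguments the script only defines the functions and the sample above.
if [ "$#" -eq 2 ] && [ -r "$1" ]; then
    missing_reply_to "$(cat "$1")" "$2"
fi
```

Run against the live file with the macro of the second WAN as the token; any rule it prints is one whose reply traffic will not be pinned to that WAN, which is where to look before touching outbound NAT. On the constructed sample, the $WAN interface reports nothing and $OPT1 reports the single port-80 rule.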

          All gateways are configured properly, since everything is great on any IP excluding Public IP2.2. Also, if pfSense server #2 becomes Master, then Public IP2.2 is accessible, but Public IP1.2 is not. Plus the ISP#2 local IPs are accessible all the time.

            dotdash

            In an HA CARP setup, all the virtual IPs should be CARP VIPs that migrate from the primary to the secondary. There should be no 'local' VIPs. It is normal that the virtual IPs are only reachable on the master server. It is failover, not load balancing.

              b0rman

              The provider gives its local (internal) IP and binds it to its public IP. I don't need to migrate it with CARP.
              Since HAProxy is running on pfSense itself, it can be reachable, and it is reachable on any IP excluding just one (IP2.2)!
              Sorry, I think you didn't understand the problem.

                b0rman

                Problem solved. Thanks everyone. The NAT problem was found for ISP#2.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.