HAProxy for HTTP + CARP + MultiWAN with VIPs issue (Outbound NAT?)

b0rman

Hi!

I have two pfSense firewalls with CARP setup, 2 WANs and HAProxy that points to HTTP servers in my LAN.

Scheme:
pfSense server #1
ISP#1 - Public IP1.1 - pfSense#1 with HAProxy - HTTP
ISP#2 - Public IP1.2 - ISP#2 Local IP1 - pfSense#1 with HAProxy - HTTP
LAN vIP - pfSense as Gateway (Master)

pfSense server #2
ISP#1 - Public IP2.1 - pfSense#2 with HAProxy - HTTP
ISP#2 - Public IP2.2 - ISP#2 Local IP2 - pfSense#2 with HAProxy - HTTP

All LAN servers and PCs GW set as LAN vIP that migrates via CARP.

Problem:
When I'm trying to access HTTP servers via IPs:
Public IP1.1 -> OK
Public IP1.2 -> OK
Public IP2.1 -> OK
ISP#2 Local IP1 -> OK
ISP#2 Local IP2 -> OK
Public IP2.2 -> FAILED

How can I get Public IP2.2 accessible?

I think it's some king of outbound NAT issue, but I can't figure it out how to set it up. Need help :)

PiBa

Check that reply-to is written in the pass firewall rules for this traffic in /tmp/rules.debug. If its not there check that the opt1 interface edit page for isp2 has the gateway configured properly.

b0rman

All gateways configured properly since everything is great on any IP excluding Public IP2.2. Also if pfSense server #2 becomes Master, than Public IP2.2 is accessible, but Public IP 1.2 is not. Plus ISP#2 local IPs are accessible all the time.

dotdash

In a HA CARP setup, all the virtual IP's should be CARP VIPs that migrate from the primary to the secondary. There should be no 'local' VIPs. It is normal that the virtual IPs are only reachable on the master server. It is failover, not load-balancing.

b0rman

Provider gives it's local (internal) IP and binds it to it's public IP. I don't need to migrate it with CARP.
Since HAProxy is running on pfSense itself it can be reachable and it reachable for any IP excluding just one (IP2.2)!
Sorry, I think You didn't understand problem.

b0rman

Problem solved. Thanks everyone. NAT problem was found for ISP#2.