HAProxy for HTTP + CARP + MultiWAN with VIPs issue (Outbound NAT?)



  • Hi!

    I have two pfSense firewalls with CARP setup, 2 WANs and HAProxy that points to HTTP servers in my LAN.

    Scheme:
    pfSense server #1
    ISP#1 - Public IP1.1 - pfSense#1 with HAProxy - HTTP
    ISP#2 - Public IP1.2 - ISP#2 Local IP1 - pfSense#1 with HAProxy - HTTP
    LAN vIP - pfSense as Gateway (Master)

    pfSense server #2
    ISP#1 - Public IP2.1 - pfSense#2 with HAProxy - HTTP
    ISP#2 - Public IP2.2 - ISP#2 Local IP2 - pfSense#2 with HAProxy - HTTP

    All LAN servers and PCs GW set as LAN vIP that migrates via CARP.

    Problem:
    When I'm trying to access HTTP servers via IPs:
    Public IP1.1 -> OK
    Public IP1.2 -> OK
    Public IP2.1 -> OK
    ISP#2 Local IP1 -> OK
    ISP#2 Local IP2 -> OK
    Public IP2.2 -> FAILED

    How can I get Public IP2.2 accessible?

    I think it's some kind of outbound NAT issue, but I can't figure out how to set it up. Need help :)



  • Check that reply-to is written in the pass firewall rules for this traffic in /tmp/rules.debug. If it's not there, check that the opt1 interface edit page for isp2 has the gateway configured properly.
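    One way to automate the check the reply above describes, written as an added example for this thread rather than anything posted in it: a small POSIX shell script that scans a pf ruleset in the form pfSense writes to /tmp/rules.debug and lists the "pass in" rules on a given WAN interface macro that carry no reply-to clause. The sample ruleset, interface macro names ($WAN, $OPT1) and addresses are constructed placeholders, and the exact rule layout is assumed to follow pfSense's generated syntax.

```shell
#!/bin/sh
# Added example, not from the forum thread. Lists "pass in" rules on a WAN
# interface that lack "reply-to". Without reply-to, replies to connections that
# arrived on a secondary WAN can leave via the default gateway instead of the
# interface they came in on, which is one way a frontend on that WAN's IP can
# be unreachable while the same frontend works on the primary WAN.

# Constructed sample in the style of pfSense's /tmp/rules.debug (not a real
# ruleset; interface macros and addresses are placeholders).
SAMPLE_RULES=$(cat <<'EOF'
pass in quick on $WAN reply-to ( em0 198.51.100.1 ) inet proto tcp from any to 198.51.100.10 port 80 flags S/SA keep state label "USER_RULE: HAProxy on WAN"
pass in quick on $OPT1 reply-to ( em1 10.0.0.1 ) inet proto tcp from any to 10.0.0.10 port 80 flags S/SA keep state label "USER_RULE: HAProxy on OPT1"
pass in quick on $OPT1 inet proto tcp from any to 192.0.2.22 port 80 flags S/SA keep state label "USER_RULE: HAProxy on CARP VIP"
block in log quick on $OPT1 inet from any to any label "Default deny"
EOF
)

# Print every "pass in quick on $<iface>" rule from stdin that has no reply-to.
# Usage on a live box:  missing_reply_to OPT1 < /tmp/rules.debug
missing_reply_to() {
    iface="$1"
    # The "\$" in the pattern matches the literal "$" of the interface macro.
    grep -E "^pass[[:space:]]+in[[:space:]]+quick[[:space:]]+on[[:space:]]+\\\$${iface}[[:space:]]" \
        | grep -v 'reply-to'
}

# Same check, but return only the number of offending rules (0 when clean).
# awk is used for counting so the exit status stays 0 even with no matches.
count_missing_reply_to() {
    missing_reply_to "$1" | awk 'END { print NR }'
}

# Demonstration on the constructed sample: only the CARP VIP rule on OPT1 is
# flagged; the WAN rule and the OPT1 rule with reply-to are fine.
echo "OPT1 pass rules without reply-to:"
printf '%s\n' "$SAMPLE_RULES" | missing_reply_to OPT1
echo "WAN count: $(printf '%s\n' "$SAMPLE_RULES" | count_missing_reply_to WAN)"
```

    A rule that the script flags on a multi-WAN interface is the first thing to compare against the interface's gateway setting, since pfSense only emits reply-to when the interface has a gateway assigned; a frontend address that is reachable from the primary WAN but not the secondary one usually shows up here.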



  • All gateways configured properly since everything is great on any IP excluding Public IP2.2. Also if pfSense server #2 becomes Master, then Public IP2.2 is accessible, but Public IP 1.2 is not. Plus ISP#2 local IPs are accessible all the time.



  • In a HA CARP setup, all the virtual IPs should be CARP VIPs that migrate from the primary to the secondary. There should be no 'local' VIPs. It is normal that the virtual IPs are only reachable on the master server. It is failover, not load-balancing.



  • Provider gives its local (internal) IP and binds it to its public IP. I don't need to migrate it with CARP.
    Since HAProxy is running on pfSense itself it can be reachable, and it is reachable for any IP excluding just one (IP2.2)!
    Sorry, I think you didn't understand the problem.



  • Problem solved. Thanks everyone. NAT problem was found for ISP#2.

