Netgate Discussion Forum
    In a HA setup, the outbound address is the interface address not the VIP?

    General pfSense Questions
    5 Posts 3 Posters 1.5k Views
    jsvg

      Help me understand this… I have a master and a backup setup. Each firewall has a public IP. The master has x.x.x.139 and the backup has x.x.x.140 on their upstream ISP interface. They have a CARP address of x.x.x.141. I have an outbound group setup and a firewall rule on the LAN interface that reads "Anything !192.168.0.0/16 use OutboundGroup". The OutboundGroup's VIP is set to x.x.x.141.

      I guess what's surprising to me is that when you go to whatsmyip.org you see x.x.x.139, not x.x.x.141. My only concern is that during a failover event, how are the IP states in the master worth anything if the backup is going to use x.x.x.140? Or does TCP allow you to change IP address on established connections?

      fragged

        Set up outbound NAT to use the VIP instead of the WAN address.

        viragomann

          Only CARP VIPs or IP Aliases hooked up on CARP VIPs are able to be taken over by the backup box. So you have to use one of these for outbound NAT.

          You have to set up outbound NAT manually if you have a CARP installation:
          https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#Setup_Manual_Outbound_NAT

          jsvg

            Awesome, thanks! I got that set up and it's working as expected now!

            I have a followup question about this rule:

            Interface: WAN0 | Source: 127.0.0.0/8 | Source port: * | Destination: * | Destination port: * | NAT address: x.x.x.140 | NAT port: 1024:65535 | Static port: NO

            What is the purpose of that? I changed it as well to use the CARP address.

            viragomann

              That is for pfSense itself. It is used e.g. when pfSense checks for updates or does DNS lookups.

              You should leave this at the WAN address, otherwise the backup gets no response, because the CARP address is used by the master.

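The two rules the thread lands on, as an added example that is not part of this thread or of pfSense: a small audit that flags outbound NAT rules whose translation address would break on CARP failover (LAN traffic mapped to a per-box interface address) and rules that would break the backup's own traffic (127.0.0.0/8 mapped to the CARP VIP). All addresses are constructed from the 203.0.113.0/24 documentation range, standing in for x.x.x.139/140/141.

```python
# Added example (not from the thread or pfSense): audit outbound NAT rules for
# a CARP pair. Addresses are constructed (203.0.113.0/24 documentation range).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: str        # "Source" column of the Outbound NAT table
    nat_address: str   # "NAT Address" column (the translation address)

LOCALHOST = ip_network("127.0.0.0/8")

def audit_outbound_nat(rules, interface_addrs, carp_vips):
    """Return (rule, finding) pairs for rules that break on CARP failover.
    interface_addrs: per-box WAN addresses; they do not move on failover.
    carp_vips: CARP VIPs (or IP aliases on them) that follow the MASTER role.
    """
    iface = {ip_address(a) for a in interface_addrs}
    vips = {ip_address(a) for a in carp_vips}
    findings = []
    for rule in rules:
        src = ip_network(rule.source, strict=False)
        nat = ip_address(rule.nat_address)
        if src.subnet_of(LOCALHOST):
            # Traffic from the firewall itself (updates, DNS): keep the interface
            # address, since the backup never owns the VIP and would get no replies.
            if nat in vips:
                findings.append((rule, "firewall's own traffic NATed to CARP VIP"))
        elif nat in iface:
            # Synced states reference this address; the backup cannot answer for it.
            findings.append((rule, "LAN traffic NATed to interface address, not CARP VIP"))
        elif nat not in vips:
            findings.append((rule, "NAT address is neither a CARP VIP nor an interface address"))
    return findings

MASTER_WAN, BACKUP_WAN, CARP_VIP = "203.0.113.139", "203.0.113.140", "203.0.113.141"

# Automatic outbound NAT on the master: both rules use the interface address.
BEFORE = [OutboundNatRule("WAN0", "192.168.0.0/16", MASTER_WAN),
          OutboundNatRule("WAN0", "127.0.0.0/8", MASTER_WAN)]
# Manual outbound NAT as advised: LAN -> VIP, localhost stays on the interface address.
AFTER = [OutboundNatRule("WAN0", "192.168.0.0/16", CARP_VIP),
         OutboundNatRule("WAN0", "127.0.0.0/8", MASTER_WAN)]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for rule, msg in audit_outbound_nat(rules, [MASTER_WAN, BACKUP_WAN], [CARP_VIP]):
            print(f"{label}: {rule.interface} {rule.source} -> {rule.nat_address}: {msg}")
```

Run against the "before" set it reports only the LAN rule; the "after" set is clean.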
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.