In a HA setup, the outbound address is the interface address not the VIP?

jsvg

Help me understand this… I have a master and a backup setup. Each firewall has a public IP. The master has x.x.x.139 and the backup has x.x.x.140 on their upstream ISP interface. They have a CARP address of x.x.x.141. I have an outbound group setup and a firewall rule on the LAN interface that reads "Anything !192.168.0.0/16 use OutboundGroup". The OutboundGroup's VIP is set to x.x.x.141.

I guess what's surprising to me is that when you goto whatsmyip.org you see x.x.x.139, not x.x.x.141. My only concern is that during a failover event, how are the IP states in the master worth anything if the backup is going to use x.x.x.140? Or does TCP allow you to change IP address on established connections?

fragged

Setup outbound NAT to use the VIP instead of WAN address.

viragomann

Only CARP VIPs or IP Aliases hooked up on CARP VIPs are able to takeover by the backup box. So you have to use one of these for outbound NAT.

You have to set up outbound NAT manually if you have a CARP installation:
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#Setup_Manual_Outbound_NAT

jsvg

Awesome thanks! I got that setup and it's working as expected now!

I have a followup question about this rule:

WAN0	 	127.0.0.0/8	*	*	*	x.x.x.140	1024:65535	NO

What is the purpose of that? I changed it as well to use the CARP address.

viragomann

That is for pfSense itself. It is used e.g. when pfSense check for updates or for DNS lookups.

You should leave this at WAN address, otherwise the backup gets no response, cause the CARP is used by master.