Netgate Discussion Forum
    Multi-WAN CARP (1 Static IP) With Gateway Groups Bonded/Failover

    HA/CARP/VIPs
    5 Posts 3 Posters 2.1k Views
    • Atlantisman

      So I followed the instructions found here:

      https://forum.pfsense.org/index.php?topic=88940.msg491787#msg491787

      I was playing around with a test box and was able to do the following:

      1. Put a private IP on the WAN interface, left gateway empty.
      2. Create a CARP VIP on the WAN with a public IP.
      3. Go back to WAN interface, add gateway, put in public gateway IP.
      4. Turned on AON, set CARP IP as outbound NAT.
        I've yet to put this on a live segment and test failover, but it looks promising.

      And I have this working. But I am trying to take it a step further and use gateway groups to bond connections and failover; the problem is that my gateways are reporting as down. If I apply a real public static IP back to the WAN interfaces, the gateway reports as up once again.

      This is probably because the outbound NAT is not applying to traffic sent from apinger, right? How would I fix this?

      Thanks.

      EDIT:

      Never mind, I think I figured it out. I just set up an outbound NAT rule that applies to the firewall (self) and NATs it to each of the CARP VIPs (1 rule for each WAN interface).

      • cmb

        That NAT is fine for the primary, but won't work on the system with backup status. That might be OK, though your system with backup status won't have functional Internet connectivity, which means it won't auto-update, time sync, update bogons, etc.

        • Atlantisman

          @cmb:

          That NAT is fine for the primary, but won't work on the system with backup status. That might be OK, though your system with backup status won't have functional Internet connectivity, which means it won't auto-update, time sync, update bogons, etc.

          Any idea how I would fix it for the secondary system as well?

          Thanks.

          • cmb

            You can't where you have only one public IP available; the system with backup status can't use the IP that's active elsewhere.

            • dotdash

              @Atlantisman:

              Never mind, I think I figured it out. I just set up an outbound NAT rule that applies to the firewall (self) and NATs it to each of the CARP VIPs (1 rule for each WAN interface).

              Mind sharing the details of your OB NAT rule?
              I've tried this in the past with something like WAN, This firewall, ,,,CARP VIP,,NO
              And my gateway still shows as down…

              EDIT: Never mind...
              It does work; you just have to start and stop apinger after adding the NAT rule.

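As an added example (not code from this thread or from pfSense itself), a small POSIX shell check that reads `pfctl -sn` output on a pfSense box and confirms that each WAN has an outbound NAT rule translating the firewall's own traffic (the `(self)` source the GUI's "This Firewall (self)" choice produces) to that WAN's CARP VIP, which is what lets the gateway monitor's pings leave from the public VIP. The interface names, VIP addresses and the sample rule dump are constructed assumptions, as is the exact text `pfctl -sn` prints for such a rule.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that every WAN has an outbound
# NAT rule from (self) to its CARP VIP, so monitor pings do not leave from the
# private WAN address (the symptom in the thread: gateway shows as down).
# Interface names, VIPs and the sample rule dump below are constructed.

# Constructed stand-in for `pfctl -sn` output: em0 is set up correctly,
# em1 only NATs the LAN subnet, so its own monitor pings still use the
# private WAN address.
SAMPLE_RULES='nat on em0 inet from (self) to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em1 inet from 192.168.1.0/24 to any -> 198.51.100.10 port 1024:65535'

# has_self_nat <interface> <vip> [rule-text]
# Returns 0 when an outbound NAT rule from (self) on <interface> maps to <vip>.
# Without a third argument it reads the live ruleset (`pfctl -sn`, needs root).
has_self_nat() {
    iface=$1
    vip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    if [ $# -ge 3 ]; then
        rules=$3
    else
        rules=$(pfctl -sn) || return 2
    fi
    printf '%s\n' "$rules" \
        | grep -qE "^nat on ${iface} inet from \(self\) to any -> ${vip_re}( |/|$)"
}

# check_all_wans [rule-text]
# Prints one line per WAN and returns the number of WANs missing the rule.
# The WAN list is "<interface>:<vip>" pairs (constructed values).
check_all_wans() {
    missing=0
    for pair in "em0:203.0.113.10" "em1:198.51.100.10"; do
        iface=${pair%%:*}
        vip=${pair#*:}
        if has_self_nat "$iface" "$vip" "$@"; then
            echo "ok:      $iface (self) traffic NATs to $vip"
        else
            echo "MISSING: $iface has no (self) -> $vip outbound NAT rule"
            missing=$((missing + 1))
        fi
    done
    return $missing
}
```

After the rule is added, restart the gateway monitor (as the thread notes) and re-run the check before trusting the gateway status shown in the GUI.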
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.