Multi-WAN CARP (1 Static IP) With Gateway Groups Bonded/Failover



  • So I followed the instructions found here:

    https://forum.pfsense.org/index.php?topic=88940.msg491787#msg491787

    I was playing around with a test box and was able to do the following:

    1. Put a private IP on the WAN interface, left gateway empty.
    2. Create a CARP VIP on the WAN with a public IP.
    3. Go back to WAN interface, add gateway, put in public gateway IP.
    4. Turned on AON, set CARP IP as outbound NAT.

    I've yet to put this on a live segment and test failover, but it looks promising.

    And I have this working. But I am trying to take it a step further and use gateway groups to bond connections and fail over; the problem is that my gateways are reporting as down. If I apply a real public static IP back to the WAN interfaces, the gateway reports as up once again.

    This is probably because the outbound NAT is not applying to traffic sent from apinger, right? How would I fix this?

    Thanks.

    EDIT:

    Never mind, I think I figured it out. I just set up an outbound NAT rule that applies to the firewall (self) and NATs it to each of the CARP VIPs (one rule for each WAN interface).
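    As an added illustration, not taken from the thread or from pfSense's generated ruleset, here is what that outbound NAT rule amounts to in pf.conf terms, with constructed interface names and addresses; pfSense builds its own rules from the GUI, so this only shows what the rule does for traffic the firewall itself originates, such as the gateway monitor probes:

```pf
# Added illustration with constructed names and addresses, not the thread's config.
wan1 = "em0"    # WAN1 interface carrying a private address, 192.168.100.2/24
wan2 = "em1"    # WAN2 interface carrying a private address, 192.168.200.2/24
wan1_vip = "203.0.113.10"   # CARP VIP on WAN1 (the real public IP)
wan2_vip = "198.51.100.10"  # CARP VIP on WAN2

# Packets the firewall itself sends (gateway monitor probes, updates, NTP)
# leave with the private interface address and must be translated to the
# CARP VIP, one rule per WAN. This is what "This Firewall (self) -> CARP VIP"
# in Outbound NAT corresponds to; (self) covers every local address.
nat on $wan1 from 192.168.100.2 to any -> $wan1_vip
nat on $wan2 from 192.168.200.2 to any -> $wan2_vip

# On the node in BACKUP state the VIPs are held by the master, so replies to
# its translated probes arrive at the master and the backup's gateways show
# as down; with a single public IP per WAN this cannot be avoided. The
# gateway monitor must be restarted after the rules are added so it picks
# up the new source mapping.
```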



  • That NAT is fine for the primary, but won't work on the system with backup status. That might be OK, though your system with backup status won't have functional Internet connectivity, which means it won't auto-update, time sync, update bogons, etc.



  • @cmb:

    That NAT is fine for the primary, but won't work on the system with backup status. That might be OK, though your system with backup status won't have functional Internet connectivity, which means it won't auto-update, time sync, update bogons, etc.

    Any idea how I would fix it for the secondary system as well?

    Thanks.



  • You can't where you have only one public IP available; the system with backup status can't use the IP that's active elsewhere.



  • @Atlantisman:

    Never mind, I think I figured it out. I just set up an outbound NAT rule that applies to the firewall (self) and NATs it to each of the CARP VIPs (one rule for each WAN interface).

    Mind sharing the details of your OB NAT rule?
    I've tried this in the past with something like WAN, This firewall, ,,,CARP VIP,,NO
    And my gateway still shows as down…

    EDIT: Never mind...
    It does work, you just have to start and stop apinger after adding the NAT rule.
