CARP Config with Outbound Address Pools
-
Greetings,
Here is my setup:
I have pfsense in a CARP configuration w/ NATing on the LAN. One of the Public Addresses NAT's to a private IP to my internal pfsense that is also in a CARP configuration.
Question: How do I set up my External firewall OUTBOUND NAT so that traffic leaving the internal firewall and heading out to the web utilizes a pool of public addresses?
Thanks,
Dino
-
Hello,
CARP doesn't use an address pool, CARP is just one shared VIP. Additional VIPs (IP Aliases) may hook up on the CARP VIP.
To translate the source address to your public VIP when packets go out to WAN, you have to configure outbound NAT to use this VIP.
Firewall > NAT > Outbound
If you use "Automatic outbound NAT rule generation" select " Hybrid Outbound NAT rule generation" and hit save.
Add a rule for WAN interface
Source: any
Destination: any
Translation: <select your="" desired="" public="" vip="">enter a description and save it</select> -
Thanks for your reply. It is much appreciated.
I do currently have that setup and it works flawlessly. I assumed that I wouldn't change the Outbound NAT for the DMZ network because that would break the failover. Soo…
How do I set up my external firewall then so a single DMZ address that is NAT'd to a single public address will use a pool of Addresses? Just to make it clear, even though the External Firewall NAT's to the Internal Firewall, there is no NATing on the Internal Firewall.
Ex;
Current NAT
Public DMZ
xxx.xxx.xxx.15 yyy.yyy.yyy.15Desired configuration
Public DMZ
xxx.xxx.xxx.17 yyy.yyy.yyy.15
xxx.xxx.xxx.18 yyy.yyy.yyy.15
xxx.xxx.xxx.19 yyy.yyy.yyy.15
xxx.xxx.xxx.20 yyy.yyy.yyy.15
xxx.xxx.xxx.21 yyy.yyy.yyy.15
xxx.xxx.xxx.22 yyy.yyy.yyy.15
xxx.xxx.xxx.23 yyy.yyy.yyy.15
xxx.xxx.xxx.24 yyy.yyy.yyy.15
xxx.xxx.xxx.25 yyy.yyy.yyy.15
xxx.xxx.xxx.26 yyy.yyy.yyy.15
xxx.xxx.xxx.27 yyy.yyy.yyy.15
xxx.xxx.xxx.28 yyy.yyy.yyy.15
xxx.xxx.xxx.29 yyy.yyy.yyy.15
xxx.xxx.xxx.30 yyy.yyy.yyy.15I REALLY like the idea of 'Round Robin' through the public IP's. We have +100 connections going out that one public IP and I would like to split the load a little.
Thanks again for your input and assistance!
Dino
-
I see now, you want explicitly use the whole public addresses in round robin.
If it is a whole subnet you want to translate, you can select "other subnet" at translation in the outbound NAT rule and enter the subnet below. At "Pool Options" select "round robin".
If it's not the whole subnet you have to add an IP alias for these addresses at first and select this one at translation. -
So I would create an OUTBOUND NAT entry for the specific DMZ IP (yyy.yyy.yyy.15/32) as the Source Address, create an IP Alias with the range of IP's I want to target (NOT the entire network range), and use that in the Translation section of the Outbound NAT entry.
Would I change the interface from WAN to the WANCARP IP? It is an option in the dropdown and, logically speaking, seems to make sense to do that.
After creation, move this to the top of the list so it is used instead of the existing entry for that DMZ subnet.
How does this work in a CARP environment if Backup takes over for the MASTER?
Great response time!! Thanks again!
Dino
-
Would I change the interface from WAN to the WANCARP IP? It is an option in the dropdown and, logically speaking, seems to make sense to do that.
So you've created an additional WANCARP interface? Why?
How does this work in a CARP environment if Backup takes over for the MASTER?
Do you know CARP basics?
You assign a CARP VIP to each of your interfaces.
If you need additional IPs, create "IP Aliases" (this may also be CARP if you like) for each hooking up on the CARP VIP of that interface.
If the Master fails the Backup takes over the CARP VIPs and all VIPs hooking up with it. -
Yes, I do understand CARP basics and will admit that I'm not explaining this very well. My apologies.
I have the IP Aliases created already and they show up in the Virtual IP Addresses and their interface is currently assigned to the WANCARP.
Shouldn't I create a Host Alias, list all the IP Alias addresses in that Host Alias, then select that Host Alias in the Translation: Address drop down?
-
I have the IP Aliases created already and they show up in the Virtual IP Addresses and their interface is currently assigned to the WANCARP.
That's okay. That's the CARP VIP the IP Aliases hook up.
I interpreted your last post that you have WANCARP in dropdown in outbound NAT rule.Shouldn't I create a Host Alias, list all the IP Alias addresses in that Host Alias, then select that Host Alias in the Translation: Address drop down?
Yes, you need this Alias to set the translation pool.
You can state the range with something like "xxx.xxx.xxx.17-xxx.xxx.xxx.30". -
OK. Probably a silly question but within the NAT: Outbound, can the source be a /32 so instead of a network range it's a specific address?
Right now I have the OUTBOUND NAT map settings as follows:
Interface: WAN
Protocol: any
Source: Type: Network (because 'any' and 'Firewall' are not correct)
Source: Address: yyy.yyy.yyy.15 / 32
Destination: any
Destination Port: 465 (for testing)
Translation: Address: Host Alias
Translation: Pool Options: Round Robin with Sticky Address
Translation: Static Port: CheckedNot working. Resolving to the old outbound.
I have to add that the NEW rule (settings listed above) was placed first/top of the list.
Dino
-
within the NAT: Outbound, can the source be a /32 so instead of a network range it's a specific address?
Yes, it should work this way.
Don't use "Sticky Address"!
With this option a particular source address is always translated to the same address of the pool. Since you have just one source, the outbound address is ever the same.Also "Static Port" isn't a good idea if you don't need it for special purposes.
-
Thanks again for the time you have spent assisting me.
Made those changes and it's still not working. For testing purposes, I'm set the outbound nat protocol to ICMP. I didn't see a reason why that would cause an issue.
One thought (and in hindsight this could be obvious). Should I remove the NAT that has been assigned to the .15? That public address is NOT in the Alias Host.
Thanks again!
-
Silly question. Glad no one answered. Removed that NAT and it's working great!
Thanks again for your help!
Dino