How to use NAT 1:1 with HA / CARP
-
Hey guys,
I'm working on cluster deployment and I'm having issues making the NAT 1:1 rules work. Running pfSense 2.2.6 on two Dell PowerEdge 1950s, 4 NICs total.
My configs for box one and two are as follows:
LAN = x.x.x.250/24 and x.x.x.251/24
WAN = x.x.x.36/28 and x.x.x.37/28
SYNC = x.x.x.1/30 and x.x.x.2/30
LAN CARP = x.x.x.21/24
WAN CARP = x.x.x.35/28
The HA and sync appear to be working perfectly. Per the manual, I changed outbound NAT to manual and set the CARP address for each interface.
Now, I've created a NAT 1:1 entry for (WAN address) x.x.x.38/28 > x.x.x.225/24 (LAN address). Then I created a new CARP address for the same WAN IP x.x.x.38/28.
Immediately, the device loses internet access and I'm missing the reason as to why.
Any pfsense gurus that see an error in my config?
-
Now, I've created a NAT 1:1 entry for (WAN address) x.x.x.38/28 > x.x.x.225/24 (LAN address). Then I created a new CARP address for the same WAN IP x.x.x.38/28.
Are you actually using these netmasks in your 1:1 NAT entry? How, exactly, are you configuring the 1:1?
-
Hi Derelict,
Thanks for taking the time to respond. The NAT 1:1 entry doesn't allow me to specify netmasks, just external and internal IPs. Essentially, I configured a CARP VIP for the external IP that I want to use, then created a NAT 1:1 entry to map that same CARP VIP to an inside IP address. I'm testing from my primary WAN circuit and this pfsense cluster is live on our backup WAN circuit; neither circuit is connected to the same equipment, it's a true outside attempt to connect. I've included screenshots of my config if you don't mind taking a look at them.
I'm wondering if this has something to do with the outbound NAT rules, although they should be configured per the guide. I disabled automatic outbound NAT rules and switched to manual. Then I reconfigured each rule to use the shared CARP VIP, and from my tests it appears to be working correctly.
-
Hi Derelict,
Thanks for taking the time to respond. The NAT 1:1 entry doesn't allow me to specify netmasks, just external and internal IPs.
My mistake, I revisited the page and it does allow me to specify entire networks, etc. In this case, I only specified single host addresses.
-
So for the 1:1 NAT entry, Single host is selected for Internal IP?
All of the netmasks on all the CARP VIPs on your L3 circuit should be /28. Not that it's causing this problem.
Enabling that 1:1 NAT should not stop any traffic.
How about a screenshot of the 1:1 NAT edit screen?
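As an added illustration of the two points raised in this thread (CARP VIP masks should match the interface subnet, and on an HA pair both the 1:1 external address and the manual outbound NAT target must be CARP VIPs), here is a small config sanity checker. It is not pfSense code and not from the original posts; the addresses are constructed placeholders (198.51.100.32/28 stands in for the x.x.x WAN block, 192.168.4.0/24 for the LAN).

```python
import ipaddress

def check_ha_nat_config(interfaces, carp_vips, nat_1to1, outbound_nat):
    """Return a list of findings; an empty list means nothing obviously wrong.

    interfaces:   {name: "a.b.c.d/len"}  (this node's address on each interface)
    carp_vips:    [{"iface": name, "addr": "a.b.c.d/len"}]
    nat_1to1:     [{"iface": name, "external": "a.b.c.d", "internal": "a.b.c.d"}]
    outbound_nat: [{"iface": name, "translate_to": "a.b.c.d"}]
    """
    findings = []
    nets = {name: ipaddress.ip_interface(a).network for name, a in interfaces.items()}
    vips = {name: set() for name in interfaces}
    for vip in carp_vips:
        v = ipaddress.ip_interface(vip["addr"])
        net = nets[vip["iface"]]
        # a CARP VIP's mask should match its interface subnet (/28 on the WAN here)
        if v.network.prefixlen != net.prefixlen:
            findings.append(f"VIP {v} on {vip['iface']}: mask should be /{net.prefixlen}")
        if v.ip not in net:
            findings.append(f"VIP {v.ip} is not inside {vip['iface']} subnet {net}")
        vips[vip["iface"]].add(v.ip)
    for e in nat_1to1:
        ext = ipaddress.ip_address(e["external"])
        internal = ipaddress.ip_address(e["internal"])
        # on an HA pair the external side of a 1:1 must be a CARP VIP so it fails over
        if ext not in vips[e["iface"]]:
            findings.append(f"1:1 external {ext} on {e['iface']} is not a CARP VIP")
        if internal not in nets["LAN"]:
            findings.append(f"1:1 internal {internal} is outside LAN subnet {nets['LAN']}")
    for r in outbound_nat:
        tgt = ipaddress.ip_address(r["translate_to"])
        # manual outbound NAT on an HA pair must translate to the CARP VIP, not a node address
        if tgt not in vips[r["iface"]]:
            findings.append(f"outbound NAT on {r['iface']} translates to non-VIP {tgt}")
    return findings

# constructed sample mirroring the thread's layout (placeholder addresses, not the poster's)
INTERFACES = {"LAN": "192.168.4.250/24", "WAN": "198.51.100.36/28"}
VIPS_OK = [{"iface": "LAN", "addr": "192.168.4.21/24"},
           {"iface": "WAN", "addr": "198.51.100.35/28"},
           {"iface": "WAN", "addr": "198.51.100.38/28"}]
NAT_1TO1 = [{"iface": "WAN", "external": "198.51.100.38", "internal": "192.168.4.225"}]
OUTBOUND = [{"iface": "WAN", "translate_to": "198.51.100.35"}]
# same setup, but the new VIP entered with a /24 mask and outbound NAT left on the node address
VIPS_BAD = VIPS_OK[:2] + [{"iface": "WAN", "addr": "198.51.100.38/24"}]
OUTBOUND_BAD = [{"iface": "WAN", "translate_to": "198.51.100.36"}]

if __name__ == "__main__":
    for finding in check_ha_nat_config(INTERFACES, VIPS_BAD, NAT_1TO1, OUTBOUND_BAD):
        print(finding)
```

The checker only validates consistency of the entered values; it does not replace looking at the pf state table or packet captures on the firewall itself.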
-
So for the 1:1 NAT entry, Single host is selected for Internal IP?
All of the netmasks on all the CARP VIPs on your L3 circuit should be /28. Not that it's causing this problem.
Enabling that 1:1 NAT should not stop any traffic.
How about a screenshot of the 1:1 NAT edit screen?
Ah, good eye on the /28 CARP IPs. Although I'm attempting to reach an IP on the WAN_COX circuit (WAN_L3 isn't connected yet).
Initially I was thinking that it was an incorrect outbound NAT rule, however without the 1:1 rule enabled, the device at 192.168.4.225 has no problem reaching the internet.
Screenshot of the 1:1 edit is below.