How to use NAT 1:1 with HA / CARP



  • Hey guys,

    I'm working on a cluster deployment and I'm having issues making the NAT 1:1 rules work. Running pfSense 2.2.6 on two Dell PowerEdge 1950s, 4 NICs total.

    My configs for box one and two are as follows:

    LAN = x.x.x.250/24 and x.x.x.251/24
    WAN = x.x.x.36/28 and x.x.x.37/28
    SYNC = x.x.x.1/30 and x.x.x.2/30

    LAN CARP = x.x.x.21/24
    WAN CARP = x.x.x.35/28

    The HA and sync appear to be working perfectly. Per the manual, I changed outbound NAT to manual and set the CARP address for each interface.

    Now, I've created a NAT 1:1 entry for (WAN address) x.x.x.38/28 > x.x.x.225/24 (LAN address). Then I created a new CARP address for the same WAN IP x.x.x.38/28.

    Immediately, the device loses internet access and I'm missing the reason as to why.

    Any pfSense gurus that see an error in my config?


  • LAYER 8 Netgate

    Now, I've created a NAT 1:1 entry for (WAN address) x.x.x.38/28 > x.x.x.225/24 (LAN address). Then I created a new CARP address for the same WAN IP x.x.x.38/28.

    Are you actually using these netmasks in your 1:1 NAT entry? How, exactly, are you configuring the 1:1?



  • Hi Derelict,

    Thanks for taking the time to respond. The NAT 1:1 entry doesn't allow me to specify netmasks, just external and internal IPs. Essentially, I configured a CARP VIP for the external IP that I want to use, then created a NAT 1:1 entry to map that same CARP VIP to an inside IP address. I'm testing from my primary WAN circuit and this pfSense cluster is live on our backup WAN circuit; neither circuit is connected to the same equipment, so it's a true outside attempt to connect. I've included screenshots of my config if you don't mind taking a look at them.

    I'm wondering if this has something to do with the outbound NAT rules, although they should be configured per the guide. I disabled automatic outbound NAT rules and switched to manual. Then I reconfigured each rule to use the shared CARP VIP, and from my tests it appears to be working correctly.

  • @GhengisT:

    Hi Derelict,

    Thanks for taking the time to respond. The NAT 1:1 entry doesn't allow me to specify netmasks, just external and internal IPs.

    My mistake, I revisited the page and it does allow me to specify entire networks, etc. In this case, I only specified single host addresses.


  • LAYER 8 Netgate

    So for the 1:1 NAT entry Single host is selected for Internal IP?

    All of the netmasks on all the CARP VIPs on your L3 circuit should be /28. Not that it's causing this problem.

    Enabling that 1:1 NAT should not stop any traffic.

    How about a screen shot of the 1:1 NAT edit screen?
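    A consistency check for the two points in this reply, added here as an example and not anything posted in the thread: it parses a pfSense-style config.xml and flags CARP VIPs whose mask differs from their interface's mask, and 1:1 NAT entries whose external address is not a CARP VIP on that interface. The element names (interfaces/<if>/subnet, virtualip/vip/subnet_bits, nat/onetoone/external) and the 203.0.113.x addresses are assumptions standing in for the thread's x.x.x values; only 192.168.4.225 comes from the thread.

    ```python
    # Added example: lint a pfSense-style config.xml for the HA / 1:1 NAT pitfalls
    # discussed in the thread. Element names are assumed from pfSense's config.xml
    # layout; the sample below is constructed, with 203.0.113.x standing in for
    # the poster's x.x.x WAN block (.36/28 means the /28 is 203.0.113.32-.47).
    import xml.etree.ElementTree as ET

    SAMPLE_CONFIG = """<pfsense>
      <interfaces>
        <wan><ipaddr>203.0.113.36</ipaddr><subnet>28</subnet></wan>
        <lan><ipaddr>192.168.4.250</ipaddr><subnet>24</subnet></lan>
      </interfaces>
      <virtualip>
        <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.35</subnet><subnet_bits>28</subnet_bits></vip>
        <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.38</subnet><subnet_bits>24</subnet_bits></vip>
        <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.4.21</subnet><subnet_bits>24</subnet_bits></vip>
      </virtualip>
      <nat>
        <onetoone><interface>wan</interface><external>203.0.113.38</external><source><address>192.168.4.225</address></source></onetoone>
        <onetoone><interface>wan</interface><external>203.0.113.39</external><source><address>192.168.4.226</address></source></onetoone>
      </nat>
    </pfsense>"""


    def lint_ha_nat(config_xml: str) -> list:
        """Return a list of findings; an empty list means both checks passed."""
        root = ET.fromstring(config_xml)
        findings = []
        # Prefix length of each interface: every CARP VIP on it should use the same one.
        if_prefix = {iface.tag: int(iface.findtext("subnet")) for iface in root.find("interfaces")}
        # CARP VIP addresses per interface, used to validate 1:1 NAT external addresses.
        carp_vips = {}
        for vip in root.findall("virtualip/vip"):
            if vip.findtext("mode") != "carp":
                continue
            ifname = vip.findtext("interface")
            addr = vip.findtext("subnet")
            bits = int(vip.findtext("subnet_bits"))
            carp_vips.setdefault(ifname, set()).add(addr)
            if bits != if_prefix.get(ifname):
                findings.append(f"CARP VIP {addr}/{bits} on {ifname} does not match the interface's /{if_prefix.get(ifname)}")
        for rule in root.findall("nat/onetoone"):
            ifname = rule.findtext("interface")
            ext = rule.findtext("external")
            if ext not in carp_vips.get(ifname, set()):
                findings.append(f"1:1 NAT external {ext} on {ifname} is not a CARP VIP on that interface")
        return findings


    if __name__ == "__main__":
        for finding in lint_ha_nat(SAMPLE_CONFIG):
            print(finding)
    ```

    Against the constructed sample it reports the /24 mask on the 203.0.113.38 VIP and the 1:1 entry whose external address has no VIP behind it; run it against a real config.xml exported from Diagnostics > Backup & Restore.
    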



  • @Derelict:

    So for the 1:1 NAT entry Single host is selected for Internal IP?

    All of the netmasks on all the CARP VIPs on your L3 circuit should be /28. Not that it's causing this problem.

    Enabling that 1:1 NAT should not stop any traffic.

    How about a screen shot of the 1:1 NAT edit screen?

    Ah, good eye on the /28 CARP IPs. Although, I'm attempting to reach an IP on the WAN_COX circuit (WAN_L3 isn't connected yet).

    Initially I was thinking that it was an incorrect outbound NAT rule, however without the 1:1 rule enabled, the device at 192.168.4.225 has no problem reaching the internet.

    Screenshot of the 1:1 edit is below.


